DC: 9 – Vulnhub (Without sqlmap)

Overall Summary

This Vulnhub image is a machine that I considered very fun to go through, as it allowed me to better understand SQL injection and yet another interesting privilege escalation technique. The machine can be initially exploited through SQL injection to gather some credentials. There is an SSH service which is initially in the “filtered” state and requires “Port Knocking” to open the port; the information needed can be gathered by leveraging an LFI vulnerability. Privilege escalation requires logging in as a specific user to retrieve some passwords and become another user who has some sudo permissions on a specific file. Overall the machine is very fun and a lot can be learned from it. The SQL injection I used is completely manual, without using “sqlmap”.

Scanning and Enumeration

A full TCP nmap scan returns the following information:

 

 

 

From the output we see that the SSH service is being filtered and only port 80 is open. Browsing to the HTTP service displays the following page:

 

 

Going to the “Display All Records” option displays information about potential users.

 

 

 

There is also a search option which seems to look for first names and last names.

 

 

If we try a common SQL injection, it returns all the information from the “Display All Records” option. This is the SQL injection I used:

test' or 1=1 -- -

Since the SQL injection didn’t give me any errors, it seemed like the search was vulnerable to SQL injection, so I started by enumerating the number of columns that I could work with. To enumerate the columns I’ll use an “order by” clause, starting with number 1 and increasing it until it returns an error or doesn’t return any information. I’ll test this out using the known first name “mary”, and the syntax of the query will look as follows:

mary' order by 1 -- -

Increasing the number by one each time, we see that it stops displaying information at “order by 7”, which means that the number of columns is 6. The next step is to identify where the information for each column is displayed, so I’ll place some numbers to identify each column. This can be accomplished with the following query:

mary' union all select 1,2,3,4,5,6 -- -

From the screenshot we see the location of each column, which is identified by a number. Now that we know where information can be displayed, we need to enumerate the database version (assuming this is MySQL), which can be done using the following query:

mary' union all select 1,2,3,4,@@version,6 -- -

 

 

Knowing the version helps in understanding how the queries will be made. The next step is to enumerate the databases using the information schema; this is the query used to list the databases:

mary' union all select 1,2,3,4,schema_name,6 from information_schema.schemata -- -

We will get the following results:

 

 

 

From this information the “users” database seems the most interesting. We will now enumerate the tables to see what’s interesting; the following query was used to enumerate the tables:

mary' union select all 1,2,3,4,table_name,6 from information_schema.tables -- -

We will get significantly more information this time, but scrolling to the end shows an interesting table named “UserDetails”.

 

 

 

 

I will now list the field names that the table contains to see which fields would contain important information. To accomplish this, the following query will be used:

mary' union all select 1,2,3,4,column_name,6 FROM information_schema.columns where table_name='UserDetails' -- -

 

 

There are 6 fields in total, but the ones we are interested in are the “username” and “password” fields. To display only this information from the “UserDetails” table, I will put the usernames in column number 4 and the passwords in column 5. This is the query I used:

mary' union all select 1,2,3,concat(username),concat(password),6 FROM users.UserDetails -- -

We will get different usernames and passwords (the screenshot is only a fraction of all).

 

 

And if we also look at the Users table we will get an admin username and a hashed password. The query to accomplish this looks like this:

mary' union all select 1,2,3,concat(username),concat(password),6 FROM Users -- -
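
Why the first probes above behave as they do, and what removes the bug, as an added example that is not from the original post or the target application. It assumes the search builds its SQL by string concatenation; SQLite stands in for MySQL, and the `records` table, its column names and its rows are constructed.

```python
import sqlite3

def make_db():
    """Constructed stand-in data: a six-column table like the one the search page
    reads (table and column names are assumptions), held in in-memory SQLite."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (id INTEGER, firstname TEXT COLLATE NOCASE,"
               " lastname TEXT COLLATE NOCASE, position TEXT, phone TEXT, email TEXT)")
    db.executemany("INSERT INTO records VALUES (?,?,?,?,?,?)", [
        (1, "Mary", "Moe", "CEO", "555-0101", "mary@example.com"),
        (2, "Julie", "Dooley", "HR", "555-0102", "julie@example.com"),
        (3, "Tom", "Cat", "Driver", "555-0103", "tom@example.com"),
    ])
    return db

def search_vulnerable(db, term):
    # The term is pasted into the SQL text, so a quote in it ends the string
    # literal and everything after it is parsed as SQL.
    sql = ("SELECT * FROM records WHERE firstname = '" + term +
           "' OR lastname = '" + term + "'")
    return db.execute(sql).fetchall()

def search_parameterized(db, term):
    # The term is bound as a value and is never parsed as SQL.
    sql = "SELECT * FROM records WHERE firstname = ? OR lastname = ?"
    return db.execute(sql, (term, term)).fetchall()

def outcome(search, db, term):
    """Row count, or 'error' when the database rejects the statement."""
    try:
        return len(search(db, term))
    except sqlite3.Error:
        return "error"

# Three of the probes used in the write-up above.
PROBES = ["test' or 1=1 -- -", "mary' order by 7 -- -",
          "mary' union all select 1,2,3,4,5,6 -- -"]

if __name__ == "__main__":
    db = make_db()
    for term in PROBES:
        print(f"{term!r}: vulnerable={outcome(search_vulnerable, db, term)}, "
              f"parameterized={outcome(search_parameterized, db, term)}")
```

With bound parameters every probe is just a name that matches nobody, so the column count, the reflected columns and the other tables stay out of reach.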

 

 

 

To get the password from the hash I used Crackstation.net instead of using tools on the machine and was able to quickly get the password.

 

 

 

With this password I was able to log in as the admin user by going to the “Manage” option.

 

 

Exploitation

Once logged in we see at the bottom a message that says “File does not exist”, as if it was looking for a file, so by trying a very common LFI technique I was able to successfully read files from the system.

 

 

Basically all the users that I saw earlier have access to the machine, and the passwords we got might allow me to get into the machine. But from the nmap report we know that the SSH port is being filtered, which could mean that it is either being restricted by IP or that we are dealing with “port knocking”. Taking advantage of the LFI, I attempted to read a knockd.conf file if available, and was able to successfully get information from such a file.

 

 

Great, now all we have to do is knock on the sequence of ports displayed in the file using nmap. Port knocking with nmap using those port numbers can be accomplished with the following command:

nmap -p 7469,8475,9842 --max-retries 0 192.168.80.132

 

 

The SSH port was successfully opened. I placed the credentials I obtained earlier in two separate files, one for usernames and one for passwords. I then used hydra to brute force SSH and see which users have access through SSH. This is the command I used for hydra:

hydra -L usernames.txt -P passwords.txt 192.168.80.132 ssh

 

 

 

 

There were three valid credentials working with SSH, so I simply logged in over SSH as the chandlerb user.

 

 

 

Post-Exploitation

For privilege escalation I started by checking for sudo permissions and for files in the home directories of the users I had access to. Listing the files and directories in the home folder of the user “janitor” showed a file with some new passwords.

 

 

I copied those passwords to the password list that I already had and used hydra again to see if I could get some more valid credentials as different users.

 

 

 

 

I was able to get valid credentials for the user “fredf” and using SSH to log in as fredf also shows that he has some sudo permissions to execute a file named “test”.

 

 

By executing the file I get the following message:

 

 

 

So it seems like I need to give it some parameters, and the words “read” and “append” suggest that I could read a file and append it to another file, so let’s try that. I’ll attempt to read the shadow file and append it to a file in the /tmp folder named “myshadow” with the following command:

sudo /opt/devstuff/dist/test/test /etc/shadow /tmp/myshadow

I was able to successfully get the contents of the shadow file appended to the “myshadow” file.

 

 

 

To become root I thought that it would be great to add another user to the passwd file with root privileges. The process I followed to generate an entry for the new user can be learned from here:

https://hacknpentest.com/linux-privilege-escalation-via-writeable-etc-passwd-file/

I’ll first generate an encrypted password using Perl. This is the command I used:

perl -le 'print crypt("mystrongpassword","salt")'

 

 

I will now put the entry for the new username in a file named “newuser” in the /tmp folder. Notice that I added the encrypted password to the entry.

echo "newroot:samIllSUTVKpo:0:0:Similar_to_root:/root:/bin/bash" > /tmp/newuser

We can now take advantage of the test file to append the newuser file to the passwd file and be able to become our new user “newroot”. I’ll execute the script as follows to append the file:

sudo /opt/devstuff/dist/test/test /tmp/newuser /etc/passwd

Once the file is appended I tried to use the “su” command to become the new user “newroot” and was able to successfully get root privileges.
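
A check for what this step leaves behind in /etc/passwd, as an added example that is not part of the original post: it flags UID 0 accounts other than root and entries that carry a hash in the password field. The sample file is constructed; only its last line is the entry from the write-up.

```python
import re

# Constructed /etc/passwd content; only the last line is taken from the write-up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fredf:x:1003:1003::/home/fredf:/bin/bash
newroot:samIllSUTVKpo:0:0:Similar_to_root:/root:/bin/bash
"""

# Traditional DES crypt output: 2-character salt followed by 11 characters.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

def audit_passwd(text):
    """Return (line number, account, finding) tuples for risky passwd entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        name, password, uid = fields[0], fields[1], fields[2]
        if uid.isdigit() and int(uid) == 0 and name != "root":
            findings.append((lineno, name, "UID 0 account other than root"))
        if password == "":
            findings.append((lineno, name, "empty password field"))
        elif password != "x" and not password.startswith(("!", "*")):
            # Anything other than the shadow marker or a lock marker is a hash
            # that login programs will accept straight from passwd.
            kind = "DES crypt" if DES_CRYPT.fullmatch(password) else "crypt"
            findings.append((lineno, name, kind + " hash in passwd instead of shadow"))
    return findings

if __name__ == "__main__":
    for lineno, name, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {name}: {finding}")
```

A check like this catches the appended line, but the root cause is the sudo rule: a helper run as root that appends to a caller-chosen path can write to any file on the system.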

 
