sql

All posts tagged sql

Walkthrough of the Burp Suite Repeater Web Application pentesting room focusing on the practical sections.

Repeater

Simply put, the Repeater feature of Burp Suite enables the pentester to edit and resend iterations of intercepted requests to the target. Let’s send our captured request to the Repeater by right-clicking on the request and choosing “Send to Repeater”. We can modify our requests at any time; for instance, if we change the “Connection” header in the request from “close” to “open”, the “Connection” header in the response will change from “close” to “keep-alive”.

Practical Example

Repeater is best suited for tasks where we have to submit the same request repeatedly, for example when testing for SQLi vulnerabilities, probing a web application firewall, or testing web form parameters. Let’s change the headers of a request that we send to the target by adding the “FlagAuthorised: True” header at the bottom, making sure that two blank lines remain at the end.

Send the request. What is the flag you receive?

Practical Challenge

Now it is time to test the input validation. Let’s click on any of the “See more” buttons on the product page and capture the request. Send it to the Repeater and start fuzzing the number at the end of the path. The goal is to upset the server with unexpected input. Let’s get a “500 Internal Server Error” code by changing the number to something else.

What is the flag you receive when you cause a 500 error in the endpoint?

Extra Mile SQLi with Repeater

In this section we are to find and exploit a Union SQL Injection vulnerability in the ID parameter of the “/about/ID” endpoint. Injecting a single apostrophe (') is usually enough to make the server error.

The response page is rather informative, both in the source code and in the rendered version. It tells us that the database table we are selecting from is called “people” and that the query selects five columns from it: “firstName”, “lastName”, “pfpLink”, “role” and “bio”. We can guess where these fit into the page, which comes in handy when we choose where to place our output, and it lets us skip the column-count and table-name enumeration steps.

To find the target column we can use a union query to select the column names of the “people” table from the “columns” table of the default information_schema database. The query goes where we found the vulnerability with the apostrophe. First, we change the ID “2” to an invalid number (“0”) so that the original (legitimate) query returns nothing. The rest of the query selects our target followed by four NULL columns. Using the “group_concat()” function we can merge all the column names into a single output, which reveals eight columns in the table, including our target “notes” column.

We know the name of the table (people), the name of the target column (notes) and the ID of the CEO (1), as seen in the URL of Jameson Wolfe’s profile, so everything is in place to capture the flag.
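The root cause of the “/about/ID” bug above and the fix a defender would apply, as an added example that is not part of the original walkthrough: the URL segment is spliced into the SQL text, so an apostrophe produces the database error behind the 500 page and a union query can read other columns. The table name and the five column names come from the walkthrough; the in-memory SQLite database, the rows, the flag value and the handler names are constructed here.

```python
import sqlite3

# Constructed in-memory stand-in for the room's "people" table; the column names
# come from the walkthrough, the rows and the flag value are made up here.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, firstName TEXT, lastName TEXT, "
             "pfpLink TEXT, role TEXT, bio TEXT, notes TEXT)")
conn.execute("INSERT INTO people VALUES (1, 'Jameson', 'Wolfe', '/img/1.png', 'CEO', "
             "'Founder.', 'FLAG{constructed_placeholder}')")
conn.execute("INSERT INTO people VALUES (2, 'Ann', 'Smith', '/img/2.png', 'Engineer', "
             "'Builds things.', NULL)")

COLUMNS = "firstName, lastName, pfpLink, role, bio"

def about_vulnerable(raw_id: str) -> list:
    """The bug behind /about/ID: the URL segment is spliced into the SQL text."""
    query = f"SELECT {COLUMNS} FROM people WHERE id = '{raw_id}'"
    return conn.execute(query).fetchall()

def about_hardened(raw_id: str):
    """Check the type first, then bind the value so it is never parsed as SQL."""
    if not raw_id.isdigit():
        return None  # answer with a 404, not a 500 carrying the query text
    rows = conn.execute(f"SELECT {COLUMNS} FROM people WHERE id = ?", (int(raw_id),)).fetchall()
    return rows or None

def leaks_db_error(handler, raw_id: str) -> bool:
    """True when a database syntax error escapes the handler (the 500 page in the room)."""
    try:
        handler(raw_id)
        return False
    except sqlite3.OperationalError:
        return True

# Same shape as the walkthrough's union query: kill the legitimate row with id 0,
# then append a SELECT of the hidden column padded with NULLs to five columns.
UNION_PAYLOAD = "0' UNION SELECT notes, NULL, NULL, NULL, NULL FROM people WHERE id = 1 -- -"

if __name__ == "__main__":
    print("apostrophe -> DB error:", leaks_db_error(about_vulnerable, "'"))   # True
    print("union payload ->", about_vulnerable(UNION_PAYLOAD))                 # notes leaked
    print("hardened ->", about_hardened("'"), about_hardened(UNION_PAYLOAD))   # None None
```

The hardened handler treats the whole payload as an id string, rejects it before any SQL runs, and never lets the driver's error text reach the response, which is what made the page so informative in the walkthrough.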

What is the flag?

Thanks for reading and as always, any feedback is most welcome.

Walkthrough of a Linux machine exploitation: attacking a blind SQL injection vulnerability in a Joomla CMS, then privilege escalation by abusing the Yum package manager.

Deploying the vulnerable machine and initial enumeration

From our usual Nmap scan we can see that 3 TCP ports are open (22, 80, 3306) on a CentOS Linux machine. A Joomla content management system runs on the Apache web server, with a MariaDB (MySQL) database in the backend.

Another, more specific Nmap scan comes back with even more interesting information about port 80 and Joomla.

What is the Joomla version?

Let’s find some exploits for the vulnerability spotted by Nmap.

Exploiting CVE-2017-8917

We are going to use Sqlmap as suggested in the exploit description, with some slight modifications. Most importantly, I have taken out the “--level” switch entirely, as the Nmap scan classified the vulnerability as critical (CVSS 9.8), meaning that exploitation could be easier. This saves some time, as not that many payloads need to be run against the weakness. As we can see below, a user with its password hash is successfully carved out of the database table.

After saving the hash into a text file let us crack it with John.

What is Jonah’s cracked password?

Now that we have Jonah’s password, let us log in to Joomla via the admin URL found by the earlier Nmap scan above. The plan is to get a reverse shell by modifying a PHP Joomla template, embedding suitable reverse TCP shell code into it. Let’s navigate to our proposed nest, the “index.php” of the “Protostar” template. We can remove all the comments from the beginning of the code to save some space. Also, do not forget to set the IP address of your machine and the desired port number, which must match the port of your Netcat listener. After inserting the code at the top of index.php, save it.

Then, upon navigating to the corresponding URL of the website, we should receive a reverse shell on our listener.

Privilege Escalation

Let us quickly spawn an interactive pty shell; then we have to raise our privileges from the web server user to root. Poking around for credentials, we find some in the web server directory.

Luckily, they work for the only user found on the machine, so we can answer another question.

What is the user flag?

Now let us log in with SSH, as we know a user and his password, and check his privileges.

What we can see is that he is able to run the Yum package manager, which, according to GTFOBins, can be made to spawn a root shell by loading a custom plugin.

All we have to do is just copy-paste the lines into the terminal one by one.

What is the root flag?

Thanks for reading and as always, any feedback is most welcome.

Walkthrough of a Linux machine exploitation: attacking an SQL database, cracking some credentials and gaining root privileges with a Metasploit payload.

Deploying the vulnerable machine

What is the name of the large cartoon avatar holding a sniper on the forum?

Obtain access via SQLi

The Nmap scan shows 2 services, SSH and HTTP, but not much additional information.

There is an SQL database underneath to abuse via the login page. Our input goes into the SELECT * FROM users WHERE username = :username AND password = :password query in the backend. If we put ' or 1=1 -- - into the username field, the session is authenticated: 1=1 is always true, so the query returns all of the rows.

This allows us to bypass the login page.

What page do we get redirected to?

Using SQLMap

First of all we need to intercept a request to the search feature of the site using Burp Suite.

After catching and saving the whole POST request to a text file, we can pass it to SQLMap so that it uses our authenticated session.
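Seen from the blue team side, the login bypass and the SQLMap run above leave recognisable traces. The detection logic below is an added example, not part of the original walkthrough: it scans a constructed application-level login audit log (the form body of a POST never reaches the web server access log, so the application has to record it) for the tautology and comment sequences used in the bypass, and constructed Apache-style access log lines for union/enumeration keywords in decoded URLs and for an SQLMap User-Agent. The log formats, IP addresses and the “sqlmap/1.7” agent string are all made up here.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (not from the walkthrough's lab): an application-level
# login audit log and two Apache combined-format access log lines.
LOGIN_AUDIT = [
    '2024-05-01T10:00:01Z ip=10.0.0.5 user="alice" result=ok',
    '2024-05-01T10:00:09Z ip=10.0.0.9 user="\' or 1=1 -- -" result=ok',
    '2024-05-01T10:00:12Z ip=10.0.0.9 user="bob" result=fail',
]
ACCESS_LOG = [
    '10.0.0.5 - - [01/May/2024:10:01:00 +0000] "GET /index.php?q=laptop HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/May/2024:10:02:00 +0000] "GET /index.php?q=laptop%27%20UNION%20SELECT%20NULL-- HTTP/1.1" 500 0 "-" "sqlmap/1.7"',
]

SQLI_PATTERNS = [
    re.compile(r"'\s*or\s+1\s*=\s*1", re.I),    # tautology used in the login bypass
    re.compile(r"\bunion\b.*\bselect\b", re.I),  # union-based extraction
    re.compile(r"information_schema", re.I),     # schema enumeration
    re.compile(r"--\s*-?\s*$|/\*"),              # comment sequence closing off the query
]
SQLMAP_UA = re.compile(r"sqlmap", re.I)

def sqli_hits(text: str) -> list:
    """Return the patterns that match after URL-decoding the value."""
    decoded = unquote_plus(text)
    return [p.pattern for p in SQLI_PATTERNS if p.search(decoded)]

def flag_login_audit(lines) -> list:
    """(ip, reason) for audit entries whose submitted username looks like SQL."""
    alerts = []
    for line in lines:
        m = re.search(r'ip=(\S+) user="(.*)" result', line)
        if m and sqli_hits(m.group(2)):
            alerts.append((m.group(1), "sqli-in-username"))
    return alerts

def flag_access_log(lines) -> list:
    """(ip, reason) for access log lines with an SQLMap agent or SQL in the URL."""
    alerts = []
    for line in lines:
        m = re.match(r'(\S+) .*"(?:GET|POST) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"', line)
        if not m:
            continue
        ip, target, status, ua = m.groups()
        if SQLMAP_UA.search(ua):
            alerts.append((ip, "sqlmap-user-agent"))
        if sqli_hits(target):
            alerts.append((ip, "sqli-in-url"))
    return alerts
```

A default SQLMap User-Agent is trivial to change, so the URL and username content checks are the ones worth keeping; the agent check only catches unmodified tool runs.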

In the users table, what is the hashed password?

What was the username associated with the hashed password?

What was the other table name?

Cracking a password with JohnTheRipper

What is the de-hashed password?

What is the user flag?

Exposing services with reverse SSH tunnels

First of all we have to do some internal enumeration, listing the open sockets with the tool ss, which is basically a replacement for the Netstat command.

TCP port 10000 is open but blocked by a firewall rule, as there was no sign of it during the initial Nmap scan. In a situation like this we can circumvent the block with port forwarding: local SSH tunneling makes it possible to forward the port from the remote machine back to our local machine.

This means that the same Nmap scan is now able to detect the port and the service of the machine via 127.0.0.1.

This can also be confirmed in our web browser.

What is the name of the exposed CMS?

What is the CMS version?

Privilege Escalation with Metasploit

Looking for potential exploits, we find a couple of Metasploit modules.

Two important things to keep in mind with the tunneling: first, the SSH port forwarding must stay alive during the Metasploit exploit, and second, as a consequence, RHOST will be the local machine, not the victim in the lab.

Thanks for reading and as always, any feedback is most welcome.