Tue. Oct 20th, 2020

Pentesting Fun Stuff

following the cyber security path…

From SQLi to Shell

Introduction

This exercise is from PentesterLab. Its goal is to start from a SQL injection, use it to gain access to the administration console, and from there run commands on the system.
This VM is purely educational and there are no flags to capture.

Location

https://www.pentesterlab.com/exercises/from_sqli_to_shell/online

Getting started

The focus is on port 80, but to be 100% sure, I'm starting with an nmap scan.

Ports 22 and 80 are open, and the web server on port 80 is Apache. Judging by its title, the website is a photo blog, and that is going to be my starting point.
Another way to get valuable information about the system is to look at the HTTP headers returned by the server, using a tool called cURL.

In the example provided by PentesterLab, a tool called wfuzz is used to discover possible directories.
Another tool that does the same job is dirb, which is the one I'm going to use.

[Screenshot: website1]
[Screenshot: url1]
Following the rest of the links I get similar pages and a login page.
[Screenshot: url2]
This is obviously going to be my way in.
To get the content of the database, I’m going to exploit the vulnerability by hand first and later on with an automated tool called sqlmap.
[Screenshots: url3 to url8, manual SQL injection steps]
And there we have the username and password of the admin account.
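The query shape that makes this kind of extraction possible, next to the parameterized form that removes it, as an added Python example that is not the PentesterLab VM's code: the table name, the columns and the two rows are constructed for the demo, and the hash values are placeholders.

```python
import sqlite3

# Constructed sample table standing in for the photoblog's user table; the real
# schema of the VM is not shown on the page and the hashes are placeholders.
SAMPLE_USERS = [
    ("admin", "<hash placeholder 1>"),
    ("editor", "<hash placeholder 2>"),
]


def make_db():
    """In-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, login):
    """String concatenation: the user-supplied value becomes part of the SQL
    grammar, so a value containing a quote can change what the WHERE clause means."""
    query = "SELECT login, password FROM users WHERE login = '" + login + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, login):
    """Parameter binding: the value travels to the engine separately from the
    statement text and is only ever compared, never parsed as SQL."""
    query = "SELECT login, password FROM users WHERE login = ?"
    return conn.execute(query, (login,)).fetchall()


def demo():
    """Run both variants with a normal login and with a tautology string."""
    conn = make_db()
    tautology = "x' OR '1'='1"
    return {
        "normal": find_user_safe(conn, "admin"),
        # The concatenated query becomes ... WHERE login = 'x' OR '1'='1' and
        # returns every row, credentials included.
        "vulnerable_all_rows": find_user_vulnerable(conn, tautology),
        # The bound query compares the whole string literally and matches nothing.
        "safe_no_rows": find_user_safe(conn, tautology),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

Parameter binding is the fix; escaping or filtering the input on its own is not, because the value still ends up inside the SQL text that the engine parses.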
The password is hashed, so the first step is to crack the hash. It looks like an MD5 hash, and before I use a tool called John the Ripper, I'm going to search the internet first to see if someone already took the liberty of cracking this particular hash.

Nice. That saves me some time. This only worked because the hash was unsalted. If it had been salted, I would have had to brute-force it myself, which would take a whole lot of time on my laptop.
For educational purposes I created a hash file (containing only this hash) and a wordlist (containing only the right password), and I'm going to run John the Ripper against them.
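Why the online lookup worked, and what the application should have stored instead, as an added Python example that is not part of the exercise: the lookup table is a two-entry stand-in for a real hash-lookup service, and PBKDF2-HMAC-SHA256 with a random per-user salt is one reasonable storage choice, not something the page prescribes.

```python
import hashlib
import hmac
import os

# Constructed two-entry stand-in for an online MD5 lookup service. Because
# unsalted MD5 of a given password is always the same value, such a table
# can be built once and consulted for every leaked hash.
PRECOMPUTED_MD5 = {
    hashlib.md5(b"password").hexdigest(): "password",
    hashlib.md5(b"letmein").hexdigest(): "letmein",
}


def lookup_unsalted_md5(hex_digest):
    """Return the password behind an unsalted MD5 hash if the table knows it."""
    return PRECOMPUTED_MD5.get(hex_digest)


def store_password(password, salt=None, iterations=600_000):
    """Salted, iterated hash: the salt makes a precomputed table useless and the
    iteration count makes each guess expensive. The format is an assumption."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo():
    """Contrast the lookup-able unsalted hash with the salted stored form."""
    weak = hashlib.md5(b"password").hexdigest()
    stored_a = store_password("password")
    stored_b = store_password("password")
    return {
        "md5_lookup": lookup_unsalted_md5(weak),
        "salted_hashes_differ": stored_a != stored_b,
        "verify_ok": verify_password("password", stored_a),
        "verify_wrong": verify_password("Password", stored_a),
    }


if __name__ == "__main__":
    print(demo())
```

Two users with the same password get two different stored values, so a lookup table cannot be reused across them, and a dictionary run has to pay the full iteration cost for every guess against every user.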

Now for the automated way with sqlmap. In this scenario I'm again using the custom-made wordlist to speed things up.

Using a tool like sqlmap can save a lot of time.
Now to use the recovered credentials and log myself in.
In the admin section there is an option to manage the pictures and to upload a picture.
In this case, I'm going to upload a malicious file and try to get a reverse shell.
First off, I'm going to create a payload with msfvenom.

Next I'm going to upload it to the server. Unfortunately there is a small check and PHP files are not permitted.
Time to run Burp Suite and examine the data.

Because I don't know what kind of filter is implemented, I capture the POST request and send it to the Burp Suite Repeater. There I can change the data and test the results. After a while it turns out to be a simple extension filter. To bypass that filter I use the extension .php.qwerty: Apache doesn't know this extension, so it ignores it and handles the file according to the extension it does know, .php.
Once the PHP file is on the server, it's time to start a listener and execute the file by browsing to /admin/uploads/shell.php.qwerty
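The difference between a filter that only looks at the last extension and one that refuses multi-extension names outright, as an added Python example that is not the VM's upload handler: the allowed image extensions, the name pattern and the server-side renaming are assumptions chosen for the demo.

```python
import os
import re
import secrets

# What the naive filter on the page appears to check: only the final extension.
BLOCKED_LAST_EXTENSION = {".php"}

# Assumed allowlist for a photo blog upload form.
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def naive_filter_accepts(filename):
    """Mirrors the weak check: os.path.splitext only sees the last extension,
    so name.php.qwerty passes even though Apache will still run it as PHP."""
    return os.path.splitext(filename)[1].lower() not in BLOCKED_LAST_EXTENSION


def hardened_filter_accepts(filename):
    """Allowlist instead of denylist, and exactly one extension.

    Apache's mod_mime treats every dot-separated part as an extension, so any
    name with more than one dot is rejected rather than inspected piece by piece.
    """
    base = os.path.basename(filename)  # drop any client-supplied directory part
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False  # no extension, several extensions, or a dotfile like .htaccess
    name, ext = parts
    if ext not in ALLOWED_IMAGE_EXTENSIONS:
        return False
    # Conservative stem: letters, digits, underscore, dash; no spaces or shell metacharacters.
    return re.fullmatch(r"[a-z0-9_-]{1,64}", name) is not None


def server_side_name(original_filename):
    """Never reuse the client's name on disk: keep only the validated extension
    and generate the rest, so the stored path is not attacker-chosen."""
    if not hardened_filter_accepts(original_filename):
        raise ValueError("rejected upload name")
    ext = original_filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    for candidate in ["holiday.jpg", "shell.php", "shell.php.qwerty", ".htaccess"]:
        print(candidate, naive_filter_accepts(candidate), hardened_filter_accepts(candidate))
```

The name check is only one layer. The upload directory should additionally have script execution disabled (or sit outside the web root), and the content should be verified as an actual image, so that a file which slips past the name check still cannot be executed.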

On a real system the next step would be to try to escalate privileges, but in this case the final objective was to get a remote shell.