Skip to main content

39 VM : HackDay: Albania

https://www.vulnhub.com/entry/hackday-albania,167/


Walkthru:

A. https://github.com/DavidBrosnan/Walkthroughs/wiki/Hackday-Albania [directory hopping using wfuzz, sql injection, sqlmap, file type restriction upload php reverse shell as jpg, msfvenom,meterpreter, no python 2.7 or gcc, password in config.php, mysql> prompt, outfile from mysql, writetable passwd file, adding a root user/pwd to passwd file]

B. http://security-geek.in/2017/02/08/vulnhub-hack-a-day-albania/ []

C. https://g0blin.co.uk/albania-vulnhub-writeup/ [dirsearch, sqlmap time based blind attack, why username field is susceptible to attack while password field isnt ,port forward in our meterpreter session]

Notes:


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Walkthru C..I note in Sqlmap that we were redirected to index.php when triggering the payload. Let's try entering the generated payload of username=test' RLIKE SLEEP(5)-- smYE as our username, and see why we're being redirected to index.php. Tried to login with it , and I was in

root@kali:~# sqlmap -u 192.168.110.101:8008/unisxcudkqjydw/vulnbank/client/login.php --data "username=test*&password=ing" --threads 10 --random-agent --risk 3 --level 5


root@kali:~# sqlmap -u 192.168.110.101:8008/unisxcudkqjydw/vulnbank/client/login.php --data "username=test*&password=ing" --threads 10 --random-agent --risk 3 --level 5 --technique T
T=time based blind attack 

Ok - obviously the login function must be defined in config.php, so let's see what we've got. I cat out the contents of config.php, and find the check_login function.
function check_login($username,$password){



    $username = str_ireplace("OR", "", $username);
    $username = str_ireplace("UNION", "", $username);
    $username = str_ireplace("AND", "", $username);
    $password = str_ireplace("'","",$password);
    $sql_query = "SELECT ID FROM klienti where `username` = '$username' and `password` = '$password';";
    $result = mysqli_fetch_assoc(execute_query($sql_query));
    $result = $result["ID"];
    if($result >= 1){
        return $result;
    }else{
        return -1;
        }


}
Ok - so we were unable to retrieve any data, because a number of key commands are stripped out. The reason that the username field is the only vulnerable parameter is because the ' character is stripped from the password field.

Comments

Post a Comment

Popular posts from this blog

VM 13 : Basic Pentest 1 csec

Notes: Walkthru: 1. https://medium.com/@evire/basic-pentesting-1-7251fb3e3f9e [ w/metasploi t using Wordpress t] 2. https://prasannakumar.in/infosec/vulnhub-basic-pentesting-1-writeup/ [ w/metasploit using ftp ] 3.  https://www.ceos3c.com/hacking/basic-pentesting-1-walkthrough/ [ by uploading php-reverse-shell in wordpress ] 4. http://k3ramas.blogspot.com/2018/02/basic-pentesting-1-walkthrough.html [  access wordpress config file to get pwd and access the DB ] 5.  https://cowsayroot.com/walkthrough-basic-pentesting-1/ [ Wpscan, ftp metasploit vulnerability, phpbash ] 6.   http://www.hackingarticles.in/hack-the-basic-penetration-vm-boot2root-challenge/    [use msfvenom to create  to create php shell to be uploaded in Wordpress ] 7.   https://d7x.promiselabs.net/2018/01/30/ctf-basic-pentesting-a-guide-for-beginners/ [adding command using using PHP] Notes:  Ports - 21...ProFTPD 1.3.3c - 22 openSSH 7.2p2 ubuntu ...
2 comments
Read more

VM 5: Vulnix :

Walkthru: A. https://mrh4sh.github.io/vulnix-solution [SMTP and Finger enumeration, creating linux user with specific UID, root squashing, ssh pwd cracking using medusa & hydra, logging using ssh keys, updating /usr/sbin/exportfs] B. http://overflowsecurity.com/hacklab-vulnix/ [ same as above. create ssh keys for root and copied to victim to login as root w/o recovering pwd] C. https://www.rebootuser.com/?p=988[ local bash shell from nfs] B. https://www.vulnhub.com/?q=vulnix&sort=date-des&type=vm [list of solutions] D. https://www.rebootuser.com/?p=988 [User Enumeration #1 – SMTP, Finger; Entry Point including hydra, Putty(using rlogin service), nfs (showmount,mount) ] Notes: - As you can see the root user is the only account which is logged on the remote  host.Now that we have a specific username we can use it in order to obtain more information about this user with the command  finger root@host . -  Another effective use of the finger...
Post a Comment
Read more

VM: pWnOS 2.0

Walkthru A. http://defsecurityjam.blogspot.co.uk/2015/07/pwnos-version-2-walkthrough.html [reading source page, Simple PHP Blog Perl exploit, Python revershell using oneliner, looking around ] b. https://blog.g0tmi1k.com/2012/09/pwnos-2-php-web-application/ [metasploit using PHP Blog exploit] c. http://netsec.ws/?p=430 [burpsuite, sql porxy] d. https://blog.g0tmi1k.com/2012/09/pwnos-2-sql-injection/ [sql injection, union. Very good explanation of the process of what is being done. Didnt try cmds] e. https://www.youtube.com/watch?v=ytzZfI27ueU [sql injection, sqlmap read file and upload reverse shell using sqlmap] f. https://ub3rsec.github.io/pages/2016/pwnosv2-sqli.html [sql injection, union using burp Very good . It list all email field that we are passing and modifying thru burp suite/proxy/intercept. One could enter those union statements in the email field but in this case, the field truncates and remove the later part of union statment which is why we...
Post a Comment
Read more