Hello friends!!
Today we are going to solve another CTF challenge, “From SQL injection to Shell
I”. This VM is developed by Pentester Lab. You can download it from here:
https://www.vulnhub.com/entry/pentester-lab-from-sql-injection-to-shell,80/
Install the ISO image in VMware and start it. The task
given in this lab is to gain access to the administration console and upload a PHP
webshell.
Level: Beginner
Penetrating Methodologies
· Network Scanning (Nmap)
· Vulnerable to Error-Based SQL Injection
· Exploiting SQL Injection (SQLMAP)
· Uploading Web shell
· Spawning Shell (Netcat)
Walkthrough
The target holds 192.168.1.103 as its network IP; now, using nmap, let's find the open ports.
nmap -A 192.168.1.103
Since the HTTP port is open, we explored the target IP in the
web browser and were welcomed by the My Awesome Photoblog web page. It contains some
tags: home; test; ruxcon; 2010; all pictures; admin. Click on test.
The above URL, http://192.168.1.103/cat.php?id=1, will run a
query for ID 1. Now let's find out whether this URL is vulnerable to
SQL injection by appending a single quote (') to the end of the URL:
http://192.168.1.103/cat.php?id=1'
sqlmap -u 192.168.1.103/cat.php?id=1 --dbs --batch
If you remember, the title of the web page was “An Awesome
Photoblog”, hence the name of the database should be photoblog.
Now let’s fetch all the data under the photoblog database through the
following command:
sqlmap -u 192.168.1.103/cat.php?id=1 -D photoblog --dump-all --batch
The first task was to gain access to the administration console,
for which we required the login and password of his account. Through the sqlmap
command we got the login as admin and the password as P4ssw0rd.
Congrats!!! The first task is completed.
Now the last task is to upload a PHP webshell. Under the
administration console you will see a link, Add a new picture, to upload an image to this web server. Click on Add a new picture to upload an image.
Traverse to the directory:
/usr/share/webshells/php/php-reverse-shell.php
Open it with a text editor, add the listening IP and port to get a reverse connection from the
victim’s machine, and save this file with the php extension. Then launch a netcat
listener on the listening port.
nc -lvp 1234
Then I uploaded our malicious PHP script.
It gives the error NO PHP!! It means there is some whitelist for
filtering the PHP/php extension.
Then I renamed the malicious script as shell.pHP and tried to upload it again.
Now you can see that a new row is added as shell, which
contains our backdoor shell.pHP. To execute the backdoor, click on shell and you will get a reverse connection at netcat.
Wonderful!!! We completed our last challenge as well; here we
have spawned the victim's web shell.
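From the defender's side, the upload step above succeeds because the extension check is case-sensitive. The following is an added example, not the lab application's source: the function names and the exact form of the weak check are assumptions, shown beside a hardened allow-list check that also inspects the file content.

```php
<?php
// Added illustration: hypothetical upload checks, not the lab application's code.

// Weak (assumed form): case-sensitive deny-list, so "shell.pHP" is accepted.
function weak_is_allowed(string $name): bool
{
    return !preg_match('/\.php$/', $name);
}

// Hardened: allow-list of image extensions compared in lower case,
// plus a check that the bytes really parse as an image of that type.
function hardened_is_allowed(string $name, string $tmpPath): bool
{
    $allowed = ['jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG,
                'png' => IMAGETYPE_PNG, 'gif' => IMAGETYPE_GIF];
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return false;
    }
    $info = @getimagesize($tmpPath);   // false when the content is not an image
    return $info !== false && $info[2] === $allowed[$ext];
}

// Store under a server-generated name so the client never chooses the extension.
function stored_name(string $name): string
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample uploads: file name => file content.
$samples = [
    'shell.php' => "<?php /* constructed placeholder */",
    'shell.pHP' => "<?php /* constructed placeholder */",
    'photo.gif' => "GIF89a" . pack('v2', 1, 1) . "\x00\x00\x00", // minimal GIF header
];
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    printf("%-10s weak=%-5s hardened=%-5s\n", $name,
        var_export(weak_is_allowed($name), true),
        var_export(hardened_is_allowed($name, $tmp), true));
    unlink($tmp);
}
```

Even with these checks in place, the upload directory should be configured so the web server never executes scripts from it.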