Exploiting Gloin - samuel-richardson/Sam-Tech-Journal GitHub Wiki

Recon

Gloin IP

  • Obtained the Gloin IP address using nslookup against the DNS server at 10.0.5.22.

Gloin nmap

  • Running an nmap scan on Gloin to find open ports and candidate services to attack.

  • Open ports on Gloin are 22 (ssh), 443 (https), and 3389 (rdp).

  • Based on initial research, the web application hosted on 443 is the most likely point of entry.

Gaining Access

Discovered vulnerability

  • The initial login page, login.php, is vulnerable to SQL injection via the built-in login form.
  • Injecting into the username field bypasses authentication and gives access to the page behind the login form.

Getting a foot Hold

  • After bypassing authentication, I inspected the HTML of the new page, which revealed more PHP inputs.
  • Using those arguments, I went to the page they pointed to.
  • On this page I was able to use union injection on the id field. After determining the number of columns with ORDER BY, I checked which columns were reflected in the page, revealing that the second column would output.
  • Now I can read the database with this method. Below is the dump of the table names.
  • This shows the admin_list table, which is interesting. Below are the columns of admin_list.
  • Using this information I can now read the username, fullname, and password columns of the table. This is shown below.
    • username
    • fullname
    • password
  • The password looks like a hash. Googling the hash format (32 hex characters) suggests it is likely an MD5 hash. I then used hashcat in MD5 mode (-m 0) with rockyou to crack the hash: hashcat -m 0 "4214db3884e9cd913b49b5b44e49ae96" rockyou.txt

Root Compromise

  • After obtaining the admin username and password from the DB, I tried to use these credentials to log in to Gloin over RDP.
  • Using the username Administrator and the password Moira2Featon6, I was able to gain access using RDP.
  • With Administrator access I can now retrieve the user and root flags.

User Flag

Root Flag

How might these vulnerabilities be mitigated

  • To prevent SQL injection, the application should use prepared statements (parameterised queries) for every query that touches user input, validate parameter types server-side (the exam id should only ever be an integer), and run the database account with least privilege so that a successful injection cannot read tables such as admin_list or write to the database.
  • Password hashes should not be unsalted MD5, which rockyou cracks in seconds; a salted, slow hash (bcrypt, scrypt, Argon2 or PBKDF2) would have stopped the hash from turning into a usable password.
  • To prevent the pivot to the host, the administrator should not reuse the password stored in the web application's database for the Windows Administrator account, and RDP should not be exposed with a shared password.

Reflection

While exploiting the target, I ran into some issues and wasted some time when exploitations weren't possible. At first, I tried to use union injection on the login.php page. However, I was unsuccessful because only the last column displayed output, and it was less convenient because I had to log out to retry an injection. Eventually, I decided to try and exploit the second page, which took me some time to find the page it links to in the HTML. After accessing the take exam area, I was able to start using union injection. I did have some trouble as I had to research the commands on how to do this using SQLite vs MySQL. Thankfully this was easy and I could see the errors being thrown by my request. After getting the password and username, I had not realized that the password was a hash initially. After returning to the project a little later, I realized it might be a hash and, after cracking it, I was able to log in as the Administrator user.