Module #9 Journal Entries - wAlber47/Tech-Journal GitHub Wiki

Page contains journal entries and troubleshooting steps for the labs and activities completed in this module.

SQLi Review

Exploiting Gloin

Our task for this lab is to exploit a new machine, named Gloin. Going in, we know nothing about the machine besides its name. The first thing to do in this case is to enumerate the IP address for the machine using a previously discovered DNS server.

[screenshot]

Now that we have this address, we can run Nmap scans on the machine to discover any services that the machine is running.

[screenshot]

Here we see that there are three services running on Gloin (SSH, HTTP, and MS-WBT-SERVER). Upon investigating these services, I discovered these findings:

  • SSH (OpenSSH for Windows_7.7): Typical SSH login session; will investigate further down the line once more information is discovered.
  • HTTP (Apache HTTPD 2.4.51): Navigating to https://10.0.5.31:80 loaded nothing.
  • MS-WBT-Server: Used for Windows Remote Desktop and Remote Assistance connections. Upon further investigation, it seems like there are vulnerabilities relating to this service, especially due to the fact that the SSH service is running on Windows 7.7, which is extremely outdated.

At this point, I had only tried connecting to the HTTP server on port 80 (not realizing it was running on port 443), which led me down a rabbit hole. I transferred all the random stuff I did to the end of the documentation. But here, I document my attempts at performing a SQL injection attack on Gloin.

  • HTTP (Apache HTTPD 2.4.51): Navigating to https://10.0.5.31:443/ loaded into a page asking for a reference exam.

Vulnerability: SQLi

I established the various URLs on Gloin to be:

  • 10.0.5.31/entrance_exam/login.php
  • 10.0.5.31/entrance_exam/admin/login.php

Once seeing both of these, I decided to focus my attack on the Admin version of the login page.

By inputting admin' or '1' = 1' with any password in the login screen, I was able to log in to the course page as the Administrator. This page gave me some more information, but I wasn't aware of anything of much importance coming from here.

I ran a few SQL injection attacks that allowed me to pull these results from the page:

[screenshot]

This allowed me to access the Online Entrance Exam System with Gloin's account. I was also able to access John D Smith's account. I couldn't find anything of value from this page.

Using a SQL injection found online, we were able to get the hash of the administrator password.

[screenshot]

When entering that into an online hash cracking site, we found the admin's password:

[screenshot]

User Flag

[screenshot]

Root Flag

[screenshot]

Other Attempts

From this point, the goal was to find a vulnerability that could be leveraged against the machine. To do this, I first attempted to use nmap -v --script vuln 10.0.5.31. This proved not to be useful, as the scan gave me no additional information about any vulnerabilities. However, while waiting for the scan to run, this OpenSSH 7.7 vulnerability was found. CVE-2018-15473 is a way to enumerate users on a system without having any access. With all this said, I installed the exploit script.

[screenshot]

I quickly ran into issues with this, but figured it was the script and not the vulnerability. Remembering searchsploit, I looked for OpenSSH 7.7 vulnerabilities this way. Most of the ones that I found kept giving me an error with paramiko, and nothing I did was able to correct it.

Mitigations

As an administrator for Gloin, you would want to sanitize user input as much as possible, for example by passing it to the database through parameterized queries rather than building the login query from the raw string, to prevent any SQL injections. Also, scrubbing some of the data that appears in the error messages could help deter attackers from gaining information about how the queries are built.
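To make the two mitigations above concrete, here is an added example (written for this journal page; it is not code from the Gloin machine or the entrance-exam application) that puts a login check built by string concatenation next to one that binds the input as a parameter and returns only a generic error. The users table, the stored-hash scheme, and the sample accounts are assumptions constructed for the demo; the bypass input is the same class of login-form input described above.

```python
"""Added example: SQL injection login bypass next to its hardened form.

Constructed for this journal page. The table layout, the SHA-256 stored
hashes and the sample accounts are assumptions for the demo only.
"""
import hashlib
import hmac
import sqlite3


def hash_password(password: str) -> str:
    # Assumption: stored hashes are plain SHA-256 hex digests so the demo
    # stays short. A real deployment would use a slow, salted scheme.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Create an in-memory user table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [
            ("admin", hash_password("correct horse")),   # constructed
            ("jsmith", hash_password("letmein")),        # constructed
        ],
    )
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> dict:
    """Build the query by concatenation: the username becomes SQL grammar.

    A username such as  admin' OR '1'='1  turns the WHERE clause into
    username = 'admin' OR ('1'='1' AND password_hash = '...'), which
    matches the admin row regardless of the password supplied.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password_hash = '" + hash_password(password) + "'"
    )
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error as exc:
        # Echoing the raw database error back to the browser tells the
        # attacker exactly how the query is constructed.
        return {"user": None, "error": f"SQL error: {exc}"}
    return {"user": row[0] if row else None, "error": None}


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> dict:
    """Parameterised query: the username is bound as data, never parsed as SQL."""
    try:
        row = conn.execute(
            "SELECT password_hash FROM users WHERE username = ?", (username,)
        ).fetchone()
    except sqlite3.Error:
        # Details belong in the server log; the client only sees a generic message.
        return {"user": None, "error": "Login failed"}
    if row is None or not hmac.compare_digest(row[0], hash_password(password)):
        # Same generic message whether the user is unknown or the password is wrong.
        return {"user": None, "error": "Login failed"}
    return {"user": username, "error": None}


if __name__ == "__main__":
    db = build_db()
    bypass = "admin' OR '1'='1"
    print("vulnerable:", vulnerable_login(db, bypass, "wrong"))
    print("safe      :", safe_login(db, bypass, "wrong"))
    print("safe, real:", safe_login(db, "admin", "correct horse"))
    print("vulnerable, bad quote:", vulnerable_login(db, "'", "x"))
```

Running the script shows the concatenated query logging the attacker in as admin with a wrong password and leaking an "unrecognized token" style error for a stray quote, while the parameterized version returns no user and the same "Login failed" text in both cases.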

Reflection