OSCP Capstone Lab Writeup - SQLi Module - Alvida-Eatery


Website Content Analysis:

  • Accessed the website (http://192.168.139.47:80)

  • Displays bakery goods and coffee products

  • Static content only

  • No interactive elements found:

    • No search functionality

    • No login forms

    • No input fields

Initial Assessment:

  • Limited attack surface due to lack of user input fields

  • Traditional injection techniques not immediately applicable

  • Need to explore alternative entry points

Further Website Exploration:

  • Located and clicked on the alvida-eatery.org link within the main website:
    http://www6.alvida-eatery.org/lander?template=ARROW_3&tdfs=0&s_token=1731789108.0467710000&uuid=1731789108.0467710000&term=Caterer%20Menu&term=Lunch%20Catering&term=Restaurant%20Table%20Reservations%20Online&searchbox=0&showDomain=0&backfill=0

Initial Attack Attempts:

  • Attempted SQLMap injection on the URL parameters, targeting the 'uuid' parameter

  • Result: 403 Forbidden error received

Hint Analysis:

  • Hint suggests binding the IP address to the website domain

  • This indicates a potential DNS/hosts file configuration requirement



Host File Configuration:

  • Updated the /etc/hosts file to bind the target IP (192.168.139.47) to the alvida-eatery.org domain


Post-Configuration Testing:

YES! After the hosts file update the website was transformed: a juicy search functionality appeared (potential SQLi goldmine!)
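Why one line in /etc/hosts changes the site is worth seeing concretely. The browser resolves the name (hosts file first, then DNS), connects to the IP, and still sends the name in the HTTP Host header; a name-based virtual host chooses the site from that header, so the same IP answers differently to "192.168.139.47" and "alvida-eatery.org". The following is an added simulation, not code from the write-up or the lab: the vhost table, page bodies and hosts-file contents are constructed, and no network traffic is involved.

```python
"""Added example (not from the write-up): name-based virtual hosting keyed
on the Host header, and how an /etc/hosts entry steers a browser to it.
Everything here is a constructed simulation; no sockets are opened."""
import re

# Constructed vhost table for the lab IP: only the named site carries a search form.
VHOSTS = {
    "192.168.139.47": {
        "alvida-eatery.org": "<form action='/'><input name='s' placeholder='Search'></form>",
    }
}
DEFAULT_SITE = "<p>Bakery goods and coffee products. Static page, no forms.</p>"

# Constructed hosts files: before and after the line the write-up adds.
HOSTS_BEFORE = "127.0.0.1 localhost\n"
HOSTS_AFTER = HOSTS_BEFORE + "192.168.139.47 alvida-eatery.org\n"


def resolve(name, hosts_text):
    """Minimal hosts-file lookup: IP literals pass through, first matching line wins.
    Returns None when the name is not in the file (a real resolver would then try DNS;
    for the lab name that is where the parked www6 lander came from)."""
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", name):
        return name
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and name.lower() in [f.lower() for f in fields[1:]]:
            return fields[0]
    return None


def build_request(name, path="/"):
    """What a browser sends after resolving `name`: Host carries the name, not the IP."""
    return f"GET {path} HTTP/1.1\r\nHost: {name}\r\n\r\n"


def serve(ip, raw_request):
    """Virtual-host dispatch: pick the site from the Host header, fall back to the default."""
    m = re.search(r"^Host:\s*([^\r\n:]+)", raw_request, re.M | re.I)
    host = m.group(1).strip().lower() if m else ""
    return VHOSTS.get(ip, {}).get(host, DEFAULT_SITE)


def browse(name, hosts_text):
    """Resolve, connect (simulated), request; return the page body."""
    ip = resolve(name, hosts_text)
    if ip is None:
        raise LookupError(f"{name} does not resolve via the hosts file")
    return serve(ip, build_request(name))


def has_search_form(name, hosts_text):
    return "name='s'" in browse(name, hosts_text)


if __name__ == "__main__":
    print("by IP, before :", has_search_form("192.168.139.47", HOSTS_BEFORE))   # False
    print("by name, after:", has_search_form("alvida-eatery.org", HOSTS_AFTER))  # True
```

The same observation is why, during an assessment, a target IP should also be requested with every hostname you know for it (and, on the defensive side, why a default virtual host that serves nothing useful is a sensible setting).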

SQLi Attempt Analysis (can be ignored):

  • Eagerly launched SQLMap against the search box parameter:

  • Ugh, hit with a 403 Forbidden error (so close!)

  • No SQL injection vectors found (disappointing but won't give up!)

  • Determined to find a way in, I tried more parameters:

  • The 'cat' parameter looked promising...but no luck

  • 'page_id' parameter was another dead end

  • Frustrating results, but each failed attempt brings me closer to success

Source Code Analysis

WordPress Discovery and Exploitation:

  • Checking the page source, I spotted WordPress signatures.

Treasure Hunting

Then I ran wpscan against the website and found some plugins on it.

  • With renewed energy, I launched a targeted sqlmap scan against WordPress admin-ajax.php:

    sqlmap -u "http://alvida-eatery.org/wp-admin/admin-ajax.php?action=get_question&question_id=1" -p 'question_id' -D wordpress -T wp_users --dump --technique=T --flush-session --ignore-code=404 --level=5 --risk=3

  • The anticipation was killing me during the long SQLMap runs...

  • JACKPOT! 🎉 Successfully extracted user credentials:

  • Username: admin

  • Password hash: [redacted WordPress hash with salt]
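The defect class behind a dumpable `question_id` is a handler that splices the request parameter straight into SQL. The following is an added example, not the plugin's or WordPress's code: it simulates the pattern with sqlite3, using a constructed table, and sets the vulnerable handler beside a bound-parameter version and a version that also validates the type. sqlite3 has no SLEEP(), so the time-based probing sqlmap used above (`--technique=T`) is not reproduced here; the root cause and the fix are the same.

```python
"""Added example (not the plugin's or WordPress's code): string-spliced SQL
versus parameter binding for an integer id parameter.  Table and rows are
constructed for the demo."""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE questions (id INTEGER PRIMARY KEY, text TEXT);
        INSERT INTO questions VALUES (1, 'How was your lunch?');
        INSERT INTO questions VALUES (2, 'Would you recommend us?');
        INSERT INTO questions VALUES (3, 'Staff-only: kitchen audit');
    """)
    return db


def get_question_vulnerable(db, question_id):
    # The request parameter becomes SQL syntax, so it can widen the WHERE
    # clause; with UNION or timing tricks it can read other tables too.
    sql = "SELECT id, text FROM questions WHERE id = " + str(question_id)
    return db.execute(sql).fetchall()


def get_question_bound(db, question_id):
    # Parameter binding: the value travels separately from the statement, so
    # the whole string is compared as data and never parsed as SQL.
    return db.execute("SELECT id, text FROM questions WHERE id = ?",
                      (question_id,)).fetchall()


def get_question_hardened(db, question_id):
    # Defence in depth: reject anything that is not an integer id before it
    # reaches the database, then bind.
    try:
        qid = int(question_id)
    except (TypeError, ValueError):
        return []
    return get_question_bound(db, qid)


if __name__ == "__main__":
    db = make_db()
    payload = "1 OR 1=1"  # constructed boolean payload of the kind sqlmap automates
    print(get_question_vulnerable(db, payload))  # all three rows
    print(get_question_bound(db, payload))       # []
    print(get_question_hardened(db, payload))    # []
    print(get_question_hardened(db, "2"))        # [(2, 'Would you recommend us?')]
```

In WordPress the equivalent fix is `$wpdb->prepare( 'SELECT ... WHERE id = %d', $question_id )`, which both casts the value to an integer and binds it; a plugin that builds the query with string concatenation and `$_GET['question_id']` is the shape to look for in code review.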



  • Hands trembling with excitement, I fired up John the Ripper:

    john --wordlist=/usr/share/wordlists/rockyou.txt wp_hash.txt

  • YES! YES! YES! Password cracked successfully!

  • That moment when the hash finally cracked - pure penetration testing euphoria! 🚀
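From the blue-team side, the sqlmap run above leaves a recognisable trail in the web server log: time-based or boolean payloads in a query parameter, sqlmap's default User-Agent unless it was changed, a burst of requests from one client to one endpoint, and (as seen earlier in this write-up) WAF 403s interleaved with successes. The following is an added detector, not from the write-up: it parses Apache combined-format lines and flags those signals. The log lines are constructed for the demo, and the User-Agent string is a constructed stand-in for sqlmap's default.

```python
"""Added example (not from the write-up): flag sqlmap-style SQLi probing of
admin-ajax.php in Apache combined-format logs.  All log lines are constructed."""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Time-based blind markers (sqlmap --technique=T) plus common boolean/union shapes.
SQLI_RE = re.compile(
    r"\b(?:sleep|benchmark)\s*\(|\bwaitfor\s+delay\b|\bunion\s+(?:all\s+)?select\b|"
    r"\b(?:and|or)\s+\d+\s*=\s*\d+\b",
    re.I,
)

# Constructed sample: one client probing admin-ajax.php, one benign visitor.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Nov/2024:20:31:48 +0000] "GET /wp-admin/admin-ajax.php?action=get_question&question_id=1 HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [16/Nov/2024:20:31:49 +0000] "GET /wp-admin/admin-ajax.php?action=get_question&question_id=1%20AND%20SLEEP(5) HTTP/1.1" 200 312 "-" "sqlmap/1.8#stable (https://sqlmap.org)"',
    '10.0.0.5 - - [16/Nov/2024:20:31:49 +0000] "GET /wp-admin/admin-ajax.php?action=get_question&question_id=1%2520AND%2520SLEEP%25285%2529 HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [16/Nov/2024:20:31:50 +0000] "GET /wp-admin/admin-ajax.php?action=get_question&question_id=1%20AND%201=1 HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [16/Nov/2024:20:31:51 +0000] "GET /wp-admin/admin-ajax.php?action=get_question&question_id=1 HTTP/1.1" 200 312 "-" "sqlmap/1.8#stable (https://sqlmap.org)"',
    '10.0.0.9 - - [16/Nov/2024:20:32:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Split a combined-format line into fields; return None for unparseable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl decodes once; unquote again so double-encoded payloads (a common
    # WAF-evasion tamper) are inspected in their decoded form.
    rec["params"] = [(k, unquote(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return rec


def suspicious_params(rec):
    return [k for k, v in rec["params"] if SQLI_RE.search(v)]


def analyse(lines, burst_threshold=5):
    """Return (findings, bursts): per-line reasons, and (ip, path) pairs hit at
    least `burst_threshold` times in the window the lines cover."""
    findings, per_endpoint = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_endpoint[(rec["ip"], rec["path"])] += 1
        reasons = []
        if "sqlmap" in rec["ua"].lower():
            reasons.append("sqlmap user-agent")
        bad = suspicious_params(rec)
        if bad:
            reasons.append("sqli pattern in " + ",".join(bad))
        if reasons:
            findings.append((rec["ip"], rec["path"], rec["status"], reasons))
    bursts = [(key, n) for key, n in per_endpoint.items() if n >= burst_threshold]
    return findings, bursts


if __name__ == "__main__":
    found, bursts = analyse(SAMPLE_LOG)
    for f in found:
        print(f)
    print("bursts:", bursts)
```

The User-Agent check is the weakest signal (sqlmap's `--random-agent` removes it); the parameter pattern and the per-endpoint burst survive that, and a 403 on a decoded payload followed by a 200 on a re-encoded one is the WAF-bypass sequence worth alerting on.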



After successfully logging in with the cracked credentials, I accessed the WordPress admin dashboard - a whole new world of possibilities!



With methodical precision, I conducted thorough reconnaissance of the admin interface while researching WordPress vulnerabilities. A promising attack vector emerged: the plugin upload functionality could potentially be leveraged for a reverse shell. The anticipation built as I formulated my plan.

Reverse shell

Working carefully, I crafted a PHP reverse shell, packaged it into a ZIP file, and attempted to upload it as a plugin. While I could see it in the uploads section, the system required admin approval via email verification - a potential roadblock.

Undeterred, I attempted to modify the admin email to my own address to intercept the verification, but despite multiple attempts and checking both inbox and spam folders, no verification email arrived. A setback, but not the end of the road.



During my exploration of the WordPress plugins, my eyes lit up when I discovered several inactive plugins - a potential goldmine for exploitation! With calculated precision, I initially targeted the inactive Akismet plugin, attempting to modify it for a reverse shell.

However, access was denied with a forbidden error.



Then, I devised a new strategy. Noticing that active plugins were locked down, I methodically deactivated the Perfect Survey plugin, modified its code to include my reverse shell payload, and reactivated it. The moment of truth came when I tested it - success! My pulse quickened as the reverse shell connection established.


With growing excitement but maintaining professional focus, I began enumerating the system. A quick 'ls' command revealed the website directory structure. Following my instincts, I traversed up the directory tree using 'ls ../../../' and discovered additional files.

My persistence paid off when I spotted flag.txt at the bottom of the listing. With steady hands, I executed 'cat flag.txt' and there it was - mission accomplished!
