Command Injection in web app with cat command disabled.
Nmap Scan
root@kali:~# nmap -sC -sV -O -T4 10.10.202.157Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-04 01:07 ESTNmap scan report for 10.10.202.157Host is up (0.36s latency).Not shown: 998 closed portsPORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)| ssh-hostkey:| 2048 5e:f6:90:db:53:33:48:65:85:58:47:38:e1:b1:3e:92 (RSA)| 256 1c:42:c6:81:88:0d:cb:4a:99:1f:60:58:65:9a:55:ee (ECDSA)|_ 256 c9:e8:9e:19:f8:c2:97:1a:4a:f7:df:18:27:45:b6:89 (ED25519)80/tcp open http Apache httpd 2.4.18 ((Ubuntu))|_http-server-header: Apache/2.4.18 (Ubuntu)|_http-title: Rick is sup4r coolNo exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).TCP/IP fingerprint:OS:SCAN(V=7.80%E=4%D=1/4%OT=22%CT=1%CU=43191%PV=Y%DS=4%DC=I%G=Y%TM=5FF2B108OS:%P=x86_64-pc-linux-gnu)SEQ(SP=F8%GCD=1%ISR=10F%TI=Z%CI=I%II=I%TS=8)SEQ(SOS:P=F5%GCD=1%ISR=10E%TI=Z%CI=I%TS=8)SEQ(SP=FB%GCD=1%ISR=10E%TI=Z%II=I%TS=8…
Nmap, gobuster, base64 decoder,sort,uniq,burpsuite, turbointruder, php reverseshell, netcat,crackstation,find,gtfobin
Nmap
kali@kali:~$ sudo nmap -sC -sV -O 10.10.151.156
[sudo] password for kali:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-26 22:48 EST
Nmap scan report for 10.10.151.156
Host is up (0.35s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
Device type: general purpose|specialized|storage-misc|WAP|printer
Running (JUST GUESSING): Linux 3.X|4.X|2.6.X|2.4.X (90%), Crestron 2-Series (89%), HP embedded (89%), Asus embedded (88%)
OS CPE…This will be a write up on a PwnTillDawn Online Battlefield box — Stuntman Mike. Please check out the following links to find out more on PwnTIllDawn Online Battlefield.
Nmap Scan
kali@kali:~$ sudo nmap -sC -sV -O 10.150.150.166Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-22 01:31 ESTNmap scan report for 10.150.150.166Host is up (0.20s latency).Not shown: 998 closed portsPORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 7.6p1 (protocol 2.0)| ssh-hostkey:| 2048 b7:9e:99:ed:7e:e0:d5:83:ad:c9:ba:7c:f1:bc:44:06 (RSA)| 256 7e:53:59:7b:2d:6c:3b:d7:21:28:cb:cb:78:af:99:78 (ECDSA)|_ 256 c5:d2:2d:04:f9:69:40:4c:15:34:36:fe:83:1f:f3:44 (ED25519)8089/tcp open ssl/http Splunkd httpd| http-robots.txt: 1 disallowed entry|_/|_http-server-header: Splunkd|_http-title…
Nmap
kali@kali:~$ sudo nmap -T4 -A 10.10.88.51
[sudo] password for kali:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-24 05:26 EST
Nmap scan report for 10.10.88.51
Host is up (0.35s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 1d:8f:d6:43:74:50:e4:6f:cb:bc:6c:f8:75:ff:9e:c9 (RSA)
| 256 bc:82:77:00:d3:1f:69:c5:e5:22:c5:f1:2a:53:b5:41 (ECDSA)
|_ 256 aa:77:05:57:bd:63:82:fc:77:8e:fa:e3:97:d9:d5:16 (ED25519)
80/tcp open http Node.js Express framework
| http-title: Hydra Challenge
|_Requested resource was /login
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=11/24%OT=22%CT=1%CU=39163%PV=Y%DS=4%DC=T%G=Y%TM=5FBCE0 …Nmap
kali@kali:~$ sudo nmap -sC -sV -O 10.10.133.102
[sudo] password for kali:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-22 02:41 EST
Nmap scan report for 10.10.133.102
Host is up (0.35s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: WIN-LU09299160F
| NetBIOS_Domain_Name: WIN-LU09299160F
| NetBIOS_Computer_Name: WIN-LU09299160F
| DNS_Domain_Name: WIN-LU09299160F
| DNS_Computer_Name: WIN-LU09299160F
| Product_Version…Nmap, gobuster, php reverseshell, netcat, burpsuite, find,gtfobins
Nmap
kali@kali:~$ sudo nmap -T4 -A 10.10.216.110
[sudo] password for kali:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-22 05:00 EST
Nmap scan report for 10.10.216.110
Host is up (0.41s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
| 256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_ 256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title…This lab contains an SQL injection vulnerability in the login function.
To solve the lab, perform an SQL injection attack that logs in to the application as the
administratoruser.
Head over to the login page.
When we input a username and password, the query string will look like:
SELECT * FROM users WHERE username = ‘administrator’ AND password = ‘password’I input a single quote in the username and login (same with password). Both result in an internal server error, which shows that it might be vulnerable to SQL injection.
This lab contains an SQL injection vulnerability in the product category filter. When the user selects a category, the application carries out an SQL query like the following:
SELECT * FROM products WHERE category = ‘Gifts’ AND released = 1
To solve the lab, perform an SQL injection attack that causes the application to display details of all products in any category, both released and unreleased.
First, let’s click on a category.
After clicking on the corporate gifts category, the URL shows:
https://ac321f581f89aa2e808a3eb200d10094.web-security-academy.net/filter?category=Corporate+giftsNotice the bold words, which are the query string.
The application will make a SQL query to…
Nmap Scan
ali@kali:~$ nmap -T4 -sC -sV 10.10.132.197
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-17 08:25 EST
Stats: 0:02:31 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.61% done; ETC: 08:28 (0:00:01 remaining)
Nmap scan report for 10.10.132.197
Host is up (0.37s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2020-11-17T13:27:15+00:00; +1s from scanner time. …Nmap scan
kali@kali:~$ nmap -T4 -sC -sV 10.10.218.181
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-18 02:00 EST
Nmap scan report for 10.10.218.181
Host is up (0.35s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open tcpwrapped
|_ssl-date: 2020-11-18T07:02:03+00:00; +1s from scanner time.
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
8000/tcp open http Icecast streaming media server
|_http-title: Site doesn't have a title (text/html). …
Yikai
Started my journey in cybersecurity on September 2020. This blog is used mainly to record my learning journey.
