boot2root/CTF

Walkthrough for Pentester Lab: XSS and MySQL FILE

xss_and_mysql_file
DEF CON 22 is just a couple of short weeks away and there’s sure to be some CTF fun there, so there’s no better time to brush up on the basics. At Vulnhub, you’ll find a ton of boot2root challenges that cover a wide range of security vulnerabilities.

This challenge from the people at Pentester Labs is quite simple – based around cross-site scripting and using MYSQL write file permissions, the goal is to achieve remote code execution.

While the official write-up is detailed and somwhat elegant, we all approach these problems in different ways, and with different tools and techniques. Mine is dirty, but it gets the job done – and while we are going to achieve code execution as per the goal, we’re going to get our bonus points by escalating to root as well.

Let’s get started.

The VM is sitting at 192.168.20.227 so let’s see what services are available:

x1
Starting with HTTP:

x2
Looks like a basic blog, with a comment section and an admin portal. Clicking on the Admin link sends us to the login page, and we know this is a XSS challenge, so the obvious place to start is on the comments form which contains the fields Title, Author and Text. Going for the most basic of basic XSS tests, we pop <script>alert(‘XSS’)</script> straight into the Text field and get confirmation that the site is indeed vulnerable to XSS:

x3
The assumption here is that there is an administrator who at some point will review the posted comments on the site, and with a XSS vulnerability, we have a chance to steal his session cookie value and use it to log into the site as the admin.

So let’s grab that cookie. For this we’ll use some Javascript to run client-side in the victim’s browser, and some PHP code to grab the cookie value and store it in a variable.

First the PHP code:

x4
Let’s run a local web server to host this PHP an grab the cookie when the victim views our blog post. There are lots of ways to do this, here’s my way:

x7
Time to inject our XSS script using Javascript:

x8
Our code is injected, and we see our own cookie which is good news as confirmation. Soon thereafter, we grab the administrator’s session cookie as they view the post:x9
We can now import this cookie using whatever tool we feel like using (for me, it’s the Cookies Manager+ addon for Iceweasel) which allows us to cruise through into the admin area under a pre-authenticated session. Now we can create, edit or delete blog posts, but not much else. Clicking around the newly available links gives us some URLs referencing PHP objects – possible SQL injection. Injecting a single quote into the edit.php id function confirms this:
x10
We also get the document root path for the site too, which may come in handy. Time to fire up sqlmap and see whether it’s base scan gives us anything before moving on to manual probing:x11
No manual work required here – sqlmap has nailed it with a standard blind injection. So we now have access to the backend database and can start looking for things of interest like credentials. Rather than pick through each table one at a time, let’s dump the lot:x12
…and so on. We get a set of credentials for the admin user, which allow access to the blog admin page (which we already have anyway via our cookie theft), so that’s not particularly useful. The only other user hash found is for a system maintenance account which is unlikely to be easily crackable or useful. Moving on.

We want to upload a PHP shell and based on the description of this boot2root, it’s likely going to be possible via the FILE privilege inside mysql. We already know the document root, so let’s try to upload our PHP shell to the classes directory:

x13
No dice. We don’t have write privs for that directory. But using Burp’s spider function we’ve found another directory called css, so let’s try that one:

x14
No warning output from sqlmap, so let’s check to see if our PHP shell is now available…

x15
It is indeed, and we confirm code execution is possible, so we’ve met the requirements of the challenge! Now it’s time to earn our bonus points by getting root. Checking the local password file highlights a local account named user:

x16
Recalling our nmap scan at the beginning, we remember ssh is also running…and now we have a valid username. Let’s see if we can brute-force an SSH login for this account:

x17
Well it took a while, but we managed to brute-force our way in using the credentials user:live. So now that we have a shell on the box, let’s get on there and see what kinds of privileges we have:

az01

Interesting. The absence of an error message during validation suggests this user has sudo access…

az02

And there’s your root.A quick and easy boot2root – thanks to PentesterLab.com for putting it together and to the great VulnHub for hosting it.

sw1tch

1 Comment

  1. Tell me how you decided the cookie grab is of admin.normally application also setting the cookie.SO how you differentiate the cookies of user or admin.

Leave a Reply

Your email address will not be published. Required fields are marked *