Updated: May 25
In this article we are going to solve a very interesting challenge, Credit Card Scammers, from VulnHub. This is an intermediate-level machine, and we can download it from VulnHub.
IP of the target : 192.168.43.82
The first step is to find the open ports and the services running on the system, using nmap:
nmap -sC -sV -Pn 192.168.43.82
We start enumerating from port 80, as there was nothing much of use on the other ports.
We have a form to buy a product. We started by testing for SQL injection, which failed; OS command injection failed too, so finally we try an XSS attack. If we remember clearly, XSS can be used for session ID hijacking, and to do that we can use this payload.
So, to save time, we put this payload in every text box and started a listener on the specified port with sudo nc -nvlp 80 (port 80 in my case).
After submitting the form, this is what we got:
We have the PHPSESSID of a user (most probably the admin), and we also found a web page, /_admin/dist/index.php (no need for directory brute-forcing).
We visit this URL and capture the request with Burp Suite so that we can modify the packet and edit the cookie.
We modified the PHPSESSID and, after forwarding the request, we are inside the admin panel. After that we set the PHPSESSID in the browser's devtools so that we don't have to edit it again and again!
We can execute SQL queries here, so we tried a query along the lines of into outfile...... (the exact query is not given because it turned out to be of no use, but by checking the contents of /home/ we found the username, and that is useful for us).
Now we think of SQL injection here and tried it using sqlmap.
NOTE: I am not going to tell you the exact command for sqlmap; find it by yourself, and if you feel really stuck then contact me at firstname.lastname@example.org for a hint.
After a successful SQL injection attack we got some hashes, and cracking them gives us the password for the user moneygrabber.
After using the cracked password to connect over SSH, we are in as user moneygrabber.
Now we checked the user's privileges but got nothing, and then looked for SUID binaries using the command
find / -perm -u=s -type f 2>/dev/null
After inspecting it with the strings command, we found that the SUID binary /usr/bin/backup executes a shell script. We wrote the following into that script:
bash -c '/bin/bash'
then made it executable with chmod +x and ran the SUID binary /usr/bin/backup.
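From the defender's side, the root cause above is a SUID binary whose helper script can be supplied by an unprivileged user. The audit script below is an added example (not code from the box or its author); it lists SUID files, pulls the absolute paths embedded in each one (the same thing strings would show), and flags any path that is group/other-writable, or that is missing while its parent directory is writable. GNU/Linux userland (find, grep -a, ls) is assumed.

```shell
#!/bin/sh
# Audit for the privilege-escalation pattern in this write-up: a SUID binary
# that runs a helper script. If the script (or, when it is missing, the
# directory it would live in) is writable by group/others, any local user can
# supply the script and run code as the binary's owner. GNU/Linux userland
# (find, grep -a, ls) is assumed; this is illustrative code, not from the box.

# Absolute paths embedded in a file, a cheap stand-in for `strings | grep '^/'`.
embedded_paths() {
    grep -aoE '/[A-Za-z0-9_][A-Za-z0-9_./-]+' "$1" 2>/dev/null | sort -u
}

# Succeeds when someone other than the owner could control the file's content:
# the file is group/other-writable, or it does not exist but its directory is.
is_loosely_writable() {
    if [ -e "$1" ]; then target=$1; else target=$(dirname "$1"); fi
    [ -e "$target" ] || return 1
    mode=$(ls -ld "$target" | cut -c1-10)      # e.g. -rwxrwxr-x
    case "$mode" in
        ?????w*|????????w*) return 0 ;;        # group-write or other-write bit
    esac
    return 1
}

# Print a finding for every loosely writable path one binary references.
# Returns 0 when clean, 1 when at least one finding was printed.
check_binary() {
    bin=$1; found=0
    for p in $(embedded_paths "$bin"); do
        if is_loosely_writable "$p"; then
            printf 'FINDING: %s references %s\n' "$bin" "$p"
            found=1
        fi
    done
    return $found
}

# Run check_binary over every SUID file under a root (default /).
audit_suid_helpers() {
    rc=0
    for bin in $(find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null); do
        check_binary "$bin" || rc=1
    done
    return $rc
}
```

Running audit_suid_helpers as root on the box would have surfaced /usr/bin/backup and its script before a player did; the fix is to make the script root-owned and 0755 (or drop the SUID bit altogether).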
That completes our challenge: we read all 3 flags :)