In this article we are going to solve another CTF challenge . This Machine is also intended for beginners . In this Challenge we will learn about some web based vulnerability.
We can download this machine from vulnhub website.
As we know our first step is to find the IP address of the target and for that we run the command: netdiscover -i wlan0
Now we will use nmap to check for the open ports . command used : nmap -A 192.168.43.126
We can see in the above image that 4 ports are open and these are : 22(SSH),25(SMTP),80(HTTP) and 631(ipp) .
So first of all lets browse the HTTP service so we open our browser and type in the IP address of our targeted machine.
So we start exploring the Blog page ,click on any of the blog and then check the URL.
Now if we change Blog&id=2 to Blog&id=1 or Blog&id=5 then we are able to read other blogs very easily and what if we change it to Blog&id=5' then it gives us an error and it clearly indicates that this is SQL injection.
After this we are going to use a tool sqlmap. This is a tool which comes preinstalled in the Kali Linux, this tool is used to perform SQL injection and with the help of this tool we can fetch all the Data.
So for that we used the command : sqlmap --url "192.168.43.126/index.html?page=blog&title=Blog&id=5" --dbs
--url specifies the URL
--dbs means Enumerate DBMS databases
So we have 6 different databases but database name ehks looks a little bit strange so we decided to find tables present in this database by using the command : sqlmap --url "192.168.43.126/index.html?page=blog&title=Blog&id=5" -D ehks --tables
-D specifies the Database to enumerate
--tables means Enumerate DBMS database tables
so now we are going to find all the data of the table user using the command :
sqlmap --url "192.168.43.126/index.html?page=blog&title=Blog&id=5" -D ehks -T user --dump
-T specifies the DB the table to enumerate.
--dump Dump DBMS database table entries
So now we have user_name and their password and we can use these credentials to connect to SSH Server by using the command : ssh email@example.com
Now first of let's check for the user privileges by using the command : sudo -l
it means we can run any command ,then we should we able to change the password for the root user by using the command : sudo passwd root
password changed successfully for root user, so by using the command su root we can get access to the root user's shell.
Done!! we are root user now and that completes our challenge successfully.