OSCP PREPARATIONS – HTB Union

Union is a retired Linux machine on Hack The Box. Using its vulnerabilities, we are expected to obtain user and root access.
We start with an nmap network scan to get to know the target machine.
Classic Scan

Full Port Scan

As a result of the network scan, we found that port 80/tcp is open, running nginx 1.18.0 (Ubuntu).
We use the browser to enumerate this port.

We looked at the source code, the browser developer tools and Wappalyzer with no results, and started a gobuster scan to find hidden files and directories.

Gobuster scan

We didn't get much from the file and directory scan.
So let's enumerate the web application itself.
It looked like there was a query screen here; could there be SQL injection?

When we typed a name, it returned a message telling us we could join the challenge.
We tried SQL injection by typing ma' or 1=1;-- -

Here it returned ippsec as a user, so there really is SQL injection.
The requests were sent as POST requests, so let's intercept them with Burp Suite, save the POST request to a file and test it with sqlmap.

Here the reply was uhc@localhost. Let's get information about information_schema with the following query:
ma' union select group_concat(schema_name) from information_schema.schemata-- -

Here we have captured information about the databases.
The november db stands out: since we are asked for the november flags, they are most likely to be found in it.
' union select group_concat(table_name) from INFORMATION_SCHEMA.tables where table_schema='november';-- -

This gave us the flag and players tables; let's read the flag table.

Here the tables and their columns were found: flag:one, players:player.
Let's read the one column of the flag table.

We obtained the UHC{F1rst_5tep_2_Qualify} flag.
Let's enter the flag we obtained in the flag field.

It says that SSH access has been granted to our IP address.
Let's try to connect. We had found uhc@localhost earlier, so we tried SSH with that username, but it asked for a password and we couldn't log in. Therefore, let's try to read files using load_file() in SQL.
Let's now read the contents of the config.php and firewall.php files we found with gobuster, and read /etc/passwd to find the username.
' union select load_file('/var/www/html/index.php');-- -

Now we understand why sqlmap wasn't working 🙂

$username = "uhc";
$password = "uhc-11qual-global-pw";
We have found credentials.
firewall.php

/etc/passwd

We're now fairly sure the user is uhc.
Let's connect over SSH with this username and password.

We connected successfully and got our user flag. Since we do not have root privileges, we got a permission denied error.
Since we don't have root, we perform local enumeration.

Here, in firewall.php, the IP address is taken from HTTP_X_FORWARDED_FOR and passed to a command that runs with sudo. Let's intercept the request with Burp Suite and manipulate this header.
First we check whether we can run the ping command.

We ran the ping command and listened with tcpdump, and we got:
Then we inject the command that spawns a bash shell and get our shell.

We have obtained a shell as the www-data user, and with this level of access we cannot read the restricted root directory. Therefore, let's do local enumeration here.
With the sudo -l command we saw that we could run any command with sudo, so we ran bash with sudo; in this way we obtained the root access we wanted and captured the flag.
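As an added detection-side example (not part of the original walkthrough), the following Python flags the two request patterns this box allowed: UNION / information_schema / load_file() injection in the POST body, and an X-Forwarded-For value that is not a plain IP address, which firewall.php handed to a sudo'd command. The request events are constructed for the example; the application-side fixes are parameterized queries and never passing a header value to a shell.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Constructed sample events shaped like the walkthrough's traffic (not real logs): a normal
# lookup, a UNION read of information_schema, a load_file() read, an X-Forwarded-For value
# carrying a shell command, and a clean proxied request.
SAMPLE_EVENTS = [
    {"path": "/index.php", "body": "player=ippsec", "xff": "10.10.14.5"},
    {"path": "/index.php",
     "body": "player=ma%27+union+select+group_concat(schema_name)+from+information_schema.schemata--+-",
     "xff": "10.10.14.5"},
    {"path": "/index.php",
     "body": "player=%27+union+select+load_file(%27/var/www/html/index.php%27)--+-",
     "xff": "10.10.14.5"},
    {"path": "/firewall.php", "body": "ip=10.10.14.5",
     "xff": "10.10.14.5; ping -c 1 10.10.14.5"},
    {"path": "/firewall.php", "body": "ip=10.10.14.5", "xff": "203.0.113.7"},
]
# Signatures for the union-based enumeration the box allowed.
SQLI_PATTERNS = {
    "union-select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    "information_schema-read": re.compile(r"\binformation_schema\b", re.I),
    "load_file": re.compile(r"\bload_file\s*\(", re.I),
}

def xff_is_clean(value):
    """firewall.php trusted X-Forwarded-For as an address. A legitimate value is
    one or more comma-separated IPs; anything else (';', quotes, '$(') is suspect."""
    try:
        for part in value.split(","):
            ipaddress.ip_address(part.strip())
        return True
    except ValueError:
        return False

def classify(event):
    """Return the list of findings for one request event (empty if clean)."""
    findings = []
    body = unquote_plus(event.get("body", ""))  # decode before matching
    for name, pattern in SQLI_PATTERNS.items():
        if pattern.search(body):
            findings.append(name)
    xff = event.get("xff")
    if xff is not None and not xff_is_clean(xff):
        findings.append("xff-not-an-ip")
    return findings

def scan(events):
    # (path, findings) for every event that triggered at least one rule
    return [(e["path"], f) for e in events if (f := classify(e))]
```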