Revenge (SQLi + sudoedit .service config)

GOAL: Is to deface the front page.

#1 FLAG 1

PORT SCAN

RUNNING GOBUSTER ON PORT 80

Go buster was not showing me one file name app.py when i searched the source code and tried other dir bruteforcer then they showed up the file named app.py.

Contents of app.py

Route to /products/<product_id> is vulenrable to sql injection as the untrusted data <product_id> is directly passed to the sql query.

RUNNING SQLMAP

ENUMERATION DATABASES

Database duckyinc looks interesting.

ENUMERATING TABLES

DUMPING ALL DATA FROM A DATABASE

Here you’ll get the first flag.

#2 FLAG 2

OBTAINED USERNAMES AND HASHES

There is one hash that is uniques that is starting with $2a$08$ and username server-admin for the same.

CRACKING HASH WITH HASHCAT

My hashcat was not running properly so it took my time. This image is from another writeup.

These cracked credentials are access to SSH.

LOGGING AS USER SERVER-ADMIN

READING SECOND FLAG

#3 FLAG 3

PRIVILEGE ESCALATION

sudo -l

Looks like we can change the configuration file for service duckyinc and reload the daemon after changing the file and can enable and restart the service as root. So, lets try and get a shell as root.

shell.sh

I created a shell.sh file on holder /home/server-admin which we will execute when the duckyinc service restarts

Changing the file /etc/systemd/system/duckyinc.service

CURRENT CONTENT OF THE FILE

CHANGED CONTENT

RESTARTING THE SERVICE

Checking /tmp/

And the file is created with SUID bit set.

GETTING A ROOT SHELL

GETTING THE FINAL FLAG

There was no final flag on the usual place. Our goal was to deface the website so lets change the content of the hompage.

CHANGING INDEX.HTML

And now if we check the /root, we have a new file.

CHECKING ROOT DIRECTORY

As you can see, we can now able to see the flag3.

READING THE FLAG

HOORAY!! SUBMIT THE FLAGS AND ENJOY!!