You should check out the Seattle v0.3 CTF - it is another great VM, this time from GracefulSecurity. (I found it a few weeks ago on vulnhub.com and now it was time to do it.) It was again a great pleasure and a lot of fun. Thanks!
So, after a quick nmap...
... we can see that there is a nice WWW:
...and (as it looked like an e-commerce/shop, I was wondering if) there is "some kind of SQL Injection". Now, to be honest, I had one problem here with sqlmap. I couldn't run it against a normal URL; I mean it was possible (in my case) only when I started it like this: sqlmap -r req.txt --level 5 --risk 3. I decided to use sqlmap with the -r parameter, because I couldn't find a way to run it against any 'normal' (simple GET from CLI) request I found.
Full request (req.txt) looks like this:
Now we can be sure that this webpage is vulnerable:
Running sqlmap with --passwords param gives us:
Oh, how nice. :) But there is still no shell access (ssh), so let's find out what we can do now. I saw the 'My Account' page on our Seattle web server, so (as we already have access to the DB) I was wondering whether maybe there is some other (than root) account (and password), maybe e-commerce users...
Indeed, there is - admin's :)
Cool, checking:
Oh, thanks.
What's next? ;)
So level2 I will leave for you as an exercise. ;)