Injector Walkthrough Servmor Security
So today a friend of mine told me that a new organization called Servmor Security had started some virtual pentesting labs, and he wanted me to try tackling some of their machines, so I decided to give it a try. I started with a machine called Injector, and the name of the box is a great hint for how I did it: you exploit a SQL injection vulnerability in a web application and leverage it to dump a user's bcrypt [Blowfish 32/64 X3] hash, crack the hash with John the Ripper, and use the cracked password to log into the box via SSH. After logging in, you go through a bunch of database config files and find that the root password used for MySQL is also the root password of the box, so the same credentials get you root. This box clearly shows how horrible credential reuse is, since it makes any attacker's job easy. The box is best rated as easy since there are really no rabbit holes and everything is pretty straightforward. Without further ado, let's jump in.
As always we start off with an nmap scan of the box; this gives us a pretty good idea of the services running on it.
We find two open ports: SSH and HTTP. Since SSH requires credentials, I decided to enumerate HTTP first, since as always it has the biggest attack surface. On opening the web page we get a really nice site called Stack.
The web page looked like a content management system (CMS) to me. I decided to view the source of the page in case I got lucky and found some debug statements left by the author that could be useful in exploiting the box. I found a potential email left as a debug comment, and we also get a potential hostname for the box: servmorsecurity.com.
The email contains a username, which might be handy if we decide to brute-force any login pages on the site. Before doing any directory brute-forcing with gobuster, I clicked through the various links on the site, and Login brought me to a login page.
I tried default credentials like admin:admin and admin:password, but none of them worked. Remember that we found an admin's email in the source of the home page, so we could potentially brute-force the password, but I opted against it: account lockout policies are a thing these days on many web applications, so I decided that would be my last resort. Instead I registered as a normal user to interact with the application the way any other user would, hoping to find something interesting that would let me exploit the box.
So I registered on the site with the email hello@hello.com and the password hello
and logged into the application,
which really didn't have much information, so I clicked on MEMBER SEARCH, which brought me to a search bar that tells you whether a member exists on the web application or not.
So I decided to test whether the parameter had a SQL injection vulnerability, and voila, I hit the jackpot: the search parameter was SQL injectable.
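To show the defect class behind that member search, here is an added example (not code from the box or from Servmor Security) in Python with sqlite3: a search built by string concatenation beside the same search with a bound parameter. The member rows are constructed sample data, and the database error the concatenated form throws on a stray quote is exactly the signal error-based injection relies on.

```python
import sqlite3

# Constructed stand-in for the application's member table; not the box's real data.
MEMBERS = [("admin", "admin@example.test"),
           ("daniel", "daniel@example.test"),
           ("hello", "hello@hello.com")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory members table from the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", MEMBERS)
    return conn


def member_search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """Search by string concatenation: the term is pasted into the SQL text,
    so a quote in the input changes the statement itself. This is the defect
    class sqlmap reported on the box as error-based injection."""
    sql = "SELECT username FROM members WHERE username = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def member_search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Search with a bound parameter: the driver passes the term as data,
    so quotes and SQL keywords inside it are matched literally."""
    sql = "SELECT username FROM members WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


def quote_breaks_query(conn: sqlite3.Connection, term: str) -> bool:
    """True if the concatenated query fails to parse for this term. A database
    error leaking back to the user is the classic error-based indicator."""
    try:
        member_search_vulnerable(conn, term)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print(member_search_safe(db, "daniel"))   # ['daniel']
    print(quote_breaks_query(db, "dan'iel"))  # True: concatenated form throws a SQL error
    print(member_search_safe(db, "dan'iel"))  # []: bound form treats the quote as text
```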
So I decided to use sqlmap to dump the database, because sometimes you get lucky and find some credentials. I intercepted the request using Burp Suite,
copied the search request to a file, and pointed sqlmap at the saved request.
After a few minutes sqlmap found working payloads: both error-based injection and time-based blind injection worked.
The next logical thing to do was to dump all the database content with --dump; as I said earlier, we might be lucky and find some credentials.
After the dump completed, I found some bcrypt [Blowfish 32/64 X3] hashed credentials in the database.
Now it's time to get cracking. I used John the Ripper to crack those hashes, with rockyou as the wordlist.
Since bcrypt [Blowfish 32/64 X3] hashes take a long time to crack, I decided to start with Daniel's and admin's hashes.
After about 2 minutes I cracked Daniel's password, which was penguins. I decided to test whether credential reuse was happening on the box,
so I tried to SSH into the box with those credentials, and to my surprise it worked (so credential reuse was going on).
We have a shell on the box, and there is a flag called entry.txt; we can submit it and earn the points.
Now it's time for privilege escalation to gain root on the box. Before running linpeas (my favourite script for checking privilege escalation vectors on Linux), I decided to look for interesting files in /var/www/html and found a file called database.php that we had read access to.
Viewing the contents of the file gave me credentials for the MySQL server.
Since we had already figured out that credential reuse was going on, I tested whether that could also be root's password,
and to my surprise it was.
Now we are root on the box and can submit the root flag and earn the points.
And we are done. The box is a really nice one for beginners, and I hope you guys try the new site; I'll leave a link below if you want to check it out, but that's it for now, till next time, take care. If you liked the walkthrough you can clap for me down below.
I've just been informed that Servmor Security was doing a test run and the site is still not in production, which is why it doesn't work if anyone has tried accessing it. Sorry guys, we'll just have to be patient and wait for a release date.