Simple CTF: From SQL Injection to Webshell

There is an interesting sample for practicing how to do a CTF (a simple one). It is a VM created by the PentesterLab team, and we can download it at the link. The VM is one of hundreds of exercises developed by PentesterLab as part of the White Badge. The White Badge is the easiest badge; it covers a wide range of web vulnerabilities to give people a view of what kind of issues can be found in a web application.
Let's start the exercise.
1. First, I install the VM in my VMware Workstation version 14 with bridged networking. Its IP is 192.168.211.111, and my attacking host is Kali Linux.
2. As the beginning of the pentest, I scan for open ports and the services behind them using nmap, like below:

3. As the nmap result above shows, the VM is running a web service. Let's check the login page "/admin/login.php" and test the field with the boolean-based injection payload 1' or '1'='1 like below:

Unfortunately, it does not return anything.

4. The boolean injection attempt failed, so let's find another way. If we look at the home page and open one sample page, http://192.168.211.111/cat.php?id=2, with a single quote appended to the end of the URL, it gives us a SQL error message like below:

5. Based on the error message above, the page has a SQL injection vulnerability. Let's use sqlmap to exploit it. Running the command sqlmap -u "http://192.168.211.111/cat.php?id=2'" --dbs gives a result like below:
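The error in step 4 comes from the id value being spliced straight into the SQL text. The following is an added example, not PentesterLab's code: it rebuilds that flaw against a constructed in-memory SQLite table (the table name, rows and function names are assumptions) and puts a parameterized version next to it. It goes slightly beyond the walkthrough by also showing why the same flaw lets a boolean payload return every row.

```python
"""Added example (not PentesterLab's code): why cat.php?id=2' errors out, and how
a validated, parameterized query closes the hole. The 'categories' table and its
rows are constructed stand-ins for the application's own data."""
import sqlite3


def make_db():
    """Build a throwaway database that plays the role of the photoblog backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO categories VALUES (?, ?)",
        [(1, "Ruxcon"), (2, "2010"), (3, "Hidden")],  # constructed sample rows
    )
    conn.commit()
    return conn


def vulnerable_lookup(conn, user_id):
    """Mirrors the flaw behind cat.php?id=...: the untrusted value becomes part of
    the SQL text, so a stray quote breaks the statement and 'or 1=1' rewrites it."""
    sql = "SELECT id, title FROM categories WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn, user_id):
    """Hardened form: reject anything that is not an integer, then bind the value
    as a parameter so the database never parses user input as SQL."""
    if not user_id.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT id, title FROM categories WHERE id = ?"
    return conn.execute(sql, (int(user_id),)).fetchall()


def probe(lookup, user_id):
    """Run one lookup and report either the rows or the error class, so the two
    implementations can be compared on the same input."""
    conn = make_db()
    try:
        return ("rows", lookup(conn, user_id))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    for payload in ("2", "2'", "2 or 1=1"):
        print(f"{payload!r:>12}  vulnerable={probe(vulnerable_lookup, payload)}"
              f"  safe={probe(safe_lookup, payload)}")
```

The trailing quote turns into a database syntax error in the vulnerable version, which is exactly the kind of message that tells an attacker (and sqlmap) the input reaches the query unescaped; the hardened version turns the same input into an application-level validation error and leaks nothing about the database.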

6. There are two databases; I choose photoblog in this section. Then extract all tables in that database with sqlmap -u "http://192.168.211.111/cat.php?id=2'" -D photoblog --tables.

7. Among the extracted tables above there is one interesting table: users. So let's dump the entire table with sqlmap -u "http://192.168.211.111/cat.php?id=2'" -D photoblog -T users --dump.

8. Everything is ours now: we can log in as admin using those credentials.

9. After we log in as admin, there is a new way to exploit the server: the "New picture" menu lets us upload a file, and we can use it to upload a web shell. Beforehand, I have to generate the webshell using Weevely. Weevely is a great tool for generating a shell payload and exploiting a server through it.

Then try to upload the webshell.

10. Nevertheless, the web application has a simple security check on uploads: it drops any .php file.

As a newbie pentester, I do not give up. Let's try changing the file extension to .php3 and uploading it again.

This time it uploads successfully. Open the uploaded file (the webshell) and copy its URL.

11. After that, let's set up a listener on our attacking machine, Kali Linux.

Finally, "London" has fallen to a simple webshell. Enjoy trying this walkthrough.
