Exploit KB Vulnerable Web App 1 Write-Up

This post contains the steps to get a root shell on the Exploit KB Vulnerable Web App 1 VM.

This VM can be found here. Have a look there to find even more VMs.

Host discovery

First, we need to find where the machine is on our network. To do so, let's use Nmap with a ping scan (-sP is the legacy name of -sn: host discovery only, no port scan):

nmap -sP 192.168.1.1/24

Fingerprinting

After getting the IP address, we need to fingerprint the services it exposes. The -sV option probes each open port to identify the service and its version:

nmap -sV 192.168.1.23

Fig. Nmap scan result

As the scan shows, only two services were exposed on this host: SSH and Apache. I decided to use Nikto to scan the web server.

Here is the report:

Fig. Nikto report on port 80 (HTTP)

There were loads of interesting findings, but the most interesting were:

  • /database/
  • /admin/
  • and the website itself!

Let's exploit it!

Exploitation

First, directory listing was enabled on /database/, and it exposed an interesting backup: exploit.sql. This file contained credentials that were stored in plaintext, not hashed!

Fig. Directory Listing of /database/

Fig. SQL Backup: Exploit.sql

With those credentials, we were able to log in to the platform's admin panel.

Fig. Admin login page

Fig. Connected as ‘Admin’

While exploring the application, one URL stood out:

http://192.168.1.23/newspage.php?id=1

The id parameter looked like a candidate for SQL injection, so I used sqlmap to test and exploit it:

Fig. Dumping all databases through SQL Injection

Fig. Dumping all MySQL’s users/passwords, and cracking them

Thanks to this vulnerability, we were able to dump the entire database system (a MySQL backend). We also dumped the MySQL users' password hashes and cracked the root user's password, which was…: toor.

Those weak, re-used credentials also worked for the root account over SSH, which gave us root access. Password re-use between the database and the OS account is what turned a web application bug into a full compromise of the box.

Fig. Connecting through SSH with root's credentials

Fig. Cat /etc/shadow

A really easy VM, but an interesting one to practice on.

Hope you liked it! Cheers.