Hello injectors, this is our first write-up. This exercise explains how you can perform a SQL injection to gain access to the administration console, and then how you can run commands on the system from that console via a shell. The exercise is easy/beginner level, so it will only take 5 to 10 minutes to solve the box.

So, let’s start with the first step: booting up the virtual machine.

Booting screen

After booting the virtual machine on a NAT network, check whether it is communicating with other machines using netdiscover.

netdiscover -r 192.168.234.0/24

This will give you the following result.

MAC address

For this beginner-level machine, this much information is enough for further exploitation. Let's look at the web application available at http://192.168.234.130, which we expect to be vulnerable to SQL injection, since the machine itself is named SQLi to Shell.

Vulnerable Page

After injecting the database, we’ve got the credential in MD5 hash format, so let's crack it with Findmyhash. The Findmyhash script tries to crack different types of hashes using free online services.

findmyhash MD5 -h 8efe310f9ab3efeae8d410a8e0166eb2

This will give you the following result.

Hash

OK, so after cracking the above MD5 hash we’ve got the following credential → ‘P4ssw0rd’. Let's log in with the credentials, which gives us access to the vulnerable file upload functionality. Before we upload a file, let's generate the weevely backdoor with the following command. Weevely is a web shell designed for remote server administration and penetration testing that can be extended over the network at runtime with more than 30 modules.

weevely generate [PASSWORD] [PATH].php

Weevely

We can now upload this backdoor from the ‘New picture’ option available on the admin page. This malicious file upload vulnerability allows an attacker to upload a shell or backdoor to the server.

Uploader

So let’s upload our backdoor ‘shell.PHP’ to the web server.

shell
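
From the defender's side, the upload step works because the ‘New picture’ form accepts a file the server will later execute as PHP. The following is an added example, not code from the exercise or from this write-up, of an upload check that rejects such files; the function name safe_image_name and the sample files are hypothetical and constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Returns a server-chosen storage name for an acceptable image, or null to reject.
function safe_image_name(string $clientName, string $tmpPath): ?string
{
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

    // 1. Extension allowlist, lower-cased first so "shell.PHP" is treated like "shell.php".
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        return null;
    }
    // 2. MIME type sniffed from the file bytes, never from the client's Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!is_string($mime) || !array_key_exists($mime, $allowed)) {
        return null;
    }
    // 3. The file must also parse as an image header.
    if (@getimagesize($tmpPath) === false) {
        return null;
    }
    // 4. Discard the client name entirely: random name, extension from the sniffed type.
    return bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
}

// Constructed samples: a harmless PHP snippet and a well-known 1x1 GIF.
$php = '<?php echo "constructed sample"; ?>';
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$cases = [['shell.PHP', $php], ['shell.php3', $php], ['photo.png', $php], ['photo.GIF', $gif]];

foreach ($cases as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');   // stands in for $_FILES[...]['tmp_name']
    file_put_contents($tmp, $bytes);
    $stored = safe_image_name($name, $tmp);
    printf("%-12s %s\n", $name, $stored === null ? 'rejected' : "stored as $stored");
    unlink($tmp);
}
```

In a real handler, pass the name and tmp_name entries from $_FILES and then call move_uploaded_file() into a directory outside the web root or with PHP execution disabled, because an image with code appended can still pass the content checks.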

So we’ve successfully uploaded the backdoor under the /admin/uploads directory. Now it's time to connect back to the backdoor with the following command, which gives you an interactive shell.

weevely [PATH] [PASSWORD]

Backconnection

As you can see, the backdoor is interacting pretty well as user ‘www-data’. You can perform various operations with weevely, like mounting a remote file system, uploading an exploit to root the server, etc. I hope you like this small walkthrough. For better understanding, a video PoC is attached below.

Happy injecting 😃
