In a previous post, I wrote about Exploiting Jenkins.  So what is Jenkins?  "The leading open source automation server, Jenkins provides hundreds of plugins to support building, deploying and automating any project."  My interest in Jenkins is purely from the exploitation side and my avenue for entry has either been through Metasploit or the Groovy Scripting Console.  Like most things hacking, if you really want to learn how to exploit something, you install it, configure it, and deploy it -- you will get a much better understanding of the nuts and bolts.  I rarely see Jenkins, I've yet to go down that rabbit hole and it should come as no surprise then that I discovered another way to get a shell.


    I believe this is the same author as Sumo.  The box states that it's "Beginner to Intermediate", the object is:  "Get the root shell i.e.(root@localhost:~#) and then obtain flag under /root)." and I'm glad I went back to read that because you don't need to elevate root to get the flag.  It also states:  "Warning: Be careful with "rabbit hole" -- not really sure exactly about that part.  Anyway, fun box so let's jump into it:


    According to PortSwigger:  "SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution."  And according to the SQLMap description:  "sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers."

    This isn't a 101 of SQL Injection, if you're familiar with SQLMap, you've moved past 101.  This is the method I use when I leverage SQLMap.  I've seen other syntax for performing these tasks but I prefer to capture the POST request in Burp, dump the contents into a file, and then point SQLMap to my text file POST request.


    The description states that the box is "Beginner" and "Get the root shell i.e.(root@localhost:~#) and then obtain flag under /root)."  I don't want to put too much information up front but if you haven't been hacking for long, this is a blast from the past with a neat entry. 

    We kick off with Nmap:


    This box is described as "Intermediate" and the description states:  "Get the root shell i.e.(root@localhost:~#) and then obtain flag under /root)."

    I'll admit, I'm getting a little worn out on the multiple web serving troll ports.  It's basically the same box recycled with a different twist.  That being said, the privilege escalation was excellent.  There are multiple entrances for a low privilege shell and I cover two. 


    Page 4 of 57

    © 2020 sevenlayers.com