HackTheBox | Public Challenge


This HackTheBox is owned by team ErrOr SquaD @prial261 with a score of 700 out of 1200. This means there are 5 more vulnerabilities which have not been discovered. We are throwing it as a public challenge to all members. Our aim is to make an opportunity for study and to share knowledge.

By The Way congratulations Team ErrOr SquaD :purple_heart:

HackTheBox:
http://178.128.30.125

Discovered Vulnerabilities by ErrOr SquaD

  1. SQL Challenge 0x10
  2. SQL Challenge 0x20
  3. XSS Challenge 0x00
  4. XSS Challenge 0x10
  5. Boolean-based blind SQL Injection
  6. Union Based SQL Injection
  7. Pingback Attack

FAQ

Question: I saw you guys arranged HackTheBox at Daffodil International University. Why didn’t you guys announce it first?
Ans: Yeah… we just worked as Tech Support. The program is organized by a company. Hope you understand.

3 Likes

Love you bro… :heart_eyes:

We already solved a few problems :stuck_out_tongue:

2 Likes

Then share and give an opportunity to learn… :facepunch:t6:

3 Likes

<3

1 Like

The reason why we love you… and this forum :heart_eyes:

2 Likes

SQL Challenge 0x00 Solution :-

Reproduce :-

  1. Open the browser's Inspect Element Network tab to monitor query execution, as we are using an `and sleep(15)` payload.
  2. Visit http://178.128.30.125/sqli0x00/?id=1')) and sleep(15)--+ and monitor in the Inspect Element Network tab that the response takes 15*** ms.

Thanks .

2 Likes

Hi bro… Can you please share your solved problems with us? :woozy_face:

I think others should try first. Then I will share the POC with you guys :smile:

TIPS :- The fun part of this challenge is doing everything manually. If you use automated tools, I think they will miss the hidden parts, and there is no fun in it. The Firefox browser alone is enough to solve most of the issues :wink:

1 Like

But I told them (the judges) not to use automated scanners; the Burp Suite free version is allowed. :rofl:

3 Likes

The judge told us not to use Burp. I thought it applied to both Burp Free and Pro. And most of the time I use Burp’s Repeater/Intruder tabs only. I don’t believe in the scanners and never take a look at those results -_-

Almost 90% are false reports and not exploitable.

3 Likes

I hope a few days later I will be trying to share those problem solutions… :stuck_out_tongue:

1 Like

I only know about number 7 :sob:

1 Like

SQL Challenge 0x10 to RCE

SQL Injection :-

  • Visit the link below with the query and you will see all columns & tables of the SQL database :-
https://pastebin.com/raw/LEEnaJKZ

  • Now visit the query below to check privileges :-
https://pastebin.com/raw/wf52y0Uu
  • 'root'@'localhost' -> YES confirms we have read/write permission on the server.
  • Let's read /e tc/passwd
https://pastebin.com/raw/mbyhjk7x

  • Let’s try to write files to the /tmp/ dir using an `into outfile` query :-
https://pastebin.com/raw/7Mp6wnJR
  • Again use load_file to see if the file was really created on the server :-
https://pastebin.com/raw/ewMXaLqy

  • This is enough to prove we can create files on the server side. Now, if an attacker can get the server root path, then he can upload a PHP web shell to get access to the server and do whatever he wants.

Using load_file I was able to read some really interesting files on the server system which will be useful for various attacks :-

https://pastebin.com/TuHvKpBi
  • I was able to read system logs/configuration and many other files :-
/e tc/httpd/conf/httpd.conf
/e tc/resolv.conf
/e tc/php.ini
/e tc/my.cnf
/e tc/hosts
/e tc/redhat-release
/e tc/crontab
/e tc/nginx/nginx.conf
/var/run/utmp
/var/log/wtmp
/var/log/lastlog
/e tc/bashrc
/e tc/sysconfig/network-scripts/ifcfg-eth0
/e tc/fstab
/e tc/inittab
/e tc/httpd/conf.d/php.conf
/var/log/boot.log
/e tc/httpd/conf.d/ssl.conf
/e tc/logrotate.d/httpd
/e tc/netconfig
/boot/grub/grub.conf
/e tc/rpc
/e tc/nsswitch.conf
/var/log/dmesg

Note :- This platform doesn’t allow the use of the word /e tc/passwd, so I have put a space in it. Remove it before testing. :smile:

Thanks .

2 Likes
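The two write-ups above (the 0x00 `sleep(15)` probe and the 0x10 `load_file` / `into outfile` primitives) leave a distinctive trail in web server logs. As an added, defender-side example that is not from this thread or the challenge authors, the following Python scanner flags those request patterns and, separately, abnormally slow responses; it assumes a constructed log format (Apache combined log with the response time in milliseconds appended as the last field) and the sample log lines are constructed, with /etc/hosts standing in for the file the write-up reads.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Signatures for the primitives shown in this thread: time-based blind probes,
# MySQL file read/write, and the union-based extraction that carries them.
SIGNATURES = {
    "time_based_blind": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "file_read": re.compile(r"\bload_file\s*\(", re.I),
    "file_write": re.compile(r"\binto\s+(out|dump)file\b", re.I),
    "union_select": re.compile(r"\bunion\b.{0,20}\bselect\b", re.I),
}

# Constructed log format (assumption): Apache combined log with the response
# time in milliseconds appended as the last field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<ms>\d+)$'
)

def analyse_line(line, slow_ms=5000):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skipped, not flagged
    findings = []
    # parse_qsl URL-decodes once ("--+" becomes "-- "); decode a second time
    # so double-encoded payloads are inspected in their final form.
    for name, value in parse_qsl(urlsplit(m["path"]).query, keep_blank_values=True):
        value = unquote_plus(value)
        findings += [(name, label) for label, rx in SIGNATURES.items() if rx.search(value)]
    slow = int(m["ms"]) >= slow_ms  # a sleep(15) probe shows up as a ~15000 ms response
    if not findings and not slow:
        return None
    return {"ip": m["ip"], "path": m["path"], "ms": int(m["ms"]), "findings": findings, "slow": slow}

def scan_log(text, slow_ms=5000):
    return [hit for hit in (analyse_line(l, slow_ms) for l in text.splitlines()) if hit]

# Constructed sample: one benign request, the three probes from this thread,
# and one slow request carrying no payload (needs correlation, not an alert).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2019:10:00:01 +0000] "GET /sqli0x00/?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 12
203.0.113.7 - - [10/Jun/2019:10:00:05 +0000] "GET /sqli0x00/?id=1%27%29%29%20and%20sleep%2815%29--+ HTTP/1.1" 200 512 "-" "Mozilla/5.0" 15021
203.0.113.7 - - [10/Jun/2019:10:01:10 +0000] "GET /sqli0x10/?id=-1%20union%20select%201,load_file(%27/etc/hosts%27),3--+ HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 20
203.0.113.7 - - [10/Jun/2019:10:02:30 +0000] "GET /sqli0x10/?id=-1%20union%20select%20%27x%27%20into%20outfile%20%27/tmp/x.txt%27--+ HTTP/1.1" 200 300 "-" "Mozilla/5.0" 18
198.51.100.9 - - [10/Jun/2019:10:03:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 900 "-" "Mozilla/5.0" 5300
"""
```

A slow response with no payload signature (the last sample line) is only a weak signal on its own; correlate it with the client's other requests before raising an alert.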

Could you please remove the unnecessary stuff, like the comments and <br/>? It will make things much smoother :thinking:

Thanks bro for posting SQL Challenge 0x10 to RCE.

2 Likes

What you are calling unnecessary stuff, I call clean work. As you can see, I am using the browser most of the time to reproduce, so that "unnecessary stuff" makes the output look good and easy to understand.

Someone said :- If you can’t make it good then make it look good :wink:

2 Likes

Nice thinking

2 Likes

Ok :neutral_face:

1 Like

Did you handcraft the SQL injection?
Or just used some tools to exploit? It seems almost impossible to me to do this kind of bypass.

1 Like