HackTheBox | Public Challenge

image

This HackTheBox is owned by team ErrOr SquaD @prial261 with the score 700 out of 1200. It means there are more 5 vulnerabilities which are not discovered. We are throwing it as an public challenge to all members. Our aim to is making an opportunity for study and to share knowledge.

By The Way congratulations Team ErrOr SquaD :purple_heart:

HackTheBox:
http://178.128.30.125

Discovered Vulnerabilities by ErrOr SquaD

  1. SQL Challenge 0x10
  2. SQL Challenge 0x20
  3. XSS Challenge 0x00
  4. XSS Challenge 0x10
  5. Boolean-based blind SQL Injection
  6. Union Based Sql Injection
  7. Pingback Attack

FAQ

Question: I saw you guys arranged HackTheBox at Daffodil International University. Why don’t you guys announce it first?
Ans: Yeah… we just worked as Tech Support. The program is organized by a company. Hope you understand.

3 Likes

Love you bro… :heart_eyes:

we already solve few problems :stuck_out_tongue:

2 Likes

Then share and give an opportunity to learn… :facepunch:t6:

3 Likes

<3

1 Like

The reason why we love you… and this forum :heart_eyes:

2 Likes

SQL Challenge 0x00 Solution :-

Reproduce :-

  1. Open Browsers Inspect Elements Network tab to monitor query execution as we are using and sleep(15) payload .
  2. Visit http://178.128.30.125/sqli0x00/?id=1’)) and sleep(15)–+ and monitor in Inspect Elements Network tab that response length is 15*** ms long .

Thanks .

2 Likes

Hi bro… Can you please share your solved problems to us? :woozy_face:

I think others should try 1st . Then I will share POC with you guys :smile:

TIPS :- Fun part of this challenge is doing everything manually . If you use automate tools I think it will miss the hidden parts and also no fun with it . Only Firefox browser is enough to solve most of issues :wink:

1 Like

but I told them (Judge) not to use automated scanners and burp suite free version is allowed. :rofl:

3 Likes

Judge told not to use Burp . I thought it applies on both burp free and pro . And Most of time I use Burp’s Repeater/Intruder tabs only . I don’t believe on the scanners and never take a look on those results -_-

Almost 90% are false reports and not exploitable .

4 Likes

I hope Few Days Later I will Be Trying To Share Those Problem Solution … :stuck_out_tongue:

1 Like

I only know about number 7 :sob:

1 Like

SQL Challenge 0x10 to RCE

SQL Injection :-

  • Visit below link with query and you will see all column & tables of SQL database :-
https://pastebin.com/raw/LEEnaJKZ

  • Now visit below query to check privileges :-
https://pastebin.com/raw/wf52y0Uu
  • ’root’@‘localhost’ -> YES confirms we have read/write permission on server .
  • Lets read /e tc/passwd
https://pastebin.com/raw/mbyhjk7x

  • Let’s try to write files on /tmp/ dir using into outfile query :-
https://pastebin.com/raw/7Mp6wnJR
  • Again use load_file to see if really the file was created on server :-
https://pastebin.com/raw/ewMXaLqy

  • This is enough to prove we can create files on server side . Now If a attacker can get the server root path then he can upload a web php shell to get access to the server and do whatever he want .

Using load_file I was able to read some really interesting files on server system what will be useful for various attacks :-

https://pastebin.com/TuHvKpBi
  • I was able to read systems logs/configuration and many other files :-
/e tc/httpd/conf/httpd.conf
/e tc/resolv.conf
/e tc/php.ini
/e tc/my.cnf
/e tc/hosts
/e tc/redhat-release
/e tc/crontab
/e tc/nginx/nginx.conf
/var/run/utmp
/var/log/wtmp
/var/log/lastlog
/e tc/bashrc
/e tc/sysconfig/network-scripts/ifcfg-eth0
/e tc/fstab
/e tc/inittab
/e tc/httpd/conf.d/php.conf
/var/log/boot.log
/e tc/httpd/conf.d/ssl.conf
/e tc/logrotate.d/httpd
/e tc/netconfig
/boot/grub/grub.conf
/e tc/rpc
/e tc/nsswitch.conf
/var/log/dmesg

Note :- This platform don’t allow to use the word /e tc/passwd so I have given a space in it . Remove it before testing . :smile:

Thanks .

2 Likes

Could you please remove the unnecessary stuffs? like the comments and <br/>? It will make the things much more smooth :thinking:

Thanks bro to posting SQL Challenge 0x10 to RCE.

2 Likes

What you are calling unnecessary stuffs that I call clean work . As you can see I am using browser most of time to reproduce so those unnecessary stuffs will make the output look good and easy to understand .

Someone said :- If you can’t make it good then make it look good :wink:

2 Likes

Nice thinking

2 Likes

Ok :neutral_face:

1 Like

Did you handcrafted to sql injection?
Or just used some tools to exploit? It seems almost impossible to me do this kind of bypass.

1 Like