Pandora HTB Walkthrough

This post documents my process for solving the Pandora box on Hack The Box. The challenge focuses on recon, SNMP enumeration, port forwarding, SQLi on an internal service, and a series of lateral movement and privilege escalation steps. Recon Initial port scan: ports=$(nmap -p- --min-rate=1000 -T4 10.10.11.136 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) nmap -p$ports -sC -sV 10.10.11.136 Open ports: 22 (SSH) 80 (HTTP, Apache, Ubuntu) Enumerated with UDP scan (-sU): ...

April 13, 2025 · Joon Kim

Validation HTB Walkthrough

This post documents my process for solving the Validation box on Hack The Box. This challenge centers on SQL injection, writing a web shell via SQLi, and privilege escalation via password reuse. Recon Started with full port scan: ports=$(nmap -p- --min-rate=1000 -T4 <IP> | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) echo $ports # 22,80,4566,5000,5001,5002,5003,5004,5005,5006,5007,5008,8080 nmap -p$ports -sC -sV 10.10.11.116 Main open ports: 22 (SSH), 80 (Apache), 4566 (nginx), 8080 (nginx). ...

April 10, 2025 · Joon Kim

Writeup HTB Walkthrough

This post documents my process for solving the Writeup box on Hack The Box. The machine revolves around web enumeration, CMS exploitation, SQLi, hash cracking, and privilege escalation via PATH hijacking. Recon Target: 10.10.10.138 nmap -sC -sV 10.10.10.138 Results: 22/tcp (SSH) OpenSSH 9.2p1 Debian 80/tcp (HTTP) Apache httpd 2.4.25 (Debian) robots.txt has a disallowed entry: /writeup/ Site uses CMS Made Simple, version 2.2.9.1 CMS Exploitation Accessed /writeup and /writeup/doc/CHANGELOG.txt to confirm CMS version. ...

April 1, 2025 · Joon Kim

Help HTB Walkthrough

This post documents my process for solving the Help box on Hack The Box. This box involves GraphQL enumeration, credential dumping, hash cracking, and classic web application enumeration and exploitation. Recon Initial nmap scan: nmap -sC -sV -oA nmap/help <IP> Found GraphQL running on port 3000. GraphQL Enumeration Referred to PayloadsAllTheThings - GraphQL Injection to start enumeration. Discovered GraphQL types via introspection: http://10.10.10.121:3000/graphql?query={__schema{types{name}}} Full schema dump and queries revealed a user type with username and password fields. ...

March 31, 2025 · Joon Kim

webhackingkr old 02

This is challenge old-02 from webhacking.kr. I was stuck trying to understand how people were discovering this SQLi vulnerability through a cookie, as no blog posts explained why the attack was effective. This wasn’t the typical SQLi challenge that I’m used to, so I really wanted to know why it worked the way it did. The goal of this challenge is to figure out the password used for the admin.php page (mentioned in the HTML comment). ...

February 9, 2025 · Joon Kim

Unholy Union

A challenge about SQLi that uses the UNION injection technique. What is convenient about this challenge is that it shows the query that is used to pull the data from the database. I used this SQL injection cheat sheet from the SQLi fundamental module from the HTB Academy: cn' UNION select 1,database(),2,3-- - Current database name cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- - List all databases cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- - List all tables in a specific database cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- - List all columns in a specific table Steps I took based on the cheat sheet from the HTB Academy: ...

October 27, 2024 · Joon Kim

webhackingkr-old-18

This is a challenge from webhacking.kr. As the name of the website suggests, it is about SQL injection. You can check the source code of the page: <?php if($_GET['no']){ $db = dbconnect(); if(preg_match("/ |\/|\(|\)|\||&|select|from|0x/i",$_GET['no'])) exit("no hack"); $result = mysqli_fetch_array(mysqli_query($db,"select id from chall18 where id='guest' and no=$_GET[no]")); // admin's no = 2 if($result['id']=="guest") echo "hi guest"; if($result['id']=="admin"){ solve(18); echo "hi admin!"; } } ?> Our goal seems to be creating a payload that would make the id value admin and also make the no value 2. So, let’s assume that there is no filter so we can enter anything as a payload. When we enter 2 as our input, you will see something like this: ...

October 25, 2024 · Joon Kim