TryHackMe: Advent of Cyber 2 [Day 5] Someone stole Santa’s gift list!
Room: Advent of Cyber 2
After last year’s attack, Santa and the security team have worked hard on reviving Santa’s personal portal. Hence, ‘Santa’s forum 2' went live.
After the attack, logs have revealed that someone has found Santa’s panel on the website and logged into his account! After doing so, they were able to dump the whole gift list database, getting all the 2020 gifts in their hands. An attacker has threatened to publish a wishlist.txt file, containing all information, but happily, for us, he was caught by the CBI (Christmas Bureau of Investigation) before that. On
MACHINE_IP:8000 you'll find the copy of the website and your goal is to replicate the attacker's actions by dumping the gift list!
Question #1 Without using directory brute forcing, what’s Santa’s secret login panel?
Today we are working with another web challenge, this time using SQL Injection on Santa’s Forum:
For Question #1, I just guessed based on the hint. This could have been accomplished with something like GoBuster, but it specifies that no brute forcing is allowed.
Question#3 How many entries are there in the gift database?
From here we can see Santa’s Secret Login Panel.
Using the lengthy guide included with today’s challenge, I eventually figured out that the method for bypassing this login page is as follows:
That will take you to a new page where you will be able to traverse the database:
I am going to be using Burp Suite and SqlMap to automate this for me. After you get Burp Suite opened, turn on Foxy Proxy to start intercepting:
Make sure intercept is on:
Then head back over to the webpage and do a test request:
After you hit search, check back with Burp and you will see the request. Save this so SqlMap can use it. You can turn intercept and Foxy Proxy off at this point.
From here, head to a command line to start SqlMap. I used the following command:
The -r /root/Desktop/santasql portion is what I saved my request as earlier.
Remember that Santa is using a Web Application Firewall, which is why you see that “tamper” portion of the command. Also, Santa mentions that he wants to upgrade from sqlite, so you can assume that's what we are working with.
From the results, you will be able to answer the rest of the questions for today.
We can see there are 22 entries in the gift database:
Question #4 What did Paul ask for?
Using that same table, we can see that Paul asked for github ownership.
Question #5 What is the flag?
The flag is located in the “hidden_table”, but since we dumped the entire database, that came along with it.
Question #6 What is admin’s password?
Here we have the last answer!
Happy Hacking! ❤