TryHackMe: Advent of Cyber [Day 23] LapLANd (SQL Injection)
Room: Advent of Cyber
“Santa’s been inundated with Facebook messages containing Christmas wishlists, so Elf Jr. has taken an online course in developing a North Pole-exclusive social network, LapLANd! Unfortunately, he had to cut a few corners on security to complete the site in time for Christmas and now there are rumours spreading through the workshop about Santa! Can you gain access to LapLANd and find out the truth once and for all?
Supporting material available here.”
Question #1 Which field is SQL injectable? Use the input name used in the HTML code.
I’m starting with an nmap scan:
Now I’ll head over to that website to see what’s going on.
Aw. That’s actually really cute with the falling snowflakes and everything.
I would really recommend reading the source material if you are new to SQL Injection. It’s about 4 pages long, but everything is explained in an easy-to-understand way.
I am going to use sqlmap for this. First, though, I’m going to use Burp Suite to capture the request from the website: send off a fake login request and then capture it with Burp Suite.
If you’re using the TryHackMe attack box, they have Foxy Proxy already installed in the browser. Just switch it on:
If not, you will have to set up Burp Suite as a proxy in your browser; instructions for how to do that are here.
Then open Burp Suite and choose all the defaults to create a new temporary project.
Send a fake login request. It doesn’t really matter what you use for credentials. The info we need will show up in Burp Suite under the Proxy > Intercept tab.
The SQL field I highlighted in orange contains the answer to the first question:
Question #2 What is Santa Claus’ email address?
Use the “Action” tab to save this output as a text file.
To grab a dump of the database, use the following command with the file you just saved.
Just FYI, this is NOT a delicate approach. Everyone paying attention will know exactly what you’re doing. So this is not realistic at all.
This method is more useful in CTFs where you don’t really care if anyone knows you’re barging into the database like the Kool-Aid man.
It will ask you a lot of questions throughout the process. You can just accept “yes” as the default, except when it asks whether you want to crack the passwords. I put “no” because I didn’t want to be there all day and could just grab the single hashes I wanted.
When the process is over, it will spit out a few database tables for you to look through.
You might see it overlap a bit because your screen isn’t big enough to show the whole thing. That’s OK; you can pick through it to find the info you need. Santa’s email is in the “users” table:
Question #3 What is Santa Claus’ plaintext password?
You can just grab his hash from the same “users” table and throw it in CrackStation:
Question #4 Santa has a secret! Which station is he meeting Mrs Mistletoe in?
The answer to this question can be found in the “social” table.
Question #5 Once you’re logged in to LapLANd, there’s a way you can gain a shell on the machine! Find a way to do so and read the file in /home/user/
We have Santa’s email and password, so let’s use those to log in.
When you log into LapLANd, you’ll notice there’s an upload button at the top. An obvious target.
This actually reminds me of the Vulnversity box on TryHackMe that I completed just a few days ago. The same scenario applies there: you upload a PHP reverse shell.
First you have to test what types of files you can upload. In the other box, you could not upload .php files, but you COULD upload .phtml files. I’ll try .php first and, if that doesn’t work, try another.
You will find what you need here:
You want the “php-reverse-shell.php” at the bottom (in blue).
Copy and paste that entire block of code and comments into a new file, then look through it to make a few minor changes:
Change the IP field to your IP and the port to whatever port you want to listen on. I just kept the port the same.
Set up a netcat listener at this point on the same port you chose:
We can test the file uploads now. Save that file and change the extension to .php.
Attempt to upload it:
Ok, Plan B. Change the extension to .phtml and try again.
No error message; looks like we’re good. Confirm this by checking netcat:
We’re in! All you have to do from here is change to the directory in the question and the flag will be yours.
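The upload step above is a textbook deny-list failure: the filter rejects .php but never heard of .phtml. As an added example (not LapLANd’s code, and not part of the original post), here is a hypothetical reconstruction of that weak check next to the allow-list check that would have stopped it; the extension sets and sample filenames are constructed for the demo.

```python
import os
import secrets

# Constructed for this example: extensions a typical PHP-enabled server hands to
# the interpreter. Check your own server's handler rules for the real list.
PHP_EXECUTABLE = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}

# The only types a "post a picture" feature actually needs to accept.
IMAGE_ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif"}


def denylist_allows(filename: str) -> bool:
    """Weak check, hypothetical reconstruction of what the writeup ran into:
    block a literal '.php' suffix and nothing else."""
    return not filename.endswith(".php")


def allowlist_allows(filename: str) -> bool:
    """Hardened check: case-folded allow-list on the final extension, and any
    dotted segment naming an executable extension rejects the whole file."""
    base = os.path.basename(filename.replace("\\", "/")).lower()
    if "\x00" in base or base.startswith(".") or "." not in base:
        return False                         # null bytes, dotfiles, no extension
    segments = base.split(".")[1:]           # every segment after the first dot
    if any("." + s in PHP_EXECUTABLE for s in segments):
        return False                         # catches shell.php.png, x.phtml.jpg
    return "." + segments[-1] in IMAGE_ALLOWLIST


def safe_store_name(filename: str) -> str:
    """Name to write to disk: random stem plus the validated extension, so the
    client-chosen name (and any path inside it) never reaches the filesystem."""
    if not allowlist_allows(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    ext = "." + filename.lower().rsplit(".", 1)[-1]
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample names, including the .phtml bypass from the writeup.
    for name in ("shell.php", "shell.phtml", "shell.PHP", "shell.php.png", "photo.JPG"):
        print(f"{name:15} denylist={denylist_allows(name)!s:5} "
              f"allowlist={allowlist_allows(name)}")
```

Extension checks only gate the filename; the stored file should also live outside the web root or in a directory where script execution is disabled by the server configuration.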
One more day of Christmas Challenges left.
Happy Hacking! ❤