The HackTheBox Freelancer challenge is based on SQL injection. This CTF is pretty straightforward and teaches the use of the SQLMap tool.

Here is my way to get the flag from this CTF:


The website is built with Bootstrap and PHP. I checked the contact form but couldn't find anything; at first I suspected a stored XSS, but it turns out it is not.

I fired up Dirb after going through the website and found these directories:

The /administrat/ directory has the login page. I tried SQL injection here but had no luck.

I checked all the directories and files reported by Dirb but couldn't find any way to get in.

Back on the main page, I checked the source code of the webpage.

It looks pretty messed up, but if you look closely there is something here to pay attention to.

I highlighted the line saying "<!-- To configure the contact form email address, go to mail/contact_me.php and update the email address in the PHP file on line 19. -->". I was thinking of fuzzing the URL to find parameters I could inject SQL into, but I found one more link which is much easier to inject into.
You will see a familiar SQL injection parameter: "portfolio.php?id=1". This is where we will inject.

I fired up SQLMap for this task. The challenge was pretty smooth after that.

It is a boolean-based blind SQLi and also a time-based SQLi; you can try it out with this:

http://docker.hackthebox.eu:31108/portfolio.php?id=1 AND 1=1--

OR

http://docker.hackthebox.eu:31108/portfolio.php?id=1-SLEEP(10) --

You can check out my articles on boolean-based and time-based SQL injection at the links below:

Boolean Based Blind SQL Injection on MySQL: How to do manually

Time based Blind SQL Injection on MySQL: How to do manually
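As an added example, not part of the original walkthrough, here is a small Python detector that flags the two payload shapes shown above (a boolean tautology and a SLEEP() call) together with the sqlmap User-Agent in constructed Apache-style access-log lines; the client IPs, timestamps and sizes are made up.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines (Apache combined format) modelled on the
# payloads from the walkthrough; IPs, timestamps and byte counts are made up.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2020:12:00:01 +0000] "GET /portfolio.php?id=1 HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2020:12:00:02 +0000] "GET /portfolio.php?id=1%20AND%201=1-- HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2020:12:00:03 +0000] "GET /portfolio.php?id=1-SLEEP(10)%20-- HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2020:12:00:04 +0000] "GET /portfolio.php?id=2 HTTP/1.1" 200 4300 "-" "sqlmap/1.3.11#stable (http://sqlmap.org)"
"""

# Minimal combined-log-format parser: client IP, request path and User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Each rule is named after the injection technique it indicates.
RULES = [
    ("boolean_tautology", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),   # ... AND 1=1
    ("time_based_sleep", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),      # ... SLEEP(10)
    ("comment_terminator", re.compile(r"(--|#|/\*)")),                       # trailing --
]

def analyse_request(path: str, user_agent: str) -> list:
    """Return a list of 'rule:param' findings for one request."""
    findings = []
    # parse_qsl decodes one layer of URL encoding for each value.
    for key, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        for name, pattern in RULES:
            if pattern.search(value):
                findings.append(f"{name}:{key}")
    if "sqlmap" in user_agent.lower():
        findings.append("tool_ua:sqlmap")
    return findings

def scan_log(text: str) -> list:
    """Return (ip, path, findings) for every log line that triggers a rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyse_request(m["path"], m["ua"])
        if findings:
            hits.append((m["ip"], m["path"], findings))
    return hits

if __name__ == "__main__":
    for ip, path, findings in scan_log(SAMPLE_LOG):
        print(ip, path, findings)
```

Only one layer of URL encoding is decoded, so double-encoded payloads would need a second decode before matching; a sqlmap run with a custom User-Agent is still caught by the payload rules.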

SQLMap will give you the table name and the hashes for the login credentials.

If you look at the credentials, the hash below appears to be a Blowfish hash, which is pretty hard to crack.

I started John on the Blowfish hash above.

I went back to SQLMap and tried to change the password or insert a value into the safeadmin database, but that is not possible: SQLMap cannot do it for you. I tried to make some changes using --sql-shell but nothing happened.

Then I started going through the files. I checked the privileges of my current user and found I had the privilege to read files.

We enter the database as db_user.

You can read a file through SQLMap using --file-read="<location/filename>".

I read the file at /var/www/html/administrat/include/config.php, which is a known file.

We have the DB user and password here!

Let's see what other info we can find. I saw index.php under the administrat/ directory in Dirb; let's see if that has any info.

We see two files there: config.php, which we already saw, and another one, panel.php.

Let's check panel.php.

There we go! panel.php contains the flag for the challenge.
