Hackthebox Freelancer is based on SQL injection. This CTF is pretty straightforward and teaches the basics of the SQLMap tool.
Here is my way to get the flag from this CTF:
The website is built with Bootstrap and PHP. I checked the contact form but couldn't find anything; at first I suspected a stored XSS, but it turns out it is not.
I fired up Dirb after going through the website and found these directories:
The /administrat/ directory has the login page. I tried SQL injection here but had no luck.
I checked all the directories and files reported by Dirb but couldn't find any way in.
Back to the main page. I checked the Source code of the webpage.
It looks pretty messy, but if you look closely there is something here to pay attention to.
I highlighted the line saying `<!-- To configure the contact form email address, go to mail/contact_me.php and update the email address in the PHP file on line 19. -->`. I was thinking of fuzzing that URL to find parameters I could inject into, but I found another link which is much easier to inject into.
You will see a familiar SQL injection parameter: `portfolio.php?id=1`. This is where we will inject.
I fired up SQLMap for this task. The challenge was pretty smooth after that.
It is a boolean-based blind SQLi and also a time-based blind SQLi; you can try it out with this:
http://docker.hackthebox.eu:31108/portfolio.php?id=1 AND 1=1--
OR
http://docker.hackthebox.eu:31108/portfolio.php?id=1-SLEEP(10) --
You can check out my articles on boolean-based and time-based blind SQL injection at the links below:
http://www.anonhack.in/2018/07/boolean-based-blind-sql-injection-how-to-do-manually/
http://www.anonhack.in/2018/07/time-based-blind-sql-injection-on-mysql-how-to-do-manually/
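From the defender's side, the two payloads above leave a clear trace in the web server log. As an added example that is not part of the original writeup, here is a small Python detector that parses constructed Apache-style access-log lines (the IP, timestamps and sizes are made up) and flags requests whose `id` parameter carries a tautology, a `SLEEP()` delay, a comment terminator, or simply a non-numeric value:

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log (not from the original post); requests 2 and 3 carry the
# boolean-based and time-based payloads used against portfolio.php?id=1.
SAMPLE_LOG = """\
10.10.14.2 - - [21/Jul/2018:10:01:02 +0000] "GET /portfolio.php?id=1 HTTP/1.1" 200 5120
10.10.14.2 - - [21/Jul/2018:10:01:05 +0000] "GET /portfolio.php?id=1%20AND%201%3D1-- HTTP/1.1" 200 5120
10.10.14.2 - - [21/Jul/2018:10:01:09 +0000] "GET /portfolio.php?id=1-SLEEP(10)%20-- HTTP/1.1" 200 5120
10.10.14.2 - - [21/Jul/2018:10:01:20 +0000] "GET /mail/contact_me.php HTTP/1.1" 200 812
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures checked against the URL-decoded parameter value.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),   # ... AND 1=1
    ("time-delay", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),   # ... SLEEP(10)
    ("comment-terminator", re.compile(r"(--|#|/\*)")),               # trailing --
]

def parse_line(line):
    """Parse one CLF line into a dict with the decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl already percent-decodes and turns '+' into spaces.
    rec["params"] = dict(parse_qsl(parts.query, keep_blank_values=True))
    return rec

def scan_log(text, numeric_params=("id",)):
    """Return (ip, path, param, value, reasons) for every suspicious request."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"].items():
            reasons = [label for label, rx in SQLI_PATTERNS if rx.search(value)]
            # An id the application should treat as an integer is itself a signal.
            if name in numeric_params and not value.strip().isdigit():
                reasons.append("non-numeric id")
            if reasons:
                findings.append((rec["ip"], rec["path"], name, value, reasons))
    return findings

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The same "is it really an integer?" test is the fix on the application side: casting `id` to an integer or binding it as a parameter in a prepared statement removes the injection point entirely.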
SQLMap will give you the table name and the hashes for the login credentials.
If you look at the credentials, the hash below seems to be a Blowfish (bcrypt) hash, which is pretty hard to crack.
I started John the Ripper on the Blowfish hash above.
I went back to SQLMap and tried to change the password or insert a value into safeadmin, but that is not possible; SQLMap cannot do it for you. I tried to make some changes using `--sql-shell` but nothing happened.
Then I started going through the files. I checked the privileges of my current user and found I had the privilege to read files.
We enter the database as db_user.
You can read a file through SQLMap using `--file-read="<location/filename>"`.
I read the file at `/var/www/html/administrat/include/config.php`, which is a known location:
We have the DB user and password here!
Let's see what other info we can find. I saw index.php under the administrat/ directory in Dirb; let's see if that has anything.
We see two files there: config.php, which we already saw, and panel.php.
Let's check panel.php.
There we go! panel.php contains the flag for the challenge.