TryHackMe: Avengers Blog

·

9 min read

We Have A Hulk

'Learn to hack into Tony Stark's machine! You will enumerate the machine, bypass a login portal via SQL injection and gain root access by command injection.'

Hello all! I'm Jin, and welcome to my blog. Today's write-up is on the THM Avengers Blog room which I completed as part of the Web Vulnerabilities course on TryHackMe. I'll admit I blazed through this course because a lot of it was things I had previous experience with thanks to PentesterLab. If you're looking for ways to supplement your learning, I definitely recommend it.

Anyhow, this is a sweet and simple box with a good walkthrough in the tasks themselves so we'll mostly just be documenting process here. That said, let's go~

Task 2 - Cookies

Task 1 just has us connect to the machine, so we'll start with task 2.

Task 2 is cookies. Cookies can do a lot of things, like store login info, shopping cart items, basically anything the website needs to remember about you and your session since that information isn't stored on the website itself. Cookies can also be used to track traffic and some anti-virus classify them as spyware.

To view cookies, we can hit F12 to bring up the console and click Storage (on Firefox). 91-1.png

And right away we see our flag.

Task 3 - HTTP Headers

HTTP headers let a client and server pass information with an HTTP request or response. Header names and values are separated by a single colon. The main two HTTP methods are GET and POST. GET requests data from a resource and POST sends data to a server.

Question 1: Look at the HTTP response headers and obtain flag 2.

Back to the Developer Tools, this time the Network tab. We may need to hit refresh (F5) to have the requests logged here. 92-1.png

Clicking on a request displays its data on the right, and right away we spy our flag. 92-2.png

Note: Intercepting requests with Burp or Zap is a great way to view (and edit!) headers.

Task 4 - Enumeration and FTP

Next up we'll be scanning the machine with nmap. If this isn't your first time with me, you're probably familiar with my preferred scan nmap -A -p- [ip] -vv. For this machine, however, we'll follow the instruction. Let's scan with nmap 10.10.162.20 -v as instructed. 93-1.png

Our scan tells us that there's FTP and SSH on this server. Let's try FTP with the credentials we found. What credentials? Well... 93-2.png

groot:iamgroot seems likely. Let's try it.

Question 1: Look around the FTP share and read flag 3!

First, we connect to FTP with ftp 10.10.162.20. 93-3.png

Then we enter the credentials we found. 93-4.png

We can use use basic Linux to navigate the share, and get to download the flag. 93-5.png

Then we can cat the flag on our local system. 93-6.png

Task 5 - GoBuster

GoBuster can help us find directories that aren't readily available by just clicking around. It brute-forces URIs (directories and files, DNS subdomains, and vhost name. Here, we want to see if there are any hidden directories to explore.

Question 1: What is the directory that has an Avenger's login?

We'll use the command gobuster dir -u http://10.10.162.20 -w /usr/share/wordlists/dirb/common.txt to see what we can see. 94-1.png

Assets popped up! 94-2.png

But navigating there nets us nothing. It's still worth trying though, because more access is always better than less (for us). 94-3.png

In the spirit of trying things, /logout popped up so we try it. Not blindly though, because its marked as 302 -- redirect. And where do logouts usually redirect to? 94-4.png

That's right, login portals. GoBuster also confirms our suspicions. 94-5.png

The lesson here? Tools are great, but you don't have to rely wholly on them when you've got a perfectly good head on your shoulders. Use it~

Task 6 - SQL Injection

On to SQL Injection, or SQLi for task 6.

SQLi relies on knowing how SQL works, which is explained in the task. Basically, we want the expression we're sending data to to evaluate as “True” without comparing to any data stored elsewhere. 1=1 is always true, so that becomes integral to our payload.

Question 1: Log into the Avengers site. View the page source, how many lines of code are there?

95-1.png

Just to be safe, we test admin:admin. It's tradition, after all. 95-2.png

For the actual SQLi, we use the “credentials” ' or 1=1--:' or 1=1--. 95-3.png

And we're in! Now we need to find out how many lines of code are in the page source. We can do that by right-clicking the page and left-clicking View Page Source from the pop up menu. 95-4.png

(Navigating to view-source:[url] will also do the trick.) 95-5.png

Scrolling to the bottom shows us we have 223 lines of code. 95-6.png

Task 7 - Remote Code Execution and Linux

Once logged in, we have a control panel! Following the instruction provided shows us the location of the flag, but we can't use cat. (I also learned about chaining commands with ‘;’)

Question 1: Read the contents of flag5.txt

If we can't use cat, how do we read files? I can think of a couple ways. First, tac. It's cat, but reads files backwards line by line. 96-1.png

we can also grep the file in question, searching for an empty string. Nothing matches everything, so we get everything back. grep ‘’ flag5.txt 96-2.png

The grep method is useful if we want to retain the file's order.

With that flag, the Avengers room is complete~

Endgame

So that was the Avengers Blog! How was it? After coming this far with the beginner's path and now here at the end of the web vulns path, I'm really feeling good about the basics. Of course, this is a field that's always changing, growing, rapidly shifting and expanding, but like anything else, it's solid fundamentals that growth and progress are built on. Instead of looking at unknown machines with worry if I'm good enough, I'm now starting to relish the chance to get stuck and learn something new. It's a wide world out there, so hack safely, and build that confidence to not only take you where you want to go, but figure out a way when none seem apparent.

That's all for now. Thank you for reading, and see you in the next bit~