TryHackMe: Jurassic Park

Initial foothold

1. Port scan

There’re 2 open ports: 22 and 80.

2. OS and service scan

There’re 2 services: SSH on port 22 and HTTP on port 80.

3. Vuln scan

There’s a robots.txt on the HTTP service.

Service Enumeration

1. SSH

Connecting succeeded.

2. HTTP service

nikto scan

Directory scan w/ gobuster

Access HTTP site

/index.php

View the page source; not much is revealed.

Follow the link to shop.php

Clicking on one of the choices, I was redirected to /item.php?id=3

/item.php?id=1

Conclusion:

id is a parameter. Maybe I can do SQL injection.

Exploitation

1. Intercept item.php w/ Burp Suite and send it to the Intruder

2. Supply the payload and start the attack

Here’s my payload on GitHub.

Looking at the length, there’re many values. I will start w/ 407.

Try the query

Failed!!!

Next is 516; I skipped 408 and 409 because they’re the same request, and the length differs only because of the strings’ size.

There’s a filter in this system.

Try 1765

No error. Good to go.
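From the defender’s side, the Intruder run above leaves a very recognisable trace in the web server’s access log: a burst of requests to the same script from one address, each carrying SQL syntax in a parameter that should only ever hold a number, with response sizes that jump between a few hundred bytes (the error page) and the full item page. The script below is an added example, not part of the room or of this writeup; it parses constructed Apache-style log lines, flags parameter values that contain SQL meta-characters or keywords, and flags rapid repeated probing of one path. The log lines, the IP addresses and the burst threshold are assumptions made up for the example.

```python
"""Spot SQL-injection probing of a script like item.php in an access log (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache/nginx "combined" log prefix: ip ident user [timestamp] "METHOD url PROTO" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Syntax that has no business in a numeric id parameter.
SQLI_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"\bunion\b.*\bselect\b",
        r"\bor\b\s+\S+\s*=\s*\S+",
        r"information_schema",
        r"--\s|/\*",
        r"['\"]",
    )
]

# Constructed sample log: two normal visitors and one address fuzzing item.php.
ACCESS_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /item.php?id=3 HTTP/1.1" 200 1765
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /item.php?id=1 HTTP/1.1" 200 1771
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /item.php?id=1' HTTP/1.1" 200 407
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /item.php?id=1%27%20or%201=1--%20 HTTP/1.1" 200 516
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /item.php?id=1%20union%20select%201,2,3,4,5 HTTP/1.1" 200 1765
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /item.php?id=1%20union%20select%201,2,3,4,5%20from%20information_schema.tables HTTP/1.1" 200 1800
10.0.0.7 - - [10/Oct/2023:13:56:02 +0000] "GET /shop.php HTTP/1.1" 200 2201
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["path"] = urlsplit(rec["url"]).path
    # parse_qs already URL-decodes once; keep_blank_values keeps "?id=" visible.
    rec["query"] = parse_qs(urlsplit(rec["url"]).query, keep_blank_values=True)
    return rec


def sqli_indicators(value):
    """Names of the patterns that fire on a (double-decoded) parameter value."""
    decoded = unquote_plus(value)  # second decode catches %25-encoded payloads
    return [p.pattern for p in SQLI_PATTERNS if p.search(decoded)]


def analyse(log_text, burst_threshold=3, burst_window_s=10):
    """Per source IP: suspicious parameter values and paths hit in a rapid burst."""
    per_ip = defaultdict(lambda: {"suspicious": [], "hits": defaultdict(list)})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        data = per_ip[rec["ip"]]
        data["hits"][rec["path"]].append(rec["ts"])
        for name, values in rec["query"].items():
            for v in values:
                fired = sqli_indicators(v)
                if fired:
                    data["suspicious"].append(
                        {"param": name, "value": unquote_plus(v), "size": rec["size"], "patterns": fired}
                    )
    findings = {}
    for ip, data in per_ip.items():
        # Intruder-style fuzzing: many requests to one path inside a short window.
        bursts = [
            path for path, stamps in data["hits"].items()
            if len(stamps) >= burst_threshold
            and (max(stamps) - min(stamps)).total_seconds() <= burst_window_s
        ]
        if data["suspicious"] or bursts:
            findings[ip] = {"suspicious": data["suspicious"], "bursts": bursts}
    return findings


if __name__ == "__main__":
    for ip, f in analyse(ACCESS_LOG).items():
        print(ip, "bursts:", f["bursts"])
        for s in f["suspicious"]:
            print("   ", s["param"], "=", repr(s["value"]), "size", s["size"], s["patterns"])
```

Two things in the output are worth noting for tuning: the flagged values for one address cluster around a handful of distinct response sizes (the error page versus the full item page), which is exactly the signal the attacker is reading, so a rule that counts distinct sizes per path per source is a cheap complement to the keyword patterns; and the quote pattern alone will produce false positives on free-text parameters, so in production scope it to parameters that are declared numeric.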

3. Test for union injection

Before attacking, I will encode the query w/ Burp Suite’s decoder function.

The full request will be:

I will add “$” at the number position.

Load the payload

Here’s my GitHub link

Start the attack. Judging by the length, this machine is also vulnerable to union injection, and it needs 5 columns to display the result.

Test the query

Version number

Database

Get other databases

There’s only 1 interesting database: park.

Retrieve table names

Retrieve column names of table ‘users’

I was filtered.

Change the single quote (‘) to a double quote (“)
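The two findings above, that id goes straight into the query and that the site’s filter is a keyword blacklist which blocks one quoting style but not the other, are the same bug seen from two sides: the value is still concatenated into SQL, so the blacklist only decides which payload gets through. The following is an added example that is not the room’s PHP and not from the writeup; it rebuilds a small item lookup over an in-memory SQLite database in Python so the two handler styles can be compared side by side. The table layout, the row contents and the `Filtered` exception are assumptions made up for the example.

```python
"""Blacklist-filtered string concatenation vs. a parameterised item lookup (added example)."""
import sqlite3


class Filtered(Exception):
    """Raised by the blacklist handler, mirroring the site's 'filtered' response."""


def make_db():
    """Constructed schema standing in for the room's 'park' database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE items(id INTEGER PRIMARY KEY, name TEXT, description TEXT,
                           price INTEGER, stock INTEGER);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO items VALUES (1, 'Velociraptor feed', 'bulk order', 10, 5),
                                 (3, 'Dilophosaurus spit', 'do not taste', 20, 2);
        INSERT INTO users VALUES (1, 'user_a', 'hash_a'), (2, 'user_b', 'hash_b');
    """)
    return conn


def item_vulnerable(conn, item_id):
    """What the page observed: a blacklist on the single quote, then concatenation."""
    if "'" in item_id:
        raise Filtered("filtered")
    # Anything the blacklist did not think of is still executed as SQL, and a UNION
    # with the right column count needs no quote at all.
    sql = f"SELECT id, name, description, price, stock FROM items WHERE id = {item_id}"
    return conn.execute(sql).fetchall()


def item_hardened(conn, item_id):
    """Type validation plus a bound parameter: the value can never become SQL."""
    try:
        numeric_id = int(item_id)
    except ValueError:
        raise ValueError("id must be an integer")
    sql = "SELECT id, name, description, price, stock FROM items WHERE id = ?"
    return conn.execute(sql, (numeric_id,)).fetchall()


def lookup(handler, conn, value):
    """Run one handler and report ('ok', rows) or ('rejected', reason) for comparison."""
    try:
        return ("ok", handler(conn, value))
    except (Filtered, ValueError) as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    conn = make_db()
    # Constructed probes: a normal id, the quote the blacklist catches, and a
    # five-column UNION that carries no quote, as the writeup found.
    for probe in ("3", "3'", "0 UNION SELECT id, username, password, 0, 0 FROM users"):
        print(repr(probe))
        print("  blacklist+concat :", lookup(item_vulnerable, conn, probe))
        print("  parameterised    :", lookup(item_hardened, conn, probe))
```

The hardened handler gives the same rows as the vulnerable one for a legitimate id and rejects every other probe before the database sees it; no list of forbidden characters has to be maintained, and switching the quoting style, changing case or encoding the payload makes no difference, because the driver sends the id as data rather than splicing it into the statement text.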

Retrieve data

I was filtered, probably by column name.

Test one by one starting w/ id

There’re 2 users.

username

I was filtered.

password

I got 2 passwords.

Before trying to work around the ‘username’ filtering, I will retrieve data from the table ‘items’.

Column name

Data

Copy and arrange it. ID #5 mentioned filtered characters.

/item.php?id=5

There’s a message to Dennis.

Until now, there’re 2 possible usernames: dennis and Dennis

4. Try to log in w/ SSH, starting w/ username dennis and both of the passwords.

Privilege Escalation

1. Verify sudo

I can escalate w/

Here’s the command

Now I’m root.

2. Finding flags

1st flag is located in /home/dennis

5th flag is located in /root

2nd flag location is hinted in /home/ubuntu/.bash_history

It’s in /boot/grub/fonts/

3rd flag is written in /home/dennis/.bash_history