search

πŸ‡Rabbit Hole

License

The following post by anthonyjsaab is licensed under CC BY 4.0arrow-up-right

hashtag
0 - Introduction

Link to room: https://tryhackme.com/r/room/rabbitholeqqarrow-up-right

Machine version: RabbitHole v1.3

This writeup walks you through a room on TryHackMe created by shamollasharrow-up-right

hashtag
1 - Port Scan

hashtag
1a - Discovery

β”Œβ”€β”€(kaliγ‰Ώkali)-[~]
└─$ sudo nmap -T4 -p- rabbit.thm                                                                                            
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-25 21:53 EEST
Nmap scan report for rabbit.thm (10.10.45.20)
Host is up (0.096s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 723.03 seconds

hashtag
1b - Versioning and OS fingerprinting

hashtag
1c - Vulners

hashtag
2 - Web server probing

hashtag
2a - Inspection

Landing page
Login form
Registration form

Note that dirbusting does not uncover any hidden pages.

hashtag
2b - Normal user interaction

Registering with test:test
After logging in

hashtag
2c - Attempting XSS

When we logged in, the username of the admin was echoed on our webpage. Additionally, the admin appears to login every minute. If their landing page is the same as ours, and they are listed all the users and their last logins, an XSS attempt could let us steal their cookie.

After spinning up an HTTP server on our Kali machine, we will try to register using the following payload as a username:

After logging in, we receive our own cookie:

This means that our payload was stored correctly and is correctly rendering on a browser.

We wait a bit for the admin to login again and trigger the payload on their browser. Unfortunately, after multiple minutes, no request was received on our HTTP server. We can confirm that the admin was logging in during our waiting by refreshing and seeing their attempts:

hashtag
2d - SQLi

In the above image, we can see that our payload triggered an SQL error message to be displayed. This is a clear indication that the target is vulnerable to SQLi.

However, since "anti-bruteforce" measures are in place, we will avoid using sqlmap and will instead be doing everything manually.

hashtag
2di - Enumerating how many columns needed for successful UNION with previous SQL statement

Not successful
2 columns it is

hashtag
2dii - Enumerating tables

hashtag
2diii - users table

Columns in the users table
Usernames that are able to be displayed (which don't trigger syntax errors)
The list of hashes displayed is limited to 6 hashes. Also, the hashes are not display fully (only the first half is shown)
We have to do this for each password hash

After some more enumeration, here is the list of hashes we get:

Here are the cracking results:

You can ignore the test and 123 passwords. I created these

Trying to crack the first MD5 hash using rockyou.txt did not yield anything. Logging in using foo or bar does not give us anything good.

The passwords of foo and bar seem to indicate that we are in a rabbit hole.

PreviousPyratNextTryHack3M: Bricks Heist

Last updated