About the Challenge
This challenge really taught me a lesson. It’s the best challenge I have done recently. The key to solving it is the kind of persistence that helps you overcome difficulties in pen-testing.
Recon
At the beginning, like most pen-tests, it’s a static web page. Nothing juicy in “robots.txt”. I scrolled the page from top to bottom and only found a message form that seemed vulnerable. I tried XSS, but no bot was going to receive it. Just a trap.
Then, as in any pen-test, I used the dirsearch tool to scan for paths and any back end that might be hidden. The result is shown below. There are some JS files, which showed that XSS was impossible.
I was stuck here for a very long time. That can happen in our daily work too. All you need is patience. I read the source code again and again, carefully. By the way, the raw source code was a mess; an HTML auto-formatter is your good friend. Then I noticed a tiny, tiny comment.
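The directory scanning described here (dirsearch, and later dirb and dirbuster) leaves a very recognisable trace on the server side: one client producing a burst of 404s for many distinct paths. The following is an added example, not part of the original write-up, of how a defender would spot that pattern in a web access log. The log lines are constructed for the example, and the window and threshold values are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in combined log format (not real logs from the challenge).
# 10.0.0.5 is a normal visitor; 10.0.0.9 behaves like a directory brute-forcer.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2019:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2019:10:00:04 +0000] "GET /favicon.ico HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2019:10:00:10 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2019:10:00:10 +0000] "GET /backup/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2019:10:00:11 +0000] "GET /images/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2019:10:00:11 +0000] "GET /login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2019:10:00:12 +0000] "GET /config/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2019:10:00:12 +0000] "GET /administrat/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2019:10:00:13 +0000] "GET /test/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, request path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"), "status": int(m.group("status"))}


def find_bruteforcers(lines, window_seconds=60, threshold=5):
    """Map client IP -> largest number of distinct 404 paths seen in any sliding
    window of `window_seconds`, for clients that reach `threshold` or more."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            events[rec["ip"]].append((rec["ts"], rec["path"]))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {path for _, path in evs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforcers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} distinct 404 paths within one window")
```

Counting distinct paths rather than raw 404s keeps a single broken link that is hit repeatedly from triggering the rule; the threshold of five is deliberately low for the constructed sample and would be raised for real traffic.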
Is there a file called “portfolio.php” hiding in the shadows? I visited this URL with the parameter “id=3”.
Enumeration
Although I couldn’t understand the sentence, I knew there might be SQL injection here, so I used sqlmap to test it.
Nice! Finally I got something useful. It was much harder than it looks. Without patience and attentiveness I would only have found some useless files.
Next step was the same as usual.
./sqlmap.py -u 'http://docker.hackthebox.eu:30569/portfolio.php?id=3' --dbs
Another difficulty came. I had the key but couldn’t find the keyhole: I didn’t find a login page. I switched tools and used “dirb” to rescan the site. This time I got something.
I submitted a username and password, but the password was incorrect, and I couldn’t crack it either. So I changed tool and wordlist again, using dirbuster with directory-list-2.3-medium.txt. Suddenly I realized how important it is to use good and varied wordlists.
It showed many files I hadn’t found at the beginning. However, when I tried to visit panel.php, it redirected to index.php. I felt it must be hiding something important. I used curl but got nothing.
Fortunately, we have sqlmap.
./sqlmap.py -u 'http://docker.hackthebox.eu:30569/portfolio.php?id=3' --file-read=/var/www/html/administrat/panel.php
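The injection that sqlmap confirmed in portfolio.php?id=3 almost always comes from one pattern: the id parameter spliced into the SQL text. The write-up does not show the challenge’s PHP source, so the following is an added example, not the challenge’s own code, that reproduces the vulnerable lookup and its hardened form against an in-memory SQLite table; the table and column names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the challenge's portfolio table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE portfolio (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO portfolio VALUES (?, ?)",
        [(1, "First project"), (2, "Second project"), (3, "Third project")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """The pattern that makes ?id=3 injectable: untrusted input becomes SQL text."""
    sql = "SELECT id, title FROM portfolio WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Hardened form: validate the expected type, then bind as a parameter
    so the value can never be interpreted as SQL."""
    if not user_id.isdigit():
        return []
    return conn.execute(
        "SELECT id, title FROM portfolio WHERE id = ?", (int(user_id),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=3         :", lookup_vulnerable(db, "3"))
    print("vulnerable, id=3 OR 1=1  :", lookup_vulnerable(db, "3 OR 1=1"))
    print("safe, id=3 OR 1=1        :", lookup_safe(db, "3 OR 1=1"))
```

With the concatenated query, a tampered id returns every row; with validation plus parameter binding the same input returns nothing. The second sqlmap step in the write-up, reading panel.php from disk, also depends on a server-side weakness rather than on sqlmap alone: on MySQL, --file-read works through LOAD_FILE(), which requires the database account to hold the FILE privilege and is further restricted by secure_file_priv. Running the web application under a least-privileged database account with no FILE privilege would have stopped that read even with the injection present.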