Hack the Box-FreeLancer

About the Challenge

This challenge really taught me a lesson. It’s the best challenge I have done recently. The key to solving it is a kind of persistence that helps you overcome the difficulties of pen-testing.

Recon

At the beginning, like most pen-tests, it’s a static web page. Nothing juicy in “robots.txt”. I scrolled the page from top to bottom and only found a message form that seemed vulnerable. I tried XSS, but no bot was going to receive it. Just a trap.

Then, as in any usual pen-test, I used the dirsearch tool to scan for paths and a possibly hidden back end. The result is shown below. There are some JS files that proved XSS is impossible.

I was stuck here for a very long time. That can happen in our daily work. All you need is patience. I read the source code again and again, carefully. BTW, the raw source code was a mess. HTML auto-formatting is your good friend. Then I noticed a tiny, tiny comment.

Is there a file called “portfolio.php” hidden in the shadows? I visited this URL with the parameter “id=3”.

Enumeration

Although I couldn’t understand the sentence, I suspected there might be SQL injection here. So I used sqlmap to test it.

Nice! Finally I got something useful. It was much harder than it looks. Without patience and attentiveness I could only find some useless files.

Next step was the same as usual.

./sqlmap.py -u 'http://docker.hackthebox.eu:30569/portfolio.php?id=3' --dbs
./sqlmap.py -u 'http://docker.hackthebox.eu:30569/portfolio.php?id=3' --tables
./sqlmap.py -u 'http://docker.hackthebox.eu:30569/portfolio.php?id=3' -T safeadmin --columns
./sqlmap.py -u 'http://docker.hackthebox.eu:30569/portfolio.php?id=3' -T safeadmin -C username,password --dump

Another difficulty came. I had the key but couldn’t find the keyhole. I didn’t find a login page. I changed tools, using “dirb” to rescan the site again. This time I got something.

http://docker.hackthebox.eu:31479/administrat/

http://docker.hackthebox.eu:31479/administrat/include/

I submitted the username and password, but the password was incorrect. I also couldn’t crack the password. So I changed tool and wordlist again. I used dirbuster with directory-list-2.3-medium.txt. Suddenly I realized how important it is to use good and different wordlists.

It showed many files I hadn’t found at the beginning. However, when I tried to visit panel.php, it redirected to index.php. I felt it must hide something important. I used curl but got nothing.

Fortunately, we have sqlmap.

./sqlmap.py -u 'http://docker.hackthebox.eu:30569/portfolio.php?id=3' --file-read=/var/www/html/administrat/panel.php
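Seen from the defender’s side, every step of this write-up (the id= injection probes, the dirb/dirbuster scans that produce bursts of 404s, and the sqlmap file read, which on MySQL rides on LOAD_FILE()) leaves a trace in the web server log. The following is an added example, not part of the original write-up or of any tool it mentions: a small Python triage over constructed Apache combined-format log lines, with sample data, signatures and the 404 threshold all being my own assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache combined-format sample (not real traffic from the challenge host).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /portfolio.php?id=3 HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /portfolio.php?id=3' HTTP/1.1" 500 0 "-" "sqlmap/1.4#stable (http://sqlmap.org)"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /portfolio.php?id=3%20AND%201=1 HTTP/1.1" 200 2311 "-" "sqlmap/1.4#stable (http://sqlmap.org)"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /portfolio.php?id=3%20UNION%20SELECT%20LOAD_FILE(0x41),NULL HTTP/1.1" 200 2400 "-" "sqlmap/1.4#stable (http://sqlmap.org)"
10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /administrator/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:01:01 +0000] "GET /backup/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:01:01 +0000] "GET /login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:01:02 +0000] "GET /administrat/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:01:02 +0000] "GET /panel.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Payload fragments typical of id= probing and of the LOAD_FILE()-based file read (assumed set).
SQLI_RE = re.compile(r"""(?ix) ' | " | \bunion\b.+\bselect\b | \b(?:and|or)\b\s+\d+\s*=\s*\d+
                         | \bsleep\s*\( | \bload_file\s*\(""")
SCANNER_UA_RE = re.compile(r"(?i)sqlmap|dirb|dirbuster|dirsearch|gobuster")

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(log_text, brute_threshold=5):
    """Flag SQLi payloads, scanner user agents and per-IP 404 bursts (directory brute force)."""
    sqli, scanner_ips, not_found = [], set(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        decoded = unquote_plus(rec["path"].partition("?")[2])  # query string only, URL-decoded
        if SQLI_RE.search(decoded):
            sqli.append((rec["ip"], decoded))
        if SCANNER_UA_RE.search(rec["ua"]):
            scanner_ips.add(rec["ip"])
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
    brute = {ip: n for ip, n in not_found.items() if n >= brute_threshold}
    return {"sqli": sqli, "scanner_ips": scanner_ips, "dir_bruteforce": brute}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Note that the 10.0.0.7 scanner is caught only by its 404 burst, since its user agent looks like an ordinary browser; a real deployment would tune the threshold per time window.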