Lesson Learned? | TryHackMe | Writeup

Mohamed Ali
3 min read · Jan 24, 2025


Have you learned your lesson?

Find This Room: Lesson Learned?

Recon

Nmap confirms that only two ports are open: 22 and 80.

A ZAP scan in standard mode detected a SQL injection vulnerability in the username parameter on the main page. However, ZAP submitted an overly aggressive payload that ended up damaging the system, which is exactly the kind of collateral this room is built to punish.

OSINT

The room's instructions say to approach this box like a real penetration test, so we did some OSINT first. During that research we came across some intriguing tweets from none other than the box's creator, Tib3rius.

If the lockout message wasn't already a clear hint, it is now evident that we are dealing with an AND-based SQL injection rather than the usual OR-based one.

Obtaining a Valid Username

Since our approach relies on an AND condition for the injection, the first half of the WHERE clause has to be true on its own, so we need a valid value for the targeted username parameter. A quick look at the login page's failure messages suggests they could leak valid usernames under a brute-force attack.

We use a username list from SecLists to brute-force the login prompt and quickly find a valid one: it returns a different, shorter "invalid password" message than the one shown for unknown usernames.

Now Let's Pwn This Web App with My Favorite Technique: Manual Testing

Now that we've confirmed the username field is injectable, we can proceed with manual testing. To simplify the process, I referred to quick-SQLi.txt from SecLists because my memory is less than perfect. This file includes several sample payloads using techniques like OR 1=1 with common usernames such as "admin".

Since we already have a valid username, we adapted these patterns by substituting AND for OR where applicable.

The first successful payload we found was:
arnold' and '1'='1'#
This can be shortened to:
arnold' #
The # starts a comment, so the database ignores everything after it, including the password check; the query then matches on the valid username alone.

Alternatively, the same injection can be sent through Burp Suite.
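To make the mechanism concrete from the defender's side, here is an added example (my code, not the room's and not the writeup author's) that places a login routine behaving like the one described above next to a hardened version. It assumes an in-memory SQLite table named users with constructed sample accounts; because SQLite has no # comment, the comment-based payload is written with -- here instead of the # used in the writeup (MySQL's syntax). The vulnerable function concatenates input and returns two different failure messages, which is what made username enumeration possible; the hardened one binds parameters and returns one message for every failed attempt. A small pattern check shows what a login-log or WAF rule would look for.

```python
import re
import sqlite3

# Constructed sample accounts (not from the room); "arnold" plays the valid
# username the writeup enumerates. Plaintext comparison is kept only so the two
# login paths stay comparable; a real application stores password hashes.
SAMPLE_USERS = [("arnold", "s3cret-pass"), ("carol", "hunter2")]

UNIFORM_FAILURE = "invalid username or password"


def make_db():
    """In-memory SQLite table standing in for the room's user table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login the way the writeup's form behaves: concatenated query plus two
    different failure messages. Returns (authenticated, message)."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return False, "error"
    if row is not None:
        return True, "welcome"
    # Distinct messages: the shorter one tells a brute-forcer which usernames exist.
    exists = conn.execute(
        "SELECT 1 FROM users WHERE username = ?", (username,)
    ).fetchone()
    return False, ("invalid password" if exists else UNIFORM_FAILURE)


def login_hardened(conn, username, password):
    """Parameterised query, and one failure message whether or not the user exists."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    if row is None:
        return False, UNIFORM_FAILURE
    return True, "welcome"


# A quote followed (possibly after other text) by a SQL comment sequence is the
# shape of the writeup's payloads; a legitimate name like o'brien does not match.
_COMMENT_AFTER_QUOTE = re.compile(r"'[^']*(--|#|/\*)")


def looks_like_comment_injection(username):
    """Detection check for a login log or WAF rule on the username parameter."""
    return _COMMENT_AFTER_QUOTE.search(username) is not None


if __name__ == "__main__":
    db = make_db()
    # Same comment payload as the writeup, in SQLite's comment syntax.
    payload = "arnold' -- "
    print("vulnerable:", login_vulnerable(db, payload, "anything"))
    print("hardened:  ", login_hardened(db, payload, "anything"))
    print("unknown user, vulnerable:", login_vulnerable(db, "nobody", "x"))
    print("known user, vulnerable:  ", login_vulnerable(db, "arnold", "x"))
    print("flagged:", looks_like_comment_injection(payload))
```

The two failure messages in login_vulnerable are the enumeration oracle the writeup brute-forced; collapsing them into UNIFORM_FAILURE removes it, and binding parameters makes the comment in the username a literal string rather than SQL.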

Follow me: LinkedIn, Facebook, GitHub, join us on Community, THM account

https://buymeacoffee.com/mohamedali0
