We covered Command Injection and SQL Injection, both of which fall under the OWASP Top 10 categories of web vulnerabilities, as part of the HackTheBox Looking Glass and Sanitize challenges.

Challenge 1: Looking Glass

The challenge description stated, “We have built the most secured networking tool in the market. Come and check it out.” After spawning the machine, I obtained an IP address and port for the application. The application provided information about backward routing and network efficiency using tools like traceroute and ping. Traceroute allows users to follow a packet through the network to a specific destination, while ping can be used to check if a device with a valid internet address or domain name is online.

I tested the ping functionality with an IP address, and the output looked exactly like command-line output. This suggested that the application was passing user input straight to the operating system for execution. The key question was whether the input was filtered; if not, it could lead to command injection.

I hypothesized that the backend might be using a system function like system("ping -c1 139.59.189.170"). To test for command injection, I tried to append another command using a semicolon (;) or double ampersand (&&), which are common command separators in bash. I used the input 139.59.189.170 && ls. The output showed the ping results and a file named index, confirming command injection.

To find the flag, I tried listing the contents of the root directory: 139.59.189.170 ; ls /. The output revealed a file named flag_xxxx. I then attempted to read the flag file using: 139.59.189.170 ; cat /flag_xxxx (replacing flag_xxxx with the actual flag file name from the previous step). This successfully displayed the flag.
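The root cause described above is a host string concatenated into a shell command. The following is an added example, not the challenge's real source code, that reconstructs the assumed vulnerable pattern beside a hardened version: the hardened handler validates the host as an IP address or plain hostname (the allowed-character regex is my assumption) and passes an argument list to subprocess with no shell, so separators such as ; and && never reach a shell. A small detection helper flags inputs containing shell metacharacters, which is the kind of check an application log monitor would apply.

```python
import ipaddress
import re
import subprocess

# Assumed reconstruction of the vulnerable backend: the user-supplied host is
# concatenated into a shell string, so "139.59.189.170 && ls" becomes two commands.
def vulnerable_ping_command(host: str) -> str:
    return "ping -c1 " + host

# Shell metacharacters that should never appear in a host parameter.
SHELL_METACHARS = set(";&|`$(){}<>\n")

def looks_like_injection(user_input: str) -> bool:
    """Detection heuristic for logs/WAF rules: True if the input carries shell metacharacters."""
    return any(ch in SHELL_METACHARS for ch in user_input)

# Allowed hostname shape (assumption): letters, digits, dots and hyphens, no whitespace.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")

def safe_ping_argv(host: str) -> list[str]:
    """Validate the host, then build an argv list; rejects anything that is not an IP or hostname."""
    try:
        ipaddress.ip_address(host)          # accepts IPv4/IPv6 literals
        return ["ping", "-c1", host]
    except ValueError:
        pass
    if HOSTNAME_RE.fullmatch(host):
        return ["ping", "-c1", host]
    raise ValueError(f"rejected host {host!r}: not an IP address or hostname")

def run_ping(host: str) -> str:
    """Execute ping without a shell; the argv list keeps the host a single argument."""
    argv = safe_ping_argv(host)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=10, check=False)
    return result.stdout

if __name__ == "__main__":
    payload = "139.59.189.170 && ls"       # the injection input from the write-up
    print(vulnerable_ping_command(payload)) # shell would run ping, then ls
    print(looks_like_injection(payload))    # True
    try:
        safe_ping_argv(payload)
    except ValueError as exc:
        print(exc)                          # rejected before any process is spawned
```

Using an argument list means the host is passed to ping as one argv entry even if it contains spaces or separators; the validation step is still worthwhile because it gives a clean rejection to log and prevents option injection (a host beginning with "-").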

Challenge 2: Sanitize

The challenge was described as: “Can you escape the query context and log in as an admin at my super secure login page?” The prompt also showed a SQL query: select * from users where username = 'admin' and password = 'admin'. This strongly suggested a SQL injection vulnerability.

I navigated to the login page. Trying default credentials like admin/admin failed, but the error page displayed the SQL query that had been executed. The displayed query confirmed that user input was embedded directly into the SQL statement, making it vulnerable.

To exploit this, I crafted a SQL injection payload for the username field: admin' or '1'='1' -- .

  • admin' closed the original string for the username.
  • or '1'='1' added a condition that was always true.
  • -- (with a space after the dashes) commented out the rest of the SQL query, bypassing the password check.

I used this payload in the username field and any random password. This successfully logged me in as admin and displayed the flag.
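To show why the payload above works and what the fix looks like, here is an added example (not the challenge's own code) using an in-memory SQLite database. login_vulnerable builds the query by string formatting, as the displayed query suggests the challenge did, so the username payload closes the string, adds an always-true condition and comments out the password check. login_safe uses a parameterized query, so the same payload is compared as a literal username and matches nothing. The table contents and passwords are constructed for the demo.

```python
import hashlib
import sqlite3

def _pw_hash(password: str) -> str:
    """Demo-only password hash (constructed); a real system would use a salted KDF."""
    return hashlib.sha256(password.encode()).hexdigest()

def setup_db() -> sqlite3.Connection:
    """Constructed sample users table with an admin account and one regular user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.executemany(
        "insert into users values (?, ?)",
        [("admin", _pw_hash("S3cret-admin-pw")), ("alice", _pw_hash("alice-pw"))],
    )
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """String-formatted query: user input becomes part of the SQL grammar."""
    query = (
        "select username from users where username = '" + username
        + "' and password = '" + _pw_hash(password) + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized query: the driver binds values, so quotes and -- stay data."""
    row = conn.execute(
        "select username from users where username = ? and password = ?",
        (username, _pw_hash(password)),
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = setup_db()
    payload = "admin' or '1'='1' -- "       # username payload from the write-up
    print(login_vulnerable(db, payload, "anything"))   # admin
    print(login_safe(db, payload, "anything"))         # None
    print(login_safe(db, "admin", "S3cret-admin-pw"))  # admin
```

With the payload, the vulnerable statement becomes select username from users where username = 'admin' or '1'='1' -- ' and password = '...', so every row satisfies the WHERE clause and the first one (admin) is returned. The parameterized version never reinterprets the input as SQL, which is the actual fix; escaping quotes by hand is not.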

Technical Commands Extracted

From the “Looking Glass” challenge (command injection):

  • ping -c1 139.59.189.170 (Assumed base command executed by the application)
  • 139.59.189.170 && ls (Used to test for command injection and list files in the current directory)
  • 139.59.189.170 ; ls / (Used to list files in the root directory)
  • 139.59.189.170 ; cat /flag_xxxx (Used to display the content of the flag file, where flag_xxxx is the name of the flag file found)

From the “Sanitize” challenge (SQL injection):

  • select * from users where username = 'admin' and password = 'admin' (The vulnerable SQL query)
  • Username payload: admin' or '1'='1' --

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.