We covered Command Injection and SQL Injection, both of which appear in the OWASP Top 10 list of vulnerabilities, as part of the HackTheBox Looking Glass and Sanitize challenges.
Challenge 1: Looking Glass
The challenge description stated, “We have built the most secured networking tool in the market. Come and check it out.” After spawning the machine, I obtained an IP address and port for the application. The application provided information about backward routing and network efficiency using tools like traceroute and ping. Traceroute allows users to follow a packet through the network to a specific destination, while ping can be used to check if a device with a valid internet address or domain name is online.
I tested the ping functionality with an IP address, and the output looked like raw command-line output. This suggested that the application might be passing user input directly to the system for execution. The key question was whether the input was filtered; if not, it could lead to command injection.
I hypothesized that the backend might be using a system function like system("ping -c1 139.59.189.170"). To test for command injection, I tried to append another command using a semicolon (;) or double ampersand (&&), which are common command separators in bash. I used the input 139.59.189.170 && ls. The output showed the ping results and a file named index, confirming command injection.
To find the flag, I tried listing the contents of the root directory: 139.59.189.170 ; ls /. The output revealed a file named flag_xxxx. I then attempted to read the flag file using: 139.59.189.170 ; cat /flag_xxxx (replacing flag_xxxx with the actual flag file name from the previous step). This successfully displayed the flag.
Challenge 2: Sanitize
The challenge was described as: “Can you escape the query context and log in as an admin at my super secure login page?” The prompt also showed a SQL query: select * from users where username = 'admin' and password = 'admin'. This strongly suggested a SQL injection vulnerability.
I navigated to the login page. Trying default credentials like admin/admin failed and displayed the SQL query that was executed. The displayed query confirmed that the input was directly embedded into the SQL statement, making it vulnerable.
To exploit this, I crafted a SQL injection payload for the username field: admin' or '1'='1' --
- admin' closed the original string for the username.
- or '1'='1' added a condition that was always true.
- -- (with a space after the dashes) commented out the rest of the SQL query, bypassing the password check.
I used this payload in the username field and any random password. This successfully logged me in as admin and displayed the flag.
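As an added illustration that is not part of this write-up or of the challenges' own source (the HTB backends are not shown), the Python below places the vulnerable pattern each challenge exposes beside its hardened form: the ping handler accepts only a literal IP address and passes it as a single argv element with no shell, and the login query binds its parameters instead of splicing strings. All function names, the in-memory users table and the credential 's3cret' are constructed for the example.

```python
import ipaddress
import sqlite3
import subprocess


def is_literal_ip(target: str) -> bool:
    """Accept only a bare IPv4/IPv6 address; anything else (including '; ls') is rejected."""
    try:
        ipaddress.ip_address(target)
    except ValueError:
        return False
    return True


def ping_command_vulnerable(target: str) -> str:
    # The shape the write-up hypothesises: user input concatenated into one shell string,
    # so when it is run via system()/shell=True, ';' and '&&' are honoured as separators.
    return f"ping -c1 {target}"


def ping_argv_safe(target: str) -> list[str]:
    """Validate first, then hand the target to ping as its own argv element."""
    if not is_literal_ip(target):
        raise ValueError("target must be a literal IP address")
    return ["ping", "-c1", target]


def run_ping(target: str) -> str:
    # subprocess.run with a list and the default shell=False never involves /bin/sh.
    return subprocess.run(ping_argv_safe(target), capture_output=True,
                          text=True, timeout=10).stdout


def make_user_db() -> sqlite3.Connection:
    # Constructed sample table; the challenge's real schema and credentials are unknown.
    db = sqlite3.connect(":memory:")
    db.execute("create table users (username text, password text)")
    db.execute("insert into users values ('admin', 's3cret')")
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> bool:
    # Same shape as the query the challenge echoes back: input spliced into the SQL text.
    q = f"select * from users where username = '{username}' and password = '{password}'"
    return db.execute(q).fetchone() is not None


def login_parameterized(db: sqlite3.Connection, username: str, password: str) -> bool:
    # Bound parameters: quotes, 'or' and '--' inside the value are data, not SQL syntax.
    q = "select * from users where username = ? and password = ?"
    return db.execute(q, (username, password)).fetchone() is not None
```

The same rejection applies to traceroute input; a hostname-based tool would instead validate against a strict hostname pattern before building the argv list.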
Technical Commands Extracted
From the “Looking Glass” challenge (command injection):
- ping -c1 139.59.189.170 (assumed base command executed by the application)
- 139.59.189.170 && ls (used to test for command injection and list files in the current directory)
- 139.59.189.170 ; ls / (used to list files in the root directory)
- 139.59.189.170 ; cat /flag_xxxx (used to display the content of the flag file, where flag_xxxx is the name of the flag file found)
From the “Sanitize” challenge (SQL injection):
- select * from users where username = 'admin' and password = 'admin' (the vulnerable SQL query)
- Username payload: admin' or '1'='1' --