Premise

In this video walkthrough, we covered the steps taken to test for the presence of a SQL injection vulnerability. We used TryHackMe Advent of Cyber 2 / Day 5 / Someone stole Santa’s gift list! as a practical scenario.

Challenge Description

After last year’s attack, Santa and the security team have worked hard on reviving Santa’s personal portal. Hence, ‘Santa’s forum 2’ went live.

After the attack, logs have revealed that someone found Santa’s panel on the website and logged into his account! After doing so, they were able to dump the whole gift list database, getting all the 2020 gifts in their hands. An attacker has threatened to publish a wishlist.txt file containing all the information, but happily for us, he was caught by the CBI (Christmas Bureau of Investigation) before that. On MACHINE_IP:8000 you’ll find the copy of the website, and your goal is to replicate the attacker’s actions by dumping the gift list!

Challenge Questions

  • Without using directory brute forcing, what’s Santa’s secret login panel?
  • How many entries are there in the gift database?
  • What did Paul ask for?
  • What is the flag?
  • What is admin’s password?

Answers / Day 5

Without using directory brute forcing, what’s Santa’s secret login panel?

Visit Santa’s secret login panel and bypass the login using SQLi

How many entries are there in the gift database?

What did Paul ask for?

What is the flag?

What is admin’s password?

Video Walkthrough