TryHackMe: Web Fundamentals (Supplements)
author: Nathan Acks
date: 2022-02-02
Game Zone
Obtain Access via SQLi
Another way to prevent the trailing space (after the comment marker “--”) from being eaten when trying to inject SQL is to add an additional character (i.e., “-- -”).
Using SQLMap
SQLMap supports a handy -r flag that loads the request from a file. When using a request file there’s no need to specify a URL or post data, as this information is (obviously) included in the request. This is particularly handy if you’re trying to inject SQL on a page behind a login form, and thus need to present a session cookie.
The easiest way to generate a request file is to simply capture the request you want to use as the template for your attack with Burp Suite and then save it off to a file (you can use “Copy to file” from the right-click menu to do this).
Exposing Services with Reverse SSH Tunnels
ss is a netstat-like tool with slightly nicer formatting; ss -tulpn will produce a nice list of open ports.
-t- Display TCP sockets-u- Display UDP sockets-l- Display listening sockets (not just established connections)-p- Show the process using the socket (broken?)-n- Show raw port numbers (not named services)
Privilege Escalation with Metasploit
Oof. The key to successfully running the Metasploit module here is to remember that even if you’re exploiting a hidden service on the target over an SSH tunnel, the exploit doesn’t know about that tunnel and will be connecting back to you over the regular network!