TryHackMe: Web Fundamentals (Supplements)

author: Nathan Acks
date: 2022-02-02

Game Zone

Obtain Access via SQLi

Another way to prevent the trailing space (after the comment marker “--”) from being eaten when trying to inject SQL is to add an additional character (i.e., “-- -”).

Using SQLMap

SQLMap supports a handy -r flag that loads the request from a file. When using a request file there’s no need to specify a URL or post data, as this information is (obviously) included in the request. This is particularly handy if you’re trying to inject SQL on a page behind a login form, and thus need to present a session cookie.

The easiest way to generate a request file is to simply capture the request you want to use as the template for your attack with Burp Suite and then save it off to a file (you can use “Copy to file” from the right-click menu to do this).

Exposing Services with Reverse SSH Tunnels

ss is a netstat-like tool with slightly nicer formatting; ss -tulpn will produce a nice list of open ports.

Privilege Escalation with Metasploit

Oof. The key to successfully running the Metasploit module here is to remember that even if you’re exploiting a hidden service on the target over an SSH tunnel, the exploit doesn’t know about that tunnel and will be connecting back to you over the regular network!

Jurassic Park

See my Jurassic Park CTF write-up.