TryHackMe: Web Fundamentals (Supplements)
- author:: Nathan Acks
- date:: 2022-02-02
Obtain Access via SQLi
Another way to prevent the trailing space (after the comment marker “
--”) from being eaten when trying to inject SQL is to add an additional character (i.e., “
SQLMap supports a handy
-r flag that loads the request from a file. When using a request file there’s no need to specify a URL or post data, as this information is (obviously) included in the request. This is particularly handy if you’re trying to inject SQL on a page behind a login form, and thus need to present a session cookie.
The easiest way to generate a request file is to simply capture the request you want to use as the template for your attack with Burp Suite and then save it off to a file (you can use “Copy to file” from the right-click menu to do this).
Exposing Services with Reverse SSH Tunnels
ss is a
netstat-like tool with slightly nicer formatting;
ss -tulpn will produce a nice list of open ports.
-t- Display TCP sockets
-u- Display UDP sockets
-l- Display listening sockets (not just established connections)
-p- Show the process using the socket (broken?)
-n- Show raw port numbers (not named services)
Privilege Escalation with Metasploit
Oof. The key to successfully running the Metasploit module here is to remember that even if you’re exploiting a hidden service on the target over an SSH tunnel, the exploit doesn’t know about that tunnel and will be connecting back to you over the regular network!