11 April 2021

Pentesting Fun Stuff

following the cyber security path…

Jurassic Park

Port scanning

Starting with a fast port scan to see which ports are open.

Then more options specific targeted on the open ports to get more information.

Not much information, and a misspelled "Jarassic Park" as the title of the website.

On the main page the misspelled name appears again... maybe it's not a misspelling but a hint at JAR files?

In the source code there is a comment:

Some web enumeration shows a folder.

There is also a shop with a parameter in the URI. When I replace the number with a single quote, I get a very nice result.

And at the bottom the text: YOU DIDN’T SAY THE MAGIC WORD! Try SqlMap.. I dare you..

But when I enter a double quote I get a better result: an SQL error.

Before continuing with the SQLi option, I first want to check out the parameter itself.

So there is some useful information when entering id=5.

OK... so let's recap what we have so far.

There is a parameter which is vulnerable to SQLi, but there are some defensive settings in place. I have sqlmap running in the background with WAF tamper options, but it has not found anything viable. So until I can let sqlmap dump the database, I have to do some manual labor myself.
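To make the defensive point concrete, here is an added example (not code from the room or this write-up) that models the shop lookup in two forms: one that pastes the raw `id` value into the statement, so a stray quote produces the database error seen above, and one that validates the type and binds the value, so neither the error nor the injection can occur. The table, item names and prices are constructed stand-ins.

```python
import sqlite3

# Constructed stand-in for the shop table (names and prices are made up).
SHOP_ROWS = [
    (1, "Velociraptor feed", 19.99),
    (5, "Electric fence kit", 249.00),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE shop (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO shop VALUES (?, ?, ?)", SHOP_ROWS)
    return conn


def lookup_vulnerable(conn, id_param):
    """Pastes the raw ?id= value into the statement. A stray quote breaks the
    SQL and the database error surfaces to the client, which is what the
    write-up observes; a crafted value could change the query instead."""
    sql = "SELECT name, price FROM shop WHERE id = " + id_param
    return conn.execute(sql).fetchone()


def lookup_safe(conn, id_param):
    """Validates the type first, then binds the value as a parameter; the
    database never parses user input as SQL, so a keyword filter or WAF
    rule is not needed to stop the injection."""
    try:
        item_id = int(id_param)
    except ValueError:
        raise ValueError("id must be an integer") from None
    return conn.execute(
        "SELECT name, price FROM shop WHERE id = ?", (item_id,)
    ).fetchone()


def probe(fn, id_param):
    """Runs one lookup against a fresh database and reports what a client
    would see: a row, a generic rejection, or the class of SQL error raised."""
    conn = make_db()
    try:
        return ("row", fn(conn, id_param))
    except sqlite3.Error as e:
        return ("sql_error", type(e).__name__)
    except ValueError:
        return ("rejected", None)


if __name__ == "__main__":
    for value in ("5", "5'", '5"'):
        print(value, probe(lookup_vulnerable, value), probe(lookup_safe, value))
```

The vulnerable lookup reports an `OperationalError` for both quote probes, which is the kind of verbose error the write-up relies on; the safe lookup returns the same row for a valid id and a plain rejection otherwise.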

SQL Injection

#1 What is the SQL database called which is serving the shop information?

#2 How many columns does the table have?

That’s clear from the previous command: 5

#3 What's the system version?

#4 What is dennis’ password?

Because there is a filter on 'username', I need to guess the table and column names a bit. After a little while I get a password.

#5 Locate and get the first flag contents.

#6 What's the contents of the second flag?

#7 What's the contents of the third flag?

#8 What's the contents of the fourth flag?

But there is no /tmp/flagFour.txt. Reading the Discord chatroom, this is confirmed by the creator of the room.

#9 What's the contents of the fifth flag?
