Another walkthrough, this time of the Avengers Blog room on the TryHackMe platform. THM describes this room as “A beginner guide to SQL and Command Injection”.
Deploy the target machine
Q1. On the deployed Avengers machine you recently deployed, get the flag1 cookie value.
I performed an nmap scan against the target. Ports 21 (FTP), 22 (SSH) and 80 (HTTP) were found to be open. I loaded the web application at http://10.10.147.107:80 and used the browser's Inspect Element feature to look at the cookies set by the site; the flag1 cookie value was visible there.
Q2. Look at the HTTP response headers and obtain flag 2.
I used Inspect Element again, this time the Network tab, to review the HTTP response headers for the page. The flag was present as a custom response header.
Q3. Look around the FTP share and read flag 3!
The home page contains a post by Rocket that leaks a username and password combination, groot:iamgroot. Since port 21 was open, I tried those credentials against FTP, as shown in the screenshot below.
After authenticating, I listed the files on the share, found the flag file, and downloaded it from the target to my machine.
Q4. What is the directory that has an Avengers login?
I used Gobuster with the /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt wordlist to brute-force directories on the web server. /portal came back as a valid path, and http://10.10.147.107/portal was the Avengers login page.
Q5. Log into the Avengers site. View the page source, how many lines of code are there?
The Avengers site requires authentication, and the room hints that SQL injection is the way in. I used the classic payload ' OR 1=1 -- (with a space after the comment marker) in the login form to bypass the prompt: the single quote closes the string literal the application builds around the input, OR 1=1 makes the WHERE clause true for every row, and -- comments out the rest of the query, including the password check. Once logged in, I used View Page Source to view the HTML of the application; the leftmost column of the source viewer shows the line numbers, and the last one is the answer.
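To show why ' OR 1=1 -- works, here is an added Python example (not code from the room or its author) that builds the same kind of login query two ways against an in-memory SQLite database holding one constructed user, admin:S3cret!. The concatenated query accepts the payload; the parameterised one treats it as an ordinary, non-matching username. One caveat worth knowing: SQLite and PostgreSQL accept -- followed directly by text, while MySQL requires whitespace after the two dashes, which is why the payload is usually written with a trailing space.

```python
import sqlite3

# Constructed sample data for the demo, not the room's real database.
# Real applications store password hashes; plaintext keeps the example short.
SAMPLE_USERS = [("admin", "S3cret!")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database containing the constructed sample user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """Build the login query by string formatting: the bug that lets ' OR 1=1 -- work.

    With username = "' OR 1=1 -- " the result is
      SELECT username FROM users WHERE username = '' OR 1=1 -- ' AND password = '...'
    and everything after -- is a comment, so the password is never checked.
    """
    return (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Authenticate with the concatenated query. Returns the matched username or None."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same check with bound parameters: the input is data and can never become SQL syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 -- "
    print(build_vulnerable_query(payload, "anything"))
    print("vulnerable login returns:", login_vulnerable(db, payload, "anything"))
    print("parameterised login returns:", login_safe(db, payload, "anything"))
```

Run it and the first print shows the rewritten query; the vulnerable function returns admin for the payload while the parameterised one returns None, and only the real credentials log in through the safe path.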
Q6. Read the contents of flag5.txt
The portal has a prompt that runs a command on the server. Commands executed, but each request started from a preset working directory, so I had to chain commands with ; to get the full flow into a single request. cd ..;ls listed the flag file in the parent directory. When I tried cd ..;ls;cat flag5.txt, the command was not allowed, and cd ..;ls;head flag5.txt was blocked too. The application is evidently filtering on a denylist of command names rather than refusing shell metacharacters, so any file reader that is not on the list still works. less is one such alternative to cat, and cd ..;less flag5.txt printed the flag contents.
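The filter behaviour above, a denylist of command names sitting in front of a shell, is worth seeing side by side with the design that actually stops the attack. The following is an added Python example and not the room's code; the DENIED_COMMANDS set (built from the two commands the room blocked) and the ALLOWED_COMMANDS set are assumptions constructed for the demo, and the inputs are the three command lines tried above. It shows the denylist blocking cat and head but passing less, and an allowlist plus shell-free execution rejecting the chained command outright.

```python
import shlex
import subprocess

# Assumption: the portal's filter is a denylist of command names. This set is constructed
# for the demo from the two commands the room refused; the real list is unknown.
DENIED_COMMANDS = {"cat", "head"}

# Hardened design: an allowlist of programs the feature is meant to expose (demo values),
# executed without a shell so nothing else can be chained onto them.
ALLOWED_COMMANDS = {"ls", "pwd", "echo", "whoami"}

# Tokens shlex emits for shell control operators when punctuation_chars=True.
SHELL_OPERATORS = {";", "|", "||", "&", "&&", "<", ">", ">>", "(", ")"}


def tokenize(cmdline: str) -> list:
    """Split a command line shell-style; ; | & < > ( ) become their own tokens."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def denylist_allows(cmdline: str) -> bool:
    """Naive filter: reject only if a blocked command name appears as a token.

    Any reader not on the list (less, tac, more, sed, awk, ...) passes, which is
    exactly the gap the less bypass in the walkthrough exploits.
    """
    return not any(tok in DENIED_COMMANDS for tok in tokenize(cmdline))


def run_vulnerable(cmdline: str) -> str:
    """What the portal appears to do: denylist check, then hand the whole string to a
    shell, so ; chains extra commands and cd .. escapes the preset directory."""
    if not denylist_allows(cmdline):
        return "command not allowed"
    return subprocess.run(cmdline, shell=True, capture_output=True, text=True).stdout


def validate(cmdline: str):
    """Allowlist validation: return an argv list to execute, or None if rejected.

    Refuses every shell operator token (so no chaining, piping or redirection) and
    every program whose name is not explicitly allowed. It never has to know which
    programs are 'dangerous'.
    """
    try:
        argv = tokenize(cmdline)
    except ValueError:  # unbalanced quotes and similar lexer errors
        return None
    if not argv:
        return None
    if any(tok in SHELL_OPERATORS for tok in argv):
        return None
    if argv[0] not in ALLOWED_COMMANDS:
        return None
    return argv


def run_safe(cmdline: str) -> str:
    """Execute only a validated argv, with no shell, so arguments stay data."""
    argv = validate(cmdline)
    if argv is None:
        return "command not allowed"
    return subprocess.run(argv, shell=False, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for attempt in ("cd ..;ls;cat flag5.txt", "cd ..;ls;head flag5.txt", "cd ..;less flag5.txt"):
        print(f"{attempt!r:30} denylist allows: {str(denylist_allows(attempt)):5} "
              f"allowlist argv: {validate(attempt)}")
```

The denylist passes the third attempt, which is the bypass used in the room. validate rejects all three because they contain ;, and it would also reject a bare less flag5.txt because less is not an allowed program. Running the surviving argv with shell=False means that even an allowed program receives the remaining tokens as plain arguments, not as shell syntax.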
The above questions complete this room. To summarise: I ran an nmap scan to identify the open ports and services. To read the cookie and header flags I used the browser's Inspect Element feature. The credentials posted on the home page let me authenticate to FTP and fetch the FTP flag. To find the Avengers login page I used Gobuster to brute-force directory paths. Because the next question asks about the HTML source of the authenticated page, I had to get into the portal: SQL injection bypassed the login, and View Page Source gave the length of the HTML. As the last step, a bit of searching turned up less as an alternative to cat and head, both of which were blocked by the command filter.
I hope this walkthrough helps you understand the questions and get past any you are stuck on.