SQL injection attack (10 Marks)

- Reading about the lab information
- Install Burp Suite for the lab
- Set up the Burp Suite proxy to intercept requests in Burp (the default browser does not work on arm64)
- Intercept the request while visiting the Accessories page
- Here we can modify the parameter to retrieve the username and password from the users table, because the column names are also given in the lab sheet
- Log in as administrator using the password 6wc6uwakprvewyugfqrc
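The step above works because the category value is spliced straight into the SQL text, so a UNION clause in the parameter is executed as part of the query. The following is an added example (not code from the lab or from the original write-up) that reproduces the defect against a constructed in-memory SQLite schema and shows the parameterised version that the same input cannot affect. Table and column names follow the lab sheet; the passwords are constructed placeholders.

```python
import sqlite3


def build_db():
    """Constructed in-memory schema mirroring the lab: a products table filtered
    by category, and a users table with the column names from the lab sheet."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, category TEXT, released INTEGER);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products VALUES
            ('Lamp', 'Accessories', 1), ('Hat', 'Accessories', 1), ('Chair', 'Furniture', 1);
        INSERT INTO users VALUES
            ('administrator', 'constructed-admin-pw'), ('ar', 'constructed-user-pw');
    """)
    return conn


def products_vulnerable(conn, category):
    # Vulnerable: the request parameter is pasted into the SQL string, so any
    # quote and SQL keywords in it become part of the statement.
    sql = (
        "SELECT name, category FROM products "
        f"WHERE category = '{category}' AND released = 1"
    )
    return conn.execute(sql).fetchall()


def products_safe(conn, category):
    # Hardened: the value is bound as a parameter; the database never parses it
    # as SQL, so a category of "' UNION ..." simply matches no product.
    sql = "SELECT name, category FROM products WHERE category = ? AND released = 1"
    return conn.execute(sql, (category,)).fetchall()


# The kind of value the intercepted category parameter is changed to in the lab:
# the UNION needs the same column count (2) as the original SELECT, and the
# trailing comment discards the rest of the original WHERE clause.
PAYLOAD = "' UNION SELECT username, password FROM users--"


if __name__ == "__main__":
    db = build_db()
    print("normal request:   ", products_vulnerable(db, "Accessories"))
    print("vulnerable + payload:", products_vulnerable(db, PAYLOAD))
    print("parameterised + payload:", products_safe(db, PAYLOAD))
```

Running the module prints the two product rows for a normal request, the two user rows for the vulnerable function fed the payload, and an empty list for the parameterised function. Note that column-count matching is what makes the UNION succeed; a query selecting a different number of columns would error instead of leaking, which is why the response to a malformed payload is itself a useful signal in server logs.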
Performing brute force password guess (10 Marks)

- Intercept the login request (POST /login)
- Send the username field to Intruder
- Set up the attack by adding the configuration
- This proves that 'ar' is a valid username, so set ar as the username and brute-force the password
- Add the candidate passwords and set up the attack
- We got the password: montana is the password, because the response contains a session ID, meaning we successfully logged in
- Successfully logged in as user ar using password montana
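From the server's side, the attack above leaves a distinctive trace: a burst of POST /login requests from one client, each answered with the re-rendered form, followed by the one that is answered with a redirect and a session cookie. The following is an added example (not part of the original write-up or of the lab) of detection logic run over a constructed access-log sample. It assumes the lab's behaviour that a failed login returns 200 and a successful one returns 302; the IP addresses and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common log format: client ip, timestamp, request line, status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')

# Constructed access-log sample: one client hammers POST /login and is answered
# with 200 (form re-rendered with an error) until a 302 (redirect after a
# successful login) appears; a second client makes a single typo then logs in.
SAMPLE_LOG = """\
198.51.100.7 - - [11/Feb/2025:13:40:01 +0000] "POST /login HTTP/1.1" 200 1843
198.51.100.7 - - [11/Feb/2025:13:40:02 +0000] "POST /login HTTP/1.1" 200 1843
198.51.100.7 - - [11/Feb/2025:13:40:02 +0000] "POST /login HTTP/1.1" 200 1843
198.51.100.7 - - [11/Feb/2025:13:40:03 +0000] "POST /login HTTP/1.1" 200 1843
198.51.100.7 - - [11/Feb/2025:13:40:03 +0000] "POST /login HTTP/1.1" 200 1843
198.51.100.7 - - [11/Feb/2025:13:40:04 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.7 - - [11/Feb/2025:13:40:05 +0000] "GET /my-account HTTP/1.1" 200 2210
203.0.113.9 - - [11/Feb/2025:13:41:10 +0000] "POST /login HTTP/1.1" 200 1843
203.0.113.9 - - [11/Feb/2025:13:41:30 +0000] "POST /login HTTP/1.1" 302 0
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path, int(status)


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag every client that made at least `threshold` failed POST /login
    attempts inside a sliding window of `window_seconds`.

    Returns {ip: {"failures": total_failed_logins, "succeeded_after": bool}},
    where succeeded_after is True when a 302 follows the burst, i.e. the
    guessing most likely found a valid password and the account needs action.
    """
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        if method == "POST" and path == "/login":
            attempts[ip].append((when, status))

    alerts = {}
    for ip, events in attempts.items():
        events.sort()
        fails = [t for t, s in events if s == 200]
        for i in range(len(fails)):
            j = i + threshold - 1          # end of a window holding `threshold` failures
            if j < len(fails) and (fails[j] - fails[i]).total_seconds() <= window_seconds:
                last_fail = fails[j]
                succeeded = any(s == 302 and t >= last_fail for t, s in events)
                alerts[ip] = {"failures": len(fails), "succeeded_after": succeeded}
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

With the default threshold only 198.51.100.7 is reported, with five failures and `succeeded_after` set, which is the case that warrants forcing a password reset and invalidating the session rather than merely rate-limiting. The same sliding-window count is what a lockout or rate-limit on the login endpoint would enforce in real time, which is the control this lab's target lacks.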
Performing Passive Reconnaissance (10 Marks)

Domain Name | IP Address | Location | Contact Person | Address and Phone Number
---|---|---|---|---
Tryhackme.com | 104.22.55.228 | USA | technical, administrator | 12061 Bluemont Way, Reston VA 20190 USA / +1 703 925-6999
example.com | 23.192.228.80 | - | RESERVED-Internet Assigned Numbers Authority | -
www.hackthebox.eu | 104.18.8.132 | EU | Peter Janssen | Telecomlaan 9, Diegem 1831, Belgium
```
╭─ ~ ──────────────────────────────────────────── 5s base 11:57:43 ─╮
╰─❯ ping tryhackme.com ─╯
PING tryhackme.com (104.22.55.228): 56 data bytes
64 bytes from 104.22.55.228: icmp_seq=0 ttl=54 time=176.460 ms
64 bytes from 104.22.55.228: icmp_seq=1 ttl=54 time=211.901 ms
^C
--- tryhackme.com ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 176.460/194.180/211.901/17.721 ms

╭─ ~ ───────────────────────────────────────────────── base 15:33:22 ─╮
╰─❯ ping example.com ─╯
PING example.com (23.192.228.80): 56 data bytes
64 bytes from 23.192.228.80: icmp_seq=0 ttl=48 time=289.484 ms
64 bytes from 23.192.228.80: icmp_seq=1 ttl=48 time=324.510 ms
64 bytes from 23.192.228.80: icmp_seq=2 ttl=48 time=212.180 ms
^C
--- example.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 212.180/275.391/324.510/46.929 ms

╭─ ~ ──────────────────────────────────────────── 4s base 15:33:45 ─╮
╰─❯ ping www.hackthebox.eu ─╯
PING www.hackthebox.eu (104.18.8.132): 56 data bytes
64 bytes from 104.18.8.132: icmp_seq=0 ttl=54 time=50.614 ms
64 bytes from 104.18.8.132: icmp_seq=1 ttl=54 time=48.501 ms
^C
--- www.hackthebox.eu ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 48.501/49.557/50.614/1.057 ms
```
```
╭─ ~ ──────────────────────────────────────────── 3s base 15:34:51 ─╮
╰─❯ whois example.com ─╯
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

domain: EXAMPLE.COM
organisation: Internet Assigned Numbers Authority
created: 1992-01-01
source: IANA
```
```
╭─ ~ ───────────────────────────────────────────────── base 15:45:54 ─╮
╰─❯ whois tryhackme.com ─╯
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer: whois.verisign-grs.com

domain: COM

organisation: VeriSign Global Registry Services
address: 12061 Bluemont Way
address: Reston VA 20190
address: United States of America (the)

contact: administrative
name: Registry Customer Service
organisation: VeriSign Global Registry Services
address: 12061 Bluemont Way
address: Reston VA 20190
address: United States of America (the)
phone: +1 703 925-6999
fax-no: +1 703 948 3978
e-mail: info@verisign-grs.com

contact: technical
name: Registry Customer Service
organisation: VeriSign Global Registry Services
address: 12061 Bluemont Way
address: Reston VA 20190
address: United States of America (the)
phone: +1 703 925-6999
fax-no: +1 703 948 3978
e-mail: info@verisign-grs.com

nserver: A.GTLD-SERVERS.NET 192.5.6.30 2001:503:a83e:0:0:0:2:30
nserver: B.GTLD-SERVERS.NET 192.33.14.30 2001:503:231d:0:0:0:2:30
nserver: C.GTLD-SERVERS.NET 192.26.92.30 2001:503:83eb:0:0:0:0:30
nserver: D.GTLD-SERVERS.NET 192.31.80.30 2001:500:856e:0:0:0:0:30
nserver: E.GTLD-SERVERS.NET 192.12.94.30 2001:502:1ca1:0:0:0:0:30
nserver: F.GTLD-SERVERS.NET 192.35.51.30 2001:503:d414:0:0:0:0:30
nserver: G.GTLD-SERVERS.NET 192.42.93.30 2001:503:eea3:0:0:0:0:30
nserver: H.GTLD-SERVERS.NET 192.54.112.30 2001:502:8cc:0:0:0:0:30
nserver: I.GTLD-SERVERS.NET 192.43.172.30 2001:503:39c1:0:0:0:0:30
nserver: J.GTLD-SERVERS.NET 192.48.79.30 2001:502:7094:0:0:0:0:30
nserver: K.GTLD-SERVERS.NET 192.52.178.30 2001:503:d2d:0:0:0:0:30
nserver: L.GTLD-SERVERS.NET 192.41.162.30 2001:500:d937:0:0:0:0:30
nserver: M.GTLD-SERVERS.NET 192.55.83.30 2001:501:b1f9:0:0:0:0:30
ds-rdata: 19718 13 2 8acbb0cd28f41250a80a491389424d341522d946b0da0c0291f2d3d771d7805a

whois: whois.verisign-grs.com

status: ACTIVE
remarks: Registration information: http://www.verisigninc.com

created: 1985-01-01
changed: 2023-12-07
source: IANA

# whois.verisign-grs.com

Domain Name: TRYHACKME.COM
Registry Domain ID: 2282723194_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2021-05-01T19:43:23Z
Creation Date: 2018-07-05T19:46:15Z
Registry Expiry Date: 2027-07-05T19:46:15Z
Registrar: NameCheap, Inc.
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: KIP.NS.CLOUDFLARE.COM
Name Server: UMA.NS.CLOUDFLARE.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2025-02-11T10:15:44Z <<<

# whois.namecheap.com

Domain name: tryhackme.com
Registry Domain ID: 2282723194_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2021-05-01T19:43:23.31Z
Creation Date: 2018-07-05T19:46:15.00Z
Registrar Registration Expiration Date: 2027-07-05T19:46:15.00Z
Registrar: NAMECHEAP INC
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.9854014545
Reseller: NAMECHEAP INC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Redacted for Privacy
Registrant Organization: Privacy service provided by Withheld for Privacy ehf
Registrant Street: Kalkofnsvegur 2
Registrant City: Reykjavik
Registrant State/Province: Capital Region
Registrant Postal Code: 101
Registrant Country: IS
Registrant Phone: +354.4212434
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: a70a4ff6d25041a48378997194f9e834.protect@withheldforprivacy.com
Registry Admin ID:
Admin Name: Redacted for Privacy
Admin Organization: Privacy service provided by Withheld for Privacy ehf
Admin Street: Kalkofnsvegur 2
Admin City: Reykjavik
Admin State/Province: Capital Region
Admin Postal Code: 101
Admin Country: IS
Admin Phone: +354.4212434
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: a70a4ff6d25041a48378997194f9e834.protect@withheldforprivacy.com
Registry Tech ID:
Tech Name: Redacted for Privacy
Tech Organization: Privacy service provided by Withheld for Privacy ehf
Tech Street: Kalkofnsvegur 2
Tech City: Reykjavik
Tech State/Province: Capital Region
Tech Postal Code: 101
Tech Country: IS
Tech Phone: +354.4212434
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: a70a4ff6d25041a48378997194f9e834.protect@withheldforprivacy.com
Name Server: kip.ns.cloudflare.com
Name Server: uma.ns.cloudflare.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2025-02-10T10:52:05.85Z <<<
```
```
╭─ ~ ──────────────────────────────────────────── 8s base 15:46:09 ─╮
╰─❯ whois hackthebox.eu ─╯
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer: whois.eu

domain: EU

organisation: EURid vzw/asbl
address: Telecomlaan 9
address: Diegem 1831
address: Belgium

contact: administrative
name: Peter Janssen
organisation: EURid vzw
address: Telecomlaan 9
address: Diegem 1831
address: Belgium
phone: +32 2 401 27 50
fax-no: +32 2 401 27 51
e-mail: domain-admin@eurid.eu

contact: technical
name: Technical Department
organisation: EURid vzw
address: Telecomlaan 9
address: Diegem 1831
address: Belgium
phone: +32 2 401 27 50
fax-no: +32 2 401 27 51
e-mail: domain-tech@eurid.eu

nserver: BE.DNS.EU 149.38.1.26
nserver: SI.DNS.EU 193.2.221.62 2001:1470:8000:100:0:0:0:62
nserver: W.DNS.EU 194.0.25.28 2001:678:20:0:0:0:0:28
nserver: X.DNS.EU 185.151.141.1 2a02:568:fe00:0:0:0:0:6575
nserver: Y.DNS.EU 194.146.106.90 2001:67c:1010:23:0:0:0:53
ds-rdata: 35926 8 2 89b9ef0445904e7c6074b5bece823c3e264fbd91c103d10bde603412343ce70c

whois: whois.eu

status: ACTIVE
remarks: Registration information: http://www.eurid.eu

created: 2005-04-28
changed: 2024-05-22
source: IANA

# whois.eu

% The WHOIS service offered by EURid and the access to the records
% in the EURid WHOIS database are provided for information purposes
% only. It allows persons to check whether a specific domain name
% is still available or not and to obtain information related to
% the registration records of existing domain names.
%
% EURid cannot, under any circumstances, be held liable in case the
% stored information would prove to be wrong, incomplete or not
% accurate in any sense.
%
% By submitting a query, you agree not to use the information made
% available to:
%
% - allow, enable or otherwise support the transmission of unsolicited,
% commercial advertising or other solicitations whether via email or
% otherwise;
% - target advertising in any possible way;
% - cause nuisance in any possible way by sending messages to registrants,
% whether by automated, electronic processes capable of enabling
% high volumes or by other possible means.
%
% Without prejudice to the above, it is explicitly forbidden to extract,
% copy and/or use or re-utilise in any form and by any means
% (electronically or not) the whole or a quantitatively or qualitatively
% substantial part of the contents of the WHOIS database without prior
% and explicit permission by EURid, nor in any attempt hereof, to apply
% automated, electronic processes to EURid (or its systems).
%
% You agree that any reproduction and/or transmission of data for
% commercial purposes will always be considered as the extraction of a
% substantial part of the content of the WHOIS database.
%
% By submitting the query, you agree to abide by this policy and accept
% that EURid can take measures to limit the use of its WHOIS services
% to protect the privacy of its registrants or the integrity
% of the database.
%
% The EURid WHOIS service on port 43 (textual WHOIS) never discloses
% any information concerning the registrant.
% Registrant and on-site contact information can be obtained through use of the
% web-based WHOIS service available from the EURid website www.eurid.eu
%
% WHOIS hackthebox.eu
Domain: hackthebox.eu
Script: LATIN

Registrant:
NOT DISCLOSED!
Visit www.eurid.eu for the web-based WHOIS.

Technical:
Organisation: Gandi SAS
Language: fr
Email: eu-tech@gandi.net

Registrar:
Name: GANDI
Website: https://www.gandi.net

Name servers:
jill.ns.cloudflare.com
cody.ns.cloudflare.com

Please visit www.eurid.eu for more info.
```
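A chained `whois` reply like the ones above is really three answers stapled together: the first block (lines starting with `%`, from the IANA root server) describes the top-level domain registry (here `COM` and VeriSign's address, or `EU` and EURid's), the `# whois.verisign-grs.com` block is the registry's thin record for the queried domain, and the `# whois.namecheap.com` block is the registrar's record, where the registrant contact fields turn out to be privacy-redacted. The following is an added example (not part of the original write-up) of a small parser that separates those sections so the TLD-registry contact is not mistaken for the domain's own contact person. It runs on a constructed excerpt modelled on the tryhackme.com output above; the `whois.iana.org` label for the first section is an assumption of the script.

```python
import re

# Constructed excerpt modelled on the chained reply printed by `whois tryhackme.com`.
SAMPLE_WHOIS = """\
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer:        whois.verisign-grs.com

domain:       COM

organisation: VeriSign Global Registry Services
address:      12061 Bluemont Way
address:      Reston VA 20190
phone:        +1 703 925-6999

# whois.verisign-grs.com

Domain Name: TRYHACKME.COM
Registrar WHOIS Server: whois.namecheap.com
Creation Date: 2018-07-05T19:46:15Z
Registrar: NameCheap, Inc.
Name Server: KIP.NS.CLOUDFLARE.COM
Name Server: UMA.NS.CLOUDFLARE.COM
>>> Last update of whois database: 2025-02-11T10:15:44Z <<<

# whois.namecheap.com

Domain name: tryhackme.com
Registrar: NAMECHEAP INC
Registrant Name: Redacted for Privacy
Registrant Organization: Privacy service provided by Withheld for Privacy ehf
Registrant Country: IS
Name Server: kip.ns.cloudflare.com
Name Server: uma.ns.cloudflare.com
"""

KV_RE = re.compile(r"^([A-Za-z][A-Za-z /-]*?):\s*(.*)$")


def split_sections(text):
    """Split a chained reply into (server, lines). The first section is the IANA
    root reply; each later one is introduced by the '# <server>' marker line."""
    sections, server, lines = [], "whois.iana.org", []
    for line in text.splitlines():
        if line.startswith("# "):
            sections.append((server, lines))
            server, lines = line[2:].strip(), []
        else:
            lines.append(line)
    sections.append((server, lines))
    return sections


def parse_fields(lines):
    """Collect 'key: value' pairs (keys lower-cased, repeated keys kept as lists),
    skipping '%' comment lines and the '>>> Last update' trailer."""
    fields = {}
    for line in lines:
        if line.startswith("%") or line.startswith(">>>"):
            continue
        m = KV_RE.match(line.strip())
        if m:
            fields.setdefault(m.group(1).strip().lower(), []).append(m.group(2).strip())
    return fields


def summarize_whois(text):
    sections = [(srv, parse_fields(lines)) for srv, lines in split_sections(text)]
    iana = sections[0][1]
    summary = {
        # What the IANA block actually describes: the TLD (e.g. "COM"), not the queried name.
        "tld_record_describes": iana.get("domain", [""])[0],
        "tld_registry": iana.get("organisation", [""])[0],
        "registrar": None, "created": None,
        "name_servers": [], "registrant_redacted": False,
    }
    for _server, f in sections[1:]:
        summary["registrar"] = f.get("registrar", [summary["registrar"]])[0]
        summary["created"] = f.get("creation date", [summary["created"]])[0]
        for ns in f.get("name server", []):
            if ns.lower() not in summary["name_servers"]:
                summary["name_servers"].append(ns.lower())
        for key, values in f.items():
            if key.startswith("registrant") and any(
                "redacted" in v.lower() or "not disclosed" in v.lower() for v in values
            ):
                summary["registrant_redacted"] = True
    return summary


if __name__ == "__main__":
    for k, v in summarize_whois(SAMPLE_WHOIS).items():
        print(f"{k}: {v}")
```

The summary makes the distinction explicit: `tld_record_describes` is `COM` and `tld_registry` is VeriSign, while the domain's own registrar, creation date and name servers come from the later sections and the registrant is redacted. For `.eu` names the registrar block uses a different layout (`Registrant:` followed by `NOT DISCLOSED!` on its own line, and a bare `Name servers:` list), so only the header-style fields are picked up there; the port-43 service states itself that it never discloses the registrant.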