Injectics TryHackMe Walkthrough | Medium + Unintended Way


h00dy
1.4K views • Jul 30, 2024

About this video

In this video we are doing TryHackMe's new CTF challenge, Injectics, made by [ https://tryhackme.com/p/1337rce ] and [ https://tryhackme.com/p/l000g1c ]. Here we have a basic website with a leaderboard on its homepage and two login endpoints. We found a script.js file that seems to filter out basic SQLi payloads such as [ SELECT, OR, ', " ]. We can bypass it either using Burp Suite or using our browser's console, copying and pasting the entire JS script with the filtered keywords removed. After that we got access to a dashboard where we can edit leaderboard data, and we can execute stacked queries in its input fields. We look at the manual approach, which is the unintended way to solve the box, and at the intended way: we found a mail.log file stating that if the users table in the DB gets deleted or corrupted, a running service will reset the default creds in the DB (and those creds are in mail.log). So we can just drop the users table and log in on the second login page we found with the superadmin creds. After logging in we found another endpoint where we can update our profile, and the input we put in the first name is reflected on the home page, which basically points us to SSTI. There are filters blocking some PHP functions like exec, shell_exec and system, but passthru isn't blocked, so we exploit SSTI in the Twig PHP template engine (we can tell it's Twig from a /composer.lock file found while dirbusting), get a reverse shell on the box and complete the challenge. Hope you'll learn something new. 🙏🚀❤️

Please leave a comment!
[ tryhackme - https://tryhackme.com/r/room/injectics ]

Check out 0xb0b's writeup:
[ https://0xb0b.gitbook.io/writeups/tryhackme/2024/injectics ]

⭐️ Video Contents ⭐
⌨️ 0:00 ⏩ Intro
⌨️ 0:13 ⏩ Starting CTF (Initial Enumeration)
⌨️ 5:07 ⏩ SQLi Filter Bypass on /login.php
⌨️ 13:43 ⏩ Using a stacked query attack and dropping the users table so the Injectics service resets the creds to default
⌨️ 14:59 ⏩ Logging in using the superadmin default creds on /adminLogin007.php
⌨️ 18:41 ⏩ Gaining shell on the box by exploiting SSTI on /update_profile.php
⌨️ 22:06 ⏩ Unintended way by manually dumping the creds from users table using SQLi
⌨️ 34:52 ⏩ Final POVs


Follow me on social media:
● https://twitter.com/hoodietramp

Github:
● https://github.com/hoodietramp

Support This Tramp!
Donations are not required but are greatly appreciated!
💸Ko-Fi: https://ko-fi.com/h00dy

#tryhackme #ctf #boot2root #redteam #walkthrough #pentesting

Video Information

Views: 1.4K
Likes: 24
Duration: 35:14
Published: Jul 30, 2024
