Conquer Olympus Using SQL Injection and Claim the Throne in this CTF Found on TryHackMe

Conquer Olympus Using SQL Injection and Claim the Throne in this CTF Found on TryHackMe

Aug 4, 2023ยท

3 min read

Play this article

This walkthrough covers the Olympus CTF found on TryHackMe. The goal of this challenge is to exploit an SQLi vulnerability in a CMS, use sqlmap to acquire user credentials by extracting a database, identify a subdomain hosting a chat application, upload a reverse shell to establish a foothold on the system and take advantage of a poorly managed SUID binary to escalate privileges.

Step 1: What's Out There?

nmap -sS -sV -sC -p 22,80 olympus.thm --min-rate=1000

Step 2: FFUF

ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt:FUZZ -u http://olympus.thm/FUZZ -fc 403

We discovered a directory named ~webmaster, which is where the CMS is located.

Step 3: SQLi

Testing the Victor CMS search field feature reveals an SQLi:

'SELECT * FROM users WHERE username='' and password='' OR 1=1;

Let's capture this with Burp Suite and plug it into sqlmap to automate our injection attack.

Copy this over to a text editor and run it through sqlmap.

We discovered a flag in olympus, let's dump it.

Let's obtain our first flag.

sqlmap -r req.txt --batch --dump -T flag -D olympus

Now let's see what that user's table can offer us.

Juicy credentials, we can crack the password hash to prometheus and use it to log in to the chat application.

Step 4: Enumerate Subdomain

We discovered three users: root, zeus, and prometheus. Additionally, we discovered a subdomain called chat that can be added to our /etc/hosts list.

Let's enumerate the newly discovered subdomain.

I'm sure the uploads directory will play an important role later, in the meantime let's see if we can log in with these credentials.

And we're in. There looks to be an upload feature, let's see if we can upload a reverse shell.

It looks to have been uploaded somewhere, but not sure where. Let's go back to sqlmap and dump the chats table to see if the file name was changed upon uploading.

sqlmap -r req.txt --batch --dump -T chats -D olympus

Looks like it did. Let's copy this and see if we can visit and go to it using the /uploads/ directory we found earlier.

Going to the path drops us into a shell. Searching for SUID binaries reveals cputils.

We can copy over zeus id_rsa key and then ssh in with it.

Crack it using ssh2john and john-the-ripper.

Step 5: Privesc and Root

After looking around the file system for a while we discovered this:

Inside the PHP file seems to be a backdoor.

Running uname -a; w; /lib/defended/libc.so.99 drops us into a root shell.

This box was very difficult for me. I don't consider myself to be that knowledgeable on SQLi attacks, so I had to resort to a lot of googling to help me through. I will definitely give this box several more runs as I need to sharpen my command injection skills. As always, Happy Hacking!

Did you find this article valuable?

Support Jake Garrison by becoming a sponsor. Any amount is appreciated!

ย