It looks like we are given a replica of the site the attacker compromised to dump the gift list. We will need to see what is on port 8000 and try to dump the database ourselves.
First we need to locate the website, so let’s run an Nmap scan against our target.
nmap -p- -T4 10.10.1.129
We can see that the website is hosted on port 8000. Let’s check it out.
Looks pretty simple, but there isn't anything indicating a login page. The question wants you to find it without directory brute forcing. After a few guesses (secretpanel, panel, secret, santa), we finally try santapanel, which leads us to a login page.
Here we need to attempt to bypass the login. Head over to PayloadAllTheThings to try out some SQL Injection payloads. (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection)
A pretty common payload for SQL injection is ' OR 1=1, so let's try that. This doesn't let us into the page. Sometimes you can cut the SQL query short, so the password check is never evaluated, by adding two dashes (the SQL comment marker) to the end of your statement: --. The new payload is now ' OR 1=1--
This now lets us in, and we have successfully bypassed the login page.
We can intercept the request and response in Burp to see a redirect and a session token being assigned. Some applications will assign you a generic session token without being logged in, but in this case it only happens once you have successfully logged in.
Now we have access to the SantaPanel!
We need to discover how many gifts are in the database, as well as what Paul asked for. We can see there is a search option that we can try. Let's attempt to make the SQL statement always true and dump the database by inserting ' OR 1=1-- into the search field.
We were able to dump the Gift and Child tables. This is because we injected a condition that always evaluates to true, so the query returns every row instead of just the matching ones.
There may be other tables that we aren't seeing here, so let's use Burp and sqlmap to dump the entire database.
First intercept a search request in Burp and save it to a file by right-clicking the request and choosing save.
Now feed that file to sqlmap by entering sqlmap -r FileName in a terminal. We also need to bypass the Web Application Firewall (WAF) with a tamper script and tell sqlmap what kind of database we are attacking.
sqlmap -r databaserequest --tamper=space2comment --dump-all --dbms sqlite
When you are asked whether you want to continue, answer y.
This dumps out the entire database and gives us the rest of the flags.
sqlmap can automate SQL injection attempts. Once you gain access like this, you can pull a wide variety of information, as we did in this challenge. These attacks can dump entire databases, which often hold sensitive data, which is why every input field needs to be validated and every query built so that user input can never change its structure.