Lesson Learned? TryHackMe Machine Writeup
Lesson Learned? is an easy-level CTF room made by TryHackMe | Tib3rius. Machine link:
On starting the machine, I got a <MACHINE_IP>. I scanned it with nmap, which confirmed that only ports 80 and 22 were open.

I tried using gobuster to find any hidden files or directories, but didn't get anything special.

On opening the website in the browser, there is a simple login page:

I used the whatweb tool to see which web technologies this website uses. You can use Wappalyzer for this as well.
If you want to install whatweb, run the following command in your terminal:
sudo apt install whatweb

So, I tried the default credentials admin:admin, but got a message saying “Invalid username or password”.

So, I thought of trying SQL Injection payloads.
payloadbox/sql-injection-payload-list: 🎯 SQL Injection Payload List (github.com)
On trying the payload ' OR 1=1-- - , we get:

According to this error message, to bypass the login page I need only one record from the users table. So, I had to get at least one correct username.
So, after terminating and starting the machine again (as the error message says the flag is deleted and we have to reset the box), I tried using hydra to brute-force valid usernames.
hydra -L /usr/share/wordlists/SecLists/Usernames/xato-net-10-million-usernames.txt -p rockyou <MACHINE_IP> http-post-form "/:username=^USER^&password=^PASS^:Invalid username and password."

I tried using the username 'martin' and got this error message:

So, now I got a valid username: martin.
So, I crafted a payload: martin'; -- -
On passing this payload in the username field:
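Why the first payload fails the one-record check and the second passes it, and how a parameterized query stops both, as an added example that is not part of the original writeup or the room's code. The table layout, the query shape, the sample rows and the "exactly one row" login rule are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; plaintext passwords only to keep the demo short.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("martin", "s3cret-1"), ("alice", "s3cret-2"), ("bob", "s3cret-3")],
    )
    return db

def rows_vulnerable(db, username, password):
    # Deliberately vulnerable: user input is concatenated into the SQL text,
    # so a quote in the username ends the string and the rest is parsed as SQL.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchall()

def rows_parameterized(db, username, password):
    # Hardened: placeholders keep the input as data, never as SQL syntax.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchall()

def login(query, db, username, password):
    # Assumed application rule: succeed only when exactly one row matches.
    return len(query(db, username, password)) == 1

if __name__ == "__main__":
    db = make_db()
    for name in ("' OR 1=1-- -", "martin'; -- -"):
        matched = len(rows_vulnerable(db, name, "x"))
        print(f"{name!r}: vulnerable query matched {matched} row(s), "
              f"login={login(rows_vulnerable, db, name, 'x')}, "
              f"parameterized login={login(rows_parameterized, db, name, 'x')}")
```

With the concatenated query, `OR 1=1` matches every row and is rejected by the one-row rule, while the payload built on a valid username comments out the password check and matches exactly one row. With placeholders, both inputs are compared as literal usernames and match nothing.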
