HackTheBox Web Challenge: EzPz


We will be having a look at the HackTheBox web challenge “ezpz“. This is definitely an underrated challenge, but it is a good one.

As soon as you visit the instance URL, you are greeted with the page below, which shows several errors.

ezpz errors

The first error is easy to get around: it just means the server expects an obj parameter in the request.

obj parameter

However, we are still left with the second error. At first it looks like obj is expected to contain some serialized object data, but we cannot transport that in a request without encoding it.

It seems the server expects the obj parameter value to be base64-encoded; we can verify this by supplying the obj parameter with a different data type.

base64_decode(obj)

It seems obvious now that the server must accept some kind of serialized object encoded with base64. The error also reveals that the application expects an object with a property ID (the message complains about a “non-object”).

Non-object OBJ

Perfect, now we need to base64-encode this data and send it across, but we have to serialize it first.

Well, it still didn’t work. We don’t know whether the application code actually unserializes the data. What else can we try?

Next, we can try base64-encoding JSON data instead and see if that works.

Perfect, we can now try changing the ID value and see if we get different output.

Good advice

We could keep brute-forcing the ID value and see where it leads, but that is not the way here. Let’s try putting something else in it.

SQL Injection

SQL Injection (SQLi) is a type of an injection attack that makes it possible to execute malicious SQL statements. These statements control a database server behind a web application. Attackers can use SQL Injection vulnerabilities to bypass application security measures. They can go around authentication and authorization of a web page or web application and retrieve the content of the entire SQL database. They can also use SQL Injection to add, modify, and delete records in the database.

Acunetix
SQL error

Hmm, that looks like a MySQL query failed on the application side. Let’s write a simple Python script to make this process easier for us.

SQLi helper script

Well, it looks like our second query in the screenshot worked. Now it’s time to retrieve the data.
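To see why a non-numeric ID produced a database error, here is an added example (not the challenge’s code, which we never see) modelling the handler the write-up implies: a base64-decoded JSON object whose id is concatenated into the query, beside a parameterized version that rejects anything but an integer. The advice table, the sqlite3 stand-in for MySQL and all function names are assumptions.

```python
import base64
import json
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the challenge database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE advice (id INTEGER PRIMARY KEY, text TEXT)")
    conn.executemany("INSERT INTO advice VALUES (?, ?)",
                     [(1, "Good advice"), (2, "Other advice")])
    return conn


def encode_obj(value):
    """Build the obj parameter the write-up discovered: base64 over JSON."""
    return base64.b64encode(json.dumps({"id": value}).encode()).decode()


def decode_obj(obj_param):
    """Reverse that encoding and insist on an object carrying an 'id'."""
    data = json.loads(base64.b64decode(obj_param, validate=True))
    if not isinstance(data, dict) or "id" not in data:
        raise ValueError("obj must be a JSON object with an 'id' property")
    return data


def lookup_vulnerable(conn, obj_param):
    """Assumed vulnerable pattern: the decoded id is pasted into the SQL text."""
    obj = decode_obj(obj_param)
    query = "SELECT text FROM advice WHERE id = %s" % obj["id"]
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def lookup_hardened(conn, obj_param):
    """Fixed version: validate the type, then bind the value as a parameter."""
    obj = decode_obj(obj_param)
    try:
        advice_id = int(obj["id"])
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    row = conn.execute("SELECT text FROM advice WHERE id = ?",
                       (advice_id,)).fetchone()
    return row[0] if row else None


def probe(handler, conn, obj_param):
    """Return the handler's result, or the name of the exception it raised."""
    try:
        return handler(conn, obj_param)
    except Exception as exc:
        return type(exc).__name__
```

With the vulnerable handler a stray quote in the id surfaces as a database error, exactly the symptom seen in the screenshot; the hardened handler turns the same input into a validation error before any query runs.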

WAF

A web application firewall (or WAF) filters, monitors, and blocks HTTP traffic to and from a web application. A WAF is differentiated from a regular firewall in that a WAF is able to filter the content of specific web applications while regular firewalls serve as a safety gate between servers. By inspecting HTTP traffic, it can prevent attacks stemming from web application security flaws, such as SQL injection, cross-site scripting (XSS), file inclusion, and security misconfigurations.

Wikipedia
Whoopsie, application firewall kicks in

Now we have to figure out what the application’s WAF filters. We can identify this by splitting the string above into chunks and seeing which of them get blocked.

WAF results

The application’s WAF detects keywords and characters such as the comma and information_schema.tables, which are normally required to retrieve table names from the server. It is still possible to enumerate table names and work around the comma restriction, but that is something you will have to figure out yourself.

All I can do is point you in the right direction: https://github.com/s0wr0b1ndef/PayloadsAllTheThings/blob/master/SQL%20injection/README.md

One Reply to “HackTheBox Web Challenge: EzPz”

  1. Hi, I have issues getting any output from my SQL injections. I think I have a syntax issue. Can someone give a small example to get something like the version of the SQL?
