LAB: Battery
DIFFICULTY: Medium
TARGET: flag1.txt, flag2.txt, root.txt
TOOLS: Nmap, Gobuster, BurpSuite
VULNERABLE: SQL Truncation Attack, XML External Entity Injection
The web page itself shows nothing interesting, so we use Gobuster to find hidden directories.
I tried some fake credentials to check for information disclosure, rate limiting, or SQL injection. What I found instead is that the login page enforces a 12-character limit on the username field. We will come back to this, but first let’s register an account and see what the admin panel looks like.
I discovered reflected XSS in the Account Number parameter of the Transfer Money endpoint. The app reflects my input in the HTTP response without encoding or validating it, which allowed me to execute alert(document.cookie) and view the session cookie of John, the user we registered.
I also discovered that the app is vulnerable to HTML injection. By inserting HTML tags into the input field, I was able to alter the page’s content and inject custom messages, including the ‘HACKED!!!’ notice shown in the transaction failure message.
Visiting http://{LABS_IP_ADDRESS}/report downloads a file called report, which is an executable. We can run strings on it or open it in Ghidra. I always start simple, so let’s use strings:
I found a hardcoded admin email (admin@bank.a) inside the update() function. The code compares the email I supply with that hardcoded value: if they match, I am allowed to update the password; if not, I am denied. This means anyone can extract the email from the binary (with Ghidra or strings) and use it to reach admin functionality without authentication. We still need the password to log in, though.
Remember the flaws we found: the login form enforces a 12-character limit. We can use that to register as admin@bank.a by taking advantage of a SQL truncation flaw.
You can use Chromium in BurpSuite or FoxyProxy to capture the request. Go to the Proxy tab in BurpSuite and intercept the request to modify it.
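To make the truncation flaw concrete, here is a small model of the registration logic next to its hardened form. This is an added example, not the lab’s application code. It assumes the users table stores the email in a 12-character column and that the database silently truncates over-long values instead of rejecting them (MySQL does this unless strict SQL mode is enabled); rows are modelled as (email, password) tuples.

```python
# Added example (not the lab's code): model of the registration flaw and its
# fix. Assumption: the email column is VARCHAR(12) and the database truncates
# over-long values silently (non-strict MySQL behaviour).
from typing import List, Tuple

EMAIL_COLUMN_WIDTH = 12
Users = List[Tuple[str, str]]  # constructed in-memory stand-in for the table


def db_store(value: str) -> str:
    """Mimic non-strict truncation of a value that exceeds the column width."""
    return value[:EMAIL_COLUMN_WIDTH]


def email_taken(users: Users, email: str) -> bool:
    return any(row[0] == email for row in users)


def register_vulnerable(users: Users, email: str, password: str) -> bool:
    # The duplicate check runs on the raw input, so a longer string that only
    # differs after position 12 passes it ...
    if email_taken(users, email):
        return False
    # ... and the INSERT then truncates it to the same 12 characters as the
    # existing admin row, leaving two rows with identical emails.
    users.append((db_store(email), password))
    return True


def register_hardened(users: Users, email: str, password: str) -> bool:
    email = email.strip()
    # Validate length against the real column width instead of trusting the
    # front-end maxlength; a UNIQUE constraint plus strict SQL mode would make
    # the database refuse the row as well.
    if not email or len(email) > EMAIL_COLUMN_WIDTH:
        return False
    if email_taken(users, email):
        return False
    users.append((email, password))
    return True


def login(users: Users, email: str, password: str) -> bool:
    """Equivalent of WHERE email = ? AND password = ?: any matching row grants access."""
    return any(row == (email, password) for row in users)
```

The vulnerable handler only fails because uniqueness is checked on one string and a different (truncated) string is stored; the fix makes both checks operate on the value that will actually be written.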

If we go to the command tab, there is another form. Let’s check what happens in the background.
This is an XML request, so let’s simply try XXE (XML External Entity) injection.
After sending the request, the response shows the Linux system file that stores user account information.
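The root cause is that the endpoint parses attacker-supplied XML with DTD processing enabled. The following is an added example, not the lab’s code, of how that handler could refuse any document carrying a DOCTYPE before parsing it; the element names `<request><command>` and the sample bodies are assumptions, since the page does not show the real request.

```python
# Added example (not the lab's code): a defensive handler for the XML command
# request. It rejects any DOCTYPE declaration, the precondition for XXE, and
# only then parses the body. Element names are assumed, not from the page.
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class DtdNotAllowed(ValueError):
    """Raised when a request tries to declare a DTD."""


def reject_dtd(data: bytes) -> None:
    """Run a bare expat pass that aborts on the first DOCTYPE declaration."""
    parser = expat.ParserCreate()
    # Never resolve parameter entities or anything external during this pass.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE '{name}' is not accepted in requests")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(data, True)


def parse_command(data: bytes) -> str:
    """Return the <command> text of a DTD-free request, or raise."""
    reject_dtd(data)
    root = ET.fromstring(data)
    node = root.find("command")
    if node is None or not node.text:
        raise ValueError("request has no <command> element")
    return node.text.strip()


def accepts(data: bytes) -> bool:
    """True if the body would be processed, False if it is rejected."""
    try:
        parse_command(data)
        return True
    except (DtdNotAllowed, ValueError, ET.ParseError):
        return False


# Constructed sample bodies (not captured from the lab).
BENIGN = b"<request><command>status</command></request>"
HOSTILE = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE request [<!ENTITY ext SYSTEM "file:///some/local/file">]>'
           b"<request><command>&ext;</command></request>")

if __name__ == "__main__":
    print("benign accepted:", accepts(BENIGN))
    print("hostile accepted:", accepts(HOSTILE))
```

Refusing DTDs outright is simpler and safer than trying to allow "harmless" internal entities, and it also blocks entity-expansion denial of service; a request that legitimately needs a DTD should not be coming from an untrusted client.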
From that file we learn there are users called cyber and yash. We can log in to the SSH server with their credentials.
But first: I couldn’t read /acc.php directly, because the server executes PHP files instead of returning their source code. So I used php://filter/convert.base64-encode/resource= to read the file as Base64-encoded text, then decoded it to see the actual PHP code and look for passwords.
Now let’s decode it (an online decoder works fine).
After logging in, we have flag1.txt. Now let’s find the others. There is also a Python file called run.py, but it requires admin privileges. So let’s keep digging.
There are no other interesting files besides run.py. Now let’s run sudo -l and check what permissions cyber has.
Looking at the output, if we can edit or replace the run.py file, we can run any Python code as root.

The owner of the file is root, but we can edit or run it with sudo rights. So let’s create a new run.py and use it to get root access.
First, run mv run.py run.py.hack, then create the new file and run it.
In /home/yash we find flag2.txt. There is also a root.txt in the same folder, but it only prints a message. Let’s go to /root and finish the lab.
Hope you found it useful. If you have any other questions, I’m happy to help!!