<!--SPOILER ALERT! THIS IS A DETAILED WALK-THROUGH-->Freelancer is a web challenge on Hack the Box that shows us our way through an online portfolio that we are in charge of breaking into.
The source code shows us one very long line of HTML code that I decided to beautify with a simple web tool, and then searched for any comments or useful information. I did come across some interesting things:
- There is a comment pointing to a .php file
<!-— To configure the contact form email address, go to mail/contact_me.php and update the email address in the PHP file on line 19.--> But.. further investigation shows that there is no data on that page.
- There is a button hidden from certain screen sizes
<!-- Scroll to Top Button (Only visible on small and extra-small screen sizes) -->That button doesn’t lead to anything of interest either.
- I ran a gobuster directory bruteforce attack to see if there were any directories of interest and I find a directory that catches my attention.
/administratBrowsing to this directory I’m brought to an admin login page, but again.. nothing more of interest.
- I decide to take some time to get some more information behind the infrastructure of the portfolio. I know that they are running a .php backend and further looking at the source code I found a file:
/portfolio.phpRunning through a couple of the ID’s, I’m seeing that some of the response is altered depending on the ID of the request.
Through some trial and error I found that sqlmap could enumerate this for us.
I run:
sqlmap -u http://$IP:$PORT/portfolio.php?id=1 --tablesTo see if I could enumerate any tables behind the portfolio.
I was able to grab a couple tables, one particularly that caught my attention was the safeadmin table. I want all of the contents of this safeadmin table so I use a similar command to dump this information.
sqlmap -u http://$IP:$PORT/portfolio.php?id=1 -T safeadmin --dumpDoing a little digging will reward you with a juicy .php file containing our flag!
