Writeup was a box listed as “easy” on Hackthebox.eu. While it was technically easy, its use of fail2ban had the potential to slow down one’s progress toward user, and getting the root flag required careful enumeration under particular circumstances.
On a recent capture-the-flag event, I came across a web app that had a somewhat troublesome SQL injection vulnerability. Identifying that the query was vulnerable was easy enough, but fingerprinting the underlying database was troublesome. No matter what I tried to do to find the version or even just identify tables, usernames, etc. using standard MySQL and PostgreSQL queries and tables, I kept getting errors.
Eventually, it occurred to me to try SQLite, which is what it turned out to be. The really frustrating thing was that most of the SQL injection references I found didn't deal with SQLite, and developer tips for finding database metadata focused on using commands in the sqlite command-line tool, rather than SQL queries. Eventually I found a post on Stack Overflow that gave me the SQL I needed to find the data I was looking for.
Finding the SQLite version:
Finding tables and columns:
SELECT name FROM sqlite_master WHERE type = 'table';
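The metadata lookups described above, run against a throwaway in-memory database, as an added example that is not part of the original post. The schema, table names and helper function names are constructed for illustration; the last helper shows why MySQL and PostgreSQL idioms only produce errors on SQLite.

```python
import sqlite3

# Constructed sample schema; table and column names are hypothetical.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
CREATE TABLE posts (id INTEGER PRIMARY KEY, author_id INTEGER, body TEXT);
"""

# Version and catalog idioms from MySQL / PostgreSQL that SQLite does not implement.
FOREIGN_IDIOMS = [
    "SELECT @@version",
    "SELECT version()",
    "SELECT table_name FROM information_schema.tables",
]

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def engine_version(conn):
    # sqlite_version() is a built-in SQL function, so no CLI dot-command is needed.
    return conn.execute("SELECT sqlite_version()").fetchone()[0]

def table_names(conn):
    # sqlite_master is SQLite's schema catalog; one row per table, index, view, trigger.
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return [r[0] for r in rows]

def column_names(conn, table):
    # pragma_table_info() exposes PRAGMA table_info as a queryable table (SQLite 3.16+).
    rows = conn.execute("SELECT name FROM pragma_table_info(?)", (table,))
    return [r[0] for r in rows]

def failing_idioms(conn):
    # Returns the foreign idioms that SQLite rejects.
    failed = []
    for sql in FOREIGN_IDIOMS:
        try:
            conn.execute(sql).fetchall()
        except sqlite3.Error:
            failed.append(sql)
    return failed

if __name__ == "__main__":
    db = open_sample_db()
    print(engine_version(db), table_names(db), column_names(db, "users"))
    print("rejected by SQLite:", failing_idioms(db))
```

The strings sqlite_master, sqlite_version and pragma_table_info are also the ones to look for in request logs when reviewing an application backed by SQLite.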