1. Upon viewing the website and reading the blog posts you get two important clues:
    1. Someone logs in and views your comments as soon as their posted.
    2. They programmed a delay into the login SQL query to try and stop bruteforce attacks and also have complicated and long passwords.

2. When the site first loads a call is made to /api/posts to build the list of blog posts. This is done from blogger.min.js which is heavily obfuscated. But in here is some code which says if an option is set to true then add ?set_limit=LIMIT%200,10 to the end of the /api/posts requests. This is where we discover an endpoint which is vulnerable to SQLi.

3. Using a UNION based attack we can dump the data that we have access to which in this case is the blog posts and the users table which contain usernames and hashed passwords ( uncrackable )

4. Going back to the clues above about visiting the page when a comment is made and the SLEEP delay in the SQL query. We can post a comment and then UNION the information_schema.processlist table which will show the user paula logging in with her unhashsed password.

http://10.10.X.X/api/posts?set_limit=UNION%20SELECT%201,2,info,4%20from%20information_schema.processlist

5. While we’re here we can also list all of the INNODB files in the MySQL server using the below injection. This allows us to discover the database “servermanager” with the table admins ( we’ll hold onto this information for the next step )

http://10.10.X.X/api/posts?set_limit=UNION%20SELECT%201,2,PATH,4%20from%20information_schema.INNODB_DATAFILES

6. Now you have paula’s login details you need somewhere to login… viewing the robots.txt file you see /blogger_user_area end points and can now login. This is where you get your first flag.

7. In this dashboard you see some config information this is been retrieved using the blogger.min.js script from the endpoint /api/config?file=config.json the contents of the config.json are based64 encoded. Using this endpoint we can include any file on the system to be included ( apart from *.log and *.php ) remembering the servermanager database we discovered earlier we can download /var/lib/mysql/servermanager/admins.ibd decode it from base64 and run “strings” against it to reveal a plain text username and password for logging onto the server manager.

The config mentions the portal http://x3p78x-management-portal.thm adding this to your /etc/hosts file you can navigate to the site and using the admin username and password you found above you can login and get the admin flag.