Writeups
  • Table of contents
  • 🦌Hack@10 2021 Writeup
  • 📰Hack The Box (HTB) Paper
  • 🦨ICA1 Vulnhub Writeup
  • 🐣Lazy Status Web Pentest
  • 🐃Pico CTF 2021 Writeups
  • 🐈‍⬛🐈⬛ 🐈⬛ UnderTheWire Century
  • 🕊️UnderTheWire Cyborg
  • 📍Battle Of 1337
Powered by GitBook
On this page
  • Reconnaissance
  • Vulnerabilities
  • Privilege Escalation

Lazy Status Web Pentest

We were given a website at REDACTED , the task is to find out all the vulnerability in the website.

PreviousICA1 Vulnhub WriteupNextPico CTF 2021 Writeups

Last updated 2 years ago

Reconnaissance

Port scanning

First thing I did is scanning the ip address for any open port. From the scan we discovered:

  • two open port, ssh and http

  • robots.txt disallowed pages

  • server OS(linux)

Web Fuzzing

Then, i proceed to fuzz the directory of the website using ffuf and onelistforall wordlist to find any valuable directory or files.

Vulnerabilities

1) Information Disclosure

From the fuzzing process, we found several files and php configuration including:

  • phpinfo page

  • sql database

2) Command Injection

One of the function in the website is to add a url and ping the website. However, the function does not validate the input and accept any command inserted allowing us to exploit it by piping the url alongside other command.

We also found out that the website uses their own firewall called as AumWAF.class.php.

3) LFI (Local File Inclusion)

One of the page parameter, /page.php?page= is vulnerable to local file inclusion attack. LFI works by exposing the files on the web server. We can use a base64 php wrapper to bypass input filters page=php://filter/convert.base64-encode/resource= . Then, we can decode the base64 output to get the code for any page.

4) Secret admin page

We'll also be able to view the code for /s3cretadm1n. It seems that only admin can visit and use the system and eval parameter while other users will be redirected to home page.

We found a file called save_session.php in the server, here we can use the debug parameter to produce session based on the request we made. From my understanding what it it will do is:

  • If there is no session existing or it already expired, it will start a new session.

  • the session will be created by taking the inputted $_REQUEST which was submitted by the user at login.

  • we can add our own value to the session.

We can set the debug parameter to whatever we want including as admin.

After setting the session as admin, we can now visit the website and use the parameter.

5) SQLI BLIND TIME BASED

The login page of the website is vulnerable to blind time based sql injection. Since I failed to get any error regarding mysql using the basic query ', OR 1=1; etc I decided to use Sqlmap and automate the process.

Using sqlmap, we can put the data that is sent from our browser into the --data option. Sqlmap will automate the process to any sqlli vulnerability in the data parameter we specified. Then, we can proceed to get the databases and dump data from the tables. Since we know that the website uses a WAF(Web Application Firewall), we need to set a random-agent to bypass the protection.

6) STORED XSS

All of the input box in the website is vulnerable to stored xss. XSS works by executing javascript payload on user's browser. Since one of the function in the website allows us to send a message to other users, we can use xss to steal other users cookie by sending xss cookie stealer payload. Whenever the other users view their inbox, their cookies will be sent to our cookie grabber.

7) COOKIE BASED AUTHENTICATION

Each user is given their own user_id cookie, however the cookie was not validated by the backend and anyone can change the user_id cookie to whoever they want to view the user's profile.

8) IDOR(Insecure Direct Object Reference) VIA COOKIE AUTHENTICATION

IDOR works when a user is able to modify the website database without being properly validated by the backend.

We can take over and change someone's password by using the update profile function in the website. Simply set the user_id to whoever we want and set the a new password.

9) UNRESTRICTED FILE UPLOAD

The website allows each user to upload their own image as avatar, however it does not filter the input type of the uploaded file. Any uploaded file will be renamed to /avatar/"usercookies".png.

I successfully uploaded a php shell and it was renamed to 34.png.

Although it shows up as errors, we can still download and see the content of the file.

Possible XXE

I found a api.php file that seems to be vulnerable to XXE( XML Enternal Entity) however I failed to trigger the exploit.

Privilege Escalation

A hint was given regarding zip file. We use command find / . -type f -name "*.zip" to find all the accessible file in the server.

Among the files we can see a backup.zip file in s3cretadm1n directory. We can access the browser through our browser and download it. Extracting the backup.zip file will give us a config.php file.

The config.php file contains the config file for the mysql database of the website. I first tried to mysql server of the website but failed. According to the tip from my sv, lots of website uses the same credentials for their mysql and ssh login. So I then tried to log into the ssh server of the website using the same credentials.

By using id command we found out that we have more access compared to www-data as user such as sudo command.

Then, we proceed to search for suid exec using command find / -perm -u=s.

Then we can use gtfobins to find any suid binaries that can be exploited. We found out that we can exploit pkexec binary if we have sudo by using command sudo pkexec /bin/sh.

🐣