Padelify

  • Ran a TCP scan using Nmap on the target and found two open ports, i.e. 22 and 80.

nmap -sC -sV -p 22,80 10.48.132.157
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.14 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Padelify - Tournament Registration
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.33 seconds
  • Next, the webpage on port 80 showed the following

  • Next, I tried to run a directory scan via Gobuster but the WAF was blocking the requests with a 403 Forbidden error.

  • I manually added a fake user-agent in Gobuster and successfully carried out the directory scan.

  • You can use any user-agent to mimic a legitimate source and to bypass the firewall.

  • I found the following directories in the scan.

  • /logs and /config seemed interesting.

  • /config had an app.conf file which the WAF was preventing me from opening.

  • /logs opened the following directory listing, containing a file named error.log.

  • The error.log file had the following contents.

  • The error log shows that an XSS attempt was made previously. This suggests the site may be vulnerable to XSS, and that we can make use of it with the correct payload despite the WAF.

  • I went to the login page and tried using XSS payloads.

  • The page clearly stated that a moderator would approve our registration, so we could attempt to steal the moderator's cookies and gain elevated access.

  • I first started an HTTP server on my attacker machine on port 8000.

  • Next, I used the following payload to check XSS.

  • So basically, I had a burp.json file in my working directory, and the above payload, executing in the moderator's browser due to the XSS, would send a GET request for it to my HTTP server. This was just to verify the XSS vulnerability.

  • After that, I tried several different payloads to steal moderator cookies and realized that

    • <script> tags are blocked

    • the word cookie is specifically blocked

    • <img> tags with an onload or onerror attribute weren't working

  • I even tried HTML entity encoding on the payloads, but the WAF detected them as well.

  • Next, I tried <iframe> tags with an onload attribute.

  • I used document['coo'+'kie'] specifically to evade the WAF's block on the term cookie. The above payload was injected to steal the moderator's cookies and return them to my machine.

  • As you can see, I had successfully stolen the moderator's cookies via the XSS, which I could use to elevate my privileges (the cookie was readable from JavaScript because PHPSESSID lacked the HttpOnly flag, as the Nmap scan showed).

  • You can use several different variations of the XSS payload above. In some write-ups you will see the <body> tag used instead of <iframe>.

  • Now, I went to the Storage tab in the browser's developer tools (Inspect Element) and replaced my normal cookie with the moderator's.

  • Upon doing so, I was redirected to the dashboard and received the first flag.

Admin Flag

  • I clicked on the Live option on the navigation bar from the dashboard.

  • The link had a GET parameter page with the value match.php. This instantly gave me the idea of trying SSRF (Server-Side Request Forgery) on the target.

  • I used a very generic /etc/passwd payload, but the WAF flagged it.

  • Next, I recalled seeing an app.conf file inside the config folder that I couldn't open due to the WAF restrictions.

  • I tried /config/app.conf in the GET parameter and was again blocked by the WAF.

  • But then I used URL encoding in Burp Suite as follows.

  • I converted /config/app.conf to its URL-encoded form and sent the request, which returned the following result.

  • Here you can see we have admin_info = "bL}8,S9W1o44".

  • I went to /login.php and used the credentials admin:bL}8,S9W1o44

  • And as you can see, we successfully elevated to the admin dashboard and got the admin flag.
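Each WAF bypass in this write-up (a URL-encoded page value, the word cookie split into 'coo'+'kie') worked because the filter compared raw input against fixed strings. The following is an added example, not code from the write-up or the target: a small detector that decodes and de-obfuscates request parameters before matching, which is the step the blocklist was missing. The path /live.php, the form field name and all sample requests are constructed assumptions; an allowlist on page and HttpOnly on PHPSESSID remain the real fixes.

```python
"""Normalise request parameters before matching them (added example, not from the write-up)."""
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Two quoted JS string literals joined with '+', e.g. 'coo'+'kie'
_CONCAT = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")


def normalise(value: str) -> str:
    """URL-decode until stable (catches double encoding), then fold 'a'+'b' into 'ab'."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    prev = None
    while prev != value:
        prev, value = value, _CONCAT.sub(lambda m: f"'{m.group(2)}{m.group(4)}'", value)
    return value.lower()


def suspicious(name: str, value: str) -> list[str]:
    """Return the reasons one parameter looks hostile; empty list means clean."""
    v = normalise(value)
    reasons = []
    # The page parameter should name a local script, never an absolute or traversal path
    if name == "page" and (v.startswith("/") or ".." in v or v.endswith(".conf")):
        reasons.append("page parameter escapes the intended file set")
    # Markup with an event handler that touches the (de-obfuscated) cookie
    if "cookie" in v and re.search(r"on\w+\s*=|<\s*(script|iframe|img|body)", v):
        reasons.append("markup with event handler referencing cookie")
    return reasons


def scan(requests: list[dict]) -> list[tuple[str, str, str]]:
    """Yield (path, param, reason) for every query or form parameter that trips a check."""
    findings = []
    for req in requests:
        parts = urlsplit(req["path"])
        params = parse_qsl(parts.query, keep_blank_values=True) + list(req.get("form", {}).items())
        for name, value in params:
            for reason in suspicious(name, value):
                findings.append((parts.path, name, reason))
    return findings


# Constructed sample requests modelled on the write-up (hypothetical paths, not captured traffic)
SAMPLE_REQUESTS = [
    {"path": "/live.php?page=match.php"},
    {"path": "/live.php?page=%2Fconfig%2Fapp.conf"},
    {"path": "/register.php", "form": {"name": "<iframe onload=\"alert(document['coo'+'kie'])\">"}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```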
