HackTheBox - Web Attacks - Skills Assessment Walkthrough

Ido Abramov

Scenario

You are performing a web application penetration test for a software development company, and they task you with testing the latest build of their social networking web application. Try to utilize the various techniques you learned in this module to identify and exploit multiple vulnerabilities found in the web application.

Try to escalate your privileges and exploit different vulnerabilities to read the flag at '/flag.php'.

Walkthrough

Navigating to the target URL displays a login screen:

With the provided credentials, we can proceed to log in:

Navigating to Settings takes us to a screen with a password change feature:

Let’s test this functionality and inspect the requests using Burp:

It appears the token returned is directly associated with the ID specified in the request.

There are two key requests: a GET request that fetches a token using a user ID, followed by a POST request that uses both the uid and the retrieved token to change the user's password. The uid value matches the ID from the GET request, indicating it is the current user's identifier.

With Burp intercept active, navigating to the Profile page reveals this request:

The response received is:

Our assumption that the value 74 represents the user ID is confirmed, as it is used in the endpoint /api.php/user/{ID} to retrieve user data. Furthermore, testing different ID values returns data corresponding to those IDs, indicating an IDOR vulnerability in both the GET /api.php/user/{ID} and GET /api.php/token/{ID} endpoints.

This allows us to enumerate user IDs and retrieve information for each user based on their ID.

Using Burp Intruder, we perform GET requests for user IDs ranging from 1 to 100 to identify any interesting findings.

Once the scan completes, we can search the responses for relevant keywords. Since our user lacks additional privileges in the application, the next step is to test functionalities available to higher-privileged users, such as admins.

After searching, we found that user ID 52 is an administrator:

With the uid and username obtained, we can exploit the previously identified vulnerable endpoints to take over the account.

First, retrieve the token for the user with ID 52:

Next, use the token to reset the password. Update the uid value in both the cookie and the body parameter, and include the token obtained from the previous request:

When attempting to change the password, we receive an 'Access Denied' message, likely due to a mismatch between the PHPSESSID and our user ID. To bypass this, let's try changing the POST request to a GET request (HTTP Verb tampering):

The change was successful! The password was updated without restrictions!
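As an added defender-side example (not part of the original write-up or the lab), the following Python script runs two detection checks over constructed access-log lines: one session requesting many distinct IDs on the /api.php/user/{ID} and /api.php/token/{ID} endpoints (the IDOR enumeration above), and a non-POST request to the password-change endpoint (the verb tampering above). The password-change path /reset.php, the simplified log format and the enumeration threshold are assumptions.

```python
import re
from collections import defaultdict

# Assumption: the write-up does not name the password-change endpoint, so /reset.php is a placeholder.
PASSWORD_CHANGE_PATH = "/reset.php"
# Assumption: this many distinct object IDs from one session is treated as enumeration.
ENUM_THRESHOLD = 5

# Constructed sample log (not real lab traffic). Fields: client, method, path, status, session id.
SAMPLE_LOG = """\
10.0.0.5 GET /api.php/user/74 200 sess=a1
10.0.0.5 GET /api.php/token/74 200 sess=a1
10.0.0.5 POST /reset.php 200 sess=a1
10.0.0.9 GET /api.php/user/1 200 sess=b2
10.0.0.9 GET /api.php/user/2 200 sess=b2
10.0.0.9 GET /api.php/user/3 200 sess=b2
10.0.0.9 GET /api.php/user/4 200 sess=b2
10.0.0.9 GET /api.php/user/5 200 sess=b2
10.0.0.9 GET /api.php/user/52 200 sess=b2
10.0.0.9 GET /api.php/token/52 200 sess=b2
10.0.0.9 POST /reset.php 403 sess=b2
10.0.0.9 GET /reset.php?uid=52&token=x 200 sess=b2
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) sess=(\S+)$")
OBJECT_RE = re.compile(r"^/api\.php/(user|token)/(\d+)$")


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, path, status, sess = m.groups()
    return {"client": client, "method": method, "path": path, "status": int(status), "session": sess}


def detect(log_text):
    """Return findings: ('verb_tampering', session, method, path) and ('idor_enumeration', session, n_ids)."""
    ids_per_session = defaultdict(set)
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        m = OBJECT_RE.match(ev["path"])
        if m:  # the object-ID endpoints: count distinct IDs touched per session
            ids_per_session[ev["session"]].add(m.group(2))
        # a password change that is not a POST is the verb-tampering pattern
        if ev["path"].split("?", 1)[0] == PASSWORD_CHANGE_PATH and ev["method"] != "POST":
            findings.append(("verb_tampering", ev["session"], ev["method"], ev["path"]))
    for sess, ids in ids_per_session.items():
        if len(ids) >= ENUM_THRESHOLD:
            findings.append(("idor_enumeration", sess, len(ids)))
    return findings
```

The real fix is server-side: bind the uid to the session rather than trusting a client-supplied value, and reject any method other than POST on the password-change handler; the log check only catches what the fix should prevent.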

We can now log in as the admin:

While exploring, we discovered a functionality that was previously unavailable: Add Event.

Clicking it navigates us to a screen where we can create a new event:

Fill in the fields, enable Burp intercept, and submit the form:

A POST request with an XML payload is sent, which opens the possibility for XXE injection.

Send the request to Repeater and insert a basic XXE payload to extract the contents of /etc/passwd:

The XXE injection was successful, allowing us to retrieve data from the server. Next, we will attempt to extract the /flag.php file to obtain the flag:

Our attempt to retrieve flag.php failed, likely due to content that breaks the output. To safely transmit the data, we will apply Base64 encoding to the file contents:

Having retrieved the content, we’ll now highlight it and decode it using Burp Decoder:

The flag has been obtained 🙌
