HackTheBox - Using Web Proxies - Skills Assessment Walkthrough

Ido Abramov

Scenario

We are performing internal penetration testing for a local company. As you come across their internal web applications, you are presented with different situations where Burp/ZAP may be helpful. Read each of the scenarios in the questions below, and determine the features that would be the most useful for each case. Then, use it to help you in reaching the specified goal.

Walkthrough

Q1 - The /lucky.php page has a button that appears to be disabled. Try to enable the button, and then click it to get the flag.

Solution:

Navigate to the /lucky.php page and try clicking the button, but it doesn't respond:

Right-click in the browser and select 'Inspect' to view the HTML:

Notice that the button has the disabled attribute. Let’s remove it and refresh the page.

Then, click the button again:

And we got the flag!

Q2 - The /admin.php page uses a cookie that has been encoded multiple times. Try to decode the cookie until you get a value with 31-characters. Submit the value as the answer.

Solution:

Navigate to the /admin.php page, then right-click and select 'Inspect' → go to the 'Storage' tab → Cookies:

Take the cookie and paste it into Burp Decoder. The first layer appears to be ASCII Hex; after decoding it, we get another string that looks like Base64 (the trailing == padding is a clear indicator). Decoding that layer as Base64 reveals a 31-character string:

We’ve found the 31-character value!

Q3 - Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload)

Solution:

Open the /admin.php page and intercept the GET request.

Then, send the request to Burp Intruder:

We will create a list of all alphanumeric characters (lowercase, uppercase and digits - 62 characters total). The payloads will be processed in the following order for each character:

  • Add the string we found in Q2 as a prefix.

  • Encode the resulting string as Base64.

  • Encode it again as ASCII Hex.

  • Place the final payload in the cookie and send it to the server.
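The decoding in Q2 and the payload processing in Q3 are the same two layers applied in opposite directions, so one script can show both. The following is an added example, not code from the original walkthrough or from HackTheBox: it peels recognisable encoding layers off a cookie the way Burp Decoder does, and then rebuilds the 62 candidate cookies (Base64, then ASCII Hex) that Intruder's payload processing rules produce. The cookie it works on is constructed here from the md5 of the string "example", with its last hex digit dropped; it is not the lab's cookie. The lesson for a defender is visible in the code: stacked encodings are fully reversible, and a hash truncated to 31 characters leaves only 62 possibilities for the missing one.

```python
import base64
import binascii
import hashlib
import re
import string

# Constructed sample (not the lab's value): an md5 hash with its last
# hex digit removed, which is the 31-character shape the walkthrough finds.
FULL_MD5 = hashlib.md5(b"example").hexdigest()  # 32 hex characters
TRUNCATED = FULL_MD5[:-1]                        # 31 characters


def encode_cookie(value: str) -> str:
    """Apply the two layers in the order the walkthrough describes: Base64, then ASCII Hex."""
    b64 = base64.b64encode(value.encode("ascii")).decode("ascii")
    return binascii.hexlify(b64.encode("ascii")).decode("ascii")


def decode_cookie(cookie: str) -> str:
    """Peel the two layers in reverse: ASCII Hex, then Base64."""
    b64 = binascii.unhexlify(cookie).decode("ascii")
    return base64.b64decode(b64, validate=True).decode("ascii")


def looks_like_hex(s: str) -> bool:
    return len(s) % 2 == 0 and len(s) > 0 and all(c in string.hexdigits for c in s)


def looks_like_base64(s: str) -> bool:
    # Standard alphabet, optional padding, length a multiple of four.
    return len(s) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s) is not None


def peel_layers(value: str) -> list[str]:
    """Strip encoding layers one at a time (what Burp Decoder's "smart decode" automates).

    Returns every intermediate value, starting with the input, and stops when
    the current value no longer looks encoded or no longer decodes to text.
    """
    layers = [value]
    while True:
        cur = layers[-1]
        try:
            if looks_like_hex(cur):
                nxt = binascii.unhexlify(cur).decode("ascii")
            elif looks_like_base64(cur):
                nxt = base64.b64decode(cur, validate=True).decode("ascii")
            else:
                break
        except (binascii.Error, UnicodeDecodeError, ValueError):
            break
        layers.append(nxt)
    return layers


def candidate_cookies(prefix: str) -> dict[str, str]:
    """Map each alphanumeric last character (62 total) to the cookie it encodes to.

    This mirrors the Intruder payload processing chain: prefix, Base64, ASCII Hex.
    """
    alphabet = string.ascii_lowercase + string.ascii_uppercase + string.digits
    return {c: encode_cookie(prefix + c) for c in alphabet}


if __name__ == "__main__":
    cookie = encode_cookie(TRUNCATED)
    for depth, layer in enumerate(peel_layers(cookie)):
        print(f"layer {depth}: {layer}")
    print(f"{len(candidate_cookies(TRUNCATED))} candidate cookies generated")
```

Run it with no arguments to see the three layers (hex, Base64, the 31-character value) printed in the order Decoder would reveal them. Swapping `TRUNCATED` for a real captured cookie value is the only change needed to reuse the peeling logic.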

Start the attack!

We observe several requests with the same length, but starting from request #13, the length changes. Let’s examine its content to see what changed:

After reviewing the response, we confirm the flag has been obtained!

Q4 - You are using the 'auxiliary/scanner/http/coldfusion_locale_traversal' tool within Metasploit, but it is not working properly for you. You decide to capture the request sent by Metasploit so you can manually verify it and repeat it. Once you capture the request, what is the 'XXXXX' directory being called in '/XXXXX/administrator/..'?

Solution:

Launch Metasploit by running msfconsole:

Then load the module:

use auxiliary/scanner/http/coldfusion_locale_traversal

Then run options to list the module's settings:

Next, specify the target details:

Enable Burp intercept, then type run to capture the request:

And we can see the desired directory!
