Headless
!!! note
    The only information we have is that we can submit both a user flag and a root flag. We also know that the IP address of the target machine is 10.10.11.8.
We can ping the machine:

```
ralsei@DESKTOP-6VGJ0G9:~$ sudo ping 10.10.11.8 -c 1
PING 10.10.11.8 (10.10.11.8) 56(84) bytes of data.
64 bytes from 10.10.11.8: icmp_seq=1 ttl=62 time=91.7 ms

--- 10.10.11.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 91.699/91.699/91.699/0.000 ms
```
Running an nmap scan, we find two open ports: 22 and 5000. (The `upnp` label on port 5000 is only nmap's default name for that port number from its service table, not a detected service; the banner grabbed below shows it is actually HTTP.)

```
ralsei@DESKTOP-6VGJ0G9:~$ nmap 10.10.11.8
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-18 19:10 CEST
Nmap scan report for 10.10.11.8
Host is up (0.091s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
5000/tcp open  upnp
```
An sshd server is listening on port 22. Its banner gives the SSH version: SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2, i.e. the OpenSSH package of Debian 12.

```
ralsei@DESKTOP-6VGJ0G9:~$ telnet 10.10.11.8 22
Trying 10.10.11.8...
Connected to 10.10.11.8.
Escape character is '^]'.
SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2
```
We have a web server listening on port 5000 (sending a line that is not valid HTTP makes it answer with an HTML error page):

```
ralsei@DESKTOP-6VGJ0G9:~$ telnet 10.10.11.8 5000
Trying 10.10.11.8...
Connected to 10.10.11.8.
Escape character is '^]'.
<!DOCTYPE HTML>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error response</title>
</head>
<body>
<h1>Error response</h1>
<p>Error code: 400</p>
<p>Message: Bad request syntax ('a').</p>
<p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
</body>
</html>
Connection closed by foreign host.
ralsei@DESKTOP-6VGJ0G9:~$
```
An attempt to find out more about the web server and web app versions:

```
ralsei@DESKTOP-6VGJ0G9:~$ curl -X GET -I 10.10.11.8:5000
HTTP/1.1 200 OK
Server: Werkzeug/2.2.2 Python/3.11.2
Date: Thu, 18 Apr 2024 17:15:11 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 2799
Set-Cookie: is_admin=InVzZXIi.uAlmXlTvm8vyihjNaPDWnvB_Zfs; Path=/
Connection: close
```
Here we understand that:

- Werkzeug 2.2.2 is the web server in use
- Python 3.11.2, a recent version, is used to build the web app
- A `Set-Cookie` header is set, and its value looks very suspicious

The parameter `is_admin`, from its name, seems like a kind of switch: "true" or "false"; 1 or 0; "user" or "admin"; etc.
Also, `InVzZXIi` and `uAlmXlTvm8vyihjNaPDWnvB_Zfs` seem to be two separate pieces of information, split by the dot:

```
Set-Cookie: is_admin=InVzZXIi.uAlmXlTvm8vyihjNaPDWnvB_Zfs; Path=/
```

This format looks like base64; decoding the first part gives us `"user"` (the JSON string, quotes included). The second part does not decode to anything readable, so it is probably not base64...
Some questions I asked myself at this point:

- Is the first part used to grant privileges?
- Is the second part a signature?
- If so, is there any way to sign my own cookie?
- If so, is the signature part actually in use?

I could not find an answer to these questions from here. I'll move on and keep all of these questions in mind for later.
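The questions above are exactly the ones a reviewer of the application would ask from the other side. As an added example that is not part of the original writeup, the code below first decodes the two cookie parts offline, which is all an unauthenticated client can do: it only tells us that the payload is the JSON string "user" and that the second part is 20 raw bytes, the output size of a SHA-1 HMAC. It then shows the property the server must enforce for such a cookie to mean anything: recompute the MAC under a secret only the server knows and reject any mismatch with a constant-time comparison, so that a cookie whose payload was edited is treated as absent. The `sign`/`verify` pair is a simplified stand-in (an assumption on my part), not the exact key derivation of the itsdangerous library that Flask uses for this format; the demo secret is constructed and the real one is unknown to us.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Cookie value exactly as the server sent it in the Set-Cookie header above.
OBSERVED_COOKIE = "InVzZXIi.uAlmXlTvm8vyihjNaPDWnvB_Zfs"


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, the alphabet used by both cookie parts."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def split_cookie(cookie: str) -> Tuple[bytes, bytes]:
    """Split '<payload>.<signature>' and decode both halves to raw bytes."""
    body, sep, sig = cookie.rpartition(".")
    if not sep:
        raise ValueError("no '.' separator: cookie carries no signature part")
    return b64url_decode(body), b64url_decode(sig)


def inspect_cookie(cookie: str) -> dict:
    """Everything that can be learned from the cookie alone, without the server secret."""
    payload, sig = split_cookie(cookie)
    return {
        "payload": json.loads(payload),  # b'"user"' -> 'user'
        "sig_len": len(sig),             # 20 bytes: the size of a SHA-1 HMAC
    }


# --- Server side: how such a cookie must be checked before it is trusted ----
# Hypothetical simplified scheme: MAC = HMAC-SHA1(secret, base64url(payload)).

def sign(payload: str, secret: bytes) -> str:
    body = b64url_encode(payload.encode())
    mac = hmac.new(secret, body.encode(), hashlib.sha1).digest()
    return f"{body}.{b64url_encode(mac)}"


def verify(cookie: str, secret: bytes) -> Optional[str]:
    """Return the payload only if the MAC matches; None for anything else."""
    body, sep, sig = cookie.rpartition(".")
    if not sep:
        return None
    try:
        given = b64url_decode(sig)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha1).digest()
    if not hmac.compare_digest(expected, given):  # constant-time comparison
        return None
    return b64url_decode(body).decode()


def demo() -> dict:
    secret = b"constructed-demo-secret"  # constructed; not the target's key
    good = sign('"user"', secret)
    # Same signature, payload edited to "admin": the server must reject it.
    tampered = b64url_encode(b'"admin"') + "." + good.split(".")[1]
    return {
        "observed": inspect_cookie(OBSERVED_COOKIE),
        "good": verify(good, secret),                           # '"user"'
        "tampered": verify(tampered, secret),                   # None
        "observed_under_demo_key": verify(OBSERVED_COOKIE, secret),  # None
    }


if __name__ == "__main__":
    print(demo())
```

The last entry of `demo()` is the point of the exercise: the observed cookie is rejected under any key other than the one the server used, which is what makes the second part worth having at all. A server that stores the switch in the first part but skips `verify`, or compares the MAC with `==`, is relying on a value the client controls.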
Here I had to spoil myself to make sure I would not lose hours for nothing... I ran ffuf with many SecLists wordlists, but none of them gave me anything interesting. Writeups were referencing a `/dashboard` route, which I never succeeded in finding by myself. So I kept digging and trying many SecLists wordlists.
TODO: let's use FUZZ to better understand the attack surface.

```bash
sudo apt install ffuf -y

# Download the wordlists into one directory (the ffuf command below reads from the same one).
mkdir -p wordlists
curl "https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/common.txt" > wordlists/common.txt
curl "https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/directory-list-2.3-small.txt" > wordlists/small.txt
curl "https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/directory-list-2.3-medium.txt" > wordlists/medium.txt
curl "https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/big.txt" > wordlists/big.txt

# -ic ignores the comment lines at the top of the SecLists files, -v prints full URLs.
ffuf -w wordlists/big.txt:FUZZ -u http://10.10.11.8:5000/FUZZ -o result.txt -ic -v
```
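A wordlist run like the one above is very loud from the server's side: one client, thousands of requests in seconds, almost all of them answered 404. As an added example that is not part of the original writeup, the code below shows what that looks like in the request log of Werkzeug's development server (the `Server` header above identifies it) and flags the client. The log lines are constructed samples in Werkzeug's one-line-per-request format, not the target's real logs; the window, count and ratio thresholds are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Constructed sample of Werkzeug dev-server request lines (not from the target).
SAMPLE_LOG = """\
10.10.14.5 - - [18/Apr/2024 19:20:01] "GET / HTTP/1.1" 200 -
10.10.14.5 - - [18/Apr/2024 19:20:01] "GET /.git HTTP/1.1" 404 -
10.10.14.5 - - [18/Apr/2024 19:20:01] "GET /admin HTTP/1.1" 404 -
10.10.14.5 - - [18/Apr/2024 19:20:02] "GET /backup HTTP/1.1" 404 -
10.10.14.5 - - [18/Apr/2024 19:20:02] "GET /config HTTP/1.1" 404 -
10.10.14.5 - - [18/Apr/2024 19:20:02] "GET /login HTTP/1.1" 404 -
10.10.14.5 - - [18/Apr/2024 19:20:03] "GET /test HTTP/1.1" 404 -
10.10.14.5 - - [18/Apr/2024 19:20:03] "GET /uploads HTTP/1.1" 404 -
10.10.14.5 - - [18/Apr/2024 19:20:03] "GET /old HTTP/1.1" 404 -
10.10.14.5 - - [18/Apr/2024 19:20:04] "GET /index.html HTTP/1.1" 200 -
10.10.14.9 - - [18/Apr/2024 19:21:10] "GET / HTTP/1.1" 200 -
10.10.14.9 - - [18/Apr/2024 19:21:15] "GET /index.html HTTP/1.1" 200 -
10.10.14.9 - - [18/Apr/2024 19:21:40] "GET /favicon.ico HTTP/1.1" 404 -
this line is not a request record
"""

# client - - [dd/Mon/YYYY HH:MM:SS] "METHOD /path HTTP/x.y" STATUS -
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one Werkzeug request line; None for lines that are not requests."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_bruteforce(log_text: str,
                    window: timedelta = timedelta(seconds=60),
                    min_404: int = 5,
                    min_ratio: float = 0.5) -> Dict[str, Tuple[int, int, int]]:
    """Flag clients whose densest `window` holds >= min_404 not-found responses
    that are >= min_ratio of their requests. Returns
    {ip: (requests_in_window, not_found_in_window, distinct_paths_in_window)}."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        start = 0
        for end in range(len(recs)):           # sliding time window over the client's requests
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            chunk = recs[start:end + 1]
            n404 = sum(1 for r in chunk if r["status"] == 404)
            if n404 >= min_404 and n404 / len(chunk) >= min_ratio:
                cand = (len(chunk), n404, len({r["path"] for r in chunk}))
                if best is None or (cand[1], cand[0]) > (best[1], best[0]):
                    best = cand
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, (total, n404, paths) in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n404}/{total} requests were 404 across {paths} distinct paths")
```

The ratio matters as much as the count: a crawler or a broken link farm also produces 404s, but spread over time and mixed with successful requests, whereas a wordlist run fails on nearly every path it tries. On a production deployment the same check runs over the reverse proxy's access log rather than Werkzeug's, since the dev server is not meant to face the network.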