The following post by anthonyjsaab is licensed under
0 - Introduction
Use your server exploitation skills to take control of a web app.
1 - Port Scans
1a - Discovery
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -T4 -p- include.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-01 07:10 EEST
Stats: 0:08:25 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 66.93% done; ETC: 07:22 (0:04:09 remaining)
Stats: 0:10:18 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 81.70% done; ETC: 07:22 (0:02:19 remaining)
Nmap scan report for include.thm (10.10.122.153)
Host is up (0.11s latency).
Not shown: 65527 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
110/tcp open pop3
143/tcp open imap
993/tcp open imaps
995/tcp open pop3s
4000/tcp open remoteanything
50000/tcp open ibm-db2
Nmap done: 1 IP address (1 host up) scanned in 764.84 seconds
1b - Versioning and OS fingerprinting
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -O -p22,25,110,143,993,995,4000,50000 include.thm
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-01 07:32 EEST
Nmap scan report for include.thm (10.10.122.153)
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 64:63:1d:47:82:6d:db:ce:89:f6:8c:b6:a8:90:87:1a (RSA)
| 256 80:f6:68:89:c8:fa:8b:0b:96:62:b7:e0:77:6e:88:9b (ECDSA)
|_ 256 4d:25:d1:05:06:83:69:6b:07:00:fc:c6:a0:cc:0c:69 (ED25519)
25/tcp open smtp Postfix smtpd
| ssl-cert: Subject: commonName=ip-10-10-31-82.eu-west-1.compute.internal
| Subject Alternative Name: DNS:ip-10-10-31-82.eu-west-1.compute.internal
| Not valid before: 2021-11-10T16:53:34
|_Not valid after: 2031-11-08T16:53:34
|_smtp-commands: mail.filepath.lab, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
|_ssl-date: TLS randomness does not represent time
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: CAPA SASL AUTH-RESP-CODE PIPELINING RESP-CODES STLS TOP UIDL
| ssl-cert: Subject: commonName=ip-10-10-31-82.eu-west-1.compute.internal
| Subject Alternative Name: DNS:ip-10-10-31-82.eu-west-1.compute.internal
| Not valid before: 2021-11-10T16:53:34
|_Not valid after: 2031-11-08T16:53:34
|_ssl-date: TLS randomness does not represent time
143/tcp open imap Dovecot imapd (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=ip-10-10-31-82.eu-west-1.compute.internal
| Subject Alternative Name: DNS:ip-10-10-31-82.eu-west-1.compute.internal
| Not valid before: 2021-11-10T16:53:34
|_Not valid after: 2031-11-08T16:53:34
|_imap-capabilities: SASL-IR more have post-login listed LOGINDISABLEDA0001 capabilities OK STARTTLS ENABLE LOGIN-REFERRALS ID IDLE Pre-login IMAP4rev1 LITERAL+
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
| ssl-cert: Subject: commonName=ip-10-10-31-82.eu-west-1.compute.internal
| Subject Alternative Name: DNS:ip-10-10-31-82.eu-west-1.compute.internal
| Not valid before: 2021-11-10T16:53:34
|_Not valid after: 2031-11-08T16:53:34
|_imap-capabilities: SASL-IR more AUTH=LOGINA0001 have AUTH=PLAIN post-login capabilities OK IDLE ENABLE listed LOGIN-REFERRALS ID Pre-login IMAP4rev1 LITERAL+
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: CAPA SASL(PLAIN LOGIN) AUTH-RESP-CODE PIPELINING RESP-CODES USER TOP UIDL
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=ip-10-10-31-82.eu-west-1.compute.internal
| Subject Alternative Name: DNS:ip-10-10-31-82.eu-west-1.compute.internal
| Not valid before: 2021-11-10T16:53:34
|_Not valid after: 2031-11-08T16:53:34
4000/tcp open http Node.js (Express middleware)
|_http-title: Sign In
50000/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: System Monitoring Portal
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.2 - 4.9 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: mail.filepath.lab; OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.16 seconds
1z - What we know so far
No easy wins (no critical CVEs or similar low-hanging fruit).
We have 2 HTTP servers (ports 4000 and 50000), SSH, and multiple email ports (SMTP, POP3, IMAP).
We now have credentials to the ReviewApp (port 4000) and the SysMonApp (port 50000); we know that simply by visiting port 50000.
2 - ReviewApp
Landing page. We do as it is written and log in using guest:guest.
Dashboard after login.
View Profile.
Submitting test1 and test2 adds them directly to our profile properties.
Overwrote the isAdmin property with something other than false. By doing so, we exploited a mass assignment vulnerability. We now have access to new admin-only sections of the website.
API documentation shows a server is bound to 127.0.0.1:5000. It means the server is not publicly exposed. We need a way to do an SSRF and get the results.
Settings page. It seems we can let the server make requests on our behalf.
After submitting it as Banner Image URL, we get this output in base64.
3 - SysMonApp
3a - Exploring and first flag
Landing page of port 50000.
Using the credentials retrieved from the private server on port 5000.
First flag!
3b - LFI
It looks like the web app is using the parameter img to access a specified file on the filesystem. Maybe it is vulnerable to a directory traversal.
It seems PHP is including the PNG file (i.e. rendering it). That is why the rendering is terrible.
To test this potential attack vector, we intercept a normal request to the profile picture using Burp:
Make sure you are logged in to port 50000 before intercepting the request. Trying to send requests without proper cookies will always redirect you to the login page.
For the payload, we will use the one built into Burp:
Voila! Sorting by length, we notice that one of the attempts successfully returned the /etc/hosts file. This is amazing!
This is the request that successfully returned the contents of /etc/hosts.
Now that we have uncovered the proper way to exploit the directory traversal vulnerability, we need to find a way to access the mysterious flag file located in /var/www/html (as specified in the room on TryHackMe). If we knew the filename, it would probably be game over. But we don't. We need to find a way to run ls in /var/www/html.
We will send requests to retrieve well-known files on Debian.
Surprisingly, there was no log file for Apache. Luckily, there is one for SSH! (shown above)
Executing ls in /var/www/html. We found the filename!