The BodgeIT Store Series #2, Find Hidden Content as a Non-Admin User – #bodgeit #infosec #pentest #appsec #webapp

Happy Hacking!

Today’s post is #2 in a series of solving the BodgeIt Store vulnerability.

If you want to read the initial post, click HERE.

As the title says, we’re going to solve the vulnerability of finding hidden content as a non-admin user.

Let’s begin.

Going back to the Scoring Page (About Us –> Scoring Page Link) we see the following. Pay attention to our username, right now we’re logged in as a guest user.

bodgeit_scoring_2

Going to the home page we see the following:

bodgeit_home_1

What would happen if we view the HTML source of the page? Let’s try it.

Right clicking the page, and select View Page Source we see:

bodgeit_home_page_source_1

Hmm… we see a commented code on line 41 (green line) that shows a link to an admin page. What will happen if we navigated to this page?

Navigating to this page we see the following:
bodgeit_admin_1

We found a hidden page! This page lists the different user, and their role. Along with their BasketId, ProductId, and Quantity.

Let’s bookmark this page because I am sure we will need this page later for the other vulnerabilities.

Going back to the scoring page we see:
bodgeit_scoring_3

The hidden content as a non admin user is now complete (green)!

 

Advertisements

The BodgeIT Store Series #1, Level 1 XSS – #bodgeit #infosec #pentest #appsec #webapp #XSS

First post of 2018!

This post will be a first in a series to solve the BodgeIt Store.

I am running the BodgeIt store from an ISO (disk image) on a virtual machine (I am using VM Workstation Player 12 which is free). I have a previous post that describes how to install ISO’s in virtual machines (VMs). Link here.

Now on to the hacking!

After installing the ISO, and powering on the VM, you will be presented with the login page:

owaspbwa_login

Navigating to the IP you will see OWASP BWA (Broken Web Application) homepage:

owaspbwa_homepage

Clicking on the BodgeIt link we’re presented with this homepage:

owaspbwa_bodgeit_homepage

Going to the “About Us” we see there’s a scoring page.

Clicking on the scoring page, we see:

bodgeit_scoring_1

By the end of the series, these challenges will be green (completed).

Let’s get started!

I’m going to start with “Level 1: Display a popup using: alert(“XSS”)”

Note: I am using Google Chrome which has XSS auditor pre-installed in the application.

If you’re using Chrome you will need to temporarily disable this for the XSS vulnerability.  Make sure to close ALL instances of Chrome before entering the below command.

To disable xss auditor, open a command prompt (run –> cmd.exe), and enter (or copy) the following: “C:\Program Files (x86)\Google\Chrome\Application\chrome.exe” –disable-xss-auditor

Once you press Enter, a new instance of Chrome will open.

OK, now a new instance of Chrome has opened, and we’ve navigated to the BodgeIt store.

Going to the Search link we see the following:

owaspbwa_bodgeit_level1_XSS

Entering the following line in the search input: alert(“XSS”)

owaspbwa_bodgeit_level1_XSS_search_1

And pressing the “Search” button we see:

owaspbwa_bodgeit_level1_XSS_search_2

We have successfully simulated a XSS attack!

Navigating back to the scoring page (About Us –> Scoring Page) we see:

bodgeit_scoring_2

Level 1 is complete (green)!!!

 

New Info Sec Website Alert! – White Hat Academy

Hello All,

It’s been a LONG time since I have blogged. What can I say? Life happens.

Anyway, I have enrolled into a program called White Hat Academy.

This website is great for n00bs as there are lessons to learn about different topics such as bash scripting, stenography, forensics, and mobile.

After completing the lessons there is a Capture the Flag (CTF) challenge that will incorporate what you have learned.

Check it out (https://whitehat.academy/) and enroll today!

OverTheWire: Natas Level 8 – #appsec #webapp #websecurity #wargames

Another day, another challenge…

In today’s challenge we’re going to solve level 8 from the Natas wargame.

Let’s begin.

Going to the following link, and entering the username “natas8” and password “DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe” we get the following:

Natas8_WarGame_1

Natas8_WarGame_2

OK, we see a page that is asking for an input secret. Clicking the view sourcecode link we see:

Natas8_WarGame_4

Looking at the screen, there’s PHP code with an encoded secret variable that seems to be in hexadecimal. There’s also a function titled “encodeSecret” that does the following steps:

  1. Change the binary to hex (bin2hex)
  2. Reversing the string (strrev)
  3. Base64 encoding (base64_encode)

From there the code is checking to see if our input secret equals the encoded secret. If it does then we get the code for level 9, otherwise we need to try again.

So, how are we going to solve this?

Going to Google and looking for a PHP interpreter, we’re presented with the following link.

From there, We’re going to do the reverse the steps of above. Our new steps are:

  1. Convert the hex to binary (hex2bin)
  2. Reverse the string (strrev)
  3. Base64 decode (imap_base64)

Below is the screenshot that depicts the above steps.

Natas8_WarGame_5

Doing the steps, we are presented with the decoded secret which is “oubWYf2kBq”

Going back to the level 8 page, and entering our decoded secret we get the following:

Natas8_WarGame_6

We found the flag!

OverTheWire: Natas Level 7 – #appsec #webapp #websecurity #wargames

Another day, another challenge…

In today’s blog post we will solve level 7 from the Natas wargame challenge.

Let’s begin.

Going to the following link, and entering username “natas7” and password “7z3hEENjQtflzgnT29q7wAvMNfZdh0i9” we see the following:

Natas7_WarGame_1

Natas7_WarGame_2

Hmm… we see a Home and About links. Let’s click the links and see what happens.

Natas7_WarGame_3

Natas7_WarGame_4

After clicking the links we see there’s not much that’s showing on the screen.

Let’s view the source and see if there are any hints there.

Doing a right click, view page source we see:

Natas7_WarGame_5

Hmm… we see a comment that says, “password for webuser natas8 is in /etc/natas_webpass/natas8”

How can we use this information?

Looking at the above screenshots of Home and About – we notice that at the end of the URL it’s referencing a page. For instance for the home page it’s “page=Home” and for About it’s “page=About”. Let’s try to change the page name to the hint that was provided to us.

Changing the URL to: http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8, we see…

Natas7_WarGame_6

the flag!

OverTheWire: Natas Level 6 – #appsec #webapp #websecurity #wargames

Another day, another challenge…

In today’s blog post we’re going t solve level 6 in the Natas wargame.

Let’s begin.

Going to the following link and entering the username of “natas6” and password of “iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq” we see the following:

Natas6_WarGame_2

Natas6_WarGame_3

Doing a right click, view source we see:

Natas6_WarGame_4

Hmm… there’s not much in here, except there’s a view sourcecode. Let’s see what this source code will yield us…

Natas6_WarGame_5

Looking at the middle of the page, we see that there’s php code (code between <?…?>), we notice that there’s an include/secret.inc. Let’s see if we can access this file and see what’s inside the file.

Changing the URL to “natas6.natas.labs.overthewire.org/includes/secret.inc” we see:

Natas6_WarGame_6

… a blank page. Let’s do a right click, view page source to see if there are nuggets hidden beneath the surface.

Doing a right click, view page source we see the following:

Natas6_WarGame_7

Hmm… looks like we find the secret.

Let’s enter this into the input box and see if this unlocks the level.

Entering the secret above into the input box we get:

Natas6_WarGame_8

Natas6_WarGame_9

We found the flag!

OverTheWire: Natas Level 5 – #appsec #webapp #websecurity #wargames

Another day, another challenge…

In today’s blog post, we’re going to solve level 5 from the Natas wargame challenge.

Let’s begin.

Going to the following link and entering username of “natas5” and password of “iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq” we see the following:

Natas5_WarGame_1

After pressing “OK” we see:

Natas5_WarGame_5

Hmm… we see that we’re not logged in and access is disallowed.

Using Tamper Data, let’s see if the request headers show us a way to bypass the login feature.

Opening the Tamper Data application and refreshing the website we see:

Natas5_WarGame_2

Hmm… we see inside the Cookie that there is a loggedin that is currently set to zero. What if we change it to 1?

Changing the loggedin feature to 1 and pressing Enter we see:

Natas5_WarGame_4

Natas5_WarGame_3

We received the flag!

OverTheWire: Natas Level 4 – #appsec #webapp #websecurity #wargames

Another day, another challenge…

Today’s blog post we’re going to solve level 4 from the Natas wargame.

Let’s begin.

Going to the following link we see:

Natas4_WarGame_1

After entering the username of “natas4” and password of “Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ” we get the following:

Natas4_WarGame_2

Hmm… we’re not allowed access because we’re coming from an invalid URL. Let’s see if we can change that.

In a previous blog, I explained how to user Tamper Data. Tamper Data allows you to modify HTTP requests and responses to see if the web page will behave differently.

We’re going to use Tamper Data for this challenge.

 

Starting Tamper Data, and going to the level 4 we see:

Natas4_WarGame_4

We see that the referrer shows natas4, what happens when we change it to natas5?

 

Changing the referrer to natas5, and clicking OK we see:

Natas4_WarGame_5

Natas4_WarGame_6

We found the flag!

OverTheWire: Natas Level 3 – #appsec #webapp #websecurity #wargames

Another day, anther challenge…

In today’s challenge we will solve level 3 from the Natas wargame. Let’s begin.

Going to the following link, and entering the username of “natas3” and password we retrieved from the second challenge we see:

Natas3_WarGame_1

Password from level 2:

Natas2_WarGame_6

Pressing Enter we see:

Natas3_WarGame_2

Doing a right click, view source we see:

Natas3_WarGame_3

Hmm… we have a hint. “No more information leaks!! Not even Google will find it this time…”

Knowing a thing or two about how Google indexes websites, I know that some websites use a robots.txt file. Let’s see if this website is using that.

Entering “robots.txt” at the end of the URL we see:

Natas3_WarGame_4

OK – the first parameter user-agent specifies that any agent is allowed. We’re disallowing the /s3cr3t/ folder. Let’s go to this folder and see what’s there…

Entering the /s3cret/ folder we see:

Natas3_WarGame_5

Hmm… there’s a users.txt file. Let’s see what’s there.

Natas3_WarGame_6

We found the password for level 4!

OverTheWire: Natas Level 2 – #appsec #webapp #websecurity #wargames

Another day, another challenge…

In today’s blog post we’re going to solve level 2 from the Natas wargame.

Let’s begin.

Going to the following link we see:

Natas2_WarGame_1

We’ve acquired the password for level 2 from the level 1 challenge (screenshot below):

Natas1_WarGame_3

Entering the username of “natas2” and password from the above screenshot we see the following:

Natas2_WarGame_2

Nothing on the page, eh… I don’t believe that.

Let’s try, right click view source and see what we get.

Natas2_WarGame_3

We notice there’s an image source of a pixel.

Clicking this link we see:

Natas2_WarGame_4

It truly is just a pixel. What if we remove the “pixel.png”? Maybe there are other files on the system. Let’s try it.

Removing the “pixel.png” and pressing Enter we see:

Natas2_WarGame_5

We see an extra file – users.txt. I wonder what’s in it.

Clicking users.txt, we noticed that it lists the different username and passwords. The one we want is the fourth row – natas3. We’ve found natas3 password!