xml, and feroxbuster -u -x java,jsp,xml,class I’ll run feroxbuster again on this path, and because it’s a backup directory, I’ll look for source and other files like. Interestingly, visiting the url returns 404: backups returns a 301, which curl shows is just a redirect to add the trailing /. Directory Brute Forceįeroxbuster returns a good number of paths, but the most interesting is feroxbuster -u This must be the special auth the page was talking about. This is an attempt to fingerprint my browser. ![]() If I set a break point at the return MD5(fingerprint) line, I can see that the navigator object is a bunch of information about my browser: This function takes a ton of properties from the navigator object and combines them into a string and hashes them using that MD5 function. Login.js up to this point is just defining an MD5 function. The function is defined in resources/js/login.js: The second is some JavaScript that’s setting that value to the output of getFingerPrintID(). Going into the dev tools and searching for it, there are two matches: Uid and auth_primary are the entered username and passwords. POST /login HTTP / 1.1 Host : 10.10.11.127:8080 User-Agent : Mozilla/5.0 (X11 Ubuntu Linux x86_64 rv:93.0) Gecko/20100101 Firefox/93.0 Accept : text/html,application/xhtml+xml,application/xml q=0.9,image/avif,image/webp,*/* q=0.8 Accept-Language : en-US,en q=0.5 Accept-Encoding : gzip, deflate Content-Type : application/x-www-form-urlencoded Content-Length : 78 Origin : Connection : close Referer : Cookie : JSESSIONID=240bc5f774b68ff4a93d870007e6 Upgrade-Insecure-Requests : 1 The site is for a authentication provider: If I play around with the login form on 8080, there are logs generated here: HTTP - TCP 8080 Site The blue eye button leads to /admin/view/auth.log. I’ll add a “match/replace” rule in Burp under Proxy -> Options -> Match and Replace to set the response to 200 so I can view the site: This is an execute after redirect (EAR) vulnerability. However, looking at the request in Burp, it is returning a 302, but it’s also returning the page: Visiting /admin in Firefox ends up at /login. feroxbuster shows it returns a 302, which makes sense as I’m not logged in. □ Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt ![]() The site is for a log management feroxbuster -u The webservers are Werkzeug and GlassFish, both of which I’ll look at in more depth. Nmap done: 1 IP address (1 host up) scanned in 56.46 secondsīased on the OpenSSH version, the host is likely running Ubuntu 18.04 Bionic, which is old, but still supported. Service Info: OS: Linux CPE: cpe:/o:linux:linux_kernel |_http-open-proxy: Proxy might be redirecting requests |_ Potentially risky methods: PUT DELETE TRACE Nmap done: 1 IP address (1 host up) scanned in 15.09 nmap -p 22,80,8080 -sCV -oA scans/nmap-tcpscripts 10.10.11.127Ģ2/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux protocol 2.0) Nmap found two open TCP ports, SSH (22) and two HTTP (80, nmap -p-min-rate 10000 -oA scans/nmap-alltcp 10.10.11.127 ![]() To get root, I’ll need to abuse a new version of one of the initial webservers, conducting a padding attack on the AES cookie to force a malicious admin cookie, and then use the directory traversal to read the root SSH key. To get to the next user I’ll need to brute force an SSH key character by character using a SUID program, and find the decryption password in a Java Jar. ![]() I’ll generate a custom Java serialized payload and abuse a shared JWT signing secret to get execution and a shell. To get a shell, I’ll abuse a execute after return (EAR) vulnerability, a directory traversal, HQL injection, cross site scripting, to collect the pieces necessary for the remote exploit. For each step in Fingerprint, I’ll have to find multiple vulnerabilities and make them work together to accomplish some goal.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |