HackmyVM QUICK3

Vishal
4 min read, May 3, 2024

Let’s solve the third machine in QUICK series.

The IP of the target machine (Quick-3) is 192.168.0.209.

Let’s start enumerating the open ports with an nmap scan. It has a couple of ports open: 22 (SSH) and 80 (HTTP).

nmap showing ports 22 and 80 open

Let’s open the website in the browser. I used Burp’s integrated browser for this. After visiting the contact section, I added the host ‘quick.hvm’ entry to my hosts file. Let’s visit the website again with the hostname.

When you click on Schedule an appointment, a user registration form opens.

User registration form

I registered a user called ‘quickuser’. In the background I also performed directory brute-forcing using wfuzz, but was unable to find anything.

After login, I can see the screen below.

Screen after login

I visited different tabs and tried injection attacks like XSS, command injection, SQL injection, etc., but failed. Then I saw the “My Profile” tab, visited it and was able to access the page below.

My Profile page

I noticed the parameter id in the browser’s address bar, which is really interesting. I sent the request to Burp’s Repeater tab and started to check for an IDOR (Insecure Direct Object Reference) issue.

Normal request
Tampered request with changed value of id

When I changed the value of the id parameter from 29 to 9, I received the information for another user. This confirms it is vulnerable to IDOR.

The interesting part is that the response has the old as well as the new passwords and the username too, which are not encrypted. I tried to use Burp’s Intruder, which gave me the required information, but it became difficult to export it from there. So I wrote a couple of Python scripts which helped me to extract usernames and passwords.
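On the defending side, the id-walking described above leaves a clear trace in the web server’s access log. The following is an added example, not one of the scripts from this write-up: it parses combined-format access log lines and flags any client that retrieves more than a handful of distinct id values on the profile page inside a short window. The /profile.php path, the log format and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse, parse_qs
# Apache/nginx "combined" access-log format and the profile path are assumptions.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
PROFILE_PATH = "/profile.php"

def parse_profile_hit(line):
    """Return (ip, timestamp, id) for a successful profile request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("url"))
    ids = parse_qs(url.query).get("id")
    if url.path != PROFILE_PATH or not ids or m.group("status") != "200":
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), ids[0]

def find_enumerators(lines, max_ids=5, window_seconds=60):
    """Map each client viewing > max_ids distinct ids within window_seconds to all ids it hit."""
    events = defaultdict(list)
    for line in lines:
        hit = parse_profile_hit(line)
        if hit:
            ip, ts, pid = hit
            events[ip].append((ts, pid))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span is at most window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({pid for _, pid in evs[start:end + 1]}) > max_ids:
                flagged[ip] = sorted({pid for _, pid in evs})
                break
    return flagged

# Constructed sample log: 10.0.0.5 views its own profile (id=29) twice, while
# 10.0.0.9 walks ids 1..7 one second apart, the id-tampering pattern described above.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/May/2024:10:00:00 +0000] "GET /profile.php?id=29 HTTP/1.1" 200 512',
    '10.0.0.5 - - [03/May/2024:10:05:00 +0000] "GET /profile.php?id=29 HTTP/1.1" 200 512',
] + [
    f'10.0.0.9 - - [03/May/2024:10:02:{s:02d} +0000] "GET /profile.php?id={i} HTTP/1.1" 200 512'
    for s, i in enumerate(range(1, 8))
]
```

The same threshold logic can be fed from a SIEM query instead of a raw file; the real fix on the server is to tie the profile lookup to the session’s own user rather than trusting the id parameter.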

Below are the scripts that I used to extract the information.

Python script to extract usernames
extracted usernames

Similarly, I used another Python script to extract passwords.

Python script to extract passwords
extracted passwords

The usernames we extracted are email IDs, so we need to remove the quick.hmv and email.hmv parts and make the username list. We also need to create a couple of lists: one with only the first name and another with the combined username.

I extracted some meaningful names from the list and created a username list.

Let’s use hydra to brute-force the SSH service. Hydra found the password for one of the users.

successful username and password

Let’s try to SSH in with the user and password.

successful ssh

When I tried to change the directory, I got the error rbash: cd: restricted. Then I used Python to escape from the rbash shell and was able to change the directory.

I used linpeas to find a vector to escalate my privileges, but was unable to find anything. Then I started checking directories manually to find interesting files. The /var/www/html/customer directory contains a config.php file.

contents of customer directory

config.php has creds for root.

contents of config.php

Let’s use them to log in as root. Success!

That’s how the box went. It teaches us about IDOR, brute force, etc.

Bye! See you next time with new box.
