Admin email - [email protected]
Review over
We are reviewing weak passwords on high-privilege accounts
Forgotten password pages
For this section we are using the best1050 list of commonly used passwords, which ships with SecLists and can be obtained by running:
apt-get install seclists
You can load the list from:
Here we are essentially going to do some good ol' OSINT on our friend Jim
When we go to our forgot password page, we notice that it provides the information on the user's security questions. For Jim, the security question is "what is the middle name of your eldest sibling".
From one of our previous tasks we find out that Jim enjoys the show Star Trek. So now time for some Googling, Binging, Duck Hunting, whatever suits your fancy.
For this one, the direct link associated with the file is of some interest
We view the About Us page, hover over the "terms of use" link, and see the URL goes to an openly available FTP (File Transfer Protocol) server
Here we see a few folders / directories which are now ours for the taking
Now we are going to do some recon on MC SafeSearch, and it seems that we are provided information by the peeps over at TryHackMe who have kindly linked us the CollegeHumor video associated with this account:
In the video MC Safe Search mentions the format of his password, so now we log ourselves right on in!
So our goal is to download the .bak file from the FTP directory. However, we get a 403 because the server refuses to serve this file type / extension.
We will use what's called a Poison Null Byte
A poison null byte looks like this: %00. Since we are requesting the file through the URL, the null byte itself has to be URL-encoded: the % becomes %25, which gives us %2500
We then append the URL encoded poisoned null byte to the end of our URL to gain access to the .bak file
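To make the bypass and its fix concrete, here is an added example (written for this writeup, not code from TryHackMe or the target application) that models the class of bug: the framework URL-decodes the path once, the extension allowlist is checked on the tail of that string, and only afterwards does a lower layer cut the name at the null byte. The allowed extensions and the file names are assumptions for the demo.

```python
import os
import re
from urllib.parse import unquote

# Extensions the download handler is meant to serve (assumption for this example).
ALLOWED_EXTENSIONS = {".md", ".pdf"}


def _truncate_at_null(name: str) -> str:
    """Model of a downstream layer that stops reading at a null byte, whether it
    arrives as a real NUL character or as the still-encoded marker %00."""
    return re.split(r"%00|\x00", name, maxsplit=1)[0]


def vulnerable_resolve(raw_path: str):
    """Buggy flow: decode once (%2500 -> %00), check that the *end* of the string
    has an allowed extension, and only then truncate at the null byte. The file
    that is actually opened is therefore the one in front of the null byte."""
    name = unquote(raw_path)
    if not name.lower().endswith(tuple(ALLOWED_EXTENSIONS)):
        return None  # 403: extension not allowed
    return _truncate_at_null(name)


def hardened_resolve(raw_path: str):
    """Fixed flow: decode, reject anything that is still encoded, carries control
    characters (including NUL) or tries to leave the directory, and only then
    check the extension of the exact name that will be opened."""
    name = unquote(raw_path)
    if "%" in name or any(ord(c) < 0x20 for c in name):
        return None  # leftover encoding or control bytes
    if "/" in name or "\\" in name or ".." in name or os.path.basename(name) != name:
        return None  # path traversal attempts
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    return name


if __name__ == "__main__":
    # Constructed request paths: a legitimate document and the double-encoded trick.
    for path in ("legal.md", "backup.bak", "backup.bak%2500.md"):
        print(f"{path:22} vulnerable -> {vulnerable_resolve(path)!r:16} hardened -> {hardened_resolve(path)!r}")
```

The important design point is the order of operations: validate the final, fully decoded name that the file API will receive, rather than an intermediate representation that a later layer reinterprets.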
In this section we are reviewing broken access control. Essentially we are going to try and pivot from a normal user into someone who has privileged permissions. There are two known types of access control, vertical and horizontal.
Vertical Privilege Escalation
Occurs when a user can perform an action or access data of another user with a higher level of permissions.
The TryHackMe site tells us to go through a specific JavaScript file and look for "admin".
They look for "app-administration"; however, this is not the actual value / URL we want to go to.
I ended up searching a little while longer and found the following information:
This is the actual site we will be looking to get access to. So we do the following:
Login to the admin user [email protected]
Go to [box IP]/#/administration
Boomski's, you should now have your flag
Check this out now Super Shopper's we are swapping our carts out for someone else's sweet basket of Raspberry Juice!
Essentially we go through and do the following:
Make sure that you are currently intercepting traffic with either Burp or Zap
Top right, click on Basket
Go through and forward your intercepts until you get the following URL
Go back to the [box ip]/#/administration/ page, and remove the only 5-star review
There are three major types of XSS attacks:
DOM XSS (Document Object Model-based Cross-site Scripting) uses the HTML environment to execute malicious JavaScript. This type of attack commonly uses the <script> HTML tag.
Persistent XSS is JavaScript that is run when the server loads the page containing it. It occurs when the server does not sanitise user data when it is uploaded to a page, and is commonly found on blog posts.
Reflected XSS is JavaScript that is run on the client side of the web application. It is most commonly found when the server doesn't sanitise search data.
We are going to perform DOM level XSS.
Top right click the search glass
type in:
Press enter, this will give you the answer
There are several other "methods" for DOM XSS as well, however this specific one did not work for this flag:
You can also attempt to run the JavaScript as URL-encoded XSS
From here we are going to store XSS in the Last Login IP section of the admin user's profile
Top right, go to Account > Privacy and Security > Last Login IP
We see 0.0.0.0 as the "last login" IP
Turn your intercept on in Burp / Zap
Top right, go to Account > logout
Go to your intercept > headers
Add the new header for:
Forward the request
Sign back into admin
Go to the last IP login
See the XSS alert occur
Login into the admin account and navigate to the 'Order History' page.
We will use the iframe XSS,
in place of the order id, for example 5267-f73dcd000abcc353
Start by:
Clicking the truck
Clicking "track the order"
Where you see an image tracking your order, we are going to manipulate the URL as the following: 10.10.55.113/#/track-result?id=5267-0252e4000e720f70
I ended up just doing a URL-encoded format for the XSS:
Paste this URL into the bar, and refresh the page and your XSS will appear
I used to get the URL-Encoded value
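All three XSS findings above (the search box, the Last Login IP field and the URL-encoded track-result id) share one root cause: user-controlled text reaches an HTML sink without contextual output encoding or input validation. The following is an added example, not code from TryHackMe or the target application, showing the vulnerable sinks beside their fixed versions. The payload is constructed in the style the page uses, the page templates are invented, and the header carrying the login IP is assumed to be a forwarded-client-IP header since the page omits its name.

```python
import html
import ipaddress
import re
from urllib.parse import quote, unquote

# Constructed payload in the style the page uses (an iframe that runs script).
PAYLOAD = '<iframe src="javascript:alert(1)">'
# The track-result page receives its id URL-encoded, as the page describes.
ENCODED_PAYLOAD = quote(PAYLOAD)

_TAG = re.compile(r"<\s*/?\s*([a-zA-Z][\w-]*)")


def unexpected_tags(rendered: str, expected=("h1", "p")) -> list:
    """Detection helper: tag names in the rendered HTML that the template did
    not put there. An empty list means no markup was injected."""
    return [t for t in _TAG.findall(rendered) if t.lower() not in expected]


def render_search_vulnerable(query: str) -> str:
    """Reflected/DOM-style sink: the search term is written straight into the page."""
    return f"<h1>Search results for: {query}</h1>"


def render_search_safe(query: str) -> str:
    """Same sink with contextual output encoding for an HTML text node."""
    return f"<h1>Search results for: {html.escape(query, quote=True)}</h1>"


def render_track_result_vulnerable(id_param: str) -> str:
    """Decodes the order id and inserts it raw, so an encoded payload becomes live markup."""
    return f"<p>Tracking order {unquote(id_param)}</p>"


def render_track_result_safe(id_param: str) -> str:
    """Decode first, then escape: the encoded payload can no longer re-appear as a tag."""
    return f"<p>Tracking order {html.escape(unquote(id_param), quote=True)}</p>"


def store_last_login_ip(header_value: str):
    """Stored-XSS defence for the Last Login IP field: the header value (assumed
    forwarded-client-IP header) is accepted only if it parses as an IP address;
    anything else is dropped rather than stored."""
    try:
        return str(ipaddress.ip_address(header_value.strip()))
    except ValueError:
        return None


if __name__ == "__main__":
    print("search   vulnerable:", unexpected_tags(render_search_vulnerable(PAYLOAD)))
    print("search   safe      :", unexpected_tags(render_search_safe(PAYLOAD)))
    print("track    vulnerable:", unexpected_tags(render_track_result_vulnerable(ENCODED_PAYLOAD)))
    print("track    safe      :", unexpected_tags(render_track_result_safe(ENCODED_PAYLOAD)))
    print("login ip from header:", store_last_login_ip(PAYLOAD), store_last_login_ip("10.10.55.113"))
```

Escaping on output fixes the reflected and DOM cases regardless of how the value was encoded in transit, while the IP field is better served by rejecting anything that is not an IP address, since that field has a strict expected format.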
For more info on broken access controls we can view the official
Similar to
We can manipulate the number following "basket" to be another "userid"; as an example, the intercepted request for userid 2 would look like:
More information:
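The basket swap described in the horizontal access control steps earlier, and again just above, is an insecure direct object reference: the server authenticates the session but never checks that the basket id in the URL belongs to that session's user. The example below is added for this writeup (not code from TryHackMe or the target application) and shows the vulnerable lookup next to an authorised one, plus a simple detection over the denied attempts that such a fix produces. Sessions, users and baskets are constructed sample data.

```python
from typing import Optional

# Constructed sample state (not from the room): session tokens -> user ids,
# and baskets with their owners.
SESSIONS = {"tok-jim": 1, "tok-user2": 2, "tok-user3": 3}
BASKETS = {
    1: {"owner": 1, "items": ["Apple Juice"]},
    2: {"owner": 2, "items": ["Raspberry Juice"]},
    3: {"owner": 2, "items": ["Lemon Juice"]},
    4: {"owner": 3, "items": ["Orange Juice"]},
}


def vulnerable_get_basket(token: str, basket_id: int):
    """Authenticates only: any logged-in user can read any basket by changing the id."""
    if token not in SESSIONS:
        return 401, None
    basket = BASKETS.get(basket_id)
    return (200, basket["items"]) if basket else (404, None)


def hardened_get_basket(token: str, basket_id: int, audit: Optional[list] = None):
    """Authenticates and authorises: the basket must belong to the session's user.
    Denied attempts are appended to `audit` so they can be monitored."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, None
    basket = BASKETS.get(basket_id)
    if basket is None:
        return 404, None
    if basket["owner"] != user:
        if audit is not None:
            audit.append({"user": user, "basket": basket_id, "result": "denied"})
        return 403, None
    return 200, basket["items"]


def flag_enumeration(audit: list, threshold: int = 3) -> list:
    """Detection: users with at least `threshold` denied basket lookups are
    probably walking through ids. Returns the flagged user ids, sorted."""
    counts = {}
    for entry in audit:
        if entry["result"] == "denied":
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("vulnerable, jim reads basket 2:", vulnerable_get_basket("tok-jim", 2))
    log = []
    for bid in (1, 2, 3, 4):
        print("hardened,   jim reads basket", bid, "->", hardened_get_basket("tok-jim", bid, log))
    print("flagged users:", flag_enumeration(log))
```

The ownership check belongs on the server for every object lookup; hiding the id in the client or obfuscating it does not substitute for it. Logging the denials turns the same check into a detection signal for id enumeration.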