Using Web Proxies:
Link to challenge: https://academy.hackthebox.com/module/110
(login required)
Class: Tier II | Easy | Offensive
Before we begin: throughout the module we will often use the tool ‘burpsuite’.
From the pwnbox, it can be opened either from the marked application:
Or by entering in the terminal:
burpsuite
Burp Suite has a built-in browser, which can be found in the Proxy tab:
Throughout the module it will be the default browser, unless specified
otherwise, and it will be referred to as the burpsuite browser.
Web Proxy
Intercepting Web Requests:
Question: Try intercepting the ping request on the server shown above, and
change the post data similarly to what we did in this section. Change the
command to read 'flag.txt'
Answer: HTB{1n73rc3p73d_1n_7h3_m1ddl3}
Method: let’s open the target website from the burpsuite browser:
We have this ping service for IPs in ‘127.0.0.xxx’:
The input field accepts only numbers, as expected.
So let’s enter a random number and press ‘Ping’ while the burpsuite proxy
interceptor is on:
This is the intercepted request; we can see the IP’s last octet value set to 232
(line 15).
Here we can do what we could not do in the browser – manipulate the
parameter into an invalid value to trigger command injection.
For that we will add ‘;’ to the value, and then add the command ‘ls;’:
So the modified ip value will be ‘232;ls;’:
When done, we press ‘Forward’ to pass the intercepted, modified request.
Let’s see the result in the browser:
Here is the flag’s file. Let’s get it.
Let’s use the same technique to obtain it:
‘232;cat flag.txt’
And Forward...
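The injection above works because the browser-side number check is the only check: the server concatenates the octet into a shell command line. As an added example (not code from the module or from its target server; the function names and the hard-coded 127.0.0. prefix are assumptions), here is that unsafe pattern next to a hardened version that validates the octet against an allow-list and runs ping as an argv list with no shell involved:

```python
import re
import subprocess

# Constructed example, not the target's ping.php. The page takes the last octet
# of 127.0.0.x; the intercepted request showed the number check bypassed with
# '232;ls;'. Nothing here executes the unsafe string.

def build_ping_shell_command_unsafe(octet: str) -> str:
    """The pattern behind the injection: untrusted input concatenated into a
    shell command line. Returned as a string only, never executed here."""
    return "ping -c 1 127.0.0." + octet

# Allow-list: exactly one decimal number in 0..255, nothing else.
OCTET_RE = re.compile(r"^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$")

def build_ping_argv_safe(octet: str) -> list:
    """Hardened form: server-side allow-list validation and an argv list, so no
    shell ever parses the value. Raises ValueError on anything unexpected."""
    if not OCTET_RE.fullmatch(octet):
        raise ValueError(f"rejected ip octet: {octet!r}")
    return ["ping", "-c", "1", "127.0.0." + octet]

def run_ping_safe(octet: str) -> int:
    """Runs the validated command without a shell (shell=False is the default
    for a list argument) and returns the exit code. Not exercised by the tests."""
    return subprocess.run(build_ping_argv_safe(octet), capture_output=True, timeout=5).returncode

def classify(octet: str) -> str:
    """Helper to show what the hardened validator does with sample inputs."""
    try:
        build_ping_argv_safe(octet)
        return "accepted"
    except ValueError:
        return "rejected"

if __name__ == "__main__":
    # Constructed sample inputs, including the two injected values from the write-up.
    for sample in ["232", "232;ls;", "232;cat flag.txt", "256", ""]:
        print(f"{sample!r:22} unsafe -> {build_ping_shell_command_unsafe(sample)!r:40} "
              f"safe -> {classify(sample)}")
```

The difference to look for in a review is not the regex but the execution model: once the value is one element of an argv list, a ‘;’ in it is just a character in a hostname that ping will reject, not a command separator.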
Repeating Requests:
Question: Try using request repeating to be able to quickly test commands.
With that, try looking for the other flag.
Answer: HTB{qu1ckly_r3p3471n6_r3qu3575}
Method: continuing from the previous section, we capture a ping request in the
proxy. Let’s right click the request and select ‘Send to Repeater’:
With that, let’s open the Repeater tab:
Here we can hit ‘Send’ and manipulate the request faster and more
efficiently. Let’s see an example:
That’s the same ‘232;ls’ from the previous section, and we can see the flag’s
name in the response in the right window.
Let’s look for another flag. For that we will run the Linux ‘find’ command to locate
the flag within the system.
*there are various methods to confirm that the server is Linux, but that’s
outside the scope of this module. *
Anyway, this is the command itself:
find / -type f -name flag.txt 2>/dev/null
Let’s attach it to the ip value:
‘232; find / -type f -name flag.txt 2>/dev/null’ - and Send:
We can observe that the other flag is located at ‘/flag.txt’. Let’s get it:
‘232; cat /flag.txt’ – and Send:
Encoding/Decoding:
Question: The string found in the attached file has been encoded several times
with various encoders. Try to use the decoding tools we discussed to decode it
and get the flag.
Answer: HTB{3nc0d1n6_n1nj4}
Method: for this question we are provided with this encoded flag. Let’s
download it to the pwnbox:
wget https://academy.hackthebox.com/storage/modules/110/encoded_flag.zip
unzip encoded_flag.zip
Now let’s read ‘encoded_flag.txt’:
cat encoded_flag.txt
Let’s take this string to the burpsuite Decoder and decode it. We will have to
base64 decode the string 4 times, and then decode it as URL:
The flag is down below:
* yellow mark means base64 encode/decode. Yellow means URL
encode/decode. *
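As an added example (not the module’s encoded_flag.txt, which is only available on the platform, and not Burp’s own Decoder code), the Python below does what was done by hand above: it peels base64 and URL-encoding layers off a string until neither decoder applies, reporting the order in which the layers came off. The wrap helper builds a constructed sample in the same shape as the challenge (URL-encode once, then base64 four times) so the decoder can be checked offline; the placeholder text inside it is not the real flag:

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

# Constructed example; the real encoded_flag.txt is not reproduced here.
# Strict base64 alphabet check: Burp's "smart decode" guesses similarly.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def try_base64(s: str):
    """Return the decoded text if s is well-formed base64 that yields printable
    UTF-8 text, else None. Note a short plain string such as 'abcd' can look
    like base64; the printable-text check is what stops most false positives."""
    if len(s) % 4 or not B64_RE.fullmatch(s):
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def try_url(s: str):
    """Return the URL-decoded text if s actually contains percent-escapes, else None."""
    if "%" not in s:
        return None
    decoded = unquote(s)
    return decoded if decoded != s else None

def peel(s: str, max_layers: int = 16):
    """Strip encoding layers until no known decoder applies.
    Returns (final_text, names of the layers in the order they were removed)."""
    layers = []
    for _ in range(max_layers):
        for name, fn in (("base64", try_base64), ("url", try_url)):
            out = fn(s)
            if out is not None:
                layers.append(name)
                s = out
                break
        else:
            break  # no decoder applied: we have reached the innermost text
    return s, layers

def wrap(plain: str, b64_layers: int = 4) -> str:
    """Build a sample in the challenge's shape: URL-encode, then base64 N times."""
    s = quote(plain, safe="")
    for _ in range(b64_layers):
        s = base64.b64encode(s.encode()).decode()
    return s

if __name__ == "__main__":
    sample = wrap("HTB{example_flag_value}")  # constructed placeholder, not the real flag
    print(sample)
    print(peel(sample))  # -> ('HTB{example_flag_value}', ['base64', 'base64', 'base64', 'base64', 'url'])
```

The layer list is the useful part when triaging an unknown blob: it tells you which encodings were applied and in what order, which is exactly what the Intruder processing rules in a later section need to reproduce in reverse.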
Proxying Tools:
Question: Try running 'auxiliary/scanner/http/http_put' in Metasploit on any
website, while routing the traffic through Burp. Once you view the requests
sent, what is the last line in the request?
Answer: msf test file
Method: first let’s open the burpsuite Proxy settings:
And there we confirm we have a listener on ‘127.0.0.1:8080’:
Now to Metasploit. Let’s start it:
msfconsole
and in the Metasploit CLI we enter:
use auxiliary/scanner/http/http_put
set RHOSTS <target-IP>
set RPORT <target-port>
set PROXIES HTTP:127.0.0.1:8080
run
*note – the solution is based on the target machine provided by the previous
sections, and was tested on those as well. But it works on any functioning website
(http and https). However, in this write-up the demonstration will be based on the
target machine. *:
And when it starts running, the burpsuite will intercept the request:
Line 8, ‘msf test file’, is the answer.
Web Fuzzer
Burp Intruder:
Question: Use Burp Intruder to fuzz for '.html' files under the /admin directory,
to find a file containing the flag.
Answer: HTB{burp_1n7rud3r_fuzz3r!}
Method: First let’s go to the target website from the burpsuite browser,
intercept the request in the proxy, then right click it and select ‘Send to Intruder’:
Now let’s open the request in the Intruder:
The first thing we do is to change the path ‘/admin/’ to
/admin/§FUZZ§.html
Now we need to choose a payload. Our payload will be the wordlist
‘/usr/share/seclists/Discovery/Web-Content/common.txt’. First let’s copy that
file from its original location to the user’s home directory:
cp /usr/share/seclists/Discovery/Web-Content/common.txt common.txt
When that is sorted, let’s go to the Payloads tab:
Let’s load our ‘common.txt’ into the Payload Simple list:
Here it is loaded. Now we can start the attack:
The attack begins and a new window opens. We will select the filter,
check only the 2xx box, then press ‘Apply’.
Now only the payloads whose path returns 200 will be shown (the rest will
return 404 Not Found).
After several minutes, a path that returns 200 will be displayed:
The scan found a page – 2010 – which means the URL:
http://<target-IP>:<target-port>/admin/2010.html
should be accessible. Let’s test it from the browser (here we will use the normal
Firefox browser):
ZAP Fuzzer:
Question: The directory we found above sets the cookie to the md5 hash of the
username, as we can see the md5 cookie in the request for the (guest) user.
Visit '/skills/' to get a request with a cookie, then try to use ZAP Fuzzer to fuzz
the cookie for different md5 hashed usernames to get the flag. Use the "top-
usernames-shortlist.txt" wordlist from Seclists.
Answer: HTB{fuzz1n6_my_f1r57_c00k13}
Method: *note – ZAP wasn’t installed properly on the pwnbox, so I used
burpsuite instead. *
Upon entering
http://<target-IP>:<target-port>/skills
for the first time, we receive a cookie from the server.
The screenshot is the intercepted response. It contains the header ‘Set-
Cookie’, and in it the cookie parameter ‘cookie’, whose value is the md5
hash of ‘guest’.
Let’s accept the response and refresh the page:
Here is the intercepted new request; now we send the cookie given in the
first session back to the server.
What we have to do now is fuzz that cookie value with the wordlist
‘/usr/share/seclists/Usernames/top-usernames-shortlist.txt’.
Let’s copy it to the home directory:
cp /usr/share/seclists/Usernames/top-usernames-shortlist.txt top-usernames-shortlist.txt
Now we will use the burpsuite Intruder. First let’s set the fuzzed request:
Cookie: cookie=§FUZZ§
Now to the Payloads tab:
We load the list.
And in Payload processing:
we add a Hash: MD5 rule.
This is how it should look:
And we can begin the attack:
We can quickly notice a payload that resulted in a larger response size than
the others. Let’s:
Show the response in the browser.
We get a link to copy; let’s do that:
and enter it:
And it takes us right to the flag.
Web Scanner
ZAP Scanner:
Question: Run ZAP Scanner on the target above to identify directories and
potential vulnerabilities. Once you find the high-level vulnerability, try to use it
to read the flag at '/flag.txt'
Answer: HTB{5c4nn3r5_f1nd_vuln5_w3_m155}
Method: OK, let’s install ZAP (yeah, in the previous section I didn’t succeed and
went for burpsuite, but here I had no choice and made another attempt):
sudo apt install snapd
sudo snap install zaproxy --classic
Then, when installed, start ZAP:
/usr/bin/zaproxy
We go to ‘Tools’ -> ‘AJAX Spider’:
We enter the target server IP and port as the starting point, and start the scan:
The results appear either in the panel at the bottom of the screenshot or on
the left side.
Here on the left side we can see ‘ping.php’.
Let’s see if we can get anything on it with an active scan (Tools -> Active Scan):
We get this alert in the results:
The page is vulnerable to command injection. That’s excellent.
Let’s enter the URL in the browser:
It’s empty.
We will add ‘;cat /flag.txt’ to the URL (the space URL-encoded as %20):
http://<target-IP>:<target-port>/devtools/ping.php?ip=127.0.0.1;cat%20/flag.txt
Skills Assessment
Skills Assessment - Using Web Proxies:
Question: The /lucky.php page has a button that appears to be disabled. Try to
enable the button, and then click it to get the flag.
Answer: HTB{d154bl3d_bu770n5_w0n7_570p_m3}
Method: let’s enter in the burpsuite browser:
http://<target-IP>:<target-port>/lucky.php
And there open the web developer tools Inspector:
We remove the ‘disabled’ attribute, turn the interceptor on and click the button. The
burpsuite will intercept the request:
Let’s send it to the Repeater:
And Send.
We get the same original button. Let’s hit Send a couple more times (and check every
response) until we get something different:
After several attempts, we get the flag:
Question: The /admin.php page uses a cookie that has been encoded multiple
times. Try to decode the cookie until you get a value with 31-characters. Submit
the value as the answer.
Answer: 3dac93b8cd250aa8c1a36fffc79a17a
Method: let’s move to the next page:
http://<target-IP>:<target-port>/admin.php
Here is the intercepted request. Let’s intercept the response as well (right click ->
Do intercept -> Response to this request):
Here is the response, and in line 8 the cookie value. Let’s take it to the Decoder:
Let’s decode it as ‘ASCII hex’, and then decode it again as base64:
Question: Once you decode the cookie, you will notice that it is only 31
characters long, which appears to be an md5 hash missing its last character. So,
try to fuzz the last character of the decoded md5 cookie with all alpha-numeric
characters, while encoding each request with the encoding methods you
identified above. (You may use the "alphanum-case.txt" wordlist from Seclist
for the payload)
Answer: HTB{burp_1n7rud3r_n1nj4!}
Method: as instructed, we will use the wordlist
‘/usr/share/seclists/Fuzzing/alphanum-case.txt’.
Let’s copy it to the pwnbox user’s home directory:
cp /usr/share/seclists/Fuzzing/alphanum-case.txt alphanum-case.txt
And in the burpsuite proxy, let’s refresh the browser to intercept a new request with
the cookie:
We will change the cookie value to the 31-character string output from the
previous question:
When that’s done, we select ‘Send to Intruder’:
Now we need to replace the string with §FUZZ§:
cookie=§FUZZ§
And now to the Payloads tab – we load ‘alphanum-case.txt’ in the payload
settings (simple list), and in the processing rules we first add the 31-character string (the result
from the previous question):
‘3dac93b8cd250aa8c1a36fffc79a17a‘
as a prefix, then encode as base64, and then as ASCII hex (the reverse of the decoding order):
Let’s commence the attack:
Among the requests showing 5 or 6 responses received, there is one request showing 10
responses received.
Let’s open that request in the browser (right click the request, then ‘Show
response in browser’):
*note – after rerunning the challenge, I found out that sometimes the number of
responses can be 0 or 1, and almost every iteration’s response shown in the
browser displays the flag. *
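Both the Hash: MD5 rule used for the /skills/ cookie earlier and the prefix / base64 / ASCII hex chain used for the admin.php cookie here are Intruder payload-processing rules. As an added example (not Burp’s code and not the module’s), the Python below reproduces those rules so the encoded payloads can be generated and checked offline before an attack is configured, and shows the defender-side reading of the first one: a cookie that is just md5(username) can be matched back to the username from a wordlist. The short username list stands in for top-usernames-shortlist.txt, string.ascii_letters + string.digits stands in for alphanum-case.txt, and the 31-character value is the one from the previous question:

```python
import base64
import binascii
import hashlib
import string

# Constructed example reproducing Burp Intruder payload-processing rules in code.
# Stand-ins for the SecLists files used in the write-up (not the real lists):
ALPHANUM = string.ascii_letters + string.digits          # ~ alphanum-case.txt
SAMPLE_USERS = ["root", "admin", "guest", "test"]        # ~ top-usernames-shortlist.txt

def md5_cookie_candidates(usernames):
    """'Hash: MD5' rule: the cookie value a server that sets cookie=md5(username)
    would issue for each wordlist entry."""
    return {u: hashlib.md5(u.encode()).hexdigest() for u in usernames}

def match_cookie_to_username(cookie_value: str, usernames):
    """Why md5(username) is a weak session token: a captured cookie value is
    compared with the hash of every wordlist entry. Returns the username or None."""
    for user, digest in md5_cookie_candidates(usernames).items():
        if digest == cookie_value:
            return user
    return None

def decode_admin_cookie(cookie: str) -> str:
    """Undo the admin.php cookie encoding found in the Decoder: ASCII hex first, then base64."""
    return base64.b64decode(binascii.unhexlify(cookie)).decode()

def encode_admin_cookie(value: str) -> str:
    """The processing rules in reverse order of decoding: base64 first, then ASCII hex."""
    return binascii.hexlify(base64.b64encode(value.encode())).decode()

def fuzz_last_char_payloads(prefix31: str, alphabet: str = ALPHANUM):
    """'Add prefix' + 'Encode: Base64' + 'Encode: ASCII hex' for every candidate
    final character. Returns {candidate_char: encoded_cookie_value}."""
    if len(prefix31) != 31:
        raise ValueError("expected the 31-character truncated md5 value")
    return {c: encode_admin_cookie(prefix31 + c) for c in alphabet}

if __name__ == "__main__":
    print(md5_cookie_candidates(SAMPLE_USERS))
    truncated = "3dac93b8cd250aa8c1a36fffc79a17a"  # the value from the previous question
    payloads = fuzz_last_char_payloads(truncated)
    first_char, first_payload = next(iter(payloads.items()))
    print(len(payloads), "payloads; candidate", first_char, "->", first_payload)
    print("round trip:", decode_admin_cookie(first_payload))
```

Generating the payloads in code first is a cheap sanity check on the rule order: if decode_admin_cookie does not give back prefix plus one character, the Intruder rules are in the wrong order and every request of the attack would be wasted.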
Question: You are using the
'auxiliary/scanner/http/coldfusion_locale_traversal' tool within Metasploit, but
it is not working properly for you. You decide to capture the request sent by
Metasploit so you can manually verify it and repeat it. Once you capture the
request, what is the 'XXXXX' directory being called in '/XXXXX/administrator/..'?
Answer: CFIDE
Method: let’s start Metasploit:
msfconsole
And in it we set:
use auxiliary/scanner/http/coldfusion_locale_traversal
set RHOSTS <target-IP>
set RPORT <target-port>
set PROXIES HTTP:127.0.0.1:8080
Before we run, we confirm that the proxy setting is set in Metasploit as
well:
It is. Let’s run the module:
run
Once Metasploit starts running, the burpsuite proxy intercepts the
following request:
With the path in it.