Webroot


Webroot of the target on port 80

The e-mail address under the Contact tab reveals a domain name: base.htb

Added it to /etc/hosts so the name resolves locally

Login page discovered at /login/login.php

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/starting-point/base]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt -u http://base.htb/FUZZ    
 
        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       
 
       v1.5.0 Kali Exclusive <3
________________________________________________
 
 :: Method           : GET
 :: URL              : http://base.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
index.html              [Status: 200, Size: 39344, Words: 8989, Lines: 741, Duration: 61ms]
.htaccess               [Status: 403, Size: 273, Words: 20, Lines: 10, Duration: 55ms]
logout.php              [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 81ms]
upload.php              [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 88ms]
:: Progress: [35325/35325] :: Job [1/1] :: 1219 req/sec :: Duration: [0:00:42] :: Errors: 1 ::
 
 
┌──(kali㉿kali)-[~/archive/htb/starting-point/base]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://base.htb/FUZZ/ -ic         
 
        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       
 
       v1.5.0 Kali Exclusive <3
________________________________________________
 
 :: Method           : GET
 :: URL              : http://base.htb/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
_uploaded               [Status: 200, Size: 743, Words: 52, Lines: 16, Duration: 30ms]
assets                  [Status: 200, Size: 1685, Words: 112, Lines: 21, Duration: 41ms]
forms                   [Status: 200, Size: 1136, Words: 74, Lines: 18, Duration: 37ms]
icons                   [Status: 403, Size: 273, Words: 20, Lines: 10, Duration: 32ms]
login                   [Status: 200, Size: 1342, Words: 91, Lines: 19, Duration: 34ms]
server-status           [Status: 403, Size: 273, Words: 20, Lines: 10, Duration: 90ms]
:: Progress: [20476/20476] :: Job [1/1] :: 1175 req/sec :: Duration: [0:00:21] :: Errors: 0 ::

Fuzzing the web root reveals a number of interesting files and directories. upload.php and logout.php answer with a 302 rather than a 200, so they redirect (most likely to the login page) when no session is present; the directories come back as small 200 responses and are worth browsing by hand.

Files:

  • logout.php
  • upload.php

Directories:

  • _uploaded
  • forms
  • login

/forms/ Directory indexing is enabled here as well

/login/ Also listed. Next to login.php there is a file called login.php.swp. At first glance it looks like a backup or the original version of login.php; the file command below shows what it really is.

login.php.swp


┌──(kali㉿kali)-[~/archive/htb/starting-point/base]
└─$ wget http://base.htb/login/login.php.swp                      
--2022-10-07 13:12:21--  http://base.htb/login/login.php.swp
Resolving base.htb (base.htb)... 10.129.95.184
Connecting to base.htb (base.htb)|10.129.95.184|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16384 (16K)
Saving to: ‘login.php.swp’
 
login.php.swp                   100%[======================================================>]  16.00K  --.-KB/s    in 0.08s   
 
2022-10-07 13:12:21 (190 KB/s) - ‘login.php.swp’ saved [16384/16384]

I downloaded the file with wget for offline examination

┌──(kali㉿kali)-[~/archive/htb/starting-point/base]
└─$ cat login.php.swp 
3210#"! Utp[        ^\ ad [    X   oeXin/login.php
                                      	 
  
  z
   y
    a
      
 
      c
       %
         
}
-
 	 	b	a	        nm&  :  Y     {zO    O@?    X/                    <input type="text" name="username" class="form-control" style="max-width: 30%;" id="username" placeholder="Your Username" required>                <div class="form-group">              <div class="row" align="center">            <form id="login-form" action="" method="POST" role="form" style="background-color:#f8fbfe">          <div class="col-lg-12 mt-5 mt-lg-0">        <div class="row mt-2">        </div>          <p>Use the form below to log into your account.</p>          <h2>Login</h2>        <div class="section-title mt-5" >      <div class="container" data-aos="fade-up">    <section id="login" class="contact section-bg" style="padding: 160px 0">    <!-- ======= Login Section ======= -->  </header><!-- End Header -->    </div>      </nav><!-- .navbar -->        <i class="bi bi-list mobile-nav-toggle"></i>        </ul>          <li><a class="nav-link scrollto action" href="/login.php">Login</a></li>          <li><a class="nav-link scrollto" href="/#contact">Contact</a></li>          <li><a class="nav-link scrollto" href="/#pricing">Pricing</a></li>          <li><a class="nav-link scrollto" href="/#team">Team</a></li>          <li><a class="nav-link scrollto" href="/#services">Services</a></li>          <li><a class="nav-link scrollto" href="/#about">About</a></li>          <li><a class="nav-link scrollto" href="/#hero">Home</a></li>        <ul>      <nav id="navbar" class="navbar">      <!-- <a href="index.html" class="logo"><img src="../assets/img/logo.png" alt="" class="img-fluid"></a>-->      <!-- Uncomment below if you prefer to use an image logo -->      <h1 class="logo"><a href="index.html">BASE</a></h1>    <div class="container d-flex align-items-center justify-content-between">  <header id="header" class="fixed-top">  <!-- ======= Header ======= --><body></head>  <link href="../assets/css/style.css" rel="stylesheet">  <!-- Template Main CSS File -->  <link 
href="../assets/vendor/swiper/swiper-bundle.min.css" rel="stylesheet">  <link href="../assets/vendor/remixicon/remixicon.css" rel="stylesheet">  <link href="../assets/vendor/glightbox/css/glightbox.min.css" rel="stylesheet">  <link href="../assets/vendor/boxicons/css/boxicons.min.css" rel="stylesheet">  <link href="../assets/vendor/bootstrap-icons/bootstrap-icons.css" rel="stylesheet">  <link href="../assets/vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet">  <link href="../assets/vendor/aos/aos.css" rel="stylesheet">  <!-- Vendor CSS Files -->  <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i|Raleway:300,300i,400,400i,500,500i,600,600i,700,700i|Poppins:300,300i,400,400i,500,500i,600,600i,700,700i" rel="stylesheet">  <!-- Google Fonts -->  <link href="../assets/img/apple-touch-icon.png" rel="apple-touch-icon">  <link href="../assets/img/favicon.png" rel="icon">  <!-- Favicons -->  <meta content="" name="keywords">  <meta content="" name="description">  <title>Welcome to Base</title>  <meta content="width=device-width, initial-scale=1.0" name="viewport">  <meta charset="utf-8"><head><html lang="en"><!DOCTYPE html>?>}    }        print("<script>alert('Wrong Username or Password')</script>");    } else {        }            print("<script>alert('Wrong Username or Password')</script>");        } else {            header("Location: /upload.php");            $_SESSION['user_id'] = 1;        if (strcmp($password, $_POST['password']) == 0) {    if (strcmp($username, $_POST['username']) == 0) {    require('config.php');if (!empty($_POST['username']) && !empty($_POST['password'])) {session_start();<?phpad        </html></body>  <script src="../assets/js/main.js"></script>   
┌──(kali㉿kali)-[~/archive/htb/starting-point/base]
└─$ file login.php.swp 
login.php.swp: Vim swap file, version 8.0, pid 1648, user root, host base, file /var/www/html/login/login.php

It is a Vim swap file: the editor's working copy of the buffer, which is normally deleted when Vim exits cleanly and only stays behind if the editor was killed, crashed or is still running. The header alone already leaks useful facts: the file was edited as root on a host named base, and the original path is /var/www/html/login/login.php, which confirms the webroot.

┌──(kali㉿kali)-[~/archive/htb/starting-point/base]
└─$ vim -r login.php.swp

Running vim -r on the swap file recovers the buffered contents of login.php.

This restores most of the file apart from a few lines. The interesting part is the credential check:
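As an added example (not part of the original writeup), the following PHP script parses the swap file header that file(1) summarised above and pulls the buffered lines straight out of the data blocks, which is handy for triaging a leaked .swp on an engagement without opening it in Vim. The field offsets follow Vim's block0 layout; the swap image built by make_sample_swap() is constructed for the demo (the real login.php.swp is not embedded), and the function names are mine. It needs PHP 7.4 or later.

```php
<?php
// Added example, not part of the original writeup: parse the header of a Vim
// swap file and pull the buffered text out of its data blocks without Vim.
// Offsets follow Vim's struct block0 (memline.c) and match the magic that
// file(1) uses: "b0VIM" at 0, version at 2, page size at 12, mtime at 16,
// inode at 20, pid at 24, user at 28 (40 bytes), host at 68 (40 bytes) and
// the edited file's path at 108 (900 bytes). Integers are little-endian.

function swap_header(string $data): array
{
    if (strlen($data) < 1008 || substr($data, 0, 5) !== 'b0VIM') {
        throw new RuntimeException('not a Vim swap file (missing b0VIM magic)');
    }
    $cstr = static function (string $buf): string {   // NUL-terminated string
        $nul = strpos($buf, "\0");
        return $nul === false ? $buf : substr($buf, 0, $nul);
    };
    $ints = unpack('Vpagesize/Vmtime/Vino/Vpid', substr($data, 12, 16));
    return [
        'version'  => $cstr(substr($data, 2, 10)),
        'pagesize' => $ints['pagesize'],
        'mtime'    => $ints['mtime'],
        'pid'      => $ints['pid'],
        'user'     => $cstr(substr($data, 28, 40)),
        'host'     => $cstr(substr($data, 68, 40)),
        'file'     => $cstr(substr($data, 108, 900)),
    ];
}

// Data blocks begin with the id bytes "ad" (DATA_ID, little-endian); pointer
// blocks ("tp") carry no text and are skipped. In a data block the 32-bit
// field at offset 8 (db_txt_start) says where the text area begins; the lines
// in it are NUL-terminated and stored from the end of the block downwards, so
// the last line sits at the lowest offset. Reversing the strings of each block
// restores the original order. This is a triage view of the buffer; `vim -r`
// remains the authoritative way to recover it.
function swap_text(string $data): array
{
    $page  = swap_header($data)['pagesize'];
    $lines = [];
    for ($off = $page; $off + $page <= strlen($data); $off += $page) {
        $block = substr($data, $off, $page);
        if (substr($block, 0, 2) !== 'ad') {
            continue;
        }
        $txtStart = unpack('V', substr($block, 8, 4))[1];
        $chunks   = explode("\0", substr($block, $txtStart));
        $chunks   = array_filter($chunks, static fn (string $s): bool => $s !== '');
        $lines    = array_merge($lines, array_reverse($chunks));
    }
    return $lines;
}

// --- constructed sample swap image (the real login.php.swp is not embedded) --
function make_sample_swap(array $lines, int $page = 4096): string
{
    $b0 = str_pad('b0VIM 8.0', 12, "\0")                     // b0_id + b0_version
        . pack('VVVV', $page, 0, 0, 1648)                     // page size, mtime, inode, pid
        . str_pad('root', 40, "\0") . str_pad('base', 40, "\0")
        . str_pad('/var/www/html/login/login.php', 900, "\0");
    $b0 = str_pad($b0, $page, "\0");

    // Text area: last line first, each NUL-terminated, flush with the page end.
    $text     = implode('', array_map(static fn (string $l): string => $l . "\0", array_reverse($lines)));
    $txtStart = $page - strlen($text);
    $hdr      = 'ad' . "\0\0" . pack('VVV', 0, $txtStart, $page);   // id, pad, db_free, db_txt_start, db_txt_end
    return $b0 . str_pad($hdr, $txtStart, "\0") . $text;
}

$sample = make_sample_swap([
    '<?php',
    'session_start();',
    "if (strcmp(\$username, \$_POST['username']) == 0) {",
    '    header("Location: /upload.php");',
    '}',
    '?>',
]);
print_r(swap_header($sample));          // user root, host base, pid 1648, the edited path
echo implode("\n", swap_text($sample)), "\n";   // the six lines back in file order
```

Against a real download the same two calls apply: swap_header(file_get_contents('login.php.swp')) gives the fields file(1) printed, and swap_text() dumps the buffered source. The reversed storage order is exactly why the raw cat output above reads backwards, with <input ...> first and <?php last.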

strcmp


<?php
//...[REDACTED]...
    // $username and $password come from config.php (require'd earlier in the file);
    // the bug is comparing strcmp()'s result with == instead of ===
    if (strcmp($username, $_POST['username']) == 0) {
        if (strcmp($password, $_POST['password']) == 0) {
            $_SESSION['user_id'] = 1;
            header("Location: /upload.php");
        }
    }
//...[REDACTED]...
//...[REDACTED]...

The check uses PHP's strcmp() and compares its return value with the loose equality operator ==.

strcmp() is a frequent source of authentication bypasses when its result is compared loosely. If one of its arguments is not a string, for example an array (which PHP builds from a POST parameter named username[]), strcmp() in PHP 7 emits a warning and returns NULL instead of an integer. NULL == 0 evaluates to true, so the check passes without the correct value. The correct way to write the comparison is with the strict operator === instead of ==, which also checks the type and therefore fails for NULL; on top of that the code should reject non-string input before it ever reaches strcmp(). (On PHP 8 the same call throws a TypeError, so the request errors out instead of being let through.)

Authentication Bypass


I intercepted the login POST request in Burp Suite

Changed both parameters into arrays (username[]=... and password[]=...) to bypass the check. The code never validates the type of the user input and compares strcmp()'s result with == instead of ===, so only the value is checked loosely rather than the type and the value. With an array argument strcmp() returns NULL, NULL == 0 is true, and both checks pass without the real credentials.

Successfully bypassed the authentication: the response redirects to /upload.php, which exposes a file upload feature
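To make the bypass concrete, here is an added PHP example of my own (not the target's login.php and not taken from the box): the recovered strcmp() check beside a hardened login, both called with the array payload sent from Burp. The username, password, stored hash and function names are constructed for the demo; it needs PHP 7.4 or later, and the vulnerable path behaves differently on PHP 7 (bypass) and PHP 8 (TypeError), which the script shows.

```php
<?php
// Added example, not the code from the target's login.php: the recovered
// strcmp() check next to a hardened version, both run against the array
// payload used for the bypass. The username, password and hash are
// constructed here; config.php on the target is not reproduced.

// Mirrors login.php: config.php supplies $username/$password as plain strings
// and the result of strcmp() is compared loosely with == 0.
function vulnerable_login(array $post, string $username, string $password): bool
{
    if (empty($post['username']) || empty($post['password'])) {
        return false;
    }
    // PHP 7: strcmp() with an array argument emits a warning and returns NULL,
    // and NULL == 0 is true, so both checks pass without knowing the password.
    // PHP 8: the same call throws TypeError, so the request fails instead.
    if (strcmp($username, $post['username']) == 0) {
        if (strcmp($password, $post['password']) == 0) {
            return true;               // the real code sets $_SESSION['user_id'] = 1
        }
    }
    return false;
}

// Hardened version: reject anything that is not a non-empty string, compare the
// password against a stored hash with password_verify() (constant-time) and the
// username with hash_equals(); nothing here depends on loose comparison.
function hardened_login(array $post, string $username, string $passwordHash): bool
{
    $u = $post['username'] ?? null;
    $p = $post['password'] ?? null;
    if (!is_string($u) || !is_string($p) || $u === '' || $p === '') {
        return false;
    }
    $userOk = hash_equals($username, $u);
    $passOk = password_verify($p, $passwordHash);
    return $userOk && $passOk;
}

// --- demo with constructed values --------------------------------------------
$storedUser = 'admin';
$storedPass = 'correct horse battery staple';   // stands in for config.php's $password
$storedHash = password_hash($storedPass, PASSWORD_DEFAULT);

// Body sent from Burp: username[]=x&password[]=y, which PHP decodes into arrays.
$arrayPayload = ['username' => ['x'], 'password' => ['y']];
$wrongCreds   = ['username' => 'admin', 'password' => 'guess'];
$realCreds    = ['username' => 'admin', 'password' => $storedPass];

$show = static fn (bool $ok): string => $ok ? 'LOGGED IN' : 'rejected';

try {
    // On PHP 7 strcmp() prints a warning here and the result is LOGGED IN.
    $r = vulnerable_login($arrayPayload, $storedUser, $storedPass);
    echo 'vulnerable, array payload  : ', $show($r), "\n";
} catch (TypeError $e) {
    echo "vulnerable, array payload  : TypeError (PHP 8 refuses arrays in strcmp)\n";
}
echo 'vulnerable, wrong password : ', $show(vulnerable_login($wrongCreds, $storedUser, $storedPass)), "\n";
echo 'hardened, array payload    : ', $show(hardened_login($arrayPayload, $storedUser, $storedHash)), "\n";
echo 'hardened, wrong password   : ', $show(hardened_login($wrongCreds, $storedUser, $storedHash)), "\n";
echo 'hardened, real credentials : ', $show(hardened_login($realCreds, $storedUser, $storedHash)), "\n";
```

Changing == to === in vulnerable_login() is enough to stop this particular payload, because NULL === 0 is false; the hardened version goes further by refusing non-string input outright and by never storing or comparing the password in plaintext.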

Moving on to the exploitation phase