Web


Nmap discovered a web server running on the target's port 80. The service running is Apache httpd 2.4.41.

Webroot: the site appears to provide a medical service.

In the contact section, I see information about the domain: doctors.htb

It has been appended to the /etc/hosts file on Kali for local DNS resolution.

There is a section that reveals 3 potential usernames.

There is also a section dedicated to news and updates. I see 3 posts made by a user, admin.

doctors.htb


Attempting to browse to doctors.htb over HTTP results in a completely different website. I got redirected to a login page at /login?next=%2F. As the title suggests, it appears to be a communication platform for employees.

Wappalyzer identified the web technologies involved: it's built on Flask 1.0.1 using Python 3.8.2.

/reset_password


The Forgot Password? button leads to /reset_password, where users can request a password reset by providing a registered email.

/register


The Sign Up Now button leads to /register. I will create a testing account: test:qwe123

The account has been created, but the notification shows that there is a time limit of 20 minutes.

/login


Logging in…

The Web Application


I logged in to the web application using the testing account and got redirected to /home.

There is a button, 1, which leads to /home?page=1, but it doesn't seem to display anything for now.

archive


There is a very interesting comment present in the source of every page. It reads "archive still under beta testing" and points to /archive.

However, /archive seems rather empty.

Not much going on in the source code either.

Post


The New Message tab leads to /post/new, where I am able to submit a post.

The post is now displayed at /home. This screams XSS vulnerability, and I should test that out.

By clicking the post that I just created, I am able to update the post.

XSS

I will put the XSS payload through the update feature.

The generic alert() function doesn't seem to work. I will keep testing other XSS payloads.

After much trial and error, I discovered something very interesting, yet so simple. When I post a link to a web server hosted on Kali...

I get a hit. It is technically XSS, but it looks more like the web server is mimicking user behaviour by clicking links posted by other users.

There might be a few things that I should be able to do by exploiting the XSS here, such as token stealing or session hijacking.

I also see a new entry at /archive. The XSS test that I made is displayed here as well. I am not sure of the purpose of this place, but it seems that the titles of all the posts are displayed here.

I eventually got logged out as the 20 minutes passed. I will create another testing account to continue the assessment.

SSTI

Testing for SSTI (Server Side Template Injection) returns negative on the index page.

But checking /archive confirms code execution: the expression was evaluated, so SSTI is confirmed to be present.
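From the defender's side, the SSTI finding above comes down to Jinja2 delimiters reaching a template. As an added example (not part of the original writeup), here is a Python check for that syntax run over constructed Apache combined-log lines for the doctors.htb app; the log format, IP addresses and timestamps are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" log line (the default LogFormat shipped with httpd 2.4 on Ubuntu).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Jinja2 delimiters: expressions, statements and comments. None of these
# belong in a page number, a post title or any other ordinary user input.
TEMPLATE_MARKERS = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\{#.*?#\}", re.S)


def template_markers(text, depth=3):
    """Return the template expressions found in `text`, checking the raw value and
    up to `depth` rounds of URL decoding (probes are often encoded once or twice)."""
    found = []
    for _ in range(depth + 1):
        found += TEMPLATE_MARKERS.findall(text)
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order


def scan_access_log(lines):
    """Flag requests whose path or query string carries template syntax."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        markers = template_markers(m.group("path"))
        if markers:
            hits.append({"ip": m.group("ip"), "path": m.group("path"), "markers": markers})
    return hits


# Constructed sample traffic against the Flask app behind Apache; the second
# line carries a URL-encoded {{7*7}} probe in the /home?page= parameter.
SAMPLE_LOG = """\
10.10.14.5 - - [20/Sep/2020:10:01:02 +0000] "GET /home?page=1 HTTP/1.1" 200 4213 "http://doctors.htb/login" "Mozilla/5.0"
10.10.14.5 - - [20/Sep/2020:10:01:30 +0000] "GET /home?page=%7B%7B7*7%7D%7D HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Sep/2020:10:02:11 +0000] "GET /archive HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Sep/2020:10:02:40 +0000] "POST /post/new HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['ip']} -> {hit['path']} : {hit['markers']}")
```

The access log only exposes GET parameters; the post title that /archive renders travels in the POST body, so the same `template_markers` check belongs in the Flask handler for /post/new before the title is stored, and the fix itself is to render titles as template context rather than as part of the template string.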