Assessment


It’s been [[Mentor_SNMP#[snmpbrute.py](https://github.com/SECFORCE/SNMP-Brute/blob/master/snmpbrute.py)|identified]] that the target SNMP server is configured to support two community strings: public and internal. While the public community string appears to provide only the most basic information about the target system, the internal community string offers a comprehensive overview of the target system, encompassing a broader range of MIB and OID structures. This includes details about system resources, networks, and running processes.

Moreover, an authentication string has been identified, passed as an argument to a running process: /usr/local/bin/login.py kj23sadkj123as0-d213. Although the exact purpose of the Python script is unclear, the exposed authentication string could potentially be reused in alternative attack vectors.

Examining the web aspect of the engagement, a fuzzing operation revealed a virtual host / sub-domain hosting an API server powered by uvicorn at api.mentorquotes.htb. While this API server provides a diverse range of endpoints backing the personal quote blog on the mentorquotes.htb host, it uses dedicated API endpoints for authentication and authorization. During this process, it was determined that quotes can be both created and deleted via the /quotes/ API endpoint, but doing so requires admin privileges.

Given the exposure of the website admin user, james, and the unidentified authentication string, kj23sadkj123as0-d213, in a running process on the target system, it is reasonable to assume that the two form a matching credential pair.

┌──(kali㉿kali)-[~/archive/htb/labs/mentor]
└─$ curl -X POST http://api.mentorquotes.htb/auth/login \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "email": "james@mentorquotes.htb",
  "username": "james",
  "password": "kj23sadkj123as0-d213"
}'
"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0BtZW50b3JxdW90ZXMuaHRiIn0.peGpmshcF666bimHkYIBKQN7hj5m785uKcjwbD--Na0"

It does match. The API server responded with the Authorization string: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0BtZW50b3JxdW90ZXMuaHRiIn0.peGpmshcF666bimHkYIBKQN7hj5m785uKcjwbD--Na0

Assuming that the james user is indeed an admin user, I should now be able to perform creation and deletion.
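The Authorization string above is a compact JWT, and it is worth looking at what it actually carries before reusing it. The following Python is an added example (not part of the original writeup) that decodes the token's header and payload without verifying the signature and reports which session-hygiene claims are absent; the token value is the one returned by /auth/login on this page.

```python
import base64
import json

# The JWT returned by /auth/login above, copied from this page.
TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0BtZW50b3JxdW90ZXMuaHRiIn0."
    "peGpmshcF666bimHkYIBKQN7hj5m785uKcjwbD--Na0"
)


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment; JWTs strip the '=' padding, so restore it."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def inspect_jwt(token: str) -> dict:
    """Parse header and payload WITHOUT verifying the signature (inspection only).

    Returns the algorithm, the decoded claims, the raw signature length and the
    list of claims a reviewer would expect in a session token but that are
    missing here (no expiry, no issued-at, no token id).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    signature = b64url_decode(parts[2])
    missing = [claim for claim in ("exp", "iat", "jti") if claim not in payload]
    return {
        "alg": header.get("alg"),
        "claims": payload,
        "sig_len": len(signature),  # 32 bytes for HS256 (HMAC-SHA256)
        "missing_claims": missing,
    }


if __name__ == "__main__":
    print(json.dumps(inspect_jwt(TOKEN), indent=2))
```

Because the payload has no exp claim, a leaked token of this kind stays valid until the server-side signing key changes, which is the detail a defender should flag.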

Creation and Deletion


┌──(kali㉿kali)-[~/archive/htb/labs/mentor]
└─$ curl -X 'POST' \
  'http://api.mentorquotes.htb/quotes/' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0BtZW50b3JxdW90ZXMuaHRiIn0.peGpmshcF666bimHkYIBKQN7hj5m785uKcjwbD--Na0' \
  -d '{
  "title": "test",
  "description": "This is a testing quote"
}'
{"title":"test","description":"This is a testing quote","id":6}

A testing quote was created with "id":6, and it can be seen in the personal blog application at mentorquotes.htb.

┌──(kali㉿kali)-[~/archive/htb/labs/mentor]
└─$ curl -X 'DELETE' \
  'http://api.mentorquotes.htb/quotes/6/' \
  -H 'Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0BtZW50b3JxdW90ZXMuaHRiIn0.peGpmshcF666bimHkYIBKQN7hj5m785uKcjwbD--Na0' \
  -H 'accept: application/json'
{"title":"test","description":"This is a testing quote","id":6}

That would also mean that I can delete it.

Users


The /users/{id}/ API endpoint supports fetching user data; this was initially enumerated through fuzzing.

┌──(kali㉿kali)-[~/archive/htb/labs/mentor]
└─$ curl -X 'GET' \
  'http://api.mentorquotes.htb/users/1/' \
  -H 'Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0BtZW50b3JxdW90ZXMuaHRiIn0.peGpmshcF666bimHkYIBKQN7hj5m785uKcjwbD--Na0' \
  -H 'accept: application/json'
{"id":1,"email":"james@mentorquotes.htb","username":"james"}

┌──(kali㉿kali)-[~/archive/htb/labs/mentor]
└─$ curl -X 'GET' \
  'http://api.mentorquotes.htb/users/2/' \
  -H 'Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0BtZW50b3JxdW90ZXMuaHRiIn0.peGpmshcF666bimHkYIBKQN7hj5m785uKcjwbD--Na0' \
  -H 'accept: application/json'
{"id":2,"email":"svc@mentorquotes.htb","username":"service_acc"}

There appears to be another user: service_acc (svc@mentorquotes.htb).

/admin/ API Endpoint


Another API endpoint that was initially discovered through fuzzing was /admin/.

It would appear that the /admin/ API endpoint contains two additional endpoints: /check and /backup.

/admin/check API Endpoint


The /admin/check API endpoint reports that it is not implemented yet.

/admin/backup API Endpoint


The /admin/backup API endpoint doesn’t appear to support the GET method.

POST


Changing the request method to POST reveals a different error message, which follows the same HTTPValidationError schema. It would appear that the API backend expects a "body" parameter carrying JSON data.

JSON Parameters

The error message indicates that the "path" parameter is required.

For testing, /tmp was supplied as the path, and the server responded positively: "INFO":"Done!". Could this be a write operation? Or perhaps an archiving operation, given that the name of the API endpoint is “backup”?

OS Command Injection

OS command injection is possible. Moving on to the exploitation phase.
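The root cause of a "backup" endpoint that can be driven into OS command injection is almost always a user-controlled path pasted into a shell command string. The following Python is an added example (not the target's backend code, which this writeup never shows) of how such a handler should be written instead: the path is validated against an allow-list and confined to an assumed backup root, and tar is invoked with an argv list so no shell ever interprets the value. BACKUP_ROOT, ARCHIVE_DIR and the tar invocation are assumptions for this example.

```python
import os
import re
import subprocess
from pathlib import Path

# Assumed for this example: the only tree the backup job may read, and where
# archives are written. realpath() keeps the check correct where /tmp is a symlink.
BACKUP_ROOT = Path(os.path.realpath("/tmp"))
ARCHIVE_DIR = BACKUP_ROOT / "backups"

# Only plain path characters; shell metacharacters (; | & $ ` space ...) are rejected.
SAFE_PATH = re.compile(r"[A-Za-z0-9_./-]+")


def validate_backup_path(path: str) -> Path:
    """Return the resolved directory, or raise ValueError for anything unsafe.

    The unsafe pattern this replaces builds f"tar -czf out.tgz {path}" and hands
    it to a shell; there, the caller's 'path' value becomes part of the command.
    """
    if not SAFE_PATH.fullmatch(path):
        raise ValueError("path contains characters outside the allowed set")
    resolved = Path(os.path.realpath(path))  # collapses '..' and symlinks
    if resolved != BACKUP_ROOT and BACKUP_ROOT not in resolved.parents:
        raise ValueError("path escapes the backup root")
    if not resolved.is_dir():
        raise ValueError("path is not an existing directory")
    return resolved


def build_backup_argv(path: str) -> list:
    """argv for subprocess: each element is one argument, so no shell parsing applies."""
    target = validate_backup_path(path)
    return ["tar", "-czf", str(ARCHIVE_DIR / "backup.tar.gz"), "--", str(target)]


def run_backup(path: str) -> int:
    """Run the hardened command and return tar's exit status."""
    ARCHIVE_DIR.mkdir(parents=True, exist_ok=True)
    return subprocess.run(build_backup_argv(path), check=False).returncode
```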