
TryHackMe - Nahamstore


Last updated 11 months ago

Recon

Tips and general things to try

  • You can browse the whole website through Burp; you can even run a crawl scan.

  • You can create an account and browse again through Burp.

wfuzz

  • You can enumerate subdomains with wfuzz: wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://nahamstore.thm/' -H "HOST:FUZZ.nahamstore.thm". Inspecting the results, we can see that we need to filter out the catch-all response with --hw 65.

┌─[✗]─[gabrielle@parrot]─[~]
└──╼ $wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://nahamstore.thm/' -H "HOST:FUZZ.nahamstore.thm" --hw 65
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://nahamstore.thm/
Total requests: 4989

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                      
=====================================================================

000000001:   301        7 L      13 W       194 Ch      "www - www"                                                                                                                  
000000037:   301        7 L      13 W       194 Ch      "shop - shop"                                                                                                                
000000254:   200        41 L     92 W       2025 Ch     "marketing - marketing"                                                                                                      
000000960:   200        0 L      1 W        67 Ch       "stock - stock"                                                                                                              

Total time: 206.7410
Processed Requests: 4989
Filtered Requests: 4985
Requests/sec.: 24.13163
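As an added example (not part of the original write-up), here is a small Python parser for wfuzz result lines like the ones above. It works out the word count that every non-existent subdomain shares, which is how the --hw 65 value is chosen, and hides those rows. The sample lines are constructed; the 65-word rows stand in for the catch-all virtual host response.

```python
import re
from collections import Counter

# Constructed sample in the layout wfuzz prints. The three 65-word rows play
# the role of the catch-all response that every wrong subdomain gets.
SAMPLE_OUTPUT = """\
000000001:   301        7 L      13 W       194 Ch      "www - www"
000000002:   200        3 L      65 W       602 Ch      "mail - mail"
000000037:   301        7 L      13 W       194 Ch      "shop - shop"
000000040:   200        3 L      65 W       602 Ch      "dev - dev"
000000101:   200        3 L      65 W       602 Ch      "test - test"
000000254:   200        41 L     92 W       2025 Ch     "marketing - marketing"
000000960:   200        0 L      1 W        67 Ch       "stock - stock"
"""

# One result row: id, status, lines, words, chars, quoted payload.
LINE_RE = re.compile(
    r'^(?P<id>\d+):\s+(?P<status>\d{3})\s+(?P<lines>\d+) L\s+'
    r'(?P<words>\d+) W\s+(?P<chars>\d+) Ch\s+"(?P<payload>.*)"\s*$'
)


def parse_results(text: str) -> list:
    """Turn wfuzz's table rows into dicts; banner and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append({k: (v if k == "payload" else int(v))
                         for k, v in m.groupdict().items()})
    return rows


def baseline_word_count(rows: list) -> int:
    """The most frequent word count is the catch-all response: pass it to --hw."""
    if not rows:
        raise ValueError("no result rows to derive a baseline from")
    return Counter(r["words"] for r in rows).most_common(1)[0][0]


def hide_words(rows: list, hw: int) -> list:
    """Equivalent of wfuzz --hw: drop rows whose word count equals hw."""
    return [r for r in rows if r["words"] != hw]


def candidate_subdomains(text: str) -> list:
    """Payloads left after hiding the baseline; wfuzz prints 'name - name'
    when FUZZ appears twice, so keep the first half."""
    rows = parse_results(text)
    kept = hide_words(rows, baseline_word_count(rows))
    return [r["payload"].split(" - ")[0] for r in kept]


if __name__ == "__main__":
    rows = parse_results(SAMPLE_OUTPUT)
    print("baseline --hw value:", baseline_word_count(rows))
    print("subdomains worth a hosts entry:", candidate_subdomains(SAMPLE_OUTPUT))
```

Run it against a saved wfuzz output file by passing the file contents to candidate_subdomains; the surviving names are the ones to add to /etc/hosts.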
  • Once we have our results we need to add them to the /etc/hosts file

  • shop and www redirect to the website we already have

  • marketing gives this

  • stock gives these really interesting results, worth keeping aside for further investigation

  • And if we access /product from there we get this

gobuster

┌─[✗]─[gabrielle@parrot]─[~]
└──╼ $gobuster dir -u http://nahamstore.thm/ -w /usr/share/seclists/Discovery/Web-Content/big.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://nahamstore.thm/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/06/23 15:33:55 Starting gobuster in directory enumeration mode
===============================================================
/basket               (Status: 200) [Size: 2465]
/css                  (Status: 301) [Size: 178] [--> http://127.0.0.1/css/]
/js                   (Status: 301) [Size: 178] [--> http://127.0.0.1/js/] 
/login                (Status: 200) [Size: 3099]                           
/logout               (Status: 302) [Size: 0] [--> /]                      
/register             (Status: 200) [Size: 3138]                           
/returns              (Status: 200) [Size: 3628]                           
/robots.txt           (Status: 200) [Size: 13]                             
/search               (Status: 200) [Size: 3351]                           
/staff                (Status: 200) [Size: 2287]                           
/uploads              (Status: 301) [Size: 178] [--> http://127.0.0.1/uploads/]
                                                                               
===============================================================
2023/06/23 15:45:45 Finished
===============================================================
  • We did not have the staff page before; let's check it out

  • Pretty juicy, let's keep it in mind for later

nmap

I wanted to run an nmap scan to make sure I did not miss anything

nmap nahamstore.thm -sC -sV
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-24 13:33 EDT
Nmap scan report for nahamstore.thm (10.10.186.158)
Host is up (0.38s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 846e52cadb9edf0aaeb5703d07d69178 (RSA)
|   256 1a1ddbca998a64b18b10dfa939d55cd3 (ECDSA)
|_  256 f63616b7668e7b350907cb90c9846338 (ED25519)
80/tcp   open  http    nginx 1.14.0 (Ubuntu)
|_http-title: NahamStore - Home
| http-cookie-flags: 
|   /: 
|     session: 
|_      httponly flag not set
|_http-server-header: nginx/1.14.0 (Ubuntu)
8000/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 1 disallowed entry 
|_/admin
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.96 seconds
  • This is how we find this page on port 8000: http://nahamstore.thm:8000/admin/login

Summary

Subdomains

  • Here is what I have in my hosts file so far

10.10.186.158 nahamstore.thm something.nahamstore.thm www.nahamstore.thm shop.nahamstore.thm marketing.nahamstore.thm stock.nahamstore.thm
  • nahamstore.thm

  • www.nahamstore.thm (same as the 1st one)

  • shop.nahamstore.thm (same as the 1st one)

  • marketing.nahamstore.thm

  • stock.nahamstore.thm

Pages to keep aside for later and notes

  • http://nahamstore.thm:8000/admin/login

  • http://nahamstore.thm/staff

Using gobuster, I did not find anything under marketing, and under stock I only got the product page that I had already found.

I just could not find the answer to the first question (I think I missed a subdomain or something), so I moved on to the next one, planning to get back to it later.

XSS

Vulnerable endpoint

If we play around in marketing and tamper with the URL of one of the campaigns, we get a URL with an interesting parameter that reflects its value in the page.

If we inject there, we get a reflected XSS.

User-Agent

When we place an order, the user agent is stored in the database and reflected back to us.

So if we inject in this header we get a stored XSS.

Id parameter

When looking for XSS we can see that the id parameter is vulnerable to both XSS and SQL injection. URL with injection point: http://nahamstore.thm/product?id=%3Cscript%3Ealert(1)%3C/script%3E&name=blah

  • Javascript executed

  • SQL Error

This way we know it is using MySQL. We can keep this aside for the SQLi question later.

Hidden parameter

  • There's a question asking about a hidden parameter on the home page. If we check the code using F12 we can find a form with a hidden q parameter.

Let's try to make it pop an alert.

Our brackets are removed, but if we use double quotes we break out of the search box.

  • Request

  • Response

What ended up working was injecting ';alert(1);' in the search field. Don't forget the last semicolon, it kinda drove me crazy lol

H1 tag

When trying a few things out and tampering with the URL we get a 404 Page Not Found whose h1 tag reflects our input. If we inject inside the h1 tag we get an XSS.

Here is the edited response

Note that injecting directly in the path also works: http://nahamstore.thm/%3Cscript%3Ealert(1)%3C/script%3E
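To show why the reflection points above behave the way they do, here is an added Python example (not from the room or this write-up) that renders the page's two payloads into an HTML-body context (the h1 case) and into a JavaScript-string context sitting behind a bracket-stripping filter (the hidden q case), next to the context-aware encoding that fixes each one. The templates and the filter are constructed for the demonstration and do not reproduce the room's actual pages.

```python
import html
import json

# Constructed payloads mirroring the ones tried in the write-up.
PAYLOAD_HTML = "<script>alert(1)</script>"   # the id / h1 / discount cases
PAYLOAD_JS = "';alert(1);'"                   # the hidden q parameter case


def naive_filter(value: str) -> str:
    """A bracket-stripping filter like the one the search box appeared to apply.
    It removes only '<' and '>', so a payload that needs neither passes untouched."""
    return value.replace("<", "").replace(">", "")


def render_h1_unsafe(path: str) -> str:
    """HTML-body context with no encoding: what the 404 page did with the path."""
    return f"<h1>Page Not Found: {path}</h1>"


def render_h1_safe(path: str) -> str:
    """HTML-body context fixed: entity-encode so the browser sees text, not markup."""
    return f"<h1>Page Not Found: {html.escape(path, quote=True)}</h1>"


def render_search_unsafe(q: str) -> str:
    """JavaScript-string context behind the bracket filter: the quote in the
    payload still terminates the string literal and the rest runs as code."""
    return f"<script>var q = '{naive_filter(q)}';</script>"


def js_string_literal(value: str) -> str:
    """JavaScript-string context fixed: emit a JSON string literal (quotes
    included, so the template must not add its own) and neutralise '</' so the
    value can never close the enclosing <script> element."""
    return json.dumps(value).replace("</", "<\\/")


def render_search_safe(q: str) -> str:
    return f"<script>var q = {js_string_literal(q)};</script>"


if __name__ == "__main__":
    for label, unsafe, safe in (
        ("h1", render_h1_unsafe(PAYLOAD_HTML), render_h1_safe(PAYLOAD_HTML)),
        ("search", render_search_unsafe(PAYLOAD_JS), render_search_safe(PAYLOAD_JS)),
    ):
        print(f"{label} unsafe: {unsafe}")
        print(f"{label} safe:   {safe}")
```

The point of the search case is that stripping brackets is a filter for the wrong context: once the value lands inside a JavaScript string, the characters that matter are the quote and the semicolon, and only an encoding chosen for that context (a JSON literal here) keeps the input as data.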

Other hidden parameter

To answer this question I used arjun to fuzz for possible hidden parameters. It was a good opportunity to try it out. It is quite efficient, as it very quickly found the other hidden parameter that we had found before.

Even though this tool is really good, it is not how I found the hidden parameter. When we order an item we can try to add a discount code in the dedicated field. This sends a POST parameter discount; we can try to use it as a GET parameter in the URL and see if it is injectable, like this: http://nahamstore.thm/product?discount=<script>alert(1)</script>. And it works!

Open Redirect

Parameter 1

This one was found using the previous results I got from arjun. The r parameter can produce an open redirect. If we use Burp Collaborator to generate a URL and paste it in the parameter like this http://nahamstore.thm/?r=https://ccswimp6q43ue36mhiqkujheh5nwbmzb.oastify.com we get redirected. If we open this link in a private tab (or another Firefox container) it works as well. This proves it is vulnerable.

Note: we do not have to use Collaborator, we can paste in any website.

Parameter 2

As I browsed a lot in the website I had a pretty decently populated sitemap. I filtered it to show only redirections and found redirect_url, which is the other parameter vulnerable to open redirection. Now we can look it up in our proxy history and see where it is used, to try and exploit it. We can see that it is used after registering and after adding a new address. Let's log in and try to exploit it after adding an address to our address book. Let's do the whole workflow.

  • We make an account on the shop

  • We put something in the basket

  • We add a new address

  • After validating the form, the user is redirected to the basket. This way we can use the parameter and modify the request to change the redirection location.

=> Original request

=> Modified request

=> Response making the redirection

CSRF

Using Burp to show the hidden fields we can quickly see which pages have CSRF protection and which do not.

  • Email page with CSRF protection

  • Password page without CSRF protection

csrf_protect token analysis

With further analysis we can see that the token is base64 encoded:

  • Original token eyJkYXRhIjoiZXlKMWMyVnlYMmxrSWpvMExDSjBhVzFsYzNSaGJYQWlPaUl4TmpnM09EQXlPVGc0SW4wPSIsInNpZ25hdHVyZSI6ImE2NjNmZWIyYTcxNGYzZDA5Njc2OGYyNDNmNjY4YWUwIn0=

  • Decoded token {"data":"eyJ1c2VyX2lkIjo0LCJ0aW1lc3RhbXAiOiIxNjg3ODAyOTg4In0=","signature":"a663feb2a714f3d096768f243f668ae0"}

  • Decoded data parameter {"user_id":4,"timestamp":"1687802988"}

Exploitation

Password field

We can use Burp to generate a CSRF PoC for us from the request to change the password. We can right click on it and select Generate CSRF PoC in Engagement tools. We copy the HTML and paste it in a file. Now we can open it in our browser, send the request and see if our attack worked.

Our attack worked.

Email field

For the email field we can proceed the same way; we just need to remove the csrf_protect hidden field, which is not used anyway by the app, as we can see here in Burp Repeater. We were able to change the password without the CSRF token.

IDOR

Address

We can see that the orders are fetched with an id, like this: /account/orders/4. Let's check other orders. In the POST request that validates an order we have an address_id field that we can tamper with to get other people's addresses.

If we put 1 we get the address of another customer.

To answer the question we can play with the parameter until we find the address in NY.

Orders

If we get the PDF receipt of an order, it uses a PDF generator endpoint. The request will look like this:

However, here we get a PDF that says the order does not belong to us, and it mentions something that could be a parameter. We can try to add user_id to our request. We need to do this live (not with Repeater). user_id 1 and 2 do not work; we are successful with 3. I struggled a little and figured out that it needs to be URL encoded, otherwise it would not work. Like this:

LFI

When I see an image on a website I always use "open image in new tab" to see what we can do and play around with it. Here we can see that the image is fetched using a file= parameter.

We can try the usual payloads. They mention the file path /lfi/flag.txt. First I tried the usual directory traversal with ../ but it did not work; sometimes if you double the characters you can bypass the filters, and that is how I got the file. You have to try one directory at a time until you find how many levels you need to go up to find it. Here's what worked for this context:

SSRF

When looking around the app, we can see that if we click on "check stock" for an item it actually requests a server.

COMING SOON

Resources

  • Room

  • arjun

  • Using burp for open redirect - Portswigger

  • Using Burp to Test for Cross-Site Request Forgery (CSRF) - Portswigger

  • Generate CSRF PoC - Burp
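The csrf_protect token decoded by hand in the CSRF section above has the shape base64(JSON{data: base64(JSON{user_id, timestamp}), signature}). As an added example (not the room's code), the following Python decodes that exact token and then shows what a server should do with such a token before a password or email change: check an HMAC-SHA256 signature under a server-side key (an assumption; the room's real signing algorithm is not known), compare it in constant time, and bind the token to the logged-in user and to a time window. The secret and the tamper helper are constructed for the demonstration; the room's password form failed precisely because it never ran a check like verify_token.

```python
import base64
import hashlib
import hmac
import json

# Token copied from the write-up above (the csrf_protect value seen for user_id 4).
PAGE_TOKEN = "eyJkYXRhIjoiZXlKMWMyVnlYMmxrSWpvMExDSjBhVzFsYzNSaGJYQWlPaUl4TmpnM09EQXlPVGc0SW4wPSIsInNpZ25hdHVyZSI6ImE2NjNmZWIyYTcxNGYzZDA5Njc2OGYyNDNmNjY4YWUwIn0="


def decode_token(token: str):
    """Peel the two base64 layers apart, as done by hand in the write-up.
    Returns (inner data dict, signature string)."""
    outer = json.loads(base64.b64decode(token))
    data = json.loads(base64.b64decode(outer["data"]))
    return data, outer["signature"]


# Everything below is an assumed server-side design, not the room's code:
# the base64 data blob is authenticated with HMAC-SHA256 under a key only
# the server holds.
def _sign(secret: bytes, data_b64: str) -> str:
    return hmac.new(secret, data_b64.encode(), hashlib.sha256).hexdigest()


def _b64_json(obj) -> str:
    return base64.b64encode(json.dumps(obj, separators=(",", ":")).encode()).decode()


def make_token(secret: bytes, user_id: int, timestamp: int) -> str:
    """Issue a token in the same two-layer layout as the room's."""
    data_b64 = _b64_json({"user_id": user_id, "timestamp": str(timestamp)})
    return _b64_json({"data": data_b64, "signature": _sign(secret, data_b64)})


def tamper_user_id(token: str, new_user_id: int) -> str:
    """Rebuild a token with a different user_id but the old signature; used
    only to show that verify_token rejects an unsigned modification."""
    outer = json.loads(base64.b64decode(token))
    data = json.loads(base64.b64decode(outer["data"]))
    data["user_id"] = new_user_id
    outer["data"] = _b64_json(data)
    return _b64_json(outer)


def verify_token(secret: bytes, token: str, session_user_id: int,
                 now: int, max_age: int = 3600) -> bool:
    """What a state-changing endpoint must do before acting: verify the MAC
    in constant time, then bind the token to the logged-in user and to a
    freshness window. Any malformed input is simply rejected."""
    try:
        outer = json.loads(base64.b64decode(token))
        data_b64, signature = outer["data"], outer["signature"]
        if not hmac.compare_digest(_sign(secret, data_b64), signature):
            return False
        data = json.loads(base64.b64decode(data_b64))
        if data.get("user_id") != session_user_id:
            return False
        age = now - int(data["timestamp"])
        return 0 <= age <= max_age
    except (ValueError, KeyError, TypeError):
        return False


if __name__ == "__main__":
    print("page token decodes to:", decode_token(PAGE_TOKEN))
    secret = b"constructed-demo-secret"          # constructed, server-side only
    token = make_token(secret, 4, 1687802988)
    print("fresh token for user 4 accepted:", verify_token(secret, token, 4, 1687802988 + 60))
    print("same token, user 5 session:", verify_token(secret, token, 5, 1687802988 + 60))
    print("user_id rewritten without re-signing:", verify_token(secret, tamper_user_id(token, 5), 5, 1687802988 + 60))
```

Two properties matter here: the signature covers the encoded data blob, so rewriting user_id without the key fails; and the server compares the token's user_id with the session's, so a token issued to one account cannot be replayed for another. Simply removing the field, which worked in the room, must also fail, which the malformed-input branch handles.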
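The doubled-character bypass in the LFI section works because a filter that deletes each "../" once leaves characters behind that reassemble into a new "../". As an added example (not the room's code), here is that naive filter beside the containment check that actually stops traversal: resolve the requested name against the directory you intend to serve from and refuse anything whose real path ends up outside it. The web root is constructed in a temporary folder so the example runs offline; the image lives two levels down, so two doubled segments are needed, matching the "one directory at a time" approach described above.

```python
import tempfile
from pathlib import Path


def naive_strip_traversal(requested: str) -> str:
    """A filter that blocks a plain '../' but not a doubled one: each '../' is
    removed once and the leftover characters re-form '../'."""
    return requested.replace("../", "")


def safe_resolve(base_dir: Path, requested: str):
    """Resolve the requested name against the serving directory and refuse
    anything whose real path leaves it. Returns the Path or None."""
    base = base_dir.resolve()
    candidate = (base / requested).resolve()
    if base not in candidate.parents:
        return None
    return candidate


def build_demo_tree() -> Path:
    """Constructed web root: static/images is what the handler should serve,
    lfi/flag.txt sits outside it and must stay unreachable."""
    root = Path(tempfile.mkdtemp(prefix="lfi-demo-"))
    (root / "static" / "images").mkdir(parents=True)
    (root / "static" / "images" / "logo.png").write_bytes(b"\x89PNG demo")
    (root / "lfi").mkdir()
    (root / "lfi" / "flag.txt").write_text("demo flag, constructed\n")
    return root


def serve_naive(root: Path, requested: str):
    """Vulnerable handler: strip '../' once, then join and open with no
    containment check."""
    path = root / "static" / "images" / naive_strip_traversal(requested)
    return path.read_bytes() if path.is_file() else None


def serve_safe(root: Path, requested: str):
    """Hardened handler: no string filtering at all, only a check that the
    resolved path is still inside the image directory."""
    path = safe_resolve(root / "static" / "images", requested)
    return path.read_bytes() if path is not None and path.is_file() else None


if __name__ == "__main__":
    root = build_demo_tree()
    for req in ("logo.png", "../../lfi/flag.txt", "....//....//lfi/flag.txt"):
        print(f"{req!r:32} naive={serve_naive(root, req)!r:28} safe={serve_safe(root, req)!r}")
```

The filter version is not fixed by stripping in a loop either: any approach that edits the string is guessing at what the filesystem will do with it. Resolving first and comparing real paths asks the filesystem directly.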