
Damn Vulnerable RESTaurant


Last updated 6 months ago

Deploy and launch it

You need to install Docker first; here is the process for Ubuntu:

# Install requirements
sudo apt install -y ca-certificates curl gnupg lsb-release
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update -y
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin
  • Get the Docker Desktop deb package from here: https://desktop.docker.com/linux/main/amd64/docker-desktop-amd64.deb?utm_source=docker&utm_medium=webreferral&utm_campaign=docs-driven-download-linux-amd64

# Install the deb package
sudo apt install ./docker-desktop-amd64.deb
# Install Damn Vulnerable Restaurant
git clone https://github.com/theowni/Damn-Vulnerable-RESTaurant-API-Game.git
cd Damn-Vulnerable-RESTaurant-API-Game
# Launch it in ethical hacker mode
./start_app.sh

Good to know

The API service will be exposed at http://localhost:8080 by default. API documentation can be found at the following endpoints:

  • Swagger - http://localhost:8080/docs

  • Redoc - http://localhost:8080/redoc

To close the restaurant at the end of the hacking day, just run ./stop_app.sh. Data will persist between stops and starts.

Hack it

If we go to the docs, we can find an endpoint to register a new user. Let's do this first. We can intercept the request via Burp to modify the info (we can also use the Swagger UI).

Now we can try to log in with the POST request that gets a token; this way we get a JWT.

  • Here is our token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJnYWJyaWVsbGUiLCJleHAiOjE3MzEzMzA0MjJ9.K8nCkRo3kK341PyWz-zmj4IYIzfgdl2q2KkDffcuiG0

We can now add our token to a request. Let's try this on the /profile endpoint:

GET /profile HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJnYWJyaWVsbGUiLCJleHAiOjE3MzEzMzA0MjJ9.K8nCkRo3kK341PyWz-zmj4IYIzfgdl2q2KkDffcuiG0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1:8080/
Origin: http://127.0.0.1:8080
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site:

Then we get a response with info about our user, so we can authenticate properly:

HTTP/1.1 200 OK
date: Mon, 11 Nov 2024 13:27:48 GMT
server: uvicorn
content-length: 109
content-type: application/json
access-control-allow-origin: *
access-control-allow-credentials: true

{"username":"gabrielle","phone_number":"string","first_name":"string","last_name":"string","role":"Customer"}

So there's an endpoint that can update a user; let's see if we can update our own user with it.

  • We get a 500 with our token, and an "unauthenticated" response without a token, if we try with the role "admin".

  • We could try to find a way to get a list of the roles, or at least find out what other roles exist besides customer. Let's try out the other requests from the Swagger docs to check what they do and enumerate further.

GET /healthcheck

  • works with and without authentication

GET /menu

  • works with and without authentication

PUT /menu

  • does not work without authentication

  • We get a forbidden with a customer token

  • Same with PUT /menu/id

DELETE /menu/id

  • Does not seem to work with my token or without a token; the request seems to time out

POST /orders

  • Does not work without a token but works with a customer token

GET /orders

  • Works only with a token

GET /orders/id

  • Works only with a token

Note: it would be worth checking if I can get another user's order here.

auth

For the auth category of requests we should be good to go for now. At some point I will check what happens with the password reset.

GET /admin/stats/disk

This one seems interesting. Let's check it out. Without a token it returns a response saying we are unauthenticated, and with a token we get this:

HTTP/1.1 403 Forbidden
date: Mon, 11 Nov 2024 16:53:40 GMT
server: uvicorn
content-length: 63
content-type: application/json
access-control-allow-origin: *
access-control-allow-credentials: true

{"detail":"Only Chef is authorized to get current disk stats!"}

So here we get another role: "chef".

Let's try the update role endpoint again with chef as the role and see what we get. We still get a 500, and if we try with "Chef" we get this response:

HTTP/1.1 401 Unauthorized
date: Mon, 11 Nov 2024 17:37:36 GMT
server: uvicorn
content-length: 54
content-type: application/json
access-control-allow-origin: *
access-control-allow-credentials: true

{"detail":"Only Chef is authorized to add Chef role!"}

I also wanted to try mass assignment by adding a role in PUT /profile, but that did not get me anywhere either. So let's explore other things.

Bola

First let's create another user to see if we can access other users' orders.

Let's place an order as this user. To do this we first need a token, and then we can put our token in the POST /orders request. Our order is created with id 2.

Now let's check whether we can see order 1 (the order placed with our former user) with our new user. And it works! So here we have a BOLA, also known as IDOR.

/profile

Now I want to have a look at the /profile endpoint. I can modify my own information; how about other users' info? Let's see if the user csbygb has been modified with the "pwned" strings in the fields. It did work. Before, I had tried to add a Chef role on my own user but not on another one, but this did not work either. What's interesting here is that if we have a valid user, our user info gets sent back to us, but if not, we get a 500. So we could try to enumerate users.

User enumeration

With Burp Community the Intruder is too slow. Let's try another fuzzer.

Coming soon.
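To read what the token captured in the Hack it section actually carries, and to show the check a server has to perform before trusting any claim in it, here is an added Python example (not code from this page or from the Damn Vulnerable RESTaurant project). It uses only the standard library. The token string is the one shown above; the demo secret, the user "alice" and every function name are constructed for the example and are not the lab's values, so the lab token is only ever shown failing verification against the demo key.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# The token captured in the Hack it section (HS256, sub = gabrielle).
TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
         "eyJzdWIiOiJnYWJyaWVsbGUiLCJleHAiOjE3MzEzMzA0MjJ9."
         "K8nCkRo3kK341PyWz-zmj4IYIzfgdl2q2KkDffcuiG0")

# Constructed demo secret; the lab's real signing key is not on the page.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"


def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode_json(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def inspect_jwt(token: str) -> dict:
    """Decode header and payload WITHOUT checking the signature.
    Fine for reading sub/exp while testing; never a basis for trust."""
    header_b64, payload_b64, _ = token.split(".")
    return {"header": json.loads(b64url_decode(header_b64)),
            "payload": json.loads(b64url_decode(payload_b64))}


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """What the server must do before using any claim: pin the algorithm,
    recompute the HMAC over header.payload, compare in constant time,
    then enforce exp. Raises ValueError on any failure."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")      # rejects 'none' and algorithm swapping
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if "exp" not in payload or float(payload["exp"]) <= current:
        raise ValueError("token expired")
    return payload


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Mint a token the way a server does; used here only to exercise verify_hs256."""
    head = b64url_encode_json({"alg": "HS256", "typ": "JWT"})
    body = b64url_encode_json(payload)
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}." + base64.urlsafe_b64encode(sig).rstrip(b"=").decode()


def replace_payload(token: str, new_payload: dict) -> str:
    """Simulates a client editing its claims without the key (e.g. adding a role);
    the old signature is kept, so verify_hs256 must reject the result."""
    head, _, sig = token.split(".")
    return f"{head}.{b64url_encode_json(new_payload)}.{sig}"


def verdict(token: str, secret: bytes, now: float) -> str:
    """Return 'valid' or the reason verification failed."""
    try:
        verify_hs256(token, secret, now)
        return "valid"
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    print(inspect_jwt(TOKEN))                                 # readable claims, no trust implied
    good = sign_hs256({"sub": "alice", "exp": 2_000_000_000}, DEMO_SECRET)
    print(verdict(good, DEMO_SECRET, now=1_700_000_000))      # valid
    edited = replace_payload(good, {"sub": "alice", "role": "Chef", "exp": 2_000_000_000})
    print(verdict(edited, DEMO_SECRET, now=1_700_000_000))    # bad signature
    print(verdict(TOKEN, DEMO_SECRET, now=0))                 # bad signature (wrong key)
```

The payload of the captured token is just a subject and an expiry; the role seen in the /profile response is not in the token, so the server must look it up from its own store on every request, which is exactly why the role-update attempts above are decided server-side rather than by anything in the token.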
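The two findings in the Bola and /profile sections come from the same missing server-side check: the handler trusts the identifier in the request instead of tying the lookup to the authenticated user. Here is an added Python example (not the project's code; the lab is a FastAPI/uvicorn app, but these are plain functions with a tiny stand-in for the framework's exception handling) that places a vulnerable handler next to a hardened one for GET /orders/{id} and PUT /profile. The users, orders, the `EDITABLE` allow-list and the assumption that a Chef may read every order are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class User:
    username: str
    role: str = "Customer"      # roles seen on the page: Customer, Chef
    first_name: str = "string"


@dataclass
class Order:
    id: int
    owner: str


# Constructed sample state mirroring the writeup: the first user owns order 1,
# the second user owns order 2 (not data taken from the lab).
USERS: Dict[str, User] = {"gabrielle": User("gabrielle"), "csbygb": User("csbygb")}
ORDERS: Dict[int, Order] = {1: Order(1, "gabrielle"), 2: Order(2, "csbygb")}


class ApiError(Exception):
    def __init__(self, status: int, detail: str):
        super().__init__(detail)
        self.status, self.detail = status, detail


Response = Tuple[int, dict]


def handle(view: Callable, *args) -> Response:
    """Stand-in for the framework: map exceptions to (status, body).
    An uncaught exception becomes the 500 the writeup observes."""
    try:
        return 200, view(*args)
    except ApiError as e:
        return e.status, {"detail": e.detail}
    except Exception:
        return 500, {"detail": "Internal Server Error"}


# --- GET /orders/{id} ---------------------------------------------------
def get_order_vulnerable(order_id: int, me: User) -> dict:
    # Lookup by id only: any authenticated user can read any order (BOLA / IDOR).
    order = ORDERS.get(order_id)
    if order is None:
        raise ApiError(404, "Order not found")
    return {"id": order.id, "owner": order.owner}


def get_order_fixed(order_id: int, me: User) -> dict:
    order = ORDERS.get(order_id)
    # Ownership is part of the lookup; staff (assumed here: role Chef) see all.
    # "Missing" and "not yours" get the same answer, so ids cannot be probed.
    if order is None or (order.owner != me.username and me.role != "Chef"):
        raise ApiError(404, "Order not found")
    return {"id": order.id, "owner": order.owner}


# --- PUT /profile -------------------------------------------------------
EDITABLE = {"first_name"}   # allow-list; "role" is deliberately not editable


def update_profile_vulnerable(target: str, me: User, fields: dict) -> dict:
    # No ownership check, any field (including role) can be mass-assigned, and
    # an unknown target raises KeyError -> 500 while a known one returns 200:
    # the status code alone tells a caller which usernames exist.
    user = USERS[target]
    for k, v in fields.items():
        setattr(user, k, v)
    return dict(vars(user))


def update_profile_fixed(me: User, fields: dict) -> dict:
    # Only the caller's own record is touched, so there is no target to
    # enumerate, and only allow-listed fields are written.
    unknown = set(fields) - EDITABLE
    if unknown:
        raise ApiError(422, "unknown or read-only fields: " + ", ".join(sorted(unknown)))
    user = USERS[me.username]
    for k, v in fields.items():
        setattr(user, k, v)
    return dict(vars(user))


if __name__ == "__main__":
    print(handle(get_order_vulnerable, 1, USERS["csbygb"]))   # 200: another user's order
    print(handle(get_order_fixed, 1, USERS["csbygb"]))        # 404
    print(handle(update_profile_vulnerable, "nobody", USERS["gabrielle"], {"first_name": "x"}))  # 500
    print(handle(update_profile_fixed, USERS["gabrielle"], {"role": "Chef"}))                  # 422
```

The detection angle follows from the fix: in the vulnerable version a single customer token reading many distinct order ids, or a burst of 500s on PUT /profile, is the signature of the probing described above, whereas the hardened handlers turn both into uniform 404/422 responses that carry no per-user signal.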

Resources

Web API Security Champion - Krzysztof Pranczk (the creator of the API)
Official repo: https://github.com/theowni/Damn-Vulnerable-RESTaurant-API-Game
Damn Vulnerable RESTaurant