# MISCHIEF!

## CTFRoom!

## @Author : M3tr1c_r00t

### Enumeration...

Gobuster scan...

After the scan, we were able to identify that the server is running PHP (index.php answers with a 200)....

```
┌──(kali㉿kali)-[~/Desktop/ctfroom]
└─$ ffuf -u http://176.32.72.206/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc all -fw 2

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://176.32.72.206/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: all
 :: Filter           : Response words: 2
________________________________________________

.htaccess               [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 248ms]
.swf                    [Status: 404, Size: 275, Words: 23, Lines: 10, Duration: 263ms]
                        [Status: 200, Size: 2910, Words: 187, Lines: 73, Duration: 264ms]
.profile                [Status: 200, Size: 442, Words: 34, Lines: 5, Duration: 1947ms]
.hta                    [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 3954ms]
.htpasswd               [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 4258ms]
build                   [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 239ms]
crossdomain.xml         [Status: 404, Size: 275, Words: 23, Lines: 10, Duration: 252ms]
favicon.ico             [Status: 404, Size: 275, Words: 23, Lines: 10, Duration: 587ms]
forgot                  [Status: 200, Size: 2641, Words: 187, Lines: 66, Duration: 524ms]
home                    [Status: 200, Size: 1550, Words: 74, Lines: 18, Duration: 420ms]
index                   [Status: 200, Size: 2910, Words: 187, Lines: 73, Duration: 422ms]
index.html              [Status: 404, Size: 275, Words: 23, Lines: 10, Duration: 420ms]
index.php               [Status: 200, Size: 2910, Words: 187, Lines: 73, Duration: 418ms]
javascript              [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 343ms]
login                   [Status: 200, Size: 2716, Words: 173, Lines: 70, Duration: 416ms]
phpmyadmin              [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 333ms]
player.swf              [Status: 404, Size: 275, Words: 23, Lines: 10, Duration: 487ms]
profile                 [Status: 200, Size: 1553, Words: 73, Lines: 18, Duration: 528ms]
robots.txt              [Status: 404, Size: 275, Words: 23, Lines: 10, Duration: 260ms]
server-status           [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 389ms]
sitemap.xml             [Status: 404, Size: 275, Words: 23, Lines: 10, Duration: 402ms]
swfobject.js            [Status: 404, Size: 275, Words: 23, Lines: 10, Duration: 425ms]
temp                    [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 422ms]
themes                  [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 386ms]
vendor                  [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 385ms]
web.xml                 [Status: 404, Size: 275, Words: 23, Lines: 10, Duration: 323ms]
:: Progress: [4614/4614] :: Job [1/1] :: 118 req/sec :: Duration: [0:00:57] :: Errors: 0 ::
```

After that, we can visit the site, where we find a signup page....

We can create an account and proceed to the next stage...

![Screenshot_2022-12-21_23_49_19](https://user-images.githubusercontent.com/99975622/209120416-0c75f3b5-d3e9-4a1d-b5b2-05a034dec9e7.png)

Login

![Screenshot_2022-12-21_23_50_13](https://user-images.githubusercontent.com/99975622/209120782-1960cec6-0a59-4a28-a122-f87f1988c628.png)

After a quick look at the source code, I saw that some of the form fields were hidden...

![Screenshot_2022-12-21_23_50_28](https://user-images.githubusercontent.com/99975622/209121130-fafbf147-d13d-4c98-a8c0-9e909704a2b1.png)

And with that we've finally found our foothold.....

This is because the hidden userid parameter is exposed in the page and is sent along with the change-email request, so the server trusts a client-supplied user id instead of the logged-in session; manipulating it changes the email of a different user (an insecure direct object reference)....

So now we capture the request using Burp Suite and change the userid, which is base64 encoded.....
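To make the flaw concrete from the defender's side, here is an added Python model (not the challenge's code, which we never see): a change-email handler that trusts the base64 `userid` hidden field beside one that takes the identity from the server-side session, plus a mismatch check worth logging. The user table, names and emails are constructed for the example.

```python
import base64
from typing import Optional

# Constructed sample user table standing in for the challenge's database
# (hypothetical data, not taken from the CTF).
USERS = {
    1: {"name": "alice", "email": "alice@example.test"},
    2: {"name": "bob", "email": "bob@example.test"},
}


def decode_userid(value: str) -> Optional[int]:
    """Decode the base64 userid field carried by the form; None if malformed."""
    try:
        return int(base64.b64decode(value, validate=True).decode())
    except ValueError:  # covers binascii.Error and UnicodeDecodeError too
        return None


def update_email_vulnerable(session_uid: int, form: dict) -> int:
    """Mirrors the challenge app: the row to update comes from the hidden
    userid field, so the authenticated session is never consulted."""
    target = decode_userid(form["userid"])
    if target not in USERS:
        raise KeyError("unknown user")
    USERS[target]["email"] = form["email"]
    return target


def update_email_fixed(session_uid: int, form: dict) -> int:
    """Hardened version: the identity comes only from the server-side
    session; whatever userid the client sends is ignored as a selector."""
    USERS[session_uid]["email"] = form["email"]
    return session_uid


def is_idor_attempt(session_uid: int, form: dict) -> bool:
    """Detection rule: a change-email request whose form userid does not
    match the authenticated session is worth an alert, even on the fixed app."""
    return decode_userid(form.get("userid", "")) != session_uid
```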
![Screenshot_2022-12-21_23_51_13](https://user-images.githubusercontent.com/99975622/209121564-545c716f-c077-490e-9c1e-e6689e99bcc6.png)

So in the Burp request, change your email, then change the userid,

![Screenshot_2022-12-21_23_51_39](https://user-images.githubusercontent.com/99975622/209121755-d1b01f1f-029d-40dd-bb13-c4ff4f304ba3.png)

Next, forward the request.....

![Screenshot_2022-12-21_23_52_01](https://user-images.githubusercontent.com/99975622/209121821-e72fb9e7-350c-4654-8df4-4cd12987ff53.png)

After that, log out, then go to the forgot password section and enter the new email....

![Screenshot_2022-12-21_23_52_47](https://user-images.githubusercontent.com/99975622/209121923-8a2fc00b-c318-4182-b2a2-9d3dcf27b08f.png)

Reset the password.....

![Screenshot_2022-12-21_23_53_04](https://user-images.githubusercontent.com/99975622/209121977-9338bf3f-2b18-42b3-976e-410bac8aee09.png)

Then log in with the new creds that you have....

![Screenshot_2022-12-21_23_53_16](https://user-images.githubusercontent.com/99975622/209122070-21ad4165-1b10-4273-9d06-54e533d26c3a.png)

And boom! We've gotten our flag....

![Screenshot_2022-12-21_23_53_28](https://user-images.githubusercontent.com/99975622/209122149-d81639a3-4cdc-4536-b4a5-a3adfde77fac.png)

## My socials:

- Twitter: https://twitter.com/M3tr1c_root
- Instagram: https://instagram.com/m3tr1c_r00t/