Quote: “Hackxor is a webapp hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat but with a plot and a focus on realism & difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, etc”
Web apps to crack are:
Challenges don’t seem to be broken down into parts so I will break them over several posts.
iMac running vmware fusion 7, owasp broken apps image running its own vm, second vm running kali 2.0.
Intro to the challenge tells you to edit your /etc/hosts file so that you can access the email web app for your next instructions.
On my kali vm I edited /etc/hosts and added 172.16.227.145 owaspbwa cloaknet gghb hub71 utrack wraithbox wraithmail
Connect to webmail app at http://wraithmail
Two emails within ‘inbox’.
Read the first email subject:trace job.
Get the name and address of the hacker behind the attack.
GET http://utrack/cat.jsp?id=1 union select null,load_file('/dev/random'),null,2000 into outfile '/a' Host: www.utrack.info User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:220.127.116.11) Gecko/20100401 Firefox/3.6.3 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Proxy-Connection: keep-alive Referer: http://wraithbox:80/htmlisland.jsp?messageid=2849902671918618960
Attack looks like SQL injection.
OK so my first instinct is to replay this http request in Burp proxy, but the challenge states to “get the name and address of the attacker behind this”. If we look down the request we see a referer header that looks like previous to this request the request was reading an email and then clicked a link cat.jsp. Could the requestor be a victim of CSRF?
Question to self, is the mail application vulnerable to ‘Direct Object References (OTG-AUTHZ-004)’
Copy n paste referer header into browser and yes I can access the email message directly.
To email@example.com From firstname.lastname@example.org Subject Check this out! I finally uploaded those pictures of you from the other night: http://www.photobucket.com?id=321085
Email was sent from email@example.com
The wraithmail app also has a history feature
This is also vulnerable to an authorization bypass allowing our algo user account to access rwilson’s login history by changing the id get param to rwilson which will show us the IP address that rwilson used to login to the system.
GET /history.jsp?id=rwilson HTTP/1.1
Recent login attempts:: Date IP User-Agent Successful? Abuse contact 09/07/01 18.104.22.168 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:22.214.171.124) Gecko/20101209 Fedora/3.6.13-1.fc13 Firefox/3.6.13 Yes abuse@cloaknet
Our first suspect hacker is R Wilson, using IP address 126.96.36.199