hackxor – part 1- OWASP Broken Web Apps v1.2


hackxor web application is one of the applications contained within the OWASP Broken Web Applications project which is a downloadable virtual machine image.

Quote: “Hackxor is a webapp hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat but with a plot and a focus on realism & difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, etc”

Web apps to crack are:

Challenges don’t seem to be broken down into parts so I will break them over several posts.


iMac running vmware fusion 7, owasp broken apps image running its own vm, second vm running kali 2.0.


Intro to the challenge tells you to edit your /etc/hosts file so that you can access the email web app for your next instructions.

On my kali vm I edited /etc/hosts and added owaspbwa cloaknet gghb hub71 utrack wraithbox wraithmail

Connect to webmail app at http://wraithmail

Two emails within ‘inbox’.

Read the first email subject:trace job.

Get the name and address of the hacker behind the attack.

GET http://utrack/cat.jsp?id=1 union select null,load_file('/dev/random'),null,2000 into outfile '/a'
Host: www.utrack.info
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/20100401 Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://wraithbox:80/htmlisland.jsp?messageid=2849902671918618960

Attack looks like SQL injection.

OK so my first instinct is to replay this http request in Burp proxy, but the challenge states to “get the name and address of the attacker behind this”. If we look down the request we see a referer header that looks like previous to this request the request was reading an email and then clicked a link cat.jsp. Could the requestor be a victim of CSRF?

Question to self, is the mail application vulnerable to ‘Direct Object References (OTG-AUTHZ-004)’

Copy n paste referer header into browser and yes I can access the email message directly.

To hkoch@wraithmail.net
From rwilson@wraithmail.net
Subject Check this out!

I finally uploaded those pictures of you from the other night: http://www.photobucket.com?id=321085

Email was sent from rwilson@wraithmail.net

The wraithmail app also has a history feature


This is also vulnerable to an authorization bypass allowing our algo user account to access rwilson’s login history by changing the id get param to rwilson which will show us the IP address that rwilson used to login to the system.

GET /history.jsp?id=rwilson HTTP/1.1


Recent login attempts::
Date IP User-Agent Successful? Abuse contact
09/07/01 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv: Gecko/20101209 Fedora/3.6.13-1.fc13 Firefox/3.6.13 Yes abuse@cloaknet

Our first suspect hacker is R Wilson, using IP address

Thank you