Untitled

Foothold

First of all, I started by enumerating the network (port scanning) with nmap:

sudo nmap -sS -sV -sC -A earlyaccess.htb

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 e4:66:28:8e:d0:bd:f3:1d:f1:8d:44:e9:14:1d:9c:64 (RSA)
|   256 b3:a8:f4:49:7a:03:79:d3:5a:13:94:24:9b:6a:d1:bd (ECDSA)
|_  256 e9:aa:ae:59:4a:37:49:a6:5a:2a:32:1d:79:26:ed:bb (ED25519)
80/tcp  open  http    Apache httpd 2.4.38
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Did not follow redirect to <https://earlyaccess.htb/>
443/tcp open  ssl/ssl Apache httpd (SSL-only mode)
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: EarlyAccess
| ssl-cert: Subject: commonName=earlyaccess.htb/organizationName=EarlyAccess Studios/stateOrProvinceName=Vienna/countryName=AT
| Not valid before: 2021-08-18T14:46:57
|_Not valid after:  2022-08-18T14:46:57
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), Linux 5.3 - 5.4 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.4 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: 172.18.0.102; OS: Linux; CPE: cpe:/o:linux:linux_kernel

There are three open ports: 22 for SSH, and 80 and 443 for web services.

https://paper-attachments.dropbox.com/s_DE2A0005587F414AF5A2BAAC2C2F3D9050CB19CD3E81CDFC69FC471FBF7FCB71_1631879636024_image.png

When I tried to access the web service on port 80, it always redirected me to port 443. There are login and register pages. I tried SQL injection on the login page, but it failed, so let's register.

https://paper-attachments.dropbox.com/s_DE2A0005587F414AF5A2BAAC2C2F3D9050CB19CD3E81CDFC69FC471FBF7FCB71_1631879850004_image.png

After registering on that page, we are redirected to the dashboard.

https://paper-attachments.dropbox.com/s_DE2A0005587F414AF5A2BAAC2C2F3D9050CB19CD3E81CDFC69FC471FBF7FCB71_1631879945162_image.png

There is a messaging feature whose messages are always read by the admin.

https://paper-attachments.dropbox.com/s_DE2A0005587F414AF5A2BAAC2C2F3D9050CB19CD3E81CDFC69FC471FBF7FCB71_1631880174064_image.png

Then I tried submitting an XSS payload there to see if anything hit my HTTP server.

https://paper-attachments.dropbox.com/s_DE2A0005587F414AF5A2BAAC2C2F3D9050CB19CD3E81CDFC69FC471FBF7FCB71_1631880277275_image.png

But nothing happened, even after the admin read my message 😞

https://paper-attachments.dropbox.com/s_DE2A0005587F414AF5A2BAAC2C2F3D9050CB19CD3E81CDFC69FC471FBF7FCB71_1631880473957_image.png

Going deeper into the website, I saw this discussion on the forum page:

https://paper-attachments.dropbox.com/s_DE2A0005587F414AF5A2BAAC2C2F3D9050CB19CD3E81CDFC69FC471FBF7FCB71_1631880586160_image.png

It mentions invalid usernames.. maybe we can put an XSS payload there?

https://paper-attachments.dropbox.com/s_DE2A0005587F414AF5A2BAAC2C2F3D9050CB19CD3E81CDFC69FC471FBF7FCB71_1631881310510_image.png
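As an added example (not from the original writeup, and not the EarlyAccess application's own code): the messaging and username fields discussed above are the classic sinks for stored XSS, where a value one user submits is later rendered in another user's browser (here, the admin's). The Python below puts the vulnerable rendering pattern next to the hardened form: an allowlist check on the username at input time, HTML escaping at output time, and a Content-Security-Policy that refuses inline script as a second layer. It also includes a small check a code reviewer can run to confirm that markup in a stored value does not survive rendering. All function names and sample values are constructed for illustration.

```python
import html
import re

# Constructed sample values (not taken from the box): a benign username and
# one that smuggles markup, the way a stored-XSS probe would.
BENIGN_NAME = "alice"
MARKUP_NAME = "<script>alert(1)</script>"

# Input-side control: an allowlist for usernames. Anything outside this set is
# rejected before it is ever stored, so it can never reach a template.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")


def is_valid_username(name: str) -> bool:
    """Return True only for usernames made of safe characters, 3-32 long."""
    return USERNAME_RE.fullmatch(name) is not None


def render_profile_unsafe(username: str) -> str:
    """Vulnerable pattern: the stored value is concatenated straight into HTML.

    If the value contains a tag, the browser of whoever views this page
    (for example an admin reading messages) will interpret it as markup.
    """
    return f"<h2>Welcome, {username}</h2>"


def render_profile_safe(username: str) -> str:
    """Hardened pattern: escape at the point of output, for HTML-body context.

    html.escape(quote=True) neutralises < > & " and ', so the value is shown
    as literal text no matter what was stored.
    """
    return f"<h2>Welcome, {html.escape(username, quote=True)}</h2>"


# Defence in depth: a CSP that disallows inline script and remote script
# sources other than our own origin. A blind-XSS probe that tries to call
# back to an external HTTP server is blocked by connect-src/script-src.
def csp_header() -> tuple[str, str]:
    """Return the (header-name, header-value) pair to send with every page."""
    policy = (
        "default-src 'self'; "
        "script-src 'self'; "
        "connect-src 'self'; "
        "img-src 'self'; "
        "object-src 'none'; "
        "base-uri 'none'; "
        "frame-ancestors 'none'"
    )
    return ("Content-Security-Policy", policy)


# Review check: does any HTML tag carried by the untrusted value survive into
# the rendered output unchanged? True means the sink is exploitable.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def markup_survives(rendered: str, untrusted: str) -> bool:
    """True if the untrusted value contained a tag and appears verbatim in output."""
    return TAG_RE.search(untrusted) is not None and untrusted in rendered


if __name__ == "__main__":
    for name in (BENIGN_NAME, MARKUP_NAME):
        print(f"input          : {name!r}")
        print(f"  valid username: {is_valid_username(name)}")
        unsafe = render_profile_unsafe(name)
        safe = render_profile_safe(name)
        print(f"  unsafe render : {unsafe!r} (markup survives: {markup_survives(unsafe, name)})")
        print(f"  safe render   : {safe!r} (markup survives: {markup_survives(safe, name)})")
    header, value = csp_header()
    print(f"{header}: {value}")
```

The point of keeping both controls is that output encoding is what actually prevents the injection, while the allowlist shrinks the attack surface of the username field and the CSP limits what an injected script could do if some other sink were missed.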