TryHackMe Harder - Part 1 (PHP Code Review, bypass Nginx)

Captions
Hello everyone, this is decrypt. Today I'm going to show you how to solve the TryHackMe machine Harder. Let's get started. I have the machine IP, so let's make sure that we are able to ping the machine, and we are. The next step is to run the nmap command to see what ports and services are running on the host: nmap -Pn, -sV for sending version probes, -sC for doing a script scan, and I'm going to save it in a file, but I will not do it now because I have already saved it once, so I will just type the full command and the IP and that should be it. It's going to take some while, so I have already run it and saved it in a file called harder corp nmap. Let's cat the file. We have ports 22 and 80 open, and it's running OpenSSH 8.3 on 22. It doesn't look like it's running a vulnerable version or that we'll have any exploits we can use against port 22, so let's move on to port 80. Upon navigating to the port we see this. The next natural step is to look for pages like /admin, /login, and we could do this forever, or just run gobuster on this one. So I'm going to open a new tab and run gobuster on this URL: put it in dir mode, -u for the URL, -w is the wordlist that we're going to use. I'm going to use the standard wordlist as we typically use, dirbuster directory-list-2.3-medium; however, we did find a note in the instructions for this box to run SecLists, so let me actually run the SecLists one. I have SecLists here; it's going to be the Discovery list, we're going to discover web content, and let me run the common.txt file at 50 threads. Okay, it's saying it has a wildcard match, so let's try running with this. It looks like it's showing a bunch of 200 messages and 403, which is the forbidden message. Before moving anywhere from here, let's just load it via Burp Suite and
see what exactly is happening on this. You can take a look into the source, but let's just load Burp Suite first. I'm going to open Applications and open Burp Suite. I have Burp Suite running on port 8080; I'm going to point the browser to Burp and load the page again, send it to Repeater, and turn the intercept off, and also turn Burp off here. Let's go back to Burp Suite and send the request again. We don't find anything unusual like comments or any other new pages. Let's look at all the href= and we have vendor, and that's it, so no other links except this one. I don't think this one is useful for us because it's going to have all the static files that are required to display the good view that you're looking at in the browser. But looking at the headers, we see that it's running nginx 1.18, so we can quickly check if it's a vulnerable version, if there's an exploit for that. Let's use searchsploit nginx, and it looks like we don't have any exploits for this, so let's move on. We see the cookie here, and here we have the domain for the cookie, which is pwd.harder.local. So it looks like this host might be running multiple domains or subdomains. nginx is like a proxy; it's a front end to the back end, right? So let's try and load this domain. Copy this and let's add it to our hosts file; we've got to keep the IP as well, so copy that, and let's see what we have at this address. Hmm, looks like I made a mistake; I missed the one here, so that makes sense. Okay, so we have Password Manager, Harder Corp. Take a look at the source, and again we don't see anything particularly useful right up front; this is the CSS components and that's it. So let's go back and try the usual admin/admin. It's saying our source code will be reviewed soon. Let's copy this,
probably, you know what, let's send it through Burp and see what we see there and take it from there. Let's send it to Burp. Where's that? Intercept is on. Okay, so we have a session ID, which means that our password worked. Well, let's see, it's saying bad request again. What if we haven't logged on, right? Copy this, let's load a new private window so that we don't have a session, and turn the intercept on; I'm not sure if it's going to need its own... Yeah, unfortunately I don't know what happened. I think we will need a session ID to even see this message, because in both of these views we have loaded the index.php page. So let's close it. Let's assume that we have the credentials admin/admin; we want to make a note of that, so I'm going to create a new file called creds.txt and note it down. Let's move on. The next step is to find and try to brute-force this subdomain. Let's do that with gobuster again, and like they have mentioned in the notes for this box, we're going to use the SecLists list that we used here. I guess I closed this, but I have it in my history, and I will have it saved in a file with -o. Right off the bat we see a .git directory present, so let's try and load it. Let's minimize Burp Suite for now and load this here. I need to disable the interception here, so turn it off. What do I do with the file? Okay, it's saved here; open it. Looks like we do have a valid directory there, which is .git. Naturally we want to be able to dump the git directory, because usually git is where the source code for the applications is stored, and it looks like there's a poor configuration here to have the git directory under the web root, so we're going to take advantage of that. Let's search for this: enumerate git directory, and let's see how
they automated it. Okay, we need to use GitTools, and we have a tool called Dumper. Let's take a look at that; it's a shell script. Let's first read it and see what they're doing with that. Okay, this is the one that's actually getting the directories, and we have a bunch of if statements and then downloads; nothing malicious from what I've seen so far, so it's actually safe to use this. Let's download this one onto our attacker machine using wget. Let's run this file, gitdumper.sh, and we have the usage information. We need a destination directory to dump all of this, so let's create a new directory called git, and we need to provide the URL; we know the URL was this, so take that, and let's see. Okay, we have a bunch of colors, all good. Let's cd to the directory and take a look at what's inside; sometimes it could be hidden, so do ls -la and we'll find the hidden files. Let's go to the hidden directory .git. The commit message is something that we would want to look at, because that's somewhere the developers might leave some user information, passwords, all those kinds of things. Let's take a look, and we don't find anything here. Let's look into description: nothing there. Let's look into config. I think index will be the one that we are looking at here, with the username and password. Since we are logged in, we are not getting the login prompt here. Let's go to info and see what we have there, and we have exclude; nothing interesting there. So I didn't actually know how to go forward from here, so for that I used a Google search, maybe "dump .git directory". Actually, dump is not what I want; I think I want to check out, because if you have a git repository on your local, which I do here, when you did the dump it
basically created a whole new copy of the repository on your local. So let's treat that as a repository and check out the code; checkout actually retrieves the code from the repository, and the syntax for that, I guess, is git checkout. How do I get everything? I'm here in this directory where I have the .git, so let's run checkout and let's say *. Okay, we have four new files. Take a look, and we have a bunch of new files which could be interesting. The first step is to take a look at auth.php, and I think this is the page that is responsible for authentication; we see the message we saw earlier. Let's expand this one. We have an authorized function which is authorizing: if the cookie is set, it's taking it, and if not, it's taking the username and password and doing the hash comparison. We don't have to worry about this one because we already know the username and password are admin/admin, and this is the redirect to prompt. So what is prompt? Okay, prompt is basically the page we looked at, because here we have the label, username and password fields, so I think prompt is where it prompts you for the credentials. That makes sense; nothing interesting. We can search for password here by hitting slash and typing password, and that's it, so we don't really have anything that's useful. Let's quit and take a look at the next one, which is hmac.php, and before that let's take a quick look into index, because I was imagining index.php would have the login page, but we saw that in auth.php. Let's take a look into this one and see what it has. It's initiating the session, and okay, that makes sense: this file loads auth.php, so that's why we have the login on /index.php, and it is also loading hmac and it's loading credentials.php as well. But I did not find any credentials.php in here;
let's take a second look. Let's take a look at .gitignore, and it ignored credentials.php and secret.php, which means that whenever the developer wants to commit or add the files to the repository, it's not really going to copy these two files from his machine, so that's why they are not showing up in this directory right here. That makes sense. Let's go back and take a look into hmac. Here we have some information. If $_GET['h']: it's getting the parameter h from our request, so it should be something like this. Oh, my bad, like this. I'm going to have this here, so let's see; I don't know what's happening with my keyboard, but it's going to get a parameter called h. Let's take a look at the next one: an empty host, so we need another header called host; let's add another parameter here, equals. I'm just noting it down so that it's easier for us when we actually send something. So next it's getting host and h, and then what's the next one? We have another parameter called n, so let's use this. Okay, so now we know we have three parameters. Let's take a look into the logic here. If both h and host are empty, it's going to display a bad request, which is exactly what is being displayed here, so we are hitting this logic when we browse to index.php. Let's go to the next one. Here is where it loads secret.php, and there's a comment saying "set secret $secret var", so it's taking a secret variable from secret.php. Then it goes into this logic if n is set: if n is set, it's going to take n and the secret from secret.php and compute a SHA-256 hash out of it, which is an HMAC, and store it in the variable secret. Finally, what it's doing is creating a new HMAC from the host, which is the parameter right here, and the secret, which is this, and storing it in hm. If hm is not equal to h, then we will have forbidden again. So
we don't see what happens if they are equal, right? We only have the error condition here. I am not sure; I think we can take a look into the index.php file for that. I don't know. So what makes sense is, when PHP runs, it's like a script, so it's going to run line by line; if it succeeds on this line, it's going to go ahead and do this, which I guess might have interesting files that you want, like the credentials file, or even the plain-text credentials or whatever. What's happening in our case is we are failing at this line here, the hmac, because they have a die here. If there were no die, what would happen is, regardless of what happened here, it's going to continue and get the credentials.php file. Since we have well-coded logic, we might not move to the next one, so let's see how to bypass this one. I didn't really know how this worked, so what I did is a quick search for PHP hmac bypass, and it looks like this was inspired by a challenge that was created before, and this code looks exactly, or more or less, similar to the hmac.php here. If you take a look, it's getting h and host, and here it's hmac host, bad request, same, and same again. It's going to get the secret from the environment variable, but we're getting it from secret.php, so that's the only change we have and the rest are all the same. n for nonce, we have nonce here, same thing happening. With that said, let's see how they have solved this one. Okay, let's walk through the code: lines three to six require hmac, which we already know. What we didn't know is h, right? We need to provide a MAC or HMAC value, or a hash, that should be equal to the HMAC obtained from the host and the secret. We could do that if there were no
secret here, because we would be computing an HMAC for the host, and since we are sending the host in our request, we can basically compute, let's say host equals anything, right, google.com; we can create an HMAC for this one and send it here. But it won't work because they have another secret, so we need the secret for us to move forward, and that's why I have googled this one here. Let's see how to bypass that logic; I'll put the link to this page in the video, you can read it. I'm going to move forward really fast and just jump to the logic where they bypass it. Okay, let's see, where's that? "We need it to return false"; I don't know why it's going to return false, because they're passing an array. Okay, to get right to the vulnerability, we observe the behavior of the hmac function when an array is applied as a message. Let's run the code locally; let's actually run this on our machine and see what's happening. I know it's a little bit of research, so hang on. I'm going to create a file called test.php and then hash_hmac, and see. Okay, I missed something; I think I missed the semicolon. I'm not too familiar with PHP, so let's put that semicolon right there. It's not executing anything; maybe you need to have the PHP enclosed within the tags. Okay: "expects parameter 2 to be string, array given". That's the warning, but we don't have the hmac as false. What they're doing is the comparison: is it false? So let's do the comparison here and see if it's false; if it's false it should be returning true. hmac == false: if it's one equals, it means we are assigning it a value; if it's two equals, it means we are actually asking if it's equal or not. We see the same error here as well: hash_hmac just goes to a warning and returns false. So it looks like it's returning false, and we are seeing a 1 here which we did not see before; 1 is true in PHP. So if you remember what we
did here, we asked if hmac == false, and it's saying yes, it equals false, and that's why it's printing 1. We did not find it before because obviously we have this next line overlapping it, so we are having this result right there. What we need is basically to send an array in the place of the nonce. If you look here, we need to send an array here, so that when the HMAC is computed out of an array, right here where we have sha256, we need to supply an array here and we need to supply a secret here. So how to supply an array? We cannot just supply an array like this, right? It's not going to work. Let's load the page; I'm not sure why it's not coming up. I'm not sure how we can set the value for nonce as an array, and for that I'm going to do a bit of searching: PHP declare array. I don't know what the array variable should look like; declare, let's say, variable as array. Okay, so a bit of search: it looks like we can declare an array with square brackets. All right, let's try and do this and see. What we're going to do is leave this empty and make n an array with this, so that we are making this hmac function, this secret, false. What we will end up having is, I'm going to create a new file, so we're going to end up having this one; let me take this real quick, test2.php. We're going to have false here, because we sent an array, it should set the output to false, and it's going to create an HMAC of the host. Let me pass google.com as the host and let's create an HMAC value for this. We need that to be printed out, so echo $hmac, and let's run test2.php, and we have the MAC value for that. Let's copy this and go down here to h; we have h equals the HMAC we computed, host is google.com, and n is an array. Okay, so why am I doing all that? Because that's what... okay, so they have actually shown
us how to make a parameter an array here, so my bad. But it looks like this should succeed, because if you remember the logic from here, it's saying if hmac is not equal to h; the HMAC that it is going to compute should be equal to the HMAC that we are going to send. If that's not equal, it's going to send a 403 Forbidden; if it's equal, it's going to load the credentials.php page. Fingers crossed, let's send this one and see if it works. Looks like it worked, but I'm going to show the response in the browser so that we are able to take a look at the page. I'm going to paste this, and we have the password for username evs. We also have a new URL, so let's copy that; actually, let's copy the hostname alone and add it to our hosts file and save it. Okay, I think I missed the l at the end, so let's save that and go to this page right here. We know evs is the username, so we can just type it and log in. Okay, we have another roadblock here: it's saying your IP is not allowed. Let's pass this to Burp again, turn the intercept on and load this again. Real quick, I'm going to turn off the proxy because it's going to keep accumulating traffic that is not required for us. Okay, so it's saying basically you don't have the source IP equals this, so we are not allowed. If you remember what I said, nginx is a front end to a backend service; a front end is like a server in front of another server, so usually these rules, the IP whitelisting and all that, are implemented at the proxy. nginx is a proxy, so we have to fool nginx, make it believe that we are coming from this IP, and there's a really good way to do that using the X-Forwarded-For header. I'm not sure if I got the header details correct, but let's just find out. It says it needs to be 10.10.10.10, and let's say send, and we have the command of the web shell. It's saying it's taking command= using a POST method, so let's convert this to a POST method,
change the request method, and I'll say command= ... let's see what we can do. whoami should work, let's do that. Do we have an output? I guess we have www, so let's try to print something that usually takes a lot more space than that, so that we know exactly if it worked or not. Yeah, we have the IP address of the machine printed, and that confirms that we have code execution on this machine. So now we have an initial foothold; we just need to convert this to a reverse shell, do privilege escalation, and grab the root flag. Since this video has been running for quite a while now, I'm going to stop this video at this time and create another video as part 2, so that you're not watching it at a stretch. With that said, I'm going to end this video right now. I'll see you in the next video real soon. Until then, decrypt.
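The hmac.php check the video walks through (parameters n, host and h, a nonce-derived secret, then an HMAC over host), as an added PHP example that is not the box's own code: the shape that fails beside a hardened version. It assumes a constructed stand-in for the value secret.php provides and takes the request parameters as an array so it runs offline; the hardened function goes beyond the video by showing the fix.

```php
<?php
// Added example, not the box's hmac.php. $secret below is a constructed stand-in
// for the value secret.php sets; request parameters are passed in as an array.

// Vulnerable shape: an array in n makes hash_hmac() fail. On PHP 7 that is only a
// warning plus a null return, so the derived "secret" degrades to an empty key and
// $hm can be computed by anyone who knows host. PHP 8 throws TypeError instead.
function check_vulnerable(array $get, string $secret): bool
{
    $h    = $get['h']    ?? '';
    $host = $get['host'] ?? '';
    if (isset($get['n'])) {
        $secret = @hash_hmac('sha256', $get['n'], $secret); // null on PHP 7
    }
    $hm = hash_hmac('sha256', $host, $secret);               // null key coerces to ''
    return $hm == $h;                                         // loose compare, as in hmac.php
}

// Hardened shape: every request value must be a plain string before it reaches a
// crypto primitive, and the final comparison is constant-time and type-strict.
function check_hardened(array $get, string $secret): bool
{
    $h    = $get['h']    ?? null;
    $host = $get['host'] ?? null;
    $n    = $get['n']    ?? null;
    if (!is_string($h) || !is_string($host) || ($n !== null && !is_string($n))) {
        return false; // arrays and other non-strings are rejected, not juggled
    }
    if ($n !== null) {
        $secret = hash_hmac('sha256', $n, $secret);
    }
    $hm = hash_hmac('sha256', $host, $secret);
    return hash_equals($hm, $h);
}

// Constructed request: n as an array (n[]=x in a query string) and h computed with
// an empty key, i.e. without knowing $secret. This is what test2.php reproduces.
$secret  = 'constructed-secret-stand-in';
$request = [
    'h'    => hash_hmac('sha256', 'example.test', ''),
    'host' => 'example.test',
    'n'    => ['x'],
];

try {
    echo 'vulnerable check accepts request: ',
         var_export(check_vulnerable($request, $secret), true), PHP_EOL;
} catch (TypeError $e) {
    echo 'vulnerable check: this PHP version rejects the array with TypeError', PHP_EOL;
}
echo 'hardened check accepts request:   ',
     var_export(check_hardened($request, $secret), true), PHP_EOL;
```

Run it under PHP 7 to see the first check accept the forged request while the hardened one refuses it; the same input on PHP 8 surfaces as a TypeError, which is why type validation belongs in the application rather than being left to the runtime's version-dependent behaviour.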
Info
Channel: decrypt
Views: 661
Keywords: php bypass, tryhackme
Id: cdUWk9vmjzM
Length: 38min 14sec (2294 seconds)
Published: Sat Sep 19 2020