
Lab 9: Basic SSRF against the local server

Here I have to exploit an SSRF vulnerability. The first thing I do is look at the requests the web page makes using Burp Suite. The website has an option to check the stock of an item, and that check has to connect to the backend. If I can change this request to point at the loopback address, which is often trusted, I may be able to reach a page I don't normally have access to. Here is the request, and as can be seen it is accessing the backend. By changing the request to http://localhost/admin I was able to gain access to the admin page and delete a user. Looking at the admin page's requests, I saw that the path to delete Carlos was /admin/delete?username=carlos. I added this to my original path and sent it, then followed the request, and it worked: the user Carlos was deleted and the lab was done.
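The defensive counterpart to this lab, as an added example that is not part of the original write-up: a check the stock endpoint could run on the URL it is asked to fetch before fetching it, so a request pointed at localhost never reaches the backend. The allowlisted hostname stock.internal.example is an assumption for illustration, not a name from the lab.

```python
"""Added example: allowlist check for a server-side "check stock" fetch.

The stock-check endpoint forwards a client-supplied URL to the backend;
the fix is to never fetch an attacker-controlled URL as-is. The host
allowlist below (stock.internal.example) is an assumption, not a name
from the lab.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist of backend hosts the stock check may contact.
ALLOWED_HOSTS = {"stock.internal.example"}
ALLOWED_SCHEMES = {"http", "https"}


def is_blocked_address(host: str) -> bool:
    """True if host is an IP literal in a loopback, private, link-local or
    other non-public range. Hostnames (not IP literals) return False here
    and are judged by the allowlist instead."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return not ip.is_global


def validate_stock_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only when every component of the
    URL is something the backend fetch is allowed to contact."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable url: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "loopback name rejected"
    if is_blocked_address(host):
        return False, f"non-public address rejected: {host}"
    if host not in ALLOWED_HOSTS:
        return False, f"host not in allowlist: {host}"
    if parts.username or parts.password:
        return False, "credentials in url rejected"
    return True, "ok"
```

The allowlist is the part that actually stops the attack; the loopback and private-range tests only give a clearer reason and catch IP-literal forms such as [::1]. Shorthand addresses like 127.1 are not parsed by ipaddress, but they fail the allowlist all the same. A hostname that resolves to a loopback address is only caught if the fetcher also validates the resolved IP, which is not shown here.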

Lab 8: Bypassing 2FA

I was given two usernames and passwords. My credentials: wiener:peter. Victim's credentials: carlos:montoya. I started by testing the first one to see how the login worked and which pages I could access once logged in, so I could then try to reach those pages as the other user. I then tried to use IDOR to change the reference to Carlos to see if it would let me through, but it didn't. At this point I still thought I might be able to switch into Carlos's account. While logging in as Carlos, I used that reference to switch to Carlos.

Lab 7: Brute Forcing to Gain Access

I began by going to the login page, entering a username and password, and capturing the request in Burp Suite. I then sent it to Intruder with the wordlist of usernames that was provided and got the username announce. After that I sent the request to Intruder again with the password wordlist and looked for a response with a different length. As can be seen, the password hunter produced a different length, which means something changed. Looking at the status, it is a 300, which means it is a redirect. I then logged in with that username and password and got in.
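What this attack looks like from the server's side, as an added example that is not part of the original write-up: a detector that reads login logs and flags the wordlist run. Two things make the lab attack work, a distinguishable answer for each guess and nothing slowing the guessing down, and both leave a burst of failures per client and username followed by one success. The log format, addresses, timestamps and threshold are constructed for the example.

```python
"""Added example (not from the original write-up): spotting an Intruder-
style password run in login logs with a sliding-window failure count per
(client ip, username). Log format and values are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<iso timestamp> <client ip> <username> <fail|ok>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.9 announce fail
2024-05-01T10:00:01 10.0.0.9 announce fail
2024-05-01T10:00:02 10.0.0.9 announce fail
2024-05-01T10:00:03 10.0.0.9 announce fail
2024-05-01T10:00:04 10.0.0.9 announce fail
2024-05-01T10:00:05 10.0.0.9 announce fail
2024-05-01T10:00:06 10.0.0.9 announce ok
2024-05-01T10:00:30 10.0.0.7 wiener fail
2024-05-01T10:00:35 10.0.0.7 wiener ok
"""

WINDOW = timedelta(seconds=60)  # how far back failures are counted
THRESHOLD = 5                   # failures inside the window that make a burst


def parse_line(line: str):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome


def detect_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (ip, username, kind) tuples in log order.
    kind is "burst" (threshold failures inside one window) or
    "success-after-burst" (a login that succeeded right after one)."""
    failures = defaultdict(deque)  # (ip, user) -> timestamps of recent failures
    alerts, burst_seen = [], set()
    for line in lines:
        if not line.strip():
            continue
        ts, ip, user, outcome = parse_line(line)
        key = (ip, user)
        recent = failures[key]
        while recent and ts - recent[0] > window:  # expire failures outside the window
            recent.popleft()
        if outcome == "fail":
            recent.append(ts)
            if len(recent) >= threshold and key not in burst_seen:
                alerts.append((ip, user, "burst"))   # alert once per burst
                burst_seen.add(key)
        elif outcome == "ok":
            if len(recent) >= threshold:
                alerts.append((ip, user, "success-after-burst"))
            recent.clear()                           # a real login resets the count
            burst_seen.discard(key)
    return alerts
```

The second alert kind is the one worth paging on: it marks the moment a guess landed. The same log also shows the fix on the application side: if every failed login got the same status and body and the endpoint throttled by client and account, the length difference and the redirect would never be reached by a wordlist run.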

Lab 6: User ID controlled by request parameter with password disclosure

I have to gain access to an admin account using horizontal privilege escalation. I logged in, saw my id, and tried to switch to admin, but it failed. I then tried to switch to the other user, carlos, because he might have some extra privilege. Using Burp Suite I changed the id value to administrator and it worked. I looked at the administrator's password and then signed in with it. After signing into that account I was able to delete Carlos.

Lab 5: User ID controlled by request parameter, with unpredictable user IDs

I entered the site and logged in with the credentials given to me. The first thing that stood out was the API key. After getting this, I looked at the request with Burp Suite, then went through all the posts and found that the blog ID carried a reference to the user ID, and that I could change this ID to gain access to other users. After doing it with Admin, I found a post by Carlos that had a reference to his account and used it. Here is Carlos's account and his API key.

Lab 4: User role controlled by request parameter

I need to access the admin site and delete Carlos, but to do this I need to change the parameters to gain access to the admin page. I logged into my account with the credentials provided, looked at the cookies and found the Admin cookie set to false. I changed it to true and then went to the admin panel, where I was able to delete Carlos. Another way I could have done this is with Burp: I could have sent the request to the proxy, looked at the cookies there, changed the cookie to true, and it would have worked the same way.

Lab 3: Access Controls 2

I opened the page and took a look at it. I again tried to find the admin page, but this time with another method. Looking through the HTML, I found some JavaScript that contained the path /admin-0p1j64. I put that in the URL and was able to reach the admin page and delete Carlos.

Lab 2: Access Controls

As usual, I start by opening the page and seeing what it has to offer in terms of vulnerabilities. I then go to robots.txt, because it often points at admin pages. If nothing is found there, I would probably try to brute force the admin pages. In robots.txt I found that they don't want crawlers on /administrator-panel. This is an admin panel that a normal user should not have access to, but it is always worth trying in case the website doesn't verify who is accessing unauthorized pages. The page does not check whether I am authorized, so it gives me full admin access right away. I then deleted the user without ever signing in or having any kind of admin authorization.
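Labs 2 through 6 above (and the IDOR attempt in Lab 8) all fail for one reason, so here is one added example, not from the original write-ups, of the server-side authorization they lack: who the caller is, what role they hold and which account they may touch are read from the server's own session record, never from a cookie value the client sends, an id parameter, or the obscurity of a path. Users, session tokens, routes and account data are constructed for illustration.

```python
"""Added example (not from the original write-ups): server-side access
control for account and admin endpoints. All users, tokens, routes and
records are constructed; only the rule comes from the labs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str
    role: str          # "user" or "admin", decided by the server at login


# Constructed server-side session store: session token -> Session.
SESSIONS = {
    "tok-wiener": Session("wiener", "user"),
    "tok-admin": Session("administrator", "admin"),
}

# Constructed account records keyed by user id.
ACCOUNTS = {
    "wiener": {"email": "wiener@example.test", "api_key": "KEY-WIENER"},
    "carlos": {"email": "carlos@example.test", "api_key": "KEY-CARLOS"},
    "administrator": {"email": "admin@example.test", "api_key": "KEY-ADMIN"},
}


def current_session(cookies: dict):
    """Look the caller up by session token only. Any other cookie the
    client sends (an "Admin=true" flag, say) is never consulted."""
    return SESSIONS.get(cookies.get("session", ""))


def view_account(cookies: dict, requested_id: str):
    """Handler for something like GET /my-account?id=<requested_id>.
    Returns (http_status, body). The id parameter is honoured only when
    it names the caller's own account or the caller is an admin, so an
    unguessable id is not what protects the record."""
    sess = current_session(cookies)
    if sess is None:
        return 401, None
    if requested_id != sess.user_id and sess.role != "admin":
        return 403, None                       # IDOR attempt: deny, leak nothing
    account = ACCOUNTS.get(requested_id)
    return (200, account) if account else (404, None)


def delete_user(cookies: dict, username: str):
    """Handler for something like GET /administrator-panel/delete?username=...
    Whether the path is listed in robots.txt or only found in JavaScript
    makes no difference: the role stored with the session is the only gate."""
    sess = current_session(cookies)
    if sess is None:
        return 401, None
    if sess.role != "admin":
        return 403, None
    if username not in ACCOUNTS:
        return 404, None
    del ACCOUNTS[username]
    return 200, {"deleted": username}
```

Mapped back to the labs: the Admin cookie from Lab 4 is simply never read; the id from Labs 5 and 6 is compared with the session's user before any record is fetched; and the paths from Labs 2 and 3 still run the role check no matter how they were discovered.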

Lab 1: Path Traversal

Lab 1 is about changing the request to access another file on the web application. I began by loading the page to see what it contains and whether there were any obvious vulnerabilities. I then turned on Burp Suite to see the requests. Here I can see the image request. As I learned earlier in this section, this request can be changed to traverse the file system and read another file. I know the server gets the image from /var/www/image, so I would have to backtrack to the root directory and then access the passwd file in /etc. Here is the content of the passwd file.
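How the image endpoint should resolve the filename it is given so that the request can no longer climb out of the image directory, as an added example that is not part of the original write-up. The base directory is a parameter rather than the lab's path, and demo() builds a throwaway directory with constructed request strings so the code runs offline.

```python
"""Added example (not from the original write-up): resolve a requested
image name inside a fixed directory and refuse anything that escapes it.
Base directory and request strings are constructed for the demo."""
import tempfile
from pathlib import Path


def safe_image_path(base_dir, requested: str):
    """Return the absolute Path of `requested` inside base_dir, or None if
    the request is empty, contains a NUL byte, is absolute, or normalizes
    to something outside base_dir (".." segments, symlinks)."""
    if not requested or "\x00" in requested:
        return None
    base = Path(base_dir).resolve()
    # Joining an absolute request discards base_dir entirely; that case is
    # caught by the relative_to() check below like any other escape.
    candidate = (base / requested).resolve()   # collapses ".." and symlinks
    if candidate == base:
        return None                            # the directory itself, not a file
    try:
        candidate.relative_to(base)            # raises ValueError if candidate left base
    except ValueError:
        return None
    return candidate


def demo():
    """Try several constructed requests against a temporary image directory.
    Returns a dict of request -> "served", "not found" or "rejected"."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "images"
        base.mkdir()
        (base / "cat.png").write_bytes(b"\x89PNG constructed sample")
        requests = ["cat.png", "sub/../cat.png", "missing.png",
                    "../../../etc/passwd", "/etc/passwd", ""]
        results = {}
        for r in requests:
            path = safe_image_path(base, r)
            if path is None:
                results[r] = "rejected"
            else:
                results[r] = "served" if path.is_file() else "not found"
        return results
```

Decode the URL path exactly once before calling this (web frameworks normally do) and keep the decision on the resolved path rather than on the string: stripping "../" out of the input is weaker than comparing where the path actually lands.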