- Subdomain Discovery: `dnsrecon -d vulnforum.co.uk -D ~/wordlists/subdomains.txt -t brt`
- 0 Records Found
- Searching on crt.sh
- Just found `*.auth.vulnforum.co.uk`, but it shows nothing when accessed from the web.
- Just found
- Content discovery on www.vulnforum.co.uk
- Through surfing I found the username of a user that commented on a forum, so maybe we can do password bruteforcing on the login page.
- While bruteforcing, I noticed the `POST` request that was sent to login, and it contained a `method` parameter that was set to `local`, and this showed when I changed it to `remote`. Found Flag 1
- Now, investigating this URL that was sent back from the server. It shows `Invalid Domain` when I visit it, so maybe it is a remote authentication server. Tried password bruteforcing through the remote auth server, but same results as the local.
- We need to investigate this `Server Error`. I tried enumerating passwords for the user `toby` with this `method=remote` parameter, but it also failed.
- Tried to `dig` this domain `xczz3rvw.auth.vulnforum.co.uk` and it showed that it is a `CNAME` to `vulnauth.co.uk`.
- Visited `http://vulnauth.co.uk/` and this HAPPENED! Found Flag 2
- This site only accepts Auth Domains that have not yet been registered. And since our `technical_msg` says that `Server \"http:\/\/xczz3rvw.auth.vulnforum.co.uk\/auth\" responded with a 404 error`, this might mean that this domain is not registered. I tried to register it with a testing email I have, `[email protected]`, and a password of `123456`, in case they send a verification email, but they did not. And then I was redirected to a `/complete` page.
- I visited `http://xczz3rvw.auth.vulnforum.co.uk` and now it redirects me to a `/login` that shows content, after it was showing an `Invalid Domain` response.
- Now I logged on with the credentials I provided and it shows this.
- Played with this interface a little and tried to create a new `admin` user with `0` as Remote UUID and a password of `12345`. Then, when I logged on to the main website with `admin:12345` and `method=remote`, it responded with a `technical_msg`. So this might mean that something may happen if we have the UUID of the admin on the system.
- Remember, we have the UUID of the user `toby` linked with its name when someone clicks on it: `http://www.vulnforum.co.uk/user/1ac9c036aaf12a755084dc6a326ed7f5`. So the idea may be: we create a user `toby` with our password of choice, say `1234`, and this UUID `1ac9c036aaf12a755084dc6a326ed7f5`? Then we login with `toby:1234` and see what happens.
- Voila! As we expected. `Login Successful`!
- Took the `token` in the `set-cookie` response header and put it in the browser, and then I logged on to `toby`'s account! (ATO) Found Flag 3
- Found this user `john`, so I changed his password the same way as before (Step 13) and logged on to his account. It showed that `john` is the ADMIN!
- I surfed through the website being logged on as `toby` and found this around the comment function, and by visiting this plugin code on GitHub, it says that by providing `[script]alert(true)[/script]`, it will produce `<script>alert(true)</script>` to the client. So, maybe it is an XSS? No. It shows the comment as is!
- I looked in the code and found that it replaces `(", <, >)` with their HTML variants `(&quot;, &lt;, &gt;)`, so this will prevent XSS! But then I tried again adding an `<img>` tag using BBCode by writing `[img]https://fileinfo.com/img/ss/xl/jpg_44.png[/img]`, and it worked! Now this may have an XSS, or a CSRF!
- According to (Step 16), the password of user `john` (the admin) is changed but doesn't allow the login process when `method=remote` (shows `"technical_msg":"Admins must logon locally"`), and when `method=local` (shows `"display_msg":"Invalid Username or Password"`). But we have a local password change function that makes a user change his password locally, and when I am logged in as `toby` and used the hash of user `john` it did not work, so it must be validating with the `token` cookie. So here comes the CSRF!
- So I tried this payload `[img]http%3a//www.vulnforum.co.uk/settings/password%3fpassword%3d123456%26hash%3d76887c0378ba2b80f17422fb0c0791c4[/img]` in the comment box, but it did not work because the code of the BBCode plugin used has this validation for the `[img]` tag. So the link must end with one of these formats: `.jpg, .jpeg, .gif, .png`.
- Submitted this `[img]http%3a//www.vulnforum.co.uk/settings/password%3fpassword%3d123456%26hash%3d76887c0378ba2b80f17422fb0c0791c4%26img=test.png[/img]`, waited for `john` to see it, and tried to login locally and Voila!
- Logged in as `john` and saw the confidential section that has the last flag. Found Flag 6
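The `[img]` check that the writeup bypassed tested only the tail of the whole string, so a query string ending in `img=test.png` passed. As an added example (not the forum's or the BBCode plugin's code; the function names are my own), this is how a renderer can parse the URL and test the path component, and refuse query strings altogether, so a state-changing URL cannot ride inside an image fetch. The primary fix is still making the password change a POST guarded by a CSRF token; this is defence in depth on the comment side.

```python
import html
import re
from urllib.parse import urlsplit, unquote

# Extensions the forum's BBCode plugin accepted for [img] (from the writeup).
ALLOWED_EXTENSIONS = (".jpg", ".jpeg", ".gif", ".png")
ALLOWED_SCHEMES = ("http", "https")

IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def is_safe_image_url(raw_url: str) -> bool:
    """True only for an absolute http(s) URL whose *path* ends in an image extension.

    Checking the parsed path (not the raw string) defeats the `...&img=test.png`
    trick; refusing any query, fragment or userinfo removes the channel the
    payload used to smuggle `password=...&hash=...` into an <img> request.
    """
    url = unquote(raw_url.strip())  # the payload was %-encoded, so decode once first
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False  # relative URLs, javascript:, data:, etc.
    if parts.query or parts.fragment or parts.username or parts.password:
        return False
    return parts.path.lower().endswith(ALLOWED_EXTENSIONS)


def render_img_tags(comment: str) -> str:
    """Turn [img]...[/img] into <img> only when the URL passes is_safe_image_url.

    Rejected tags are dropped rather than echoed, so nothing attacker-controlled
    reaches the HTML unchanged, and the accepted src is attribute-escaped.
    """
    def _replace(match: re.Match) -> str:
        url = match.group(1)
        if not is_safe_image_url(url):
            return ""
        return '<img src="%s" alt="">' % html.escape(unquote(url.strip()), quote=True)
    return IMG_TAG.sub(_replace, comment)


if __name__ == "__main__":
    # The two [img] values from the writeup: the legitimate image and the CSRF payload.
    for tag in ("[img]https://fileinfo.com/img/ss/xl/jpg_44.png[/img]",
                "[img]http%3a//www.vulnforum.co.uk/settings/password%3fpassword%3d123456"
                "%26hash%3d76887c0378ba2b80f17422fb0c0791c4%26img=test.png[/img]"):
        print(repr(render_img_tags(tag)))
```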