Pen Test Labs Notes

PentesterLab provides two free exercises every month. This post records some interesting ones I have done.

  • https://pentesterlab.com/exercises

 

API 18

In this challenge, your goal is to retrieve the key. However, the user you are logging in with does not have permission to access it. Your task is to identify a vulnerability in the authorization middleware. Upon logging in, you will see part of the application's source code. Audit the code carefully to uncover the vulnerability.

Burp Suite
Turn Intercept on, then open the built-in browser and load this page.

Click Forward a couple of times until you get the POST request.

Change the POST content by adding health=health, then forward it.

You should be able to bypass the following check, which tests whether the URL ends with "health" and whether the username is admin. If the URL does not end with "health" and the user is not admin, it returns an error saying you don't have access to the key.

    // Authorization middleware from the exercise: the suffix test runs on the
    // full URL string, not on the routed path
    if !strings.HasSuffix(r.URL.String(), "health") && claims.Username != "admin" {
        http.Error(w, "You don't have access to the key", http.StatusUnauthorized)
        return
    }
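As an added illustration (not code from PentesterLab or from this post), here is the check above next to a corrected version. The Claims type and the newRequest helper are assumptions made for the demo; the point it shows is that r.URL.String() includes the query string, so a suffix test on it is not a route check, whereas r.URL.Path compared for equality is.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Claims stands in for the JWT claims the exercise's middleware extracts
// (assumed shape: only Username is needed here).
type Claims struct {
	Username string
}

// vulnerableAllows reproduces the check from the exercise. r.URL.String()
// includes the query string, so any request whose query ends in "health"
// is treated like the health endpoint and skips the admin requirement.
func vulnerableAllows(r *http.Request, claims Claims) bool {
	if !strings.HasSuffix(r.URL.String(), "health") && claims.Username != "admin" {
		return false // the real handler writes http.Error(..., http.StatusUnauthorized)
	}
	return true
}

// hardenedAllows decides on the routed path only (r.URL.Path never carries
// the query string) and exempts exactly one path rather than any suffix.
func hardenedAllows(r *http.Request, claims Claims) bool {
	if r.URL.Path == "/health" {
		return true
	}
	return claims.Username == "admin"
}

// newRequest builds a request for the given method and target. Constructed
// input for the demonstration, not traffic captured from the exercise.
func newRequest(method, target string) *http.Request {
	return httptest.NewRequest(method, target, nil)
}

func main() {
	user := Claims{Username: "user1"}
	admin := Claims{Username: "admin"}
	cases := []struct {
		method, target string
		claims         Claims
	}{
		{"GET", "/health", user},
		{"POST", "/key", user},
		{"POST", "/key?health=health", user},
		{"POST", "/key", admin},
	}
	for _, c := range cases {
		r := newRequest(c.method, c.target)
		fmt.Printf("%-4s %-20s user=%-5s vulnerable=%-5v hardened=%v\n",
			c.method, c.target, c.claims.Username,
			vulnerableAllows(r, c.claims), hardenedAllows(r, c.claims))
	}
}
```

The same defect would also accept a path such as /keyhealth, so the fix is not to trim the query but to stop matching on suffixes at all: route the health endpoint explicitly and apply the admin check to everything else.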

Directory Traversal 01

Directory Traversals

Directory traversals come from a lack of filtering/encoding of information used as part of a path by an application.

As with other vulnerabilities, you can use the "same-value technique" to test for this type of issue.

For example, if the path used by the application inside a parameter is /images/photo.jpg, you can try to access:

  • /images/./photo.jpg: you should see the same file.
  • /images/../photo.jpg: you should get an error.
  • /images/../images/photo.jpg: you should see the same file again.
  • /images/../IMAGES/photo.jpg: you should get an error (depending on the file system), or something weird is going on.

If you don't have the value images and the legitimate path looks like photo.jpg, you will need to work out what the parent directory is.

Once you have tested that, you can try to retrieve other files.

On Linux/Unix the most common test case is the /etc/passwd.

You can test: images/../../../../../../../../../../../etc/passwd

If you get the passwd file, the application is vulnerable. The good news is that you don't need to know the exact number of ../ needed: if you put too many, it will still work.

Another interesting thing to know is that if you have a directory traversal in Windows, you will be able to access test/../../../file.txt, even if the directory test does not exist.

This is not the case on Linux.

This can be really useful where the code concatenates user-controlled data to create a file name.

For example, the following PHP code is supposed to add the parameter id to get a file name (example_1.txt for example):

$file = "/var/files/example_".$_GET['id'].".txt";

On Linux, you won't be able to exploit this vulnerability if there is no directory starting with example_, whereas on Windows, you will be able to exploit it, even if there is no such directory.
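The following added example (not code from PentesterLab or from this post) works through the three points above in Go: the same-value technique, why an over-estimated number of ../ still resolves, and how the PHP-style concatenation should be guarded. The base directory /var/files and the id values are constructed for the demo; the guard compares the cleaned path against the base instead of trusting string concatenation.

```go
package main

import (
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// sameValue applies the "same-value technique" lexically: two URL paths that
// normalize to the same string point at the same resource, which is why
// /images/./photo.jpg and /images/../images/photo.jpg return the original file
// while /images/../photo.jpg does not.
func sameValue(reference, candidate string) bool {
	return path.Clean(reference) == path.Clean(candidate)
}

// lexicalResolve normalizes a path the way a naive server would. Any ".."
// left over once the root is reached is discarded, which is why you do not
// need to know the exact depth: extra ../ segments are simply absorbed.
func lexicalResolve(p string) string {
	return path.Clean(p)
}

// vulnerableFilePath mirrors the PHP concatenation from the course text:
//   $file = "/var/files/example_".$_GET['id'].".txt";
func vulnerableFilePath(id string) string {
	return "/var/files/example_" + id + ".txt"
}

// safeFilePath builds the same name but refuses any id whose normalized
// result leaves the base directory. The check is on the cleaned path, so it
// does not depend on whether an intermediate directory exists; the Linux vs
// Windows difference described above is a file-system detail, not a guard.
func safeFilePath(base, id string) (string, error) {
	full := filepath.Clean(filepath.Join(base, "example_"+id+".txt"))
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("id %q escapes %s", id, base)
	}
	return full, nil
}

func main() {
	ref := "/images/photo.jpg"
	for _, c := range []string{"/images/./photo.jpg", "/images/../photo.jpg", "/images/../images/photo.jpg"} {
		fmt.Printf("%-30s same file as %s: %v\n", c, ref, sameValue(ref, c))
	}
	fmt.Println(lexicalResolve("/var/www/images/../../../../../../../../etc/passwd"))

	for _, id := range []string{"1", "/../../../etc/passwd"} {
		fmt.Printf("concatenation: %s\n", vulnerableFilePath(id))
		if p, err := safeFilePath("/var/files", id); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted:", p)
		}
	}
}
```

If ids are only ever expected to be a single file name, an allowlist (digits only, or a lookup table of permitted ids) is simpler and stricter than the base-directory check; the check shown is the general form that also works when subdirectories are legitimate.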

In these exercises, the vulnerabilities are illustrated by a script used inside an <img> tag.

You will need to read the HTML source (or use "Copy image URL") to find the correct link, and start exploiting the issue.

The first example is a really simple directory traversal. You just need to go up in the file system, and then back down, to get any files you want. In this instance, you will be restricted by the file system permissions, and won't be able to access /etc/shadow, for example.

In this example, based on the header sent by the server, your browser will display the content of the response. Sometimes the server will send the response with a Content-Disposition: attachment header, and your browser will not display the file directly; you then have to open the downloaded file to see its content. Doing this for every test takes time.

Using a Linux/Unix system, you can do this more quickly, by using wget or curl.

The objective of this exercise is to find the directory traversal and retrieve the key in the following file: /pentesterlab.key


For example, suppose you find a file or image URL such as:
  • https://i.51sec.org/2025/chrome_fMjzra75Wa.png
You should be able to add . or .. segments into the URL to move through other folders while still getting the same result:
  • https://i.51sec.org/././2025/chrome_fMjzra75Wa.png
  • https://i.51sec.org/../../../../../2025/chrome_fMjzra75Wa.png
If this vulnerability exists on the website, we should be able to construct a URL like this to get the key:
  • https://i.51sec.org/../../../../../pentesterlab.key
In this exercise, you can use the existing file.php to view that PHP file's own content: right-click the page and view the source, since the page itself renders as empty.

It is also possible to construct a URL that reads /etc/passwd on Linux, as shown in the following screenshot:
  • https://netsec.libcurl.me/file.php?file=../../../../../../../../../etc/passwd

On Windows, you might be able to get the file boot.ini from the c:/ drive.


Copyright notice:
Author: admin
Link: https://www.techfm.club/p/228242.html
Source: TechFM
The article's copyright belongs to the author; please do not repost without permission.