This challenge is built around a web application designed for image hosting. The application has a few vulnerabilities; the goal is to exploit them and find the hidden message about a date arrangement that Bob sent to Alice.

Bring up the virtual machine and start by identifying the target IP. We will run an Nmap ping scan to detect all live hosts.

As can be seen in the figure above, Nmap detected three hosts: 192.168.0.1 is my router, 192.168.0.100 is my own system, and 192.168.0.103 is our target. Open this IP in a browser.

There is an application that appears to be for image hosting. First, we will enumerate the whole application and try to find all of its URLs. For enumeration we will use Burp Suite’s spider option.

After spidering the application, we have some internal URLs. We can see several PHP files. The upload.php file provides the file upload functionality, but what is myphp.php? Let’s find out what is hidden in that page. Open the URL in the browser and add an id parameter with some integer value. For example, we added id=100, so the URL looks like this: http://192.168.0.103:8880/myphp?id=100

The application shows a message that hints we should dig further. Let’s try some more values for the id parameter; this time we will pass 101.

This time the page disclosed the PHP version, which is sensitive information. Try another value, such as 102:

No such information is shown this time, only a “PHP Credits” banner. Change the id value to 104:

Now we have some juicy information: the full PHP configuration is disclosed, including every PHP function that is disabled in the configuration file. Next we changed the id value to 108.

This time we get the Apache server details, such as the server version and the installed modules. That is enough for the enumeration phase; we now have plenty of information about our target. Go back to the application home page and try out its functionality to see how it works. There is a file upload feature, so try to upload an image file.

For example, we will upload an image named fishy.jpg. After the image is uploaded successfully, the application redirects to image.php, which displays our uploaded image.

Let’s check the page source to see where the image is loaded from. Right-click in the browser and select “View Source.”

As can be seen above, the uploaded image is served from the images directory, and the name of our uploaded image has been changed to some kind of hash value. We identified this as an MD5 hash because it is 32 characters long and contains only digits and the letters a-f. So let’s verify that this MD5 hash matches our file name. First, we calculated the MD5 of “fishy”; the output was “29c3a60c13d1e0eda25d65f65a761b47”, which does not match the current value. Next, we used the full name of the file, “fishy.jpg”, and calculated its MD5 hash; the output is “e1a9d5f33b65b29243ca47bd3f5fd3af”, which is the correct value.

fishy = 29c3a60c13d1e0eda25d65f65a761b47
fishy.jpg = e1a9d5f33b65b29243ca47bd3f5fd3af

This means the application calculates the MD5 hash over the full file name, including the extension.

Now we know where the application stores an uploaded file and the name it gives it. Let’s try to upload a PHP file.

It does not allow us to upload a PHP file. We tried several techniques to bypass this restriction; finally, we added a double file extension, naming the file “k.jpg.php”, and tried to upload it.

The file is uploaded successfully, but no image is displayed.

We checked the page source and there is nothing there:

But there is no need to worry. We know where the file is stored and how the application names it. We can reach our PHP file by computing the MD5 hash of its original name. First, calculate the MD5 of k.jpg.php:

Now that we have the MD5 hash, let’s try to access the uploaded PHP file through this URL: http://192.168.0.103:8880/images/f6af844136a85c964355ae9578923323.php
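The two weaknesses used above, the double-extension bypass and the predictable MD5 file naming, are easier to reason about side by side. The following is an added example, not code from the challenge application: a weak filter consistent with the behaviour observed (rejects k.php, accepts k.jpg.php), a hardened check that only judges the final extension, and the storage naming scheme identified above next to a safer variant. The whitelist and the function names are my assumptions.

```python
import hashlib
import os
import re

# Extensions the image host is willing to store. This whitelist is assumed; the
# challenge application's own filter is not shown in the write-up.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def naive_check(filename: str) -> bool:
    """Weak filter consistent with the behaviour seen in the write-up: accept the
    upload if any dot-separated part after the first is an allowed extension,
    so 'shell.php' is rejected but 'k.jpg.php' slips through."""
    parts = filename.lower().split(".")[1:]
    return any(p in ALLOWED_EXTENSIONS for p in parts)


def strict_check(filename: str) -> bool:
    """Hardened filter: reject path components, allow exactly one dot, require a
    plain stem, and judge only the final extension against the whitelist."""
    if filename != os.path.basename(filename) or filename.count(".") != 1:
        return False
    stem, ext = filename.rsplit(".", 1)
    return bool(re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem)) and ext.lower() in ALLOWED_EXTENSIONS


def stored_name(filename: str) -> str:
    """Reproduce the naming scheme identified above: MD5 of the full original name
    (extension included) with the original extension kept. Keeping that extension
    is what makes an accepted .php upload executable later."""
    digest = hashlib.md5(filename.encode()).hexdigest()
    return f"{digest}.{filename.rsplit('.', 1)[-1]}"


def safe_stored_name(filename: str):
    """Safer variant: only a strictly validated name is accepted (None otherwise),
    a random token replaces the predictable hash, and the stored extension is the
    lower-cased whitelisted one, so the stored path never ends in a script suffix."""
    if not strict_check(filename):
        return None
    return f"{os.urandom(16).hex()}.{filename.rsplit('.', 1)[-1].lower()}"


if __name__ == "__main__":
    # Constructed names mirroring the write-up: the normal upload, the rejected
    # PHP file, and the double-extension name that passes the weak check.
    for name in ["fishy.jpg", "shell.php", "k.jpg.php"]:
        print(name, naive_check(name), strict_check(name), stored_name(name))
```

Even with strict naming, the images directory should not be allowed to execute scripts at all (for mod_php, `php_admin_flag engine off` scoped to that directory), so a filter mistake cannot turn into code execution.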

Yes, our PHP file executes successfully: it prints “www-data” because the PHP file runs the “whoami” command. This confirms that we can execute a PHP file on the server. So let’s upload another PHP file, this time one that lets us run arbitrary Unix commands on the server; for that we wrote this small piece of code:

Now upload this PHP file using the same technique, locate it, and access it from the URL. Whatever command we want to run on the server, we pass as the c parameter. For example, to check which directory we are currently in, we passed “c=pwd.”

It shows that the current directory is images. To list all the files in this directory along with their permissions, we use the command “ls -la ./ > dirlist.txt”:

After executing the command, the result is in the dirlist.txt file, so let’s open dirlist.txt from the images directory: http://192.168.0.103/images/dirlist.txt

We can see all the files in the images directory, but nothing here helps us find the hidden file. So we will now list the web root instead. Type in “ls -la /var/www > dirlist.txt”:

Open dirlist.txt from the same location as before.

We can see all the application files, but we are looking for a hidden file. What is the .proof file? Let’s see; type in “cat /var/www/.proof > proof.txt”:


Access the proof.txt file from the images directory.

Yeah! We finally found something: a secret code, TGglMUxecjJDSDclN1Ej. This looks like it is Base64 encoded, so we decoded it; the output is “Lh%1L^r2CH7%7Q#.” We can also see a short conversation between bob and an unknown person. Now who is bob? Is bob a user? Let’s check the home directory. Type in “ls -la -R /home > bob.txt”:

After executing the command, open the bob.txt file to inspect the home directory contents.

We can see that bob is a user on this server, and we can see all his directories. There is a public_html folder, which means he has a web application. We tried to open it through this URL: http://192.168.0.103/~bob/

The application asks for a secret. We already have the secret code, so we provided it: Lh%1L^r2CH7%7Q#

We can see a message; if we enter these numbers into Google Maps, we get the secret location:

Coast Tombazis 7, Chania Crete, Greece.
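A defender’s counterpart to the walkthrough, added here as an example and not part of the original write-up: a small detector that reads Apache access-log lines and flags the traces this attack chain leaves behind, namely a script extension served from the images upload directory, non-image files such as dirlist.txt appearing there, and repeated probing of the myphp id parameter. The log lines are constructed to mirror the requests made above; the log format, the thresholds, and the rule names are my assumptions.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format lines modelled on the requests made in this
# write-up; the challenge VM's real logs are not shown. IPs, times, sizes are placeholders.
SAMPLE_LOG = """\
192.168.0.100 - - [01/Jan/2024:10:01:01 +0000] "GET /myphp.php?id=101 HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
192.168.0.100 - - [01/Jan/2024:10:01:05 +0000] "GET /myphp.php?id=104 HTTP/1.1" 200 48120 "-" "Mozilla/5.0"
192.168.0.100 - - [01/Jan/2024:10:01:09 +0000] "GET /myphp.php?id=108 HTTP/1.1" 200 22000 "-" "Mozilla/5.0"
192.168.0.100 - - [01/Jan/2024:10:02:11 +0000] "GET /images/e1a9d5f33b65b29243ca47bd3f5fd3af.jpg HTTP/1.1" 200 9184 "-" "Mozilla/5.0"
192.168.0.100 - - [01/Jan/2024:10:05:30 +0000] "GET /images/f6af844136a85c964355ae9578923323.php HTTP/1.1" 200 9 "-" "Mozilla/5.0"
192.168.0.100 - - [01/Jan/2024:10:06:02 +0000] "GET /images/dirlist.txt HTTP/1.1" 200 1201 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
UPLOAD_DIR = "/images/"  # where upload.php stores files
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}
SCRIPT_EXTS = {"php", "phtml", "php3", "php5", "phar"}
PROBE_THRESHOLD = 3  # distinct id values from one client before alerting


def detect(log_text: str) -> list:
    """Return (client_ip, rule, detail) for each suspicious request or client."""
    alerts = []
    probes = defaultdict(set)  # client ip -> distinct id values requested
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the detector
        ip, path, status = m["ip"], m["path"], m["status"]
        url_path, _, query = path.partition("?")
        if url_path.startswith(UPLOAD_DIR):
            ext = url_path.rsplit(".", 1)[-1].lower() if "." in url_path else ""
            if ext in SCRIPT_EXTS and status == "200":
                alerts.append((ip, "script-executed-from-upload-dir", url_path))
            elif ext not in IMAGE_EXTS:  # .txt drops, or a bare directory listing
                alerts.append((ip, "non-image-in-upload-dir", url_path))
        if url_path.endswith("/myphp.php") or url_path.endswith("/myphp"):
            id_val = re.search(r"(?:^|&)id=([^&]*)", query)
            if id_val:
                probes[ip].add(id_val.group(1))
    for ip, ids in probes.items():
        if len(ids) >= PROBE_THRESHOLD:
            alerts.append((ip, "phpinfo-id-probing", f"{len(ids)} distinct id values"))
    return alerts


if __name__ == "__main__":
    for ip, rule, detail in detect(SAMPLE_LOG):
        print(f"{ip}\t{rule}\t{detail}")
```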

References:

https://bechtsoudis.com/work-stuff/challenges/drunk-admin-web-hacking-challenge/