# Lessons Learned

- xxx

---

# After-Action Attack Sequence

- BLUF: xxx
- xxx

---

# Discover Ports & Services

- `ping` test
  ![[images/Pasted image 20260611181242.png]]
- `nmap` scan - light
  ![[images/Pasted image 20260611181259.png]]
- `nmap` scan - detailed
  ![[images/Pasted image 20260611181338.png]]
- `nmap` scan - UDP

---

# Service Enum

## Port 80 (http): nginx

### Initial Enum

- visit site
  ![[images/Pasted image 20260612190914.png]]
- `request:response` in burp
  ![[images/Pasted image 20260612183649.png]]
- source code
  - `hall of fame` is interesting; maybe an IDOR?

### Secondary Enum

- garbage page > redirects to `/404`
  ![[images/Pasted image 20260612193319.png]]
- `robots.txt` and `sitemap.xml` > both redirect to `/404`
- `index.html` and `index.php` > both redirect to `/404`
- tech stack fingerprint
  - `whatweb` scan
    ![[images/Pasted image 20260612193521.png]]

### Fuzzing

- directory
  ![[images/Pasted image 20260612193805.png]]
  - `/api` recursive - had issues with `feroxbuster` > maybe because it uses the GET method by default
- subdomain
  ![[images/Pasted image 20260612194518.png]]
- vhost
  ![[images/Pasted image 20260612194454.png]]

### `/login`

- visit page
  ![[images/Pasted image 20260612191028.png]]
- `request:response` in burp
  ![[images/Pasted image 20260612191103.png]]
- forgot password appears broken

### `/api`

- initial visit to home page had API indications > both 301 redirects
  ![[images/Pasted image 20260612191232.png]]

### `/invite`

- looks very inviting > based on text: "hack your way in :)"
  ![[images/Pasted image 20260612191939.png]]
- `request:response` in burp
  ![[images/Pasted image 20260612192043.png]]
- view source
  ![[images/Pasted image 20260612192232.png]]
  - looks like it sends a POST to `/api/v1/invite/verify` with a JSON payload to verify the code
    ![[images/Pasted image 20260612192927.png]]

### `/register`

- visit page
  ![[images/Pasted image 20260612192345.png]]
- looks like this may need a valid invite code
  ![[images/Pasted image 20260612192451.png]]
  - NOTE: interesting that the `invite code` field is blanked out > the input is `readonly`
    ![[images/Pasted image 20260612193137.png]]
- sends a POST to `/api/v1/user/register`
  ![[images/Pasted image 20260612192544.png]]
- also, the error page corresponds to a GET request with the `error` parameter
  ![[images/Pasted image 20260612192650.png]]

---

# Things to try

- default creds against `/login`
- SQLi against `/login`
- test API endpoints

---

# Revisit `/invite`

- view JS files in dev tools
- de-obfuscate `htb-frontend.min.js` and `inviteapi.min.js` > `.min` indicates that the code is minified or obfuscated

## Inspect `inviteapi.min.js`

- deobfuscated version reveals `verifyinvitecode` and `makeinvitecode` functions
  ![[images/Pasted image 20260612201706.png]]
- obviously we need to generate ourselves an invite code

## Interact with `/api/v1/invite/how/to/generate`

- send a request with a blank JSON payload
  ![[images/Pasted image 20260612202157.png]]
- this gives us ROT13-encoded data (ROT13 is an encoding, not encryption)
- decode the ROT13 data
  ![[images/Pasted image 20260612202344.png]]

## Interact with `/api/v1/invite/generate`

- send a POST request to `/api/v1/invite/generate`
  ![[images/Pasted image 20260612202439.png]]
- base64 decode the code
  ![[images/Pasted image 20260612205718.png]]
- after base64 decoding and entering the code into `/invite`, we are redirected to `/register` where the readonly invite code field is now populated
  ![[images/Pasted image 20260612202635.png]]

---

# Foothold

- after using the invite code to register an account, we are in a dashboard
  ![[images/Pasted image 20260612204856.png]]
- looks like there's a security bug at play
  ![[images/Pasted image 20260612205201.png]]
- maybe it's in `/home/access`
  ![[images/Pasted image 20260612205314.png]]
- connection pack hits `/api/v1/user/vpn/generate`

---

# Privesc

- xxx
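---

Added worked example (not part of the original notes) for the two `Interact with /api/v1/invite/...` steps above: it parses the two API responses and reverses the ROT13 and base64 layers, which makes the defensive point concrete that both are reversible encodings, so an unauthenticated "how to generate" hint plus a "generate" endpoint provides no secrecy at all. The JSON field names (`data`, `enctype`, `code`) and the sample bodies are assumptions constructed for the example, not captured from the box.

```python
import base64
import json
import string

# Assumed response shapes (field names are assumptions, not taken from the notes):
#   how/to/generate -> {"data": {"data": "<rot13 text>", "enctype": "ROT13"}}
#   generate        -> {"data": {"code": "<base64 text>"}}


def rot13(text: str) -> str:
    """ROT13 is a fixed 13-place alphabet shift: it obscures text, it does not encrypt it."""
    upper, lower = string.ascii_uppercase, string.ascii_lowercase
    shifted = upper[13:] + upper[:13] + lower[13:] + lower[:13]
    return text.translate(str.maketrans(upper + lower, shifted))


def decode_field(value: str, enctype: str) -> str:
    """Reverse whichever encoding the API announces in its enctype field."""
    enctype = enctype.upper()
    if enctype == "ROT13":
        return rot13(value)
    if enctype == "BASE64":
        return base64.b64decode(value, validate=True).decode()
    raise ValueError(f"unsupported enctype: {enctype}")


def decode_how_to(raw_json: str) -> str:
    """Recover the plaintext hint from a how/to/generate response body."""
    data = json.loads(raw_json)["data"]
    return decode_field(data["data"], data["enctype"])


def decode_invite_code(raw_json: str) -> str:
    """Recover the usable invite code from a generate response body."""
    data = json.loads(raw_json)["data"]
    return decode_field(data["code"], "BASE64")


# Constructed sample bodies in the assumed shape; nothing here was captured from a target.
HOW_TO_HINT = "POST to /api/v1/invite/generate to receive a code"
HOW_TO_RESPONSE = json.dumps(
    {"success": 1, "data": {"data": rot13(HOW_TO_HINT), "enctype": "ROT13"}}
)
INVITE_CODE = "CONSTRUCTED-INVITE-CODE-1234"
GENERATE_RESPONSE = json.dumps(
    {"success": 1, "data": {"code": base64.b64encode(INVITE_CODE.encode()).decode()}}
)

if __name__ == "__main__":
    print("hint:", decode_how_to(HOW_TO_RESPONSE))
    print("code:", decode_invite_code(GENERATE_RESPONSE))
```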