IDOR Vulnerability

By on

In this blog:

  • NMAP.
  • Inspecting page source.
  • Hash-identifier.
  • Crackstation.net and Cyberchef.
  • Link to the room at the end.

Running NMAP


Starting the attackbox, we can start an nmap scan with the supplied IP address which shows that the http service on port 80 is open.

Scanning for hosts using nmap.
Scanning for hosts using NMAP.



Inspecting page source

So when accessing the website, all we see is a generic website with an image. 

Home page.


Clicking CTRL+U (or right click + view page source) takes us to this page which shows some hash values seemingly pointing to each of the doors. 



Image showing website page source.
Viewing the page source.



Hash identifier


I will be opening up my Kali Linux machine in virtual box to try and test the hashed values to identify the hash algorithm so I can find out what value (if any) the hashed strings are referring to in the Query component of the URL. 


Trying one of the strings shows us that it is in fact an MD5 hash. 


Image showing hash-identifier.
Using hash-identifier.




Crackstation.net and cyberchef


Trying one of the strings in crackstation.net, we get that they are referring to certain values that are given to each door. The value for this door is 2. 


Image showing Crackstation.
Crackstation.net. Click to go to the website.


We can use Cyberchef to input custom values and output an MD5 hash that we can inject into the query and find the flag. 

Typing 2 into the input gives us the same hash as the one we see in crackstation.net. 


So trying the number 0 we get this hash ➡️


Image showing Crackstation.
Checking other values.


Putting the string in crackstation.net confirms that the value is 0. 

 

Image showing Crackstation.
Checking the hash value in Crackstation again.

Copying this into the Query after the IP address in the URL, retrieves us our flag. 


Image showing flag.
Finding the flag.





Try the room yourself here ➡️


Shone is a Cyber Security student at the Manchester Metropolitan University. Shone started writing blogs to document his own learning and help others along the way.

Comments

Post a Comment

Popular posts from this blog

Connecting Metasploitable to Kali Linux

By on
Image
  In this blog: Pre-text. Setting up NAT Network. Connected. What's next? This blog is one of a 4 part series in Metasploitable. Click here to see how to run a DOS attack on Metasploitable. Click here to see how to deface Metasploitable's webpage. Click here to see how to fix a common timer error that occurs during bootup .  Pre-text This blog comes after the tutorial on creating a Metasploitable virtual machine and solving the kernel timer error. Setting up a NAT Network In our Linux machine, I checked the network interfaces on the system and I have a tunnel connection that I set up earlier for Openvpn access.  To terminate this connection, type ➡️  sudo killall openvpn . Killing Openvpn connections. Now to connect the metasploitable machine to the kali Linux machine we must create a NAT Network.  We want to make sure that the machine is not able to communicate with connections outside the host. Go to file ➡️...
Read more

Fixing kernel timer error in Metasploitable

By on
Image
In this blog: Disclaimer. Fixing the kernel timer error. What's next? This blog is one of a 4 part series in Metasploitable. Click here to see how to run a DOS attack on Metasploitable. Click here to see how to deface Metasploitable's webpage. Click here to see how to set up a Metasploitable lab . Click here to see how to connect Metasploitable with Kali Linux . Disclaimer The solution given in this blog is for the kernel timer error that is caused by a misconfiguration in the kernel boot settings in the BIOS. The solution is not permanent and you must complete the steps each time you start a new session. Fixing timer errors To start the virtual machine, go back to VirtualBox and click start. When starting, if you get this kernel panic – not syncing error message, follow these steps ➡️  Kernel panick error message. Go to settings, system and double the base memory to 2048MB. Doubling base memory. Provide the machine with two processors instead of one and click OK.  Doubling p...
Read more

Wireshark alternative ➡️ tcpdump (Linux)

By on
Image
In this blog: What is tcpdump? Installation. Usage. Saving captures to a file. Filtering output. Expressions. Understanding the output. Packet content.   The end? See my Wireshark blog here. See my blog on uncovering network attacks using Wireshark here.                                   What is tcpdump? Tcpdump is a command line alternative to Wireshark and runs natively on Linux based operating systems.  The tool is not as feature rich as Wireshark but can be faster and more efficient in capturing and displaying packets, hence why many network admins and security professionals like using tcpdump for quick analysis.  Being a command line tool allows it to be run on remote servers to troubleshoot networks where a gui may not be available. The .PCAP files can then be analysed with Wireshark later. Most Linux distributions come with tcpdump installed, so your distro might already have it d...
Read more