FluxCapacitor – HacktheBox
With 1 day left until the box retires, this is the first time I've looked at it. I will give it a go and see how far I get.
START
Quick scan to see what ports are open.
[root:~/Desktop/FluxCapacitor]# nmap -F 10.10.10.69
Starting Nmap 7.70SVN ( https://nmap.org ) at 2018-05-11 11:06 BST
Nmap scan report for 10.10.10.69
Host is up, received echo-reply ttl 63 (0.031s latency).
Not shown: 99 closed ports
Reason: 99 resets
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 63
Nmap done: 1 IP address (1 host up) scanned in 1.78 seconds
Port 80 is open, so let's kick off a more detailed scan while I poke about to see what I can find on port 80. The scans I started are listed below.
I loaded up a browser and got this webpage.
The source looked like this. Notice the tags starting with <em> – very funny.
<!DOCTYPE html>
<html>
<head>
<title>Keep Alive</title>
</head>
<body>
OK: node1 alive
<!-- Please, add timestamp with something like:
<script>
$.ajax({ type: "GET", url: '/sync' });
</script>
-->
<hr/>
FluxCapacitor Inc. info@fluxcapacitor.htb - http://fluxcapacitor.htb<br>
<em><met><doc><brown>Roads? Where we're going, we don't need roads.</brown></doc></met></em>
</body>
</html>
While I was poking about I ran Dirbuster, Gobuster and Dirsearch one after another; all came back with 3 pages which I didn't have permission to view.
[root:~]# dirsearch -u 10.10.10.69 -e php -w /usr/share/wfuzz/wordlist/general/megabeast.txt -t 100

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: php | Threads: 100 | Wordlist size: 20469
Error Log: /pentest/intelligence-gathering/dirsearch/logs/errors-18-05-11_13-52-07.log
Target: 10.10.10.69

[13:52:17] 403 - 577B - /synchronism
[13:52:17] 403 - 577B - /synchronization
[13:52:17] 403 - 577B - /synchronizer
[13:52:17] 403 - 577B - /synchronize
[13:52:17] 403 - 577B - /synchronizers
[13:52:17] 403 - 577B - /synchronized
[13:52:17] 403 - 577B - /synchronizes
[13:52:17] 403 - 577B - /synchronizing
[13:52:17] 403 - 577B - /synchronously
[13:52:17] 403 - 577B - /synchrony
[13:52:17] 403 - 577B - /synchrotron
[13:52:17] 403 - 577B - /synchronous
[13:52:17] 403 - 577B - /syncopate

Task Completed
I browsed to all the pages listed here and got a 403 Forbidden error. Just a note: if anyone knows a script that can take a file as input, say the list of directories above, and check what message you get back from the website for each one, let me know.
I opened Burp and checked the responses. As you can see, the Server is SuperWAF – some sort of Web Application Firewall. Google does not tell me what exactly SuperWAF is, so my thoughts lead me to think it is just a custom name for a server that is acting as a firewall – I may be wrong here.
Just a side note: curl -v would have given me the same output.
[root:~/Desktop/FluxCapacitor]# curl -v 10.10.10.69
* Rebuilt URL to: 10.10.10.69/
*   Trying 10.10.10.69...
* TCP_NODELAY set
* Connected to 10.10.10.69 (10.10.10.69) port 80 (#0)
> GET / HTTP/1.1
> Host: 10.10.10.69
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 11 May 2018 13:04:06 GMT
< Content-Type: text/html
< Content-Length: 395
< Last-Modified: Tue, 05 Dec 2017 16:02:29 GMT
< Connection: keep-alive
< ETag: "5a26c315-18b"
< Server: SuperWAF
< Accept-Ranges: bytes
<
<!DOCTYPE html>
<html>
<head>
<title>Keep Alive</title>
</head>
<body>
OK: node1 alive
<!-- Please, add timestamp with something like:
<script>
$.ajax({ type: "GET", url: '/sync' });
</script>
-->
<hr/>
FluxCapacitor Inc. info@fluxcapacitor.htb - http://fluxcapacitor.htb<br>
<em><met><doc><brown>Roads? Where we're going, we don't need roads.</brown></doc></met></em>
</body>
</html>
* Connection #0 to host 10.10.10.69 left intact
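The script asked for above, as an added example (my code, not from the original post): it pulls the paths out of dirsearch-style output (or a plain one-path-per-line file), requests each against a base URL, and reports the status, the Server header and the first line of the response body, so the 403 pages and their SuperWAF header can be reviewed in one pass. The `path-checker` User-Agent string is an assumed value.

```python
import re
import sys
import urllib.error
import urllib.request

# dirsearch result lines look like: "[13:52:17] 403 - 577B - /synchronism"
DIRSEARCH_LINE = re.compile(r"\[\d\d:\d\d:\d\d\]\s+\d{3}\s+-\s+\S+\s+-\s+(/\S*)")


def extract_paths(text):
    """Paths from dirsearch output, or from a plain one-path-per-line file; de-duplicated."""
    hits = [m.group(1) for m in DIRSEARCH_LINE.finditer(text)]
    if not hits:  # no dirsearch lines: treat every non-empty line as a path
        hits = ["/" + ln.strip().lstrip("/") for ln in text.splitlines() if ln.strip()]
    return list(dict.fromkeys(hits))  # drop duplicates, keep order


def fetch(url):
    """Default transport: (status, Server header, body). 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "path-checker"})  # assumed UA
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Server", ""), resp.read(400).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Server", ""), err.read(400).decode("utf-8", "replace")


def check_paths(base_url, paths, transport=fetch):
    """Request each path; return {path: (status, server, first body line with tags stripped)}."""
    results = {}
    for path in paths:
        status, server, body = transport(base_url.rstrip("/") + path)
        text = re.sub(r"<[^>]+>", " ", body)  # collapse an HTML error page to its message text
        first = next((ln.strip() for ln in text.splitlines() if ln.strip()), "")
        results[path] = (status, server, first)
    return results


if __name__ == "__main__":
    # usage: python check_paths.py http://10.10.10.69 dirsearch_output.txt
    base, listing = sys.argv[1], open(sys.argv[2]).read()
    for path, (status, server, msg) in check_paths(base, extract_paths(listing)).items():
        print(f"{status} {server:10} {path:25} {msg[:60]}")
```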
I looked for nmap scripts that detect what type of firewall it is and ran them. Not sure why they didn't work.
[root:~/Desktop/FluxCapacitor]# locate .nse | grep waf
/pentest/vulnerability-analysis/nmap/scripts/http-waf-detect.nse
/pentest/vulnerability-analysis/nmap/scripts/http-waf-fingerprint.nse
[root:~/Desktop/FluxCapacitor]# nmap -p80 --script=http-waf-detect.nse 10.10.10.69
Starting Nmap 7.70SVN ( https://nmap.org ) at 2018-05-11 14:09 BST
Nmap scan report for fluxcapacitor.htb (10.10.10.69)
Host is up, received reset ttl 63 (0.030s latency).
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 63
Nmap done: 1 IP address (1 host up) scanned in 0.99 seconds
[root:~/Desktop/FluxCapacitor]# nmap --script=http-waf-fingerprint 10.10.10.69
Starting Nmap 7.70SVN ( https://nmap.org ) at 2018-05-11 14:11 BST
Nmap scan report for fluxcapacitor.htb (10.10.10.69)
Host is up, received reset ttl 63 (0.030s latency).
Not shown: 998 closed ports, 1 filtered port
Reason: 998 resets and 1 no-response
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 63
Nmap done: 1 IP address (1 host up) scanned in 2.84 seconds
I was expecting something like this as per the nmap manual.
Script Output
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-waf-fingerprint:
|   Detected WAF
|_    BinarySec version 3.2.2
Clearly there is a firewall that is stopping me from getting access to it. How to bypass it is the problem. I'm pretty sure there are no other vectors I should be attacking.
Back from Google land, I found a tool in Kali that will test whether I'm behind a WAF for sure.
[root:~/Desktop/FluxCapacitor]# wafw00f 10.10.10.69

                                 ^     ^
        _   __  _   ____ _   __  _    _   ____
       ///7/ /.' \ / __////7/ /,' \ ,' \ / __/
       | V V // o // _/ | V V // 0 // 0 // _/
       |_n_,'/_n_//_/   |_n_,' \_,' \_,'/_/
                                <
                                 ...'

    WAFW00F - Web Application Firewall Detection Tool

    By Sandro Gauci && Wendel G. Henrique

Checking http://10.10.10.69
Generic Detection results:
No WAF detected by the generic detection
Number of requests: 14
What the hell! No WAF detected! Crikey, this is stumping me. I'm going to go with my (big) gut and assume that the above tool is wrong.
I found this pdf document on the OWASP website – link below. The <script>alert(1);<script> reminded me of the note in the index.html page.
It looks like I have to inject a payload to bypass the firewall. Perhaps I could inject a reverse shell. Back to my notes and Google while I figure this out.
I Googled 'OK: node1 alive' to see if that was the output of a known service or script, but I couldn't find anything – other than people struggling on the hackthebox forums with this machine. Reviewing the page source again, I didn't understand what it meant by adding a timestamp.
<!-- Please, add timestamp with something like:
<script>
$.ajax({ type: "GET", url: '/sync' });
</script>
-->
I tried in Burp to see what response I’d get.
I Googled to see what the response meant by 'padding to disable…' and it seems that the dev put that in to force the 403 error – so Chrome or MSIE would not use their own 'you don't have access to this page' page. So I searched for OpenResty and couldn't find any exploits.
So I'd like to say that time beat me on this box, but unfortunately I've hit a wall – a virtual one, a WAF. Once the machine is retired I'll update this post. Sad beep.