FluxCapacitor – HacktheBox
With 1 day left until the box has retired this is the first time I’ve looked at this box. I will give it a go to see how far I get.
START
Quick scan to see what ports are open.
[root:~/Desktop/FluxCapacitor]# nmap -F 10.10.10.69 Starting Nmap 7.70SVN ( https://nmap.org ) at 2018-05-11 11:06 BST Nmap scan report for 10.10.10.69 Host is up, received echo-reply ttl 63 (0.031s latency). Not shown: 99 closed ports Reason: 99 resets PORT STATE SERVICE REASON 80/tcp open http syn-ack ttl 63 Nmap done: 1 IP address (1 host up) scanned in 1.78 seconds
Port 80 is open, lets kick off a more detailed scan while I poke about to see what I can see through port 80. The scans I started are listed below.
I loaded up a browser and got this webpage
The source looked like this. Notice the tags starting with <em> – very funny.
<!DOCTYPE html> <html> <head> <title>Keep Alive</title> </head> <body> OK: node1 alive <!-- Please, add timestamp with something like: <script> $.ajax({ type: "GET", url: '/sync' }); </script> --> <hr/> FluxCapacitor Inc. info@fluxcapacitor.htb - http://fluxcapacitor.htb<br> <em><met><doc><brown>Roads? Where we're going, we don't need roads.</brown></doc></met></em> </body> </html>
While I was poking about I ran Dirbuster, Gobuster and Dirsearch one after another all came back with 3 pages which I didn’t have permission to view.
[root:~]# dirsearch -u 10.10.10.69 -e php -w /usr/share/wfuzz/wordlist/general/megabeast.txt -t 100 _|. _ _ _ _ _ _|_ v0.3.8 (_||| _) (/_(_|| (_| ) Extensions: php | Threads: 100 | Wordlist size: 20469 Error Log: /pentest/intelligence-gathering/dirsearch/logs/errors-18-05-11_13-52-07.log Target: 10.10.10.69 [13:52:17] 403 - 577B - /synchronism [13:52:17] 403 - 577B - /synchronization [13:52:17] 403 - 577B - /synchronizer [13:52:17] 403 - 577B - /synchronize [13:52:17] 403 - 577B - /synchronizers [13:52:17] 403 - 577B - /synchronized [13:52:17] 403 - 577B - /synchronizes [13:52:17] 403 - 577B - /synchronizing [13:52:17] 403 - 577B - /synchronously [13:52:17] 403 - 577B - /synchrony [13:52:17] 403 - 577B - /synchrotron [13:52:17] 403 - 577B - /synchronous [13:52:17] 403 - 577B - /syncopate Task Completed
I browsed to all pages listed here and got a 403 forbidden error. Just a note, if anyone knows a script that can take the input of a file say the list of directories above and check to see what message you get from the website, let me know.
I opened Burp and checked the responses. As you can see the Server is SuperWAF – some sort of Web Application Firewall. Google does not tell me what exactly is SuperWAF therefore my thoughts lead me to think it just a custom name for a server that is acting as a firewall – I maybe wrong here.
Just a side note curl -v would have gave me the same output
[root:~/Desktop/FluxCapacitor]# curl -v 10.10.10.69
* Rebuilt URL to: 10.10.10.69/
* Trying 10.10.10.69...
* TCP_NODELAY set
* Connected to 10.10.10.69 (10.10.10.69) port 80 (#0)
> GET / HTTP/1.1
> Host: 10.10.10.69
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 11 May 2018 13:04:06 GMT
< Content-Type: text/html
< Content-Length: 395
< Last-Modified: Tue, 05 Dec 2017 16:02:29 GMT
< Connection: keep-alive
< ETag: "5a26c315-18b"
< Server: SuperWAF
< Accept-Ranges: bytes
<
<!DOCTYPE html>
<html>
<head>
<title>Keep Alive</title>
</head>
<body>
OK: node1 alive
<!--
Please, add timestamp with something like:
<script> $.ajax({ type: "GET", url: '/sync' }); </script>
-->
<hr/>
FluxCapacitor Inc. info@fluxcapacitor.htb - http://fluxcapacitor.htb<br>
<em><met><doc><brown>Roads? Where we're going, we don't need roads.</brown></doc></met></em>
</body>
</html>
* Connection #0 to host 10.10.10.69 left intact
I looked for nmap scripts to detect what type of firewall and ran them. Not sure why they didn’t work.
[root:~/Desktop/FluxCapacitor]# locate .nse | grep waf /pentest/vulnerability-analysis/nmap/scripts/http-waf-detect.nse /pentest/vulnerability-analysis/nmap/scripts/http-waf-fingerprint.nse [root:~/Desktop/FluxCapacitor]# nmap -p80 --script=http-waf-detect.nse 10.10.10.69 Starting Nmap 7.70SVN ( https://nmap.org ) at 2018-05-11 14:09 BST Nmap scan report for fluxcapacitor.htb (10.10.10.69) Host is up, received reset ttl 63 (0.030s latency). PORT STATE SERVICE REASON 80/tcp open http syn-ack ttl 63 Nmap done: 1 IP address (1 host up) scanned in 0.99 seconds [root:~/Desktop/FluxCapacitor]# nmap --script=http-waf-fingerprint 10.10.10.69 Starting Nmap 7.70SVN ( https://nmap.org ) at 2018-05-11 14:11 BST Nmap scan report for fluxcapacitor.htb (10.10.10.69) Host is up, received reset ttl 63 (0.030s latency). Not shown: 998 closed ports, 1 filtered port Reason: 998 resets and 1 no-response Some closed ports may be reported as filtered due to --defeat-rst-ratelimit PORT STATE SERVICE REASON 80/tcp open http syn-ack ttl 63 Nmap done: 1 IP address (1 host up) scanned in 2.84 seconds
I was expecting something like this as per the nmap manual.
Script Output PORT STATE SERVICE REASON 80/tcp open http syn-ack | http-waf-fingerprint: | Detected WAF |_ BinarySec version 3.2.2
Clearly there is a firewall that is stopping me getting access to it. How to bypass it is the problem. I’m pretty sure there are no other vectors I should be attacking.
Back from the Google land I found a tool in Kali that will test to see if I’m behind a WAF for sure.
[root:~/Desktop/FluxCapacitor]# wafw00f 10.10.10.69 ^ ^ _ __ _ ____ _ __ _ _ ____ ///7/ /.' \ / __////7/ /,' \ ,' \ / __/ | V V // o // _/ | V V // 0 // 0 // _/ |_n_,'/_n_//_/ |_n_,' \_,' \_,'/_/ < ...' WAFW00F - Web Application Firewall Detection Tool By Sandro Gauci && Wendel G. Henrique Checking http://10.10.10.69 Generic Detection results: No WAF detected by the generic detection Number of requests: 14
What the hell! No WAF detected! Cricky this is stumping me. I’m going to go with my (big) gut and assume that the above tool is wrong.
I found this pdf document on owasp website – link below. The <script>alert(1);<script> reminded me of the note in the index.html page.
It looks like I have to inject a payload to bypass the firewall. Perhaps I could inject a reverse shell. Back to my notes and Google while i figure this out.
I Googled ‘OK: node1 alive‘ to see if that was the output of a known service or script but I couldn’t find anything – other than people struggling on the hackthebox forums with this machine. Reviewing the source page again I didn’t understand what it meant by adding a timestamp.
<!-- Please, add timestamp with something like: <script> $.ajax({ type: "GET", url: '/sync' }); </script> -->
I tried in Burp to see what response I’d get.
I Googled to see what the response meant by ‘padding to disable…’ and it seems that the dev put that in to force the 403 error – so Chrome or MSIE would not use their own ‘you don’t have access to this page, page. So I searched for OpenResty and couldn’t find any exploits.
So I’d like to say that time beat me on this box but unfortunately I’ve hit a wall – a virtual one WAF. Once the machine is retired I’ll update this post. Sad Beep