Try it out: TryHackMe - WebAppSec 101
[Task 1] Basic Description & Objectives

First, we need to deploy the machine.
[Task 2] Walking Through the Application
- What version of Apache is being used?
Use curl -I http://machine_ip to send a HEAD request and display only the response headers.
HTTP/1.1 200 OK
Date: Fri, 26 Jun 2020 15:41:24 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.24
Set-Cookie: PHPSESSID=o5pm3qe52k1a6nnhhp0f2q2jq7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
The version of Apache used is 2.4.7.
- What language was used to create the website? - PHP
- What version of this language is used? - 5.5.9
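From the defender's side, the same headers can be checked automatically. The script below is an added example, not part of the original walkthrough: it flags version disclosure in Server and X-Powered-By and missing cookie attributes. The function names are assumptions, and the sample input is the curl output above, trimmed.

```python
import re

# Sample input: the curl -I response shown above, trimmed to the relevant headers.
SAMPLE = """\
HTTP/1.1 200 OK
Date: Fri, 26 Jun 2020 15:41:24 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.24
Set-Cookie: PHPSESSID=o5pm3qe52k1a6nnhhp0f2q2jq7; path=/
Content-Type: text/html
"""

# Matches a product/version token such as "Apache/2.4.7".
VERSIONED = re.compile(r"[A-Za-z][\w.-]*/\d[\w.+~-]*")


def parse_headers(raw):
    """Return (name, value) pairs, keeping duplicates such as Set-Cookie."""
    pairs = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(raw):
    """List header findings: version disclosure and missing cookie flags."""
    findings = []
    for name, value in parse_headers(raw):
        if name in ("server", "x-powered-by"):
            for token in VERSIONED.findall(value):
                findings.append(f"{name} discloses {token}")
        elif name == "set-cookie":
            cookie = value.split("=", 1)[0]
            # Attribute names after the first ";" (e.g. path, httponly).
            attrs = {a.strip().split("=")[0].lower()
                     for a in value.split(";")[1:]}
            for flag in ("httponly", "secure", "samesite"):
                if flag not in attrs:
                    findings.append(f"cookie {cookie} lacks {flag}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On Apache and PHP, the disclosure findings are addressed with ServerTokens Prod and expose_php = Off, and the cookie findings with the session.cookie_httponly, session.cookie_secure and session.cookie_samesite settings.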
[Task 4] Authentication

- What is the admin username?
Tried with the default one - it worked!
Answer: admin
- What is the admin password?
Default one again.
Answer: admin
We can also use Hydra to brute-force the password:
hydra -l admin -P /usr/share/dirb/wordlists/small.txt machine_ip http-post-form "/admin/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed" -V
- What is the name of the cookie that can be manipulated? - session
- What is the username?
After creating an account, we can change the user by manipulating the userid parameter:
http://machine_ip/users/sample.php?userid=1
Found the user bryce at http://machine_ip/users/sample.php?userid=11.
- What is the corresponding password to the username?
Tried bryce as the password and it worked!
Hope you all enjoyed going through this walkthrough.
Happy Hacking!
