TryHackMe: Advent of Cyber 2 Walkthrough (Incomplete)

TheCyberWarrior
4 min read · Aug 16, 2022


The Advent of Cyber 2

We will be solving the #adventofcyber2 room from TryHackMe. The progress will be posted every day.

Task 6 (Day 1): A Christmas Crisis

On day 1, we learn briefly about the web, the HTTPS protocol and cookies. Cookies are small pieces of information stored on our computer and sent to the server along with every request we make. Authentication (or session) cookies are used to identify us (these will be very important in our mission today!). The server receives our request with the attached cookie, checks the cookie to see what level of access we are allowed to have, and returns a response appropriate to that level of access.

It’s important to note that cookies are stored locally on your computer. This means that they are under our control — i.e. we can add, edit, or delete them as we wish. This is done with the browser’s Developer Tools, which can be opened by right-clicking and choosing ‘Inspect Element’, or by pressing F12 or Ctrl+Shift+I. With the developer tools open, navigate to the Storage tab in Firefox, or the Application tab in Chrome/Edge, and select the Cookies menu on the left-hand side of the console.

Q&A

  1. Deploy your AttackBox (the blue “Start AttackBox” button) and the task’s machine (the green button on this task) if you haven’t already. Once both have deployed, open Firefox on the AttackBox and paste the machine’s IP into the browser address bar. No answer needed.
  2. Register for an account, and then log in. What is the name of the cookie used for authentication? Answer: a**h (check the Cookies section for ‘Name’).
  3. In what format is the value of this cookie encoded? Hint: hexad*****l
  4. Having decoded the cookie, what format is the data stored in? Answer: JSON
  5. What is the value of Santa’s cookie? Hint: open https://gchq.github.io/CyberChef/#recipe=From_Hex('Auto'), paste the cookie value into the input section and copy the output. Change the username in that output to santa and copy the whole text again. Then open https://online-toolz.com/tools/text-hex-convertor.php, paste the text into the input section, and the output is the answer.
  6. Now that you are the santa user, you can re-activate the assembly line! What is the flag you’re given when the line is fully active? Hint: replace the cookie’s value with Santa’s cookie value and refresh the page. Activate every option, and the flag appears.
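The hex-to-JSON round trip from question 5, and the reason the edited cookie is accepted, can be seen in a few lines of Python. This is an added example, not code from the room or the original post: the cookie contents, field names and server secret are constructed assumptions. The second half shows the defence the room’s application lacks, an HMAC tag over the cookie payload that the server checks before trusting the username it contains.

```python
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample: an unsigned, hex-encoded JSON session cookie of the kind
# described in Day 1. The field names and values are assumptions, not the room's.
SAMPLE_COOKIE = binascii.hexlify(
    json.dumps({"company": "Constructed Festival Co", "username": "elf"}).encode()
).decode()

def decode_cookie(cookie_hex: str) -> dict:
    """Hex -> JSON text -> dict: the same transformation as CyberChef's From_Hex."""
    return json.loads(binascii.unhexlify(cookie_hex).decode())

def encode_cookie(session: dict) -> str:
    """dict -> JSON text -> hex: the reverse direction used to rebuild a cookie."""
    return binascii.hexlify(json.dumps(session).encode()).decode()

def username_trusted_blindly(cookie_hex: str) -> str:
    """The weak server: whatever username comes back in the cookie is believed."""
    return decode_cookie(cookie_hex)["username"]

# Hardened version: the server appends an HMAC over the payload, keyed with a
# secret the client never sees, and refuses any cookie whose tag does not match.
SERVER_SECRET = b"assumed-server-side-secret"  # in practice: long, random, never shipped

def sign_cookie(session: dict) -> str:
    payload = encode_cookie(session)
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag

def verify_cookie(signed: str) -> Optional[dict]:
    """Return the session dict only when the tag verifies; None means reject."""
    payload, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decode_cookie(payload)

def demo() -> tuple:
    """Edit the username in the unsigned cookie, then try the same edit on a signed one."""
    session = decode_cookie(SAMPLE_COOKIE)
    edited = encode_cookie({**session, "username": "santa"})
    accepted_unsigned = username_trusted_blindly(edited)   # the edit is simply believed
    signed = sign_cookie(session)
    old_tag = signed.rpartition(".")[2]
    forged_signed = edited + "." + old_tag                  # new payload, stale tag
    return accepted_unsigned, verify_cookie(signed)["username"], verify_cookie(forged_signed)

if __name__ == "__main__":
    print(demo())  # ('santa', 'elf', None)
```

The point of the comparison is that hex is an encoding, not a protection: anything the browser can decode, it can re-encode. Only a server-side secret that the client never holds makes the cookie tamper-evident, and `hmac.compare_digest` keeps the tag check constant-time.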

Task 7 (Day 2): The Elf Strikes Back!

On day 2, we learn about the ‘File Upload’ vulnerability and its exploitation, and about GET parameters and URLs. The vulnerability we use is a weak ‘File Extension Filter’. File extension filtering, as the name suggests, checks the file extension of uploaded files. This is often done by specifying a list of allowed extensions and then checking the uploaded file’s extension against that list. If the extension is not in the allowlist, the upload is rejected.

So, what’s the bypass? Well, the answer is that it depends entirely on how the filter is implemented. Many extension filters split a filename at the dot (.) and check what comes after it against the list. This makes them very easy to bypass by uploading a file with a double-barrelled extension (e.g. .jpg.php). The filter splits at the dot(s), takes the first part after the dot as the extension, and checks that against the list. If jpg is an allowed extension, the upload succeeds and our malicious PHP script lands on the server.
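An added example (not code from the room or the original post) contrasting the weak filter just described with a stricter one. The allow-list, filename handling and sample bytes are assumptions; the PNG and JPEG magic bytes are the real file signatures. It goes a little beyond the page’s single .jpg.php case: the strict path also drops any directory component, discards the client-supplied filename entirely, and checks the content signature, so a correctly named file with non-image contents is rejected too.

```python
import hashlib
import posixpath
from typing import Optional

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png"}

# Real file signatures for the allowed image types (PNG header, JPEG SOI marker).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}

def weak_filter(filename: str) -> bool:
    """Assumed weak implementation, as described in the text: split on dots and
    treat the piece after the FIRST dot as the extension. 'shell.jpg.php' -> 'jpg'."""
    parts = filename.split(".")
    return len(parts) > 1 and parts[1].lower() in ALLOWED_EXTENSIONS

def strict_extension(filename: str) -> Optional[str]:
    """Return the lower-cased FINAL extension if allow-listed, else None.
    Any directory component is dropped first, so '../x.png' is judged as 'x.png'."""
    base = posixpath.basename(filename.replace("\\", "/"))
    root, dot, ext = base.rpartition(".")
    if not dot or not root:            # no extension, or a dotfile like '.htaccess'
        return None
    ext = ext.lower()
    return ext if ext in ALLOWED_EXTENSIONS else None

def accept_upload(filename: str, content: bytes) -> Optional[str]:
    """Full check: allow-listed final extension AND a matching content signature.
    Returns the server-chosen storage name, or None when the upload is rejected."""
    ext = strict_extension(filename)
    if ext is None or not content.startswith(MAGIC[ext]):
        return None
    # Never reuse the client's name: store under a content hash plus the validated extension.
    return hashlib.sha256(content).hexdigest()[:16] + "." + ext

# Constructed samples: a minimal PNG-looking header, and bytes that are not an image.
PNG_BYTES = MAGIC["png"] + b"\x00" * 16
NOT_AN_IMAGE = b"plain text, not an image"

if __name__ == "__main__":
    for name in ("holiday.png", "shell.jpg.php", "shell.php.jpg", "../../x.PNG", ".htaccess"):
        print(f"{name:16} weak={weak_filter(name)!s:5} strict={strict_extension(name)}")
    print(accept_upload("holiday.png", PNG_BYTES))       # <hash>.png
    print(accept_upload("shell.php.jpg", NOT_AN_IMAGE))  # None: name is fine, content is not
```

Note that `shell.php.jpg` passes the strict extension check on its own (its final extension really is jpg), which is why the content check and the server-generated storage name matter as well: the filter decides what is accepted, but the stored name and the web server’s handler mapping decide what gets executed.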

Putting it all together

This was a lot of information, so let’s put it all together and look at the full process for exploiting a file upload vulnerability in a PHP web application:

  1. Find a file upload point.
  2. Try uploading some innocent files — what does it accept? (Images, text files, PDFs, etc.)
  3. Find the directory containing your uploads.
  4. Try to bypass any filters and upload a reverse shell.
  5. Start a Netcat listener to receive the shell.
  6. Navigate to the shell in your browser and receive a connection!

Q&A

  1. What string of text needs adding to the URL to get access to the upload page? Hint: x.x.x.x/?id=[Assigned ID Number]
  2. What type of file is accepted by the site? Hint: .jpg, .png and .jpeg are extensions of the same file type.
  3. Bypass the filter and upload a reverse shell. In which directory are the uploaded files stored? Hint: the answer is in the ‘File Upload’ section.
  4. Activate your reverse shell and catch it in a netcat listener! Answer: use the command ‘sudo nc -nvlp 443’.
  5. What is the flag in /var/www/flag.txt? Hint: check the listener, and once you have access, run ‘cat /var/www/flag.txt’.
