Day 19 (Task 24) The Naughty or Nice List – Advent of Cyber2 TryHackMe

In this task we need to discover Santa’s password.  We have a website that will tell us whether or not we are on the naughty list.  From there we can craft a special URL in order to gain access to the password.  First let’s start off by scanning the host.

nmap -p- -sV -T4 --reason 10.10.2.51

Now let’s visit the website and see what is on there.

Looks like we can check if we are on the naughty or nice list and there is also an admin panel on the same page!  Let’s check if we are on the naughty or nice list.

The URL changes to use search.php to look for the name.  Let’s decode this to see what all the parameters are.  I’m going to use Burp Suite, but you could google HTML decoding as well.  Open Burp, click on the Decoder tab, enter the URL, and select Decode as HTML.

Interesting, it looks like we get redirected to http://list.hohoho:8080 and then call search.php to search for our hacker user.

Maybe we can change it to a different port number.  Try visiting the following link.

http://10.10.2.51/?proxy=http%3A%2F%2Flist.hohoho%3A80

We got an error; it appears that port 80 is not running an HTTP server.  Let’s try changing it to another port, such as SSH.

http://10.10.2.51/?proxy=http%3A%2F%2Flist.hohoho%3A22

It looks like we are accessing the machine over SSH; we just got a Recv failure since we are requesting a URL from an SSH port.  This makes sense because we saw that port 22 was open in the Nmap scan.  We can use Burp in order to enumerate all the open ports on the internal machine.

First generate a text file with numbers 1 through 65535 using the seq command in a Linux terminal.

seq 65535 > ports.txt

Now visit the link http://10.10.2.51/?proxy=http%3A%2F%2Flist.hohoho%3A22 and intercept the request in Burp.  Right-click and send it to Intruder.

Now click on the Positions tab, click Clear and highlight the 22 at the end of the link then click Add.  This is the port number we are trying to enumerate.

Now let’s click on the Payloads tab and click on Load.  Select the ports.txt file.  Finally, click Start attack.

As it runs we can click on Payloads and then on Render.  Looking at payload 22, the response length is different from the others.  Let’s sort by Length and check what the page says.

Other ports display the error message Failed to connect to list.hohoho port XYZ: Connection refused.  This means that the port is actually closed.  This is a great way to enumerate ports that do not respond to external requests but do respond to internal ones.

Let’s see if we can visit localhost or 127.0.0.1 to gain some internal access.

http://10.10.2.51/?proxy=http%3A%2F%2Flocalhost
http://10.10.2.51/?proxy=http%3A%2F%2F127.0.0.1

Looks like we get an error saying we were blocked by the security team.  It appears that you need to have list.hohoho in the URL.

We tried localhost, but what if we have the server query a DNS entry that resolves to 127.0.0.1 (localhost)?  We can use localtest.me, which resolves to 127.0.0.1.  We can test this on Windows using nslookup to verify it resolves to 127.0.0.1.

Great, let’s try out the link!

http://10.10.2.51/?proxy=http%3A%2F%2Flist.hohoho.localtest.me

We have a note from Elf McSkidy!  Looks like we were able to gain the password!
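Both tricks above (port enumeration through the proxy parameter and the list.hohoho.localtest.me bypass) work because the front end only checks that the string list.hohoho appears somewhere in the URL. The following added example is not part of the room or the walkthrough: it contrasts that substring check with a stricter one that parses the URL, requires the exact hostname and an allowed port, and resolves the name before proxying. The resolver table and the 192.0.2.10 address for list.hohoho are constructed so the code runs offline.

```python
"""Allowlist check for a ?proxy= parameter: weak substring match vs strict parse-and-resolve."""
from typing import Optional
from urllib.parse import urlparse, parse_qs
import ipaddress
import socket

ALLOWED_HOST = "list.hohoho"
ALLOWED_PORTS = {8080}   # the only port the front end should ever proxy to

# Constructed resolver table so the example runs offline; the address for
# list.hohoho is a placeholder, not a value from the room.
FAKE_DNS = {
    "list.hohoho": "192.0.2.10",
    "list.hohoho.localtest.me": "127.0.0.1",
    "localhost": "127.0.0.1",
}

def fake_resolve(host: str) -> str:
    return FAKE_DNS.get(host, host)   # IP literals pass through unchanged

def proxy_target(request_url: str) -> Optional[str]:
    """Pull the decoded ?proxy= value out of the front-end URL."""
    return parse_qs(urlparse(request_url).query).get("proxy", [None])[0]

def weak_check(target: str) -> bool:
    """Substring test of the kind the walkthrough infers: any URL containing
    'list.hohoho' passes, including list.hohoho:22 and list.hohoho.localtest.me."""
    return "list.hohoho" in target

def strict_check(target: str, resolve=socket.gethostbyname) -> bool:
    """Parse the URL, require the exact hostname and an allowed port, then
    resolve the name and refuse anything pointing back at loopback.
    Connect to the resolved IP afterwards (not the name) so a DNS rebind
    cannot change the answer between this check and the request."""
    parsed = urlparse(target)
    if parsed.scheme != "http" or parsed.hostname != ALLOWED_HOST:
        return False
    try:
        if (parsed.port or 80) not in ALLOWED_PORTS:
            return False
        addr = ipaddress.ip_address(resolve(parsed.hostname))
    except (socket.gaierror, ValueError):
        return False
    return not addr.is_loopback

if __name__ == "__main__":
    for t in ["http://list.hohoho:8080/search.php?name=hacker", "http://list.hohoho:22",
              "http://list.hohoho.localtest.me", "http://localhost"]:
        print(f"{t:45} weak={weak_check(t)!s:5} strict={strict_check(t, fake_resolve)}")
```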

Let’s log in with the username Santa and the password Be good for goodness sake!

Click on the DELETE NAUGHTY LIST Button and we get the final flag.

That wraps up Day 19, hope you learned a lot!