I digress. FreedomOfChoice would like us to hack into the admin area of the website, which he suggests is hidden somewhere in the directory structure. Upon visiting the application we are presented with the standard hate speech that the internet could use less of. At first glance, the website appears fairly basic, with only a few hyperlinks. We will need to delve a little deeper into the dark recesses of the application to find something we can exploit. The way images are loaded through a file parameter immediately sets off alarm bells: it looks like a local file inclusion.
As you can see, the showimages script loads each picture through its file parameter. If we navigate to the patriot image this way, the picture is fetched by that parameter rather than being linked directly. This is an odd way to embed images into a website; perhaps we can use it to our advantage. Navigating to the images directory itself, we have scored: as the image below shows, directory listing is enabled. Please note that one important element of cyber security is minimising information disclosure.
Having directory listing enabled can divulge information about the application, such as its structure, the technologies in use, and even other sensitive information through readable files. There appears to be an admin directory. Attempting to access it gives us the expected Unauthorized error message.
However, the login prompt appears to be generated by an .htaccess and .htpasswd file combination. Previously, other challenges we have seen used an SQL-backed application login. We also know that the file parameter was performing local file inclusion to fetch the image files. To summarise, perhaps we can use the local file inclusion to our advantage and list the contents of the admin directory without authenticating.
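To show what makes this file parameter dangerous and what the fix looks like, here is an added example (my own code, not the challenge site's script or the author's) with a minimal image handler written first the way the writeup implies the showimages script behaves, then hardened so that traversal and dotfiles such as .htaccess and .htpasswd can never be returned. Every name in it (IMAGE_EXTENSIONS, build_demo_tree, serve_image_unsafe, serve_image_safe, is_refused) and the sample directory tree are this example's own.

```python
"""
Added example: a showimages-style handler, unsafe and hardened side by side.
The directory layout and the .htpasswd contents are constructed for the demo;
nothing here is taken from the real site.
"""
import tempfile
from pathlib import Path

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def build_demo_tree() -> Path:
    """Constructed sample layout mimicking the writeup: an images directory
    with one picture and an admin subdirectory guarded by .htaccess/.htpasswd.
    The hash is a placeholder, not one from the challenge."""
    base = Path(tempfile.mkdtemp(prefix="images_"))
    (base / "patriot.jpg").write_bytes(b"\xff\xd8\xff fake-jpeg-bytes")
    admin = base / "admin"
    admin.mkdir()
    (admin / ".htaccess").write_text(
        "AuthType Basic\nAuthUserFile /path/to/admin/.htpasswd\nRequire valid-user\n"
    )
    (admin / ".htpasswd").write_text("administrator:PLACEHOLDER_HASH\n")
    return base


def serve_image_unsafe(base: Path, requested: str) -> bytes:
    """The vulnerable pattern: the client-supplied value is joined onto the
    images directory and read back unchecked, so a value naming a dotfile or
    climbing out with '..' returns files that were never meant to be served."""
    return (base / requested).read_bytes()


def serve_image_safe(base: Path, requested: str) -> bytes:
    """Hardened handler: raises PermissionError for anything that resolves
    outside the images directory, contains a dotfile component, or does not
    carry an image extension."""
    base = base.resolve()
    # resolve() collapses '..' and symlinks; an absolute 'requested' replaces
    # base entirely, which the containment check below catches as well.
    candidate = (base / requested).resolve()
    try:
        relative = candidate.relative_to(base)
    except ValueError:
        raise PermissionError(f"{requested!r} escapes the images directory")
    if any(part.startswith(".") for part in relative.parts):
        raise PermissionError(f"{requested!r} names a dotfile")
    if candidate.suffix.lower() not in IMAGE_EXTENSIONS:
        raise PermissionError(f"{requested!r} is not an image")
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate.read_bytes()


def is_refused(base: Path, requested: str) -> bool:
    """True when the hardened handler rejects the value outright."""
    try:
        serve_image_safe(base, requested)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    base = build_demo_tree()
    print("unsafe handler leaks:", serve_image_unsafe(base, "admin/.htpasswd"))
    for value in ("patriot.jpg", "admin/.htaccess", "../../../../etc/passwd", "/etc/passwd"):
        try:
            print(value, "->", len(serve_image_safe(base, value)), "bytes")
        except (PermissionError, FileNotFoundError) as exc:
            print(value, "-> refused:", exc)
```

The containment check runs on the resolved path rather than on the raw string, so encoded or doubled-up traversal sequences are handled the same way as plain ones, and the dotfile rule means the web server's own configuration files are never candidates even when they sit inside the images tree.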
DIRB is a directory and file brute-forcing tool. The image above shows the results from running DIRB. What this also means is that we can use the showimages script's file parameter to read the files it found, such as the .htaccess file in the admin directory. As you can see from the picture below, the .htaccess file references the .htpasswd file. This confirms our suspicion that it was being used for authentication.
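From the defender's side, all three things seen so far leave traces in the web server's access log: the directory listing hit, the file parameter being pointed at configuration files, and the DIRB run itself, which shows up as a burst of 404s from one client. The following added example (my own code, not part of the writeup) runs a small detector over constructed Apache combined-format log lines. The parameter name file comes from the writeup; the script name showimages.php in the sample lines, the client addresses, the NOT_FOUND_BURST threshold and the function names are all assumptions of this example.

```python
"""
Added example: flag LFI-style values in the 'file' query parameter, directory
index responses, and brute-force bursts of 404s in access log lines.
The log lines are constructed sample data.
"""
import re
from collections import Counter
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)
NOT_FOUND_BURST = 5  # 404s from one client before we call it a scanner (assumed threshold)

SAMPLE_LOG = """\
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /showimages.php?file=patriot.jpg HTTP/1.1" 200 5123
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /images/ HTTP/1.1" 200 812
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /showimages.php?file=admin/.htaccess HTTP/1.1" 200 97
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /showimages.php?file=../../../etc/passwd HTTP/1.1" 200 1421
198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /showimages.php?file=..%2F..%2Fadmin%2F.htpasswd HTTP/1.1" 200 60
198.51.100.7 - - [10/Oct/2023:13:57:00 +0000] "GET /backup/ HTTP/1.1" 404 210
198.51.100.7 - - [10/Oct/2023:13:57:01 +0000] "GET /cgi-bin/ HTTP/1.1" 404 210
198.51.100.7 - - [10/Oct/2023:13:57:01 +0000] "GET /old/ HTTP/1.1" 404 210
198.51.100.7 - - [10/Oct/2023:13:57:02 +0000] "GET /test/ HTTP/1.1" 404 210
198.51.100.7 - - [10/Oct/2023:13:57:02 +0000] "GET /tmp/ HTTP/1.1" 404 210
198.51.100.7 - - [10/Oct/2023:13:57:03 +0000] "GET /admin.bak HTTP/1.1" 404 210
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into fields; None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def suspicious_file_param(path: str) -> Optional[str]:
    """Return why the 'file' parameter looks like an inclusion attempt, or None."""
    query = parse_qs(urlsplit(path).query)
    for raw in query.get("file", []):
        value = unquote(raw)  # parse_qs decoded once; this pass catches double encoding
        if value.startswith(("/", "\\")):
            return "absolute"
        segments = value.replace("\\", "/").split("/")
        if ".." in segments:
            return "traversal"
        if any(seg.startswith(".") for seg in segments):
            return "dotfile"
    return None


def analyze(log_text: str) -> dict:
    """Collect LFI attempts, served directory indexes and 404-burst clients."""
    lfi, listing, not_found = [], [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = suspicious_file_param(rec["path"])
        if reason:
            lfi.append({"ip": rec["ip"], "path": rec["path"], "reason": reason})
        bare_path = urlsplit(rec["path"]).path
        # A 200 on a trailing-slash path is only a candidate for an auto-index;
        # confirm against the response body or the server's Options setting.
        if rec["status"] == 200 and bare_path.endswith("/") and bare_path != "/":
            listing.append((rec["ip"], bare_path))
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
    scanners = sorted(ip for ip, n in not_found.items() if n >= NOT_FOUND_BURST)
    return {"lfi_attempts": lfi, "listing_hits": listing, "scanners": scanners}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

The encoded value in the fifth sample line is the reason the detector decodes before inspecting: a naive substring match on the raw request line would miss it. Note that a 200 on a directory path is not proof of a listing on its own, so that signal is reported as a candidate to confirm rather than an alert.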
Now, if we go and look at the .htpasswd file, we can see that it contains a password hash for the administrator user. Perhaps we can crack this hash and use the password to log in to the admin area of the application. With the hash saved in a file called hash, John quickly identified it as an MD5 hash. John also cracked the password surprisingly quickly, given that I was running it on a virtual machine.
For reference, the mission brief from FreedomOfChoice reads: This is a personal freedom issue. No one else is hurt if two consenting adults decide to marry. But people who claim to have the moral high ground decide to ruin it for everyone else and discriminate against same-sex couples. This injustice must be stopped. There is an admin section on that website somewhere, perhaps hidden among their directory structure. It would be a great fight against moral tyranny and a victory for freedom if you could somehow hack into their website.
Thank you. Furthermore, by calling one of these files in the URL e.