Going Deeper & Bypassing Authentication

Heading over to the website and inspecting the source, we see a custom js file at the very bottom, js/secure.js
Screenshot_20200817_224641.png

Viewing that and seeing it is just some char code, we can use our browser to convert this to something more useful.

Screenshot_20200817_225326.png

we now have a new url named /dirb_safe_dir_..../admin/stats.php

Viewing the new page source, we have the next flag.
Screenshot_20200817_225927.png

After running burpsuite, we find that this website is vulnerable to sql injection. Using sqlmap, we can build a small one liner that will suffice. (answer yes to all prompts)

sqlmap -u http://www.securewebinc.jet/dirb_safe_dir_rf9EmcEIx/admin/login.php --forms -D jetadmin -T users -dump

Screenshot_20200817_230358.png
Now that we have the username and hash, we can crack the hash by visiting crackstation.net

Signing in with the new creds, we are brought to dashboard which brings us to our next flag
Screenshot_20200817_231534.png


Revision #3
Created Mon, Aug 17, 2020 10:43 PM by Treelovah
Updated Mon, Aug 17, 2020 11:14 PM by Treelovah