Web application pentesting on Seattle vm

In my spare time I like to sharpen my skills by pentesting vulnerable virtual machines, usually from vulnhub.com. This is my review of “Seattle”. This wasn’t a thorough pentest of the web application, it was what I was able to knock out in a couple of hours one afternoon for fun.

I found an LFI at the URL “/details.php?prod=1&type=1&lang=USD”.

The “My Account” page is vulnerable to SQL injection. The email address must be a valid email address. It wouldn’t accept foo@foo.com.

On the Blog page, I clicked on “Admin” and arrived at this page which includes admin’s email address.

Back on the “My Account” page, I logged in with admin@seattlesounds.net and a password of “‘ or 1=1 — “.

After multiple tests, I was able to exploit stored XSS on the site with “<a onmouseover=alert(document.cookie)>xxs link</a>”. Any requests containing SCRIPT were filtered on the blog form. OWASP has an excellent cheat sheet on XSS filter evasion at https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet.

I was able to use sqlmap to exploit SQL injection with any of the product pages, using URL “/details.php?prod=1” for example. This was a blind SQL injection vulnerability, meaning that my usual methods of manually pulling info from the database to be displayed on the page didn’t work, so I let sqlmap do the heavy lifting as blind SQL injection can be very difficult to exploit.

I pasted the hash into crackstation.net and found the root password. Had it not been found on crackstation I would have run it through oclhashcat which uses the GPU to run through very large password lists in a few minutes.

Game over:

This wasn’t the most difficult web app that I’ve worked through. It did provide a couple of hours of fun on an afternoon off from work.
(Visited 328 times, 1 visits today)

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.