SNAKEOIL is another machine from Digitalworld.local series from Vulnhub by Donavan.

The description says: “Recently, Good Tech Inc. has decided to change their application development process. However, their applications look broken and too basic. Is this an application full of snakeoil, or are they insecure too? This goes beyond PEN-200, and some web application development expertise could be helpful”.

Get Ahmed Shamroukh’s stories in your inbox

Join Medium for free to get updates from this writer.

Link to the machine:

Information Gathering

Let’s find the target’s IP address.

┌─[a7@Parrot]─[10.10.10.2]─[~/Desktop/vulnHub/Digitalworld.local:SNAKEOIL]
└──╼ $fping -agq 10.10.10.0/24
10.10.10.1
10.10.10.2
10.10.10.7

Port Scan

Scan the target for open ports and running services.

Web Server Enumeration

First, let’s visit port 80.

Just a page telling us SNAKEOIL is set up properly, examining the source code, and nothing useful. Let's visit port 8080.

When we click on Introduction, we got a post, but look at the URL.

Back to the main page, click on House Rules.

We got username Patrick, and again notice the URL.
Now, head back and click on Useful Links.

We got some information, first, it’s flask, second, there is some kind of authentication mechanism like JWT (JSON Web Tokens), anyway, there’s a link, let’s visit it.

It’s about configuring JWT.
Our next step is to launch gobuster.

Firstly, let’s try to change the directory from 4 to 3.

This is the ‘404 Not Found’ message in JSON format which means there is no page with that name.
Moving on, let’s browse test.

Now, open Burp, and visit all links on the website including those found by gobuster for more analysis.

Notice create, let's browse it.

Let’s create a post.

Submit.

Click on Edit.

Back to Burp, send the interesting requests to Repeater for more analysis.
Starting with login.

The METHOD NOT ALLOWED, change the request method.

We got BAD REQUEST which means the request sent to the server is invalid or corrupted, add username=patrick&password=patrick.

Let’s jump to registration, when we send the request it responds with Wrong Method so change the method.

Bad request, obviously the method is POST and the page is registration, so let's add a new user.

Check our user on users.

Back to login, log in with the user admin.

We got Access_Token! Anyway, we analyzed users, login, registration, we have two left, let's analyze secret.

Let’s send a request to run.

Change the method.

This one took me some time till I notice my mistake.

Let’s do it.

Where the :) is my secret key.
Let’s visit secret.

After a few tries, thinking maybe expect a cookie or token, so let’s add one.

Tried it but didn’t work so I visit the link we found earlier.

Try it again.

We got the secret key, now let’s add it in run.

We got some kind of command output, we may be able to inject commands.
After playing around, turns out it’s curl.

The url parameter is vulnerable to command injection, so let's send some commands.

Tried to list files and directories.

After browsing these files, found an interesting one.

Getting Access

Tried to log in with ssh with the obtained creds.

When we check for SUDO permissions, we could run anything as root, let’s get root.