Here's one of my stories about a security assessment I did on a password manager company. One of my teams and I could have accessed hundreds of thousands of passwords from users on the internet.
Follow along so you can learn! I was given the project to pentest a password manager company:
No physical or phishing. The site was certified McAfee Secure! 😉
The first two days were spent doing recon, walking the application, and doing content discovery.
I used the RAFT wordlists to do Content Discovery:
ffuf -c -w /raft-large-directories.txt -u
I discovered, (by proxying the site through Burp Suite and looking at responses and errors), that the application was written in CodeIgniter. I noted this down.
The content discovery yielded several paths, a few of note:
Visiting these gave nothing but blank pages (to be expected), but I noted them all down. The adminpanel was whitelisted. The phpmyadmin link redirected us to the phpmyadmin login, but we had no creds.
During spidering an additional path was found on the above:
When doing content discovery, special characters in the wordlists produced interesting errors. The above path was giving PHP errors having to do with incorrect pathing.
I began to expect there might be a path-based Local File Inclusion (also known as path traversal)...
Fuzzing the path with things like:
gave different errors on the incorrect pathing format.
I fuzz things like this with the LFI list in Seclists:
After MUCH trial and error (and bringing in some fellow testers) we found the correct pathing for /etc/passwd (helped by the phpinfo.php file we found earlier).
The big "eureka moment" was learning that the minify function was stripping the periods from our ../ and was also using underscores instead for pathing on *nix.
We learned this by researching the CodeIgniter docs and Googling on Stack Overflow.
We ended up doing something like this:
BAM. It worked! "root dance" #1
So now we could read any file on the webserver.
Pentesting is a circular methodology. So we used that vulnerability to pull down all the configuration files for CodeIgniter. In fact, we installed our OWN instance of CodeIgniter on one of our servers and created a custom list of all paths and files. This install let us know where the configuration files were, which housed multiple secret API keys.
Remember the database.php file from earlier? yep... it had database credentials in it! Remember phpmyadmin? We used those creds there.
Boom, we had access to the complete database of users. Enter "root dance" #2:
Remember gmail.php? It contained developer Gmail creds for some sort of integration. We could log into the Gmail account of the company's administrator. This gave us full permission on the company's G Suite. All employees' mailboxes were ours to take over.
We used Phpmyadmin to add ourselves as users to the whitelist for /adminpanel
We now got access to the backend super user part of the site. It had the control to do everything. It had all the log access, configs, etc, etc.
We also bypassed their image upload and were able to upload a PHP shell. One function checked for images by inspecting the binary header, but not the file extension (on the server side). We uploaded a shell with a GIF binary header through Burp Suite as a .PHP file. An acquaintance of mine, Soroush Dalili, has one of the best presentations on upload vulnerabilities for security testers. Check it out.
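The upload check described above, as an added example (not the assessed application's code): the header-only test beside a hardened validator that also allowlists the extension, requires it to match the sniffed image type, and stores the file under a server-generated name. The signature table and the sample byte strings are constructed for this example.

```python
import os
import secrets

# Magic-byte signatures for the image types the endpoint is meant to accept.
# Constructed for this example; a production service would use a full sniffer.
IMAGE_SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}
ALLOWED_EXTENSIONS = {"gif", "png", "jpg", "jpeg"}
# Extension/type pairs that are allowed to go together.
EXT_MATCHES_TYPE = {("gif", "gif"), ("png", "png"), ("jpg", "jpg"), ("jpg", "jpeg")}

# Constructed sample uploads: a minimal real GIF header, and a non-image blob
# that merely starts with the GIF signature (the pattern the write-up describes).
REAL_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
GIF_PREFIXED_NON_IMAGE = b"GIF89a" + b"<not an image payload, constructed placeholder>"


def sniff_image_type(data: bytes):
    """Return the image type implied by the leading bytes, or None."""
    for kind, magics in IMAGE_SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def weak_is_image(filename: str, data: bytes) -> bool:
    """The check from the write-up: header only, the extension is never consulted.
    Anything that begins with an image signature passes, whatever its name."""
    return sniff_image_type(data) is not None


def hardened_validate(filename: str, data: bytes):
    """Header AND extension must agree, and the stored name is server-generated.
    Returns the safe storage name, or None when the upload is rejected."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()  # ".PHP" -> "php"
    if ext not in ALLOWED_EXTENSIONS:          # rejects .php, .phtml, a.gif.php ...
        return None
    kind = sniff_image_type(data)
    if kind is None or (kind, ext) not in EXT_MATCHES_TYPE:
        return None                            # no signature, or name lies about type
    # Never reuse the client-supplied name: it must not influence path or type.
    return f"{secrets.token_hex(16)}.{kind}"
```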
In the end, the methodology and documentation of your hacking are important. Persistence is key. We had full access to every portion of the company.