Hackazon

    "Hackazon is a free, vulnerable test site that is an online storefront built with the same technologies used in today’s rich client and mobile applications."  The download can be found here:  https://github.com/rapid7/hackazon

    Honestly, when I heard the name, I didn't clue in.  When I saw the interface, I realized I missed the play on words. 

    I'd seen this application mentioned somewhere and I wanted to check it out.  Let me start off by saying that if you're a beginner, this is a great application to mess with for any number of reasons.  If you're seasoned a bit, this might not be worth the effort.  

    It "looks" realistic which is very cool.  In my opinion, someone went to a decent amount of effort to create this platform.  That being said, I wish it was a little more hardened.  I almost thought about fixing some of the vulns to make it a bit more interesting but I can only burn so much time.

    When we hit the main page, we see:




    Not really knowing what I was getting into, I started off with my typical scans:




    And this:





    But I quickly realized, everything about this platform is based around the UI so I moved there and left the rest of my initial enumeration process alone.

    Breaking this down into different vulnerabilities, let's start with Cross Site Scripting (XSS).  No protection whatsoever and I go for the standard:



    And as expected:





    We get the alert.  If there were protections in place, perhaps something looking for the <script> tag, we can also try:




    Again, we get:





    No point in messing with case or other sorts of trickery when this is going to pop on pretty much anything.

    Next up, we're going to play with SQL Injection.  For me, this is a little more sophisticated than your 1=1 kind of tinkering so I'm just heading for SQLMap.  Capturing a POST request from Burp Suite, I copy the contents into a file titled "post.txt" and I fire up SQLMap:





    SQLMap is quite verbose, so I break this into two pieces:




    As you can see, the username field is vulnerable and we're able to retrieve the database name.  Now that we have the names, let's dig in.  The goal is to find the user table and retrieve hashes:





    Digging further:





    Excellent!  We have column names, let's dump username and password:





    And we get:





    Now this is interesting.  These "look" like MD5 hashes, possibly salted.  I looked through a bunch of hash types to see if I could match this up but no such luck.  I then proceeded to create a user with the password of "password" and I tried to crack the hash.  Still, no such luck.  I tried to search around to see if I could figure out what hash was being used but it wasn't an obstacle for moving forward with the box so I just let it go.  I am curious as to what the hash type is for this login though.  Anyone know?

    Since I could not crack the hashes, I attempted to use the os-shell command in SQLMap:




    Again, breaking this up into two since it's quite verbose:




    Now that's an interesting error and might not make sense. 

    Even if we go to a known directory with something like this:

    sqlmap -r post.txt -p username --file-write="cmd.php" --file-dest="/var/www/hackazon/web/cmd.php"

    We still get denied.  Shouldn't the user have rights to write?  Yes, the user should have rights but if we look at this from within MySQL:





    We see there are protections in place from this kind of execution.  

    Moving on, there are probably more than just the one -- but do we need more than one entry for Local File Inclusion?  





    And lastly, the application allows you to create a user.  When you log in to your account, you will find a vulnerability in the Avatar Upload function:





    Nothing sanitized in the least bit so we can just upload our shell and it literally pops when you hit save -- I assume because it was attempting to render the image:





    We catch our shell and when we try to clean up the environment with:  

    python -c 'import pty;pty.spawn("/bin/bash")'

    We discover that Python is missing.  As an alternative when you find yourself in this situation:




    Now we have a fully functional shell.  
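
    The defensive counterpart to the Avatar Upload finding, as an added example that is not from the original post or from Hackazon's code: it validates an upload by its content and stores it under a server-chosen name.  The function names, the allowed formats and the size limit are assumptions, and Python is used only for illustration.

```python
import os
import secrets

# Magic-byte signatures for the only formats an avatar may use (assumed policy).
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}
MAX_BYTES = 512 * 1024  # assumed size limit for an avatar


class RejectedUpload(ValueError):
    """Raised when an upload fails validation; nothing is written to disk."""


def sniff_extension(data: bytes) -> str:
    """Return the extension implied by the file's leading bytes, or reject."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    raise RejectedUpload("content is not PNG, JPEG or GIF")


def store_avatar(client_name: str, data: bytes, upload_dir: str) -> str:
    """Validate an upload and write it under a server-chosen name.

    client_name is deliberately never used to build the path: the stored
    name is random and its extension comes from the sniffed content, so a
    request naming the file "shell.php" or "../../cmd.php" cannot create a
    .php file or escape upload_dir.
    """
    if not data or len(data) > MAX_BYTES:
        raise RejectedUpload("empty or oversized upload")
    ext = sniff_extension(data)
    stored = secrets.token_hex(16) + ext
    path = os.path.join(upload_dir, stored)
    # O_EXCL never overwrites an existing file; mode 0o640 has no execute bit.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return stored
```

    A signature check does not prove the bytes are a well-formed image; what keeps the file from being executed is the server-chosen name and extension, ideally with the upload directory served as static files only.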

    As I said, definitely something you should play with if you're new and you're looking for an environment where you can play around with a few different vulns in the same place.  


    © 2020 sevenlayers.com