Posts: 213 Threads: 0 Joined: N/A

[code]
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 e9:a4:39:4a:fb:06:5d:57:82:fc:4a:0e:0b:e4:6b:25 (RSA)
|   256 a3:23:e4:98:df:b6:91:1b:f2:ac:2f:1c:c1:46:9b:15 (ECDSA)
|_  256 fb:10:5f:da:55:a6:6b:95:3d:f2:e8:5c:03:36:ff:31 (ED25519)
80/tcp open  http    nginx 1.21.6
|_http-title: Did not follow redirect to http://www.response.htb
|_http-server-header: nginx/1.21.6
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
[/code]

http://www.response.htb/status/
http://www.response.htb/status/main.js.php

Posts: 7 Threads: 0 Joined: N/A

"url":"http://api.response.htb/","url_digest":"cab532f75001ed2cc94ada92183d2160319a328e67001a9215956a5dbf10c545",

Any ideas how to get digest form?

Posts: 213 Threads: 0 Joined: N/A

I noticed too that it is possible to create new digests when setting the cookie to something like "test". However, when I set the cookie to a URL it complains about illegal characters. Is there a trick here?

Posts: 26 Threads: 0 Joined: N/A

Hope this helps...
[code]
## From: view-source:http://www.response.htb/status/main.js.php
## brief summary:

function get_api_status(handle_data, handle_error)
url_proxy = 'http://proxy.response.htb/fetch';
json_body = {'url':'http://api.response.htb/',
             'url_digest':'cab532f75001ed2cc94ada92183d2160319a328e67001a9215956a5dbf10c545',
             'method':'GET',
             'session':'405708b817a254d983b2d39a8af24b0c',
             'session_digest':'5fce1d30c0bcee8165a352946941da035481c72f39a8e7e1d9d80ccb8e3dbf22'};

function get_chat_status(handle_data, handle_error)
url_proxy = 'http://proxy.response.htb/fetch';
json_body = {'url':'http://api.response.htb/get_chat_status',
             'url_digest':'582cca8fd9e8eb387d8e462fb5bd73a8ae458c40801aa4754b9132c28039bd07',
             'method':'GET',
             'session':'405708b817a254d983b2d39a8af24b0c',
             'session_digest':'5fce1d30c0bcee8165a352946941da035481c72f39a8e7e1d9d80ccb8e3dbf22'};

function get_servers(handle_data, handle_error)
url_proxy = 'http://proxy.response.htb/fetch';
json_body = {'url':'http://api.response.htb/get_servers',
             'url_digest':'3ca24716672824484bd11c4ae8dfdbfef8ca2b94084c597a9d4c03fad7e28df7',
             'method':'GET',
             'session':'405708b817a254d983b2d39a8af24b0c',
             'session_digest':'5fce1d30c0bcee8165a352946941da035481c72f39a8e7e1d9d80ccb8e3dbf22'};

get_api_status(data =>
get_chat_status(data =>
function clear_servers()
function add_server(id, name, ip)
function set_server_error(err)
get_servers(data =>
[/code]

Posts: 26 Threads: 0 Joined: N/A

Also - the below seemed to work -- see above for additional info:
[code]
import json
import requests

json_data1 = {'url':'http://api.response.htb/get_servers',
              'url_digest':'3ca24716672824484bd11c4ae8dfdbfef8ca2b94084c597a9d4c03fad7e28df7',
              'method':'GET',
              'session':'405708b817a254d983b2d39a8af24b0c',
              'session_digest':'5fce1d30c0bcee8165a352946941da035481c72f39a8e7e1d9d80ccb8e3dbf22'}

url_proxy = 'http://proxy.response.htb/fetch'
#print(url_proxy)

# Send the data.
response = requests.post(url=url_proxy, json=json_data1)
print("Server responded with %s" % response.status_code)
decoded_result = response.json()
print(decoded_result)
[/code]

Posts: 213 Threads: 0 Joined: N/A

(May 16, 2022, 04:26 PM) c0d3r Wrote:
> Also - the below seemed to work -- see above for additional info:
>
> import json
> import requests
>
> json_data1 = {'url':'http://api.response.htb/get_servers',
>               'url_digest':'3ca24716672824484bd11c4ae8dfdbfef8ca2b94084c597a9d4c03fad7e28df7',
>               'method':'GET',
>               'session':'405708b817a254d983b2d39a8af24b0c',
>               'session_digest':'5fce1d30c0bcee8165a352946941da035481c72f39a8e7e1d9d80ccb8e3dbf22'}
>
> url_proxy = 'http://proxy.response.htb/fetch'
> #print(url_proxy)
>
> # Send the data.
> response = requests.post(url=url_proxy, json=json_data1)
> print("Server responded with %s" % response.status_code)
> decoded_result = response.json()
> print(decoded_result)

Not really helpful though. You can already see/replay this traffic in BurpSuite:

[code]
POST /fetch HTTP/1.1
Host: proxy.response.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.response.htb/
Content-Type: application/json
Origin: http://www.response.htb
Content-Length: 269
Connection: close

{"url":"http://api.response.htb/get_servers","url_digest":"3ca24716672824484bd11c4ae8dfdbfef8ca2b94084c597a9d4c03fad7e28df7","method":"GET","session":"12a518c585f4fde026da1b0944cb0f40","session_digest":"1564a4bd4ae75ad2605fc45e8a357978311b9a0197e7c261ee7f82360ff58c7a"}
[/code]
The question is how to create the url_digest for a new URL.

Posts: 24 Threads: 0 Joined: N/A

If you cast PHPSESSID as an array, you can view part of the salt:

[code]
Fatal error: Uncaught TypeError: hash_hmac(): Argument #2 ($data) must be of type string, array given in /var/www/html/status/main.js.php:14
Stack trace:
#0 /var/www/html/status/main.js.php(14): hash_hmac('sha256', Array, '920u89u2984u48y...')
#1 /var/www/html/status/main.js.php(32): proxy_callback('http://api.resp...', 'get_api_status')
#2 {main}
  thrown in /var/www/html/status/main.js.php on line 14
[/code]

Can someone brute the rest of it? My PC ain't strong enough.

Posts: 213 Threads: 0 Joined: N/A

I should have ignored the illegal characters error.

So the trick is to simply put a URL into PHPSESSID and copy the generated session_digest into url_digest.

Now I can access the chat application and I found the ZIP file.

Posts: 32 Threads: 0 Joined: N/A

(May 16, 2022, 07:19 PM) Exa Wrote:
> I should have ignored the illegal characters error.
>
> So the trick is to simply put a URL into PHPSESSID and copy the generated session_digest into url_digest.
>
> Now I can access the chat application and I found the ZIP file.

Can anyone share some tips about code review of a Node.js application?

Posts: 213 Threads: 0 Joined: N/A

I found a username and password in the ZIP file. This can be used to log in to the chat application.

I also found that the login request contains this authserver parameter, which can be modified to log in as any user.

Next I found that I can send a link like http://10.10.xxx.xxx/ to a certain user and he will then connect to my web server. Does anyone know the next step from here?
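
The url_digest question earlier in the thread comes down to one HMAC key signing both the session ID and the URL, with nothing in the MAC input saying which field a digest belongs to. The sketch below is an added example, not code from the thread or from the application: it puts that pattern beside a form that binds a purpose label into the MAC and validates the session ID before signing. The key, the label names, the helper names and the 32-hex session ID format (taken from the captured requests) are assumptions.

```python
import hashlib
import hmac
import re

# Constructed demo key; not the key used by the application in the thread.
KEY = b"constructed-demo-key"
# Assumption: session IDs are 32 lowercase hex characters, as in the captured requests.
SESSION_ID_RE = re.compile(r"[0-9a-f]{32}")


def digest_shared(value: str) -> str:
    """Weak pattern: the same keyed HMAC covers every field, with no context."""
    return hmac.new(KEY, value.encode(), hashlib.sha256).hexdigest()


def digest_scoped(purpose: str, value: str) -> str:
    """Hardened: a fixed purpose label is part of the MAC input (domain separation)."""
    msg = purpose.encode() + b"\x00" + value.encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def issue_session_digest(session_id) -> str:
    """Sign a session ID only after checking its type and format."""
    if not isinstance(session_id, str) or not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError("invalid session id")
    return digest_scoped("session", session_id)


def verify_url(url: str, url_digest: str) -> bool:
    """Constant-time check of a digest issued for the 'url' purpose only."""
    return hmac.compare_digest(digest_scoped("url", url), url_digest)


def shared_digest_is_reusable(url: str) -> bool:
    """True when a digest minted for a 'session' value also validates as a URL digest."""
    minted_as_session = digest_shared(url)  # cookie value chosen by the client
    expected_for_url = digest_shared(url)   # what the proxy recomputes for the URL
    return hmac.compare_digest(minted_as_session, expected_for_url)


def scoped_digest_is_reusable(url: str) -> bool:
    """With purpose labels, a session-scoped digest fails URL verification."""
    return verify_url(url, digest_scoped("session", url))


if __name__ == "__main__":
    sample = "http://internal.example/admin"  # constructed URL
    print("shared key, no label :", shared_digest_is_reusable(sample))
    print("purpose-labelled     :", scoped_digest_is_reusable(sample))
```

The type and format check in `issue_session_digest` also rejects the array-valued input that produced the `hash_hmac()` TypeError and stack trace quoted above.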