[{"content":"Note - I’ve only looked at the attacking portion; I haven’t talked about patching the vulnerabilities, but you can explore fixing the vulnerabilities.\nLab Setup\n1. Install Docker and Docker Compose V2.\n2. For Windows (make sure you’ve installed “git” for Windows): open CMD or PowerShell as administrator and run:\ngit clone https://github.com/theowni/Damn-Vulnerable-RESTaurant-API-Game.git\ncd Damn-Vulnerable-RESTaurant-API-Game\ndocker compose up -d\n3. For Linux:\ngit clone https://github.com/theowni/Damn-Vulnerable-RESTaurant-API-Game.git\ncd Damn-Vulnerable-RESTaurant-API-Game\n./start_app.sh\n4. Now, visit http://127.0.0.1:8091/docs or http://<your_ip>:8091/docs\nSetup Done!\nTool setup\nOption 1: You can send requests from the OpenAPI (Swagger) UI at http://127.0.0.1:8091/docs to Burp Suite via proxy.\nOption 2: I’ll use a Burp extension, https://github.com/nerdygenii/postman-burp-importer, as I wanted to try this tool out for my workflow.\nHow to set up…\n1. Download the latest JAR from Releases.\n2. In Burp Suite: Extensions → Add → Select the JAR file. The “Postman Importer” tab will appear.\n3. Get the Postman collection for the “postman-burp-importer” extension (since we have the OpenAPI Specification (formerly Swagger) .json file and not the Postman collection the extension requires): download the API doc from http://127.0.0.1:8091/openapi.json » Open Postman » Import » Files » Select openapi.json » OpenAPI 3.1 with a Postman collection » Import\n4. Next, export the Postman collection…\n5. Open Burp Suite » go to Extensions » Postman Importer » Browse » select <your_exported-postman_collection.json> » Import Collection.\nAll the API requests will get imported in the requester tabs.\nNow, it’s time for some API hacking!\nLevel 0 — Information disclosure\nSend a GET request to /healthcheck.\nYou will find the info disclosure in the response — “x-powered-by: Python 3.10, FastAPI ^0.103.0”, which will be useful to plan and carry out further attacks.\nLevel 1 — Unrestricted Menu Item Deletion (BFLA)\nAttack -\nGet the auth token for our attacker’s account (userA) via the POST /token endpoint. Verifying it…\nSend a request to GET /menu (to view the list of menu items).\nWe’ll try to delete ID: 17. Now, send a DELETE request to /menu/{id}\nChecking if ID 17 got successfully deleted? Yes, it did - it’s a BFLA finding, since we as an attacker have the role Customer (a low-privileged account) and we were able to perform an unauthorized, high-privileged function.\nLevel 2 — BOLA (Broken Object Level Authorization)\nWe’ll perform “A-B” testing… so create two accounts.\nOne will act as the attacker’s account and the other one will be the victim’s account.\nAttacker - userA\nVictim - userB\nThe PUT /profile endpoint allows a user to edit their profile information.\nProfile info updated for userA -\nAttack —\nNow, let’s change the profile info of userB.\nThis can be achieved by changing the username value to userB (the victim’s account) but using the auth token of userA (the attacker).\nOriginal request\nTampered request\nProfile info updated for userB by userA!!\nTo summarize this BOLA vulnerability -\nWe are authenticated as userA.\nThe API endpoint /profile is properly secured, meaning only authenticated users can access it. 
This prevents a “Broken Authentication” vulnerability, since unauthenticated users cannot access the function.\nHowever, the authorization check is flawed. Instead of verifying that the username in the request body matches the username associated with the authorization token, the API simply trusts the value provided in the request body.\nBy changing the username from userA to userB, we were able to modify an object (userB’s profile) that we are not authorized to interact with.\nWe can also send the PUT /profile request to Intruder, targeting the “username” parameter, to enumerate and attack other user accounts using a common username wordlist. We see that we found one valid existing user called “chef”, which seems interesting (as it might have some elevated privileges).\nLevel 3 - Privilege Escalation (via “BOPLA”/Broken Object Property Level Authorization)\nThe API endpoint PATCH /profile allows a user to update their profile info.\nAs per the API doc — the request does not contain a “role” value. We can try to add the “role” property to the request and see if we get a successful response.\nTampered Request -\nWe see that our role got changed to “Chef” because we included the unintended property “role” in our request.\nLevel 4 - Server Side Request Forgery\nIn the API endpoint PUT /menu, you’ll see an object “image_URL”. So, let’s test this object by inserting an external URL.\nI injected a custom URL created on webhook.site; let’s see what happens!\nUpon sending the request, we get a base64-encoded response. After base64 decoding, we get the content that we created. This means the API is fetching the content from the URL and displaying it base64-encoded, so SSRF might be possible on this endpoint. 
Now, let’s exploit it further to make it impactful…\nAfter reviewing the code under “/Damn-Vulnerable-Restaurant-API-Game/app/apis/admin/services”, it was found that there were two API routes, one of which was:\nreset_chef_password_service.py (responsible for generating and updating a new password for “admin”, aka “chef”).\nAfter replacing the previous URL with an internal URL, i.e., http://localhost:8091/admin/reset-chef-password\nThat’s how we got the admin’s password. Now, we’ll authenticate with the admin credentials to get the access token.\nVerifying it!\nLevel 5 — RCE\nOnly a user with the role “Chef” is authorized to send requests to the endpoint GET /admin/stats/disk?parameters=\nHence, we will use the admin’s token that we have with us… (obtained in the previous level - SSRF)\nThe above output looks like it comes from the Linux command df.\nAttack - Let’s see if we can perform command injection -\nI tested the following —> ; whoami (URL-encoded)\nIn the output, we see the whoami command got executed successfully.\nNow, let’s try to get a reverse shell…\nIn order to inject the right payload, we already have a useful piece of information: the backend language being used is Python 3, as shown in the highlighted screenshot below.\nSo, we will get the payload from https://www.revshells.com/\nand will inject the payload as the value of “parameter=; ”\nThis request will look something like this…\nTurning the netcat listener ON…\nNow, send the request!\nWe successfully got the reverse shell. 
Now, let’s try to get root access.\nThe user app can run the /usr/bin/find command as root (or any user) without providing a password.\nThis means find can execute arbitrary commands using the -exec option, so an attacker or user could escalate privileges to root by running a command like:\nsudo find / -exec /bin/sh \\; -quit\nVoilà! We got root access.\nNote - I haven’t covered the fixing-the-vulnerabilities part and have only covered the attacking part.\nThank you for reading😄\n","permalink":"https://cybern1nja8.github.io/blogs/writeups/others/damn-vulnerable-restaurant/","summary":"Writeup covering all the vulnerabilities and exploitations that are there in all six levels.","title":"Damn-Vulnerable-RESTaurant-API-Game"},{"content":" Hi, my name is ABHISHEK (aka cybern1nja9)🥷🏻 — a cybersecurity consultant, curious hacker, and a goal chaser. From my childhood I’ve always been curious about how things work and how they can be manipulated. Over time, this curiosity has driven me to dive deep into hacking and securing not only applications and networks but also physical systems and critical infrastructure. In this blog, I share my experiences and thoughts on cybersecurity, from vulnerabilities and hacking techniques to practical tips on defense. I hope you find something useful here, and I’d love to connect and chat about all things cybersecurity. 
👨‍💻 What I Do\nVulnerability Management (Tenable One), Web, API, Thick Client, Mobile App PenTesting\nCertifications and resume\nCourse/Certificate | Organization | Badge Obtained | Certificate\nAPIsec Certified Practitioner (ACP) | APIsec University | May 2025 | Accredible\nYou can find these details on my LinkedIn profile as well.\nYou can find my resume here: [Resume] /docs/Abhishek Rajput.pdf\n📌 Current Focus\nLeveling up in Web app, API and Mobile App Hacking\nBug Bounty Hunting\nWeight training: Chasing that 75kg goal 🏋️ Gotta REACH THE PEAK!\n❤️‍🔥 Area of Interests\nApplication Security (AppSec)\nInfra Pentesting and Red Teaming\nOther forms of Offensive Security\n🧠 Personal Philosophy\nResearch like a scholar, think like a hacker, and learn like a kid. | Research\tTrain\tHack\tRepeat!\n“Improve at least 1% every day.”\n","permalink":"https://cybern1nja8.github.io/whoami/","summary":"Security Consultant, AppSec/OffSec enthusiast.","title":"$ whoami"}]