Secrets in Source - Walkthrough

Lab Overview

This lab introduces you to the importance of examining web page source code and understanding how developers might accidentally leave sensitive information in HTML comments.

• Platform: HackerDna
• Lab Name: Secrets in Source
• Difficulty: Very Easy
• Target: Provided IP address (referred to as <target-ip>)
• Objective: Find the hidden flag by examining the web page source code

Step 1: Initial Reconnaissance

Let's start by gathering basic information about our target.

Attempting to Ping the Target

First, we'll try to ping the target IP to check its reachability:

ping <target-ip>

However, we discover that the target does not respond to ping. This is not uncommon, as many systems and networks block ICMP packets for security reasons. The lack of ping response doesn't mean the system is offline; it just means we need to try other methods to interact with it.

Port Scanning with Nmap

Since ping doesn't work, we need to use the -Pn flag with Nmap to skip the ping check. Since this is a "Very Easy" lab, we can focus on scanning just the common ports:

nmap -Pn <target-ip>

The -Pn flag tells Nmap to assume the host is online and skip the initial ping probe. This is essential when scanning hosts that don't respond to ICMP echo requests.

This command will scan the most common 1000 ports. The scan reveals that port 80 is open, which typically indicates a web server is running.

Service Version Detection

To get more information about the web server, we can use Nmap's version detection:

nmap -Pn -sV -p80 <target-ip>

This scan tells us that the web server is nginx version 1.25.4.

These initial findings give us a clear direction: we need to focus our efforts on exploring the web server running on port 80.

Step 2: Exploring the Web Page

Now that we know there's a web server, let's examine what it's hosting.

Accessing the Web Page

Open your web browser and navigate to:

http://<target-ip>

Upon visiting the site, we see a single web page. At first glance, it might not seem very interesting or exploitable. However, in web application security testing, it's crucial to look beyond what's immediately visible.

Initial Observations

Take note of any visible content, links, or functionalities on the page. Even if they seem unimportant, they might provide clues or lead to further discoveries.

Remember, not all valuable information is immediately visible in the rendered web page. Developers often leave comments, hidden fields, or other metadata in the source code that can be goldmines for security testers.

Step 3: Examining the Source Code

Since the visible content doesn't provide much to work with, our next step is to examine the HTML source code of the page.

Viewing the Page Source

To view the HTML source code:

1. Right-click anywhere on the web page
2. Select "View Page Source" or "View Source" (the exact wording may vary depending on your browser)

Alternatively, you can use keyboard shortcuts:

• Windows/Linux: Ctrl + U
• macOS: Command + Option + U

Analyzing the Source Code

When examining the source code, pay attention to:

• HTML comments (enclosed in <!-- -->)
• Hidden input fields
• JavaScript code, especially any hardcoded values or URLs
• References to other files or resources

In this case, we find a crucial piece of information in an HTML comment:

<!-- TODO: move the flag "/anwvdzqtcucr/flag.txt" in a more secure location -->

This comment reveals the location of our flag file. It's a common mistake for developers to leave sensitive information in comments, thinking they won't be visible to users. However, as we've just seen, anyone can easily view these comments in the source code.

Step 4: Retrieving the Flag

Now that we've discovered the path to the flag file, we can attempt to access it directly.

Accessing the Flag File

In your web browser, navigate to:

http://<target-ip>/anwvdzqtcucr/flag.txt

This should display the contents of the flag.txt file, which will be your flag for this challenge.

Alternative Method: Using curl

If you prefer using the command line, you can use curl to retrieve the flag:

curl http://<target-ip>/anwvdzqtcucr/flag.txt

This command will output the contents of the flag file to your terminal.

Capturing the Flag

The flag will likely be in a specific format, such as a UUID or a string with a particular pattern. Make sure to copy it exactly as it appears, paying attention to any uppercase/lowercase letters, numbers, or special characters.

Key Takeaways

This lab demonstrates several important concepts in web application security:

• Source code examination: Always check the source code of web pages, as they may contain valuable information not visible in the rendered page.
• Dangers of HTML comments: Developers should never leave sensitive information in HTML comments, as these are easily accessible to anyone who views the source.
• Security through obscurity is not effective: Hiding sensitive files in "secret" directories is not a secure practice. Proper access controls should always be implemented.
• Importance of code review: Regular code reviews can help catch instances where sensitive information might be accidentally exposed.
• Thorough reconnaissance: Even when initial probes (like ping) fail, it's important to use appropriate techniques like the -Pn flag with Nmap to continue your investigation.

Real-World Relevance: Scenarios like this are not uncommon in real-world applications. Developers might accidentally leave sensitive information in comments, configuration files, or other locations that are accessible to users. This is why security assessments often include a thorough examination of all accessible content, including source code and hidden files.