BigBang a Linux - Hard Machine
by StingEm - Saturday January 25, 2025 at 03:24 PM
(Jan 27, 2025, 09:02 AM)luckystars0612 Wrote:
(Jan 27, 2025, 07:52 AM)0x410x420x41 Wrote: Hmm, if I try with one of the libc.so.6 PNG files I am getting "ELFParseError: expected 8, found 5".
If I try with my own libc.so.6 it doesn't work (expected)...
I think you can try my way. Firstly, you need to download libc.so.6 from the box machine, then use my script to fix the missing header, then use this libc to get a shell.
def extract_libc(png_path, output_path, start_offset, total_size):
    """
    Extract the libc.so.6 bytes that were returned inside a PNG file.
    The ELF image starts at start_offset; at most total_size bytes are read.
    """
    with open(png_path, 'rb') as png_file:
        png_file.seek(start_offset)
        extracted_data = png_file.read(total_size)

    # Sanity check: the bytes at start_offset must be an ELF header,
    # otherwise the offset is wrong and appending headers cannot repair the file.
    if extracted_data[:4] != b'\x7fELF':
        raise ValueError(f"no ELF magic at offset {start_offset} in {png_path}")

    with open(output_path, 'wb') as output_file:
        output_file.write(extracted_data)

    print(f"Extracted libc.so.6 data to {output_path}")
    print(f"Extracted size: {len(extracted_data)} bytes")


def append_valid_section_headers(libc_path, reference_libc_path,
                                 headers_offset, headers_size):
    """
    Append the section header table of a reference libc.so.6 to the
    extracted file. This only makes sense when the reference is the same
    build as the dumped libc, because e_shoff and the section layout must match.
    """
    with open(reference_libc_path, 'rb') as ref_file:
        ref_file.seek(headers_offset)
        section_headers_data = ref_file.read(headers_size)

    if len(section_headers_data) != headers_size:
        raise ValueError("reference libc.so.6 is shorter than expected")

    with open(libc_path, 'ab') as libc_file:
        libc_file.write(section_headers_data)

    print("Appended section headers from reference libc.so.6.")


# Paths to files
png_file_path = '1-40.png'
reference_libc_path = 'libc.so.6'
output_libc_path = 'libc.so.7'

# Known offsets and sizes
elf_start_offset = 9  # ELF header start offset in 1-40.png
section_headers_offset = 0x1D7278  # Section headers offset (e_shoff) in reference libc.so.6
total_section_headers_size = 60 * 64  # 60 section headers, each 64 bytes
total_size = section_headers_offset + total_section_headers_size - elf_start_offset  # Full size of libc.so.6

# Step 1: Extract the main ELF data from 1-40.png
extract_libc(
    png_path=png_file_path,
    output_path=output_libc_path,
    start_offset=elf_start_offset,
    total_size=total_size
)

# Step 2: Append section headers from the reference libc.so.6
append_valid_section_headers(
    libc_path=output_libc_path,
    reference_libc_path=reference_libc_path,
    headers_offset=section_headers_offset,
    headers_size=total_section_headers_size
)

print(f"Fixed libc.so.6 saved to: {output_libc_path}")

Okay, also lost... where does the PNG file come from?
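As an added sanity check (not from the thread or from the script above), the following Python parses the ELF64 header of a dumped file and reports whether the section header table it declares is actually present, so a libc repaired by appending headers from a reference copy can be verified rather than guessed at; the sample headers are constructed inline from the offsets quoted above (0x1D7278, 60 entries of 64 bytes).

```python
import struct

ELF_MAGIC = b"\x7fELF"
ELF64_HEADER_LEN = 64


def make_elf64_header(shoff, shnum, shentsize=64, shstrndx=0):
    """Constructed sample: a minimal little-endian ELF64 header (x86-64, ET_DYN)."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, LE, version 1
    rest = struct.pack("<HHIQQQIHHHHHH",
                       3, 0x3E, 1,                  # e_type=ET_DYN, e_machine=x86-64, e_version
                       0, ELF64_HEADER_LEN, shoff,  # e_entry, e_phoff, e_shoff
                       0, ELF64_HEADER_LEN, 56, 0,  # e_flags, e_ehsize, e_phentsize, e_phnum
                       shentsize, shnum, shstrndx)  # e_shentsize, e_shnum, e_shstrndx
    return ident + rest


def check_section_table(data):
    """Report whether the section header table declared by an ELF64 header fits
    inside the file: this is what a dumped libc fails when its tail is missing."""
    if len(data) < ELF64_HEADER_LEN or data[:4] != ELF_MAGIC:
        return {"ok": False, "reason": "not an ELF file"}
    if data[4] != 2:  # EI_CLASS must be ELFCLASS64 for the 64-byte header layout
        return {"ok": False, "reason": "not ELFCLASS64"}
    endian = "<" if data[5] == 1 else ">"  # EI_DATA
    f = struct.unpack(endian + "HHIQQQIHHHHHH", data[16:ELF64_HEADER_LEN])
    shoff, shentsize, shnum, shstrndx = f[5], f[10], f[11], f[12]
    table_end = shoff + shnum * shentsize
    report = {"shoff": shoff, "shnum": shnum, "shentsize": shentsize,
              "file_len": len(data), "table_end": table_end,
              "missing_bytes": max(0, table_end - len(data))}
    if shoff == 0 or shnum == 0:
        report.update(ok=False, reason="header declares no section table")
    elif shentsize != 64:
        report.update(ok=False, reason="unexpected e_shentsize for ELF64")
    elif shstrndx >= shnum:
        report.update(ok=False, reason="e_shstrndx points past the table")
    elif table_end > len(data):
        report.update(ok=False, reason="file ends before the section table does")
    else:
        report.update(ok=True, reason="section table fits in the file")
    return report


# Constructed sample from the thread's numbers: table at 0x1D7278, 60 entries of 64 bytes.
SHOFF, SHNUM = 0x1D7278, 60
HEADER = make_elf64_header(SHOFF, SHNUM, shstrndx=SHNUM - 1)
TRUNCATED = HEADER + b"\x00" * (SHOFF - len(HEADER))  # dump with the section table missing
REPAIRED = TRUNCATED + b"\x00" * (SHNUM * 64)         # same dump after appending the table

if __name__ == "__main__":
    for name, blob in (("truncated", TRUNCATED), ("repaired", REPAIRED)):
        print(name, check_section_table(blob))
```

The check only confirms sizes: the appended entries are meaningful only if the reference libc is the identical build as the dumped one, since e_shoff and the section layout differ between builds.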
(Jan 27, 2025, 03:58 PM)kb2l Wrote:
(Jan 27, 2025, 03:54 PM)0xbeef Wrote:
(Jan 27, 2025, 03:46 PM)kb2l Wrote: For the root part, do I have to use the /command endpoint with a special payload?

You need a token first, then you can inject any command. Did you get the token?

Yes, I have the access_token.

But when I try to inject a command I fail:
command: send_image, output_file: "etc/passwd" for example will give "error generating image: "
command: "ls" -> error: "invalid command"
output_file: "test.png;id" => "error": "Output file path contains dangerous characters"

How did you get it?

(Jan 27, 2025, 04:08 PM)0xbeef Wrote:
(Jan 27, 2025, 03:58 PM)kb2l Wrote:
How did you get it?
There's a /login endpoint.
(Jan 27, 2025, 04:10 PM)kb2l Wrote:
(Jan 27, 2025, 04:08 PM)0xbeef Wrote:
There's a /login endpoint.
Thanks. So here make sure you are sending the `application/json` content-type and run something like `chmod u+s /bin/bash` as output_file. Then the rest you know what to do.
GG

(Jan 27, 2025, 05:44 PM)jamma3131 Wrote:
(Jan 27, 2025, 03:11 PM)lolla981 Wrote:
(Jan 27, 2025, 02:36 PM)jamma3131 Wrote:
(Jan 27, 2025, 02:28 PM)lolla981 Wrote: I need help with the grafana.db hash. I've never cracked a grafana db hash before. x | x | developer | email | name | hash | salt | x and a few other strings which could be salts; which one is the actual salt? I use the script to change it into hashcat-crackable format, but I exhaust my list and it never cracks. I have tried all three strings that are after the hash as salts separately. Can anybody tell me what I am doing wrong?

Use john for the other user's hash.

1|0|admin|admin@localhost||441a715bd788e928170be7954b17cb19de835a2dedfdece8c65327cb1d9ba6bd47d70edb7421b05d9706ba6147cb71973a34|CFn7zMsQpf|CgJll8Bmss||1|1|0||2024-06-05 16:14:51|2024-06-05 16:16:02|0|2024-06-05 16:16:02|0|0|
441a715bd788e928170be7954b17cb19de835a2dedfdece8c65327cb1d9ba6bd47d70edb7421b05d9706ba6147cb71973a34, CFn7zMsQpf > hash.txt ---> like this? Or the other string, CgJll8Bmss? I don't understand.


Nah, how did you think all of this is a hash? This (441a715bd788e928170be7954b17cb19de835a2dedfdece8c65327cb1d9ba6bd47d70edb7421b05d9706ba6147cb71973a34) is the hash, but it's salted, and even if you crack it the password will not be useful for further investigation. I thought you were on the true way. You cannot find something from this grafana. There is a db; you should look more aggressively inside the box, then think like outside of the box. Even without linpeas you can get the first flag.

When you check the schema, it's written there that it's hash and salt.
(Jan 27, 2025, 04:07 PM)pL4sTiC Wrote:
(Jan 27, 2025, 09:02 AM)luckystars0612 Wrote:
(Jan 27, 2025, 07:52 AM)0x410x420x41 Wrote: Hmm, if I try with one of the libc.so.6 PNG files I am getting "ELFParseError: expected 8, found 5".
If I try with my own libc.so.6 it doesn't work (expected)...
I think you can try my way. Firstly, you need to download libc.so.6 from the box machine, then use my script to fix the missing header, then use this libc to get a shell.
Okay, also lost... where does the PNG file come from?
Use LFI to download libc.so.6 from the target server; it returns the path as PNG format?
(Jan 27, 2025, 06:09 PM)kyakeiuwu Wrote:
(Jan 27, 2025, 05:44 PM)jamma3131 Wrote:
When you check the schema, it's written there that it's hash and salt.
Wow did it work for you?

What after foothold?
(Jan 27, 2025, 06:14 PM)Miek22 Wrote:
(Jan 27, 2025, 06:09 PM)kyakeiuwu Wrote:
Wow did it work for you?

Yep, use grafana2hashcat.
(Jan 27, 2025, 06:18 PM)kyakeiuwu Wrote:
(Jan 27, 2025, 06:14 PM)Miek22 Wrote:
Yep, use grafana2hashcat.

Thanks a lot, very good!


