Posts: 7
Threads: 0
Joined: Oct 2023
(Oct 15, 2023, 10:39 AM)peRd1 Wrote:
(Oct 15, 2023, 02:23 AM)bololohaha Wrote: is option 5 from the CLI the correct path to root, or is this just another loophole?
Yes. I'd say yes, though I still didn't finish the box. There seem to be at least 2 ways to root the box.
Either via binary exploitation (a BOF or something, but I see I somehow need to get past the stack smashing checks; I was thinking about a ret-to-libc approach but couldn't get it done yet), or with the help of loading some external library and SQL statements. Regardless, the CLI binary's function 5 needs to get abused to its tears, which is where I am pretty much stumped......
As for the user and foothold: read the previous posts. Find out how to read other files. FUZZ for valid entries where it gives unauthorized but the file exists, etc. Then you will see how to actually read those files that exist. After that step the foothold is right away. Then move laterally to a different user. After the shell, on the server you will find some zips of sqlite db backups, which contain pwd hashes! You need to get into the gitea that is filtered (seen from the nmap scan, RIGHT??). Port fwd that once you have a foothold, obviously. In the gitea, once logged in, you will see the archive password right away. Unzip and this is how you find the sql hashes. Crack them. Be smart. Use tools appropriately. Check all backups since not every credential will work, but you'll get the user. And done.
should I crack these hashes from the database ("pbkdf2_sha256")? cuz on my laptop it will take 4 days??
Posts: 124
Threads: 2
Joined: Oct 2023
[quote="wh1t3pwn3r" pid='193898' dateline='1697397750']
[quote="al3" pid='193845' dateline='1697395454']
hello, could someone help me with the foothold?
[/quote]
Spend some time on the 'Reserve Files' function and you'll see that your files are referred to by an ID, which means you can change that ID to another one and read something you shouldn't be able to read.
TIP: If you don't have the Burp Pro version, you can try all possible IDs from 0 to 200 and you should find what you need to get a foothold on the target.
[/quote]
Reserve Files???
It doesn't have an id when I intercept, just the filename.
What do you mean?
And thank you!!
Posts: 12
Threads: 1
Joined: Aug 2023
(Oct 15, 2023, 07:37 PM)al3 Wrote: Reserve Files???
It doesn't have an id when I intercept, just the filename.
What do you mean?
And thank you!!
First of all, you need to reserve the file and then click on it in order to edit/delete etc., and you'll see that the url is not http://drive.htb/<ID>/getFileDetail but http://drive.htb/<ID>/block instead
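The situation the post above describes, where one route on the same object checks who owns the file and its sibling route does not, is the classic root cause of an IDOR. The following is an added illustration in plain Python, not code from the box, from Django or from anyone in this thread; the names StoredFile, get_file_detail_v1/v2, block_file_v1/v2 and the sample file store are hypothetical. The hardened variant also answers "not found" for files you do not own, which removes the "unauthorized, but the file exists" oracle an earlier post mentions.

```python
"""Added illustration (not the box's or any project's code): the same
file lookup exposed through two routes, one of which forgets the
ownership check.  All names and data here are constructed."""
from dataclasses import dataclass


@dataclass
class StoredFile:
    file_id: int
    owner: str
    content: str


class PermissionDenied(Exception):
    pass


class NotFound(Exception):
    pass


# Constructed sample store: sequential integer IDs, several owners.
FILES = {
    1: StoredFile(1, "alice", "alice's notes"),
    2: StoredFile(2, "bob", "bob's notes"),
    3: StoredFile(3, "carol", "ops credentials (should stay private)"),
}


def _lookup(file_id):
    """Raw lookup by ID: no notion of who is asking."""
    f = FILES.get(file_id)
    if f is None:
        raise NotFound(file_id)
    return f


# --- Vulnerable pattern: authorization applied on one route only ----------

def get_file_detail_v1(user, file_id):
    """The 'front door' checks ownership and behaves correctly."""
    f = _lookup(file_id)
    if f.owner != user:
        raise PermissionDenied(file_id)
    return f.content


def block_file_v1(user, file_id):
    """Sibling route reuses the raw lookup and skips the check, so any
    authenticated user can read any file simply by changing the ID."""
    return _lookup(file_id).content


# --- Hardened pattern: ownership enforced inside the lookup itself --------

def _lookup_owned(user, file_id):
    """Scoped lookup: a file that is not yours is indistinguishable from
    one that does not exist, so walking IDs reveals nothing."""
    f = FILES.get(file_id)
    if f is None or f.owner != user:
        raise NotFound(file_id)
    return f


def get_file_detail_v2(user, file_id):
    return _lookup_owned(user, file_id).content


def block_file_v2(user, file_id):
    return _lookup_owned(user, file_id).content


def can_read(handler, user, file_id):
    """True if `handler` lets `user` read `file_id`."""
    try:
        handler(user, file_id)
        return True
    except (PermissionDenied, NotFound):
        return False


def readable_ids(handler, user, id_range=range(0, 10)):
    """Which IDs `user` can read through `handler`; compares both designs."""
    return [i for i in id_range if can_read(handler, user, i)]


if __name__ == "__main__":
    for name, h in [("getFileDetail v1", get_file_detail_v1),
                    ("block v1", block_file_v1),
                    ("getFileDetail v2", get_file_detail_v2),
                    ("block v2", block_file_v2)]:
        print(f"{name:18s} bob can read: {readable_ids(h, 'bob')}")
```

The point of `_lookup_owned` is that every route goes through the same ownership-scoped query, so a new route cannot "forget" the check the way `block_file_v1` does.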
Posts: 60
Threads: 1
Joined: Jun 2023
(Oct 15, 2023, 06:44 PM)al3 Wrote: hello, could someone help me in the foothold?
Fuzz using numbers in /FUZZ/block/ or /FUZZ/getFileDetail/ until you find the IDOR, which gives SSH creds to the machine.
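From the defender's side, the activity the last two posts describe, a single client walking numeric IDs under /<id>/block/ or /<id>/getFileDetail/ and collecting mostly 403/404 answers, stands out clearly in web server access logs. The example below is added here and is not code from this thread or from the box: it parses combined-log-format lines, keeps only requests to those two object routes, and raises one alert per client whose busiest time window touches many distinct IDs with a high error share. The log lines, client addresses, thresholds and the user agent string are constructed assumptions.

```python
"""Added detection example (not code from this thread or from the box):
flag clients that walk numeric object IDs under /<id>/block/ or
/<id>/getFileDetail/ with mostly 401/403/404 responses.  The log lines,
client addresses and thresholds below are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log-format prefix: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Object routes of interest: a bare integer ID followed by the action.
OBJECT_RE = re.compile(r"^/(?P<id>\d+)/(?P<action>block|getFileDetail)/?$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a request to an object route, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    o = OBJECT_RE.match(m["path"])
    if not o:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "id": int(o["id"]),
        "action": o["action"],
        "status": int(m["status"]),
    }


def detect_enumeration(lines, window_s=120, min_ids=15, min_err_ratio=0.5):
    """One alert per client whose busiest `window_s` window touches at least
    `min_ids` distinct IDs with an error share of at least `min_err_ratio`.
    The 200 responses inside that window are the objects to review."""
    per_client = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            per_client[ev["ip"]].append(ev)

    alerts = []
    for ip, evs in per_client.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end, ev in enumerate(evs):            # sliding time window
            while (ev["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            ids = {e["id"] for e in window}
            if len(ids) < min_ids:
                continue
            errors = sum(1 for e in window if e["status"] in (401, 403, 404))
            ratio = errors / len(window)
            if ratio >= min_err_ratio and (best is None or len(ids) > best["distinct_ids"]):
                best = {
                    "ip": ip,
                    "distinct_ids": len(ids),
                    "error_ratio": round(ratio, 2),
                    "hits_200": sorted(e["id"] for e in window if e["status"] == 200),
                    "first": window[0]["ts"].isoformat(),
                    "last": window[-1]["ts"].isoformat(),
                }
        if best:
            alerts.append(best)
    return alerts


def constructed_log():
    """Constructed sample: 10.10.14.5 walks IDs 0..39 in two minutes (two
    200s, the rest 403/404); 10.10.14.9 only opens its own two files."""
    base = datetime(2023, 10, 15, 20, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(40):
        status = 200 if i in (12, 27) else (403 if i % 4 == 0 else 404)
        ts = (base + timedelta(seconds=3 * i)).strftime(TS_FMT)
        lines.append(f'10.10.14.5 - - [{ts}] "GET /{i}/block/ HTTP/1.1" {status} 512 "-" "Wfuzz/3.1.0"')
    for i, fid in enumerate((101, 102)):
        ts = (base + timedelta(seconds=60 * i)).strftime(TS_FMT)
        lines.append(f'10.10.14.9 - - [{ts}] "GET /{fid}/getFileDetail/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
    lines.append(f'10.10.14.9 - - [{base.strftime(TS_FMT)}] "GET /home/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for alert in detect_enumeration(constructed_log()):
        print(alert)
```

The error-ratio condition is what separates enumeration from a busy legitimate user: someone opening many of their own files produces 200s, while an ID walk is dominated by 403/404 with only a few 200s, and those few are exactly the objects whose exposure needs to be reviewed.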
Posts: 124
Threads: 2
Joined: Oct 2023
Oct 15, 2023, 10:41 PM
(This post was last modified: Oct 15, 2023, 11:01 PM by al3.)
everyone here is a pro, now let's climb privileges
LOL, cracking those hashes will take me days xd
Posts: 124
Threads: 2
Joined: Oct 2023
hello, any tip for cracking cris' hash???
Posts: 8
Threads: 0
Joined: Jul 2023
wfuzz -u "http://drive.htb/FUZZ/block/" -z range,0-200 -H "Cookie: csrftoken=mlbkC03I9ETYLUqbAosyz8fBXWT6j4PD; sessionid=s57wz418ntq55ww0pej7ak8he8yg4hkb" --hc 404
(Replace sessionid with your own. After it finishes, visit each ID at http://drive.htb/ID/block/ -> click the button to show the message)
ssh -L 8007:127.0.0.1:3000 martin@drive.htb
(Visit 127.0.0.1:8007 in your browser, log in with the previous creds, just add @drive.htb to the username/email, and find the sh file in it with the archive password)
scp "martin@drive.htb:/var/www/backups/*" .
(unzip all the backup files, dump them, and put all the sha1 hashes in a file)
hashcat -m 124 hash /usr/share/wordlists/rockyou.txt
(One password is for the tom user; su/ssh)
Posts: 124
Threads: 2
Joined: Oct 2023
helppppppppppppp
Posts: 42
Threads: 2
Joined: Aug 2023
(Oct 16, 2023, 02:18 AM)al3 Wrote: helppppppppppppp
what do u need?