tldr:
Attack Path:
Review Website
Register an account on the site
Register an account using the qooqle oath
Create malicious article with html injection to force admin to register new oauth token for you
Report article to admin so trigger CSRF
Change oauth registration, use callback code in CSRF
Get Admin session
create malicious dll to get rev shell
upload to a banner as admin (we can do this now since the checks are bypassed as admin)
start listener
Go to eloquia.htb/dev/sql-explorer
Load the dll using the following
SELECT load_extension('statis/assets/images.blog/malicious.dll');
get user shell
type user.txt
Creds are stored in browser
Copy local_state.json and login_data.json
Crack password
Olivia.KAT:S3cureP@sswdIGu3ss
Login with evil winrm
Failure2ban service is vulnerable to being overwritten.
Overwrite with simple exe to move flag to readable directory or make a new rev shell.
Attack Path:
Review Website
Register an account on the site
Register an account using the qooqle oath
Create malicious article with html injection to force admin to register new oauth token for you
Report article to admin so trigger CSRF
Change oauth registration, use callback code in CSRF
Get Admin session
create malicious dll to get rev shell
upload to a banner as admin (we can do this now since the checks are bypassed as admin)
start listener
Go to eloquia.htb/dev/sql-explorer
Load the dll using the following
SELECT load_extension('statis/assets/images.blog/malicious.dll');
get user shell
type user.txt
Creds are stored in browser
Copy local_state.json and login_data.json
Crack password
Olivia.KAT:S3cureP@sswdIGu3ss
Login with evil winrm
Failure2ban service is vulnerable to being overwritten.
Overwrite with simple exe to move flag to readable directory or make a new rev shell.
