Posts: 16
Threads: 0
Joined: Jul 2024
Aug 17, 2024, 11:56 PM
(This post was last modified: Aug 17, 2024, 11:58 PM by hexforce.)
A few DLLs we can grab in /opt/components: FileTree.dll, FileUpload.dll, Resumes.dll, etc.
Don't know if there is anything interesting there...
(Aug 17, 2024, 11:26 PM)sodanger123 Wrote: (Aug 17, 2024, 11:23 PM)nomx1337 Wrote: Hint for root? Not used to procmon on Linux...
I'm thinking about something like https://bordplate.no/presentations/findi...rocmon.pdf
Could you give a hint about LFI to reverse shell?
If I understand right, you can basically see in the "load module" section on the panel on port 3000 that it loads modules from the /opt/components directory. Therefore, we can inject a payload into a DLL, upload it with the same name and load it to gain a shell. I don't know how I would upload it to the /opt/components directory though. Might have to do some tests.
Posts: 219
Threads: 14
Joined: Apr 2024
(Aug 17, 2024, 11:56 PM)hexforce Wrote: A few DLLs we can grab in /opt/components: FileTree.dll, FileUpload.dll, Resumes.dll, etc.
Don't know if there is anything interesting there...
(Aug 17, 2024, 11:26 PM)sodanger123 Wrote: (Aug 17, 2024, 11:23 PM)nomx1337 Wrote: Hint for root? Not used to procmon on Linux...
I'm thinking about something like https://bordplate.no/presentations/findi...rocmon.pdf
Could you give a hint about LFI to reverse shell?
If I understand right, you can basically see in the "load module" section on the panel on port 3000 that it loads modules from the /opt/components directory. Therefore, we can inject a payload into a DLL, upload it with the same name and load it to gain a shell. I don't know how I would upload it to the /opt/components directory though. Might have to do some tests.
Can't be done... Your upload goes only into the images folder; also, it's client-side validation.
Posts: 36
Threads: 1
Joined: Jun 2023
Aug 18, 2024, 12:08 AM
(This post was last modified: Aug 18, 2024, 12:09 AM by v3701.)
You can upload the DLL file to /opt/components if you played with the filename (some ..) on the upload feature.
That's what I found so far; I couldn't get RCE yet.
Posts: 16
Threads: 0
Joined: Jul 2024
Aug 18, 2024, 12:09 AM
(This post was last modified: Aug 18, 2024, 12:10 AM by hexforce.)
(Aug 18, 2024, 12:05 AM)osamy7593 Wrote: (Aug 17, 2024, 11:56 PM)hexforce Wrote: A few DLLs we can grab in /opt/components: FileTree.dll, FileUpload.dll, Resumes.dll, etc.
Don't know if there is anything interesting there...
(Aug 17, 2024, 11:26 PM)sodanger123 Wrote: (Aug 17, 2024, 11:23 PM)nomx1337 Wrote: Hint for root? Not used to procmon on Linux...
I'm thinking about something like https://bordplate.no/presentations/findi...rocmon.pdf
Could you give a hint about LFI to reverse shell?
If I understand right, you can basically see in the "load module" section on the panel on port 3000 that it loads modules from the /opt/components directory. Therefore, we can inject a payload into a DLL, upload it with the same name and load it to gain a shell. I don't know how I would upload it to the /opt/components directory though. Might have to do some tests.
Can't be done... Your upload goes only into the images folder; also, it's client-side validation.
Yup, that's the issue lol. Just throwing in an idea. I've been stuck for a while now.
(Aug 18, 2024, 12:08 AM)v3701 Wrote: You can upload the DLL file to /opt/components if you played with the filename (some ..) on the upload feature.
That's what I found so far; I couldn't get RCE yet.
As in the file name "../../test.dll"??
Posts: 219
Threads: 14
Joined: Apr 2024
(Aug 18, 2024, 12:08 AM)v3701 Wrote: You can upload the DLL file to /opt/components if you played with the filename (some ..) on the upload feature.
That's what I found so far; I couldn't get RCE yet.
How could you capture the request? It's client-side validation.
Posts: 16
Threads: 0
Joined: Jul 2024
(Aug 18, 2024, 12:13 AM)osamy7593 Wrote: (Aug 18, 2024, 12:08 AM)v3701 Wrote: You can upload the DLL file to /opt/components if you played with the filename (some ..) on the upload feature.
That's what I found so far; I couldn't get RCE yet.
How could you capture the request? It's client-side validation.
Maybe with the PDF upload? Modify the content type and filename to something like "../../../../test.pdf.dll" (in Burp).
No idea if that would work though. I'm taking a break now.
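The thread above turns on two weaknesses: an upload filter enforced only in the browser, and a filename that the server joins onto a directory without stripping path components. As an added example (not code from any poster or from the box), the check below shows what a server-side filter looks like that defeats both: it keeps only the last path component, allowlists the final extension only, and confirms the resolved path stays inside the upload root. The upload directory and extension list are constructed placeholders.

```python
import os
from pathlib import PurePosixPath
from typing import Optional

# Constructed values for the example, not the target application's.
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".jpeg"}
UPLOAD_DIR = "/var/www/uploads/images"


def safe_upload_path(upload_dir: str, filename: str) -> Optional[str]:
    """Return the resolved destination path, or None if the name is rejected.

    All checks run on the server, so they hold even when the browser-side
    validation was bypassed by editing the request in a proxy.
    """
    if not filename or "\x00" in filename:
        return None
    # Keep only the final component: "../../x.dll" collapses to "x.dll".
    # Backslashes are folded to "/" in case the app also runs on Windows.
    base = PurePosixPath(filename.replace("\\", "/")).name
    if base in ("", ".", ".."):
        return None
    # Allowlist the *last* extension only, so "test.pdf.dll" is rejected.
    if PurePosixPath(base).suffix.lower() not in ALLOWED_EXTENSIONS:
        return None
    root = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(root, base))
    # Belt and braces: the resolved path must remain under the upload root.
    if os.path.commonpath([root, dest]) != root:
        return None
    return dest


def looks_like_traversal(filename: str) -> bool:
    """Flag names worth logging/alerting on: any separator or a '..' component."""
    parts = filename.replace("\\", "/").split("/")
    return len(parts) > 1 or ".." in parts
```

`looks_like_traversal` is separate from the sanitiser on purpose: a rejected name is evidence of someone tampering with the request, which is worth a log line even though the write never happens.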
Posts: 219
Threads: 14
Joined: Apr 2024
Oh, great idea, maybe yes, but we must have write access on that file.
Posts: 39
Threads: 12
Joined: Aug 2024
Has anyone tried to upload a PDF using msf and exploit/windows/fileformat/adobe_pdf_embedded_exe?
If tomas has a login to the port on 3000, then it is likely that HTB has an automated "click" action for uploaded resumes?
Posts: 11
Threads: 0
Joined: Jul 2024
Aug 18, 2024, 01:27 AM
(This post was last modified: Aug 18, 2024, 01:28 AM by drunkp.)
Have you guys managed to build a DLL with a rev shell?
Used multiple tools to disassemble and try to build it, but nothing worked.
What tools have you used?
(Aug 18, 2024, 01:24 AM)ir0nman4l1f3 Wrote: Has anyone tried to upload a PDF using msf and exploit/windows/fileformat/adobe_pdf_embedded_exe?
If tomas has a login to the port on 3000, then it is likely that HTB has an automated "click" action for uploaded resumes?
It is not Windows though.
Posts: 39
Threads: 12
Joined: Aug 2024
(Aug 18, 2024, 01:27 AM)drunkp Wrote: Have you guys managed to build a DLL with a rev shell?
Used multiple tools to disassemble and try to build it, but nothing worked.
What tools have you used?
(Aug 18, 2024, 01:24 AM)ir0nman4l1f3 Wrote: Has anyone tried to upload a PDF using msf and exploit/windows/fileformat/adobe_pdf_embedded_exe?
If tomas has a login to the port on 3000, then it is likely that HTB has an automated "click" action for uploaded resumes?
It is not Windows though.
Just an example; you can also update the payload to use a Linux version as well for that one.