[ HTB ] - Ouija - [ Discussion ]
by RebeLHeX - Saturday December 2, 2023 at 06:32 PM
#31
(Dec 03, 2023, 04:51 PM)Junkman2531 Wrote:
(Dec 03, 2023, 04:50 PM)ByteBuster Wrote:
(Dec 03, 2023, 04:20 PM)JacquesPhil12 Wrote: GOT ssh key for leila

I am using hash_extender, but I can't figure out how to validate my parameters. Can you share more details?

hash_extender is the correct tool to use, but I could not figure out the correct parameters.

Can you provide details about how to use hash_extender inside this box?
#32
(Dec 03, 2023, 04:40 PM)caccapuzza Wrote:
(Dec 03, 2023, 04:20 PM)JacquesPhil12 Wrote: GOT ssh key for leila
Where? The request to ../../../../home/leila/.ssh/id_rsa
returns empty; also, in etc/passwd there is no leila user.

That's because you're targeting it from the LFI-able endpoint with smuggling, yes...

Grabbing the id_rsa of the said user requires targeting it via that other API running on port 3000, and for that you need to understand the app's code and create the required hashes to become admin.
#33
(Dec 03, 2023, 05:24 PM)peRd1 Wrote:
(Dec 03, 2023, 04:40 PM)caccapuzza Wrote:
(Dec 03, 2023, 04:20 PM)JacquesPhil12 Wrote: GOT ssh key for leila
Where? The request to ../../../../home/leila/.ssh/id_rsa
returns empty; also, in etc/passwd there is no leila user.

That's because you're targeting it from the LFI-able endpoint with smuggling, yes...

Grabbing the id_rsa of the said user requires targeting it via that other API running on port 3000, and for that you need to understand the app's code and create the required hashes to become admin.
Did you manage to expose the app code with LFI?
#34
(Dec 03, 2023, 05:44 PM)manamana Wrote:
(Dec 03, 2023, 05:27 PM)mobilehack Wrote:
(Dec 03, 2023, 05:26 PM)caccapuzza Wrote:
(Dec 03, 2023, 05:24 PM)peRd1 Wrote:
(Dec 03, 2023, 04:40 PM)caccapuzza Wrote: Where? The request to ../../../../home/leila/.ssh/id_rsa
returns empty; also, in etc/passwd there is no leila user.

That's because you're targeting it from the LFI-able endpoint with smuggling, yes...

Grabbing the id_rsa of the said user requires targeting it via that other API running on port 3000, and for that you need to understand the app's code and create the required hashes to become admin.
Did you manage to expose the app code with LFI?

My question exactly, where can we find that code?

Try =app.js, and you can see the source code.
Found the source, but there is no secret; I don't think hash_extender is the way.
#35
hash_extender --data leila --append '::admin:True' -f sha256 -s b811f03f712c066b1a03a1fbe3877fa2b68f9b1692c2bdfb45c96b731f677496
Type: sha256
Secret length: 8
New signature: 35f4d8a3bf235009df21c066c563d65337e663c000ffbd51384fa02e7c770fef
New string: 6c65696c618000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000683a3a61646d696e3a54727565

Am I missing something?
#36
(Dec 03, 2023, 06:32 PM)JacquesPhil12 Wrote: .config/bin/process_informations/self/root/home/leila/

/file/get?file=.config/bin/process_informations/self/root/home/leila/.ssh/id_rsa

I'm getting invalid token from that; I'm wondering how to get the s
#37
(Dec 03, 2023, 06:27 PM)caccapuzza Wrote: hash_extender --data leila --append '::admin:True' -f sha256 -s b811f03f712c066b1a03a1fbe3877fa2b68f9b1692c2bdfb45c96b731f677496
Type: sha256
Secret length: 8
New signature: 35f4d8a3bf235009df21c066c563d65337e663c000ffbd51384fa02e7c770fef
New string: 6c65696c618000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000683a3a61646d696e3a54727565

Am I missing something?
Yes. You're missing the secret length value, and since you don't know it, you need to brute-force it.

(Dec 03, 2023, 06:34 PM)caccapuzza Wrote:
(Dec 03, 2023, 06:32 PM)JacquesPhil12 Wrote: .config/bin/process_informations/self/root/home/leila/

/file/get?file=.config/bin/process_informations/self/root/home/leila/.ssh/id_rsa

I'm getting invalid token from that; I'm wondering how to get the s

You're getting invalid token because your ihash and identifier are not correct. Recheck app.js for the error messages...
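Added example, not from the thread or from the box's app.js: it rebuilds the "New string" hash_extender printed above from the SHA-256 padding rule, which shows why the secret length matters (the glue padding encodes the total length of secret plus data, so the default guess of 8 only works if the secret really is 8 bytes), and puts the length-extendable sha256(secret || data) construction beside the HMAC construction a signer should use instead. Function names and the sample key are my own.

```python
# Added example (not from the thread): SHA-256 glue padding, the message
# hash_extender produced for the thread's values, and the HMAC alternative.
import hashlib
import hmac


def sha256_glue_padding(total_len: int) -> bytes:
    """Padding SHA-256 appends to a total_len-byte message: 0x80, zero bytes
    up to 56 mod 64, then the message length in bits as 64-bit big-endian."""
    zeros = (55 - total_len) % 64
    return b"\x80" + b"\x00" * zeros + (total_len * 8).to_bytes(8, "big")


def extended_message(secret_len: int, data: bytes, append: bytes) -> bytes:
    """The 'New string' hash_extender prints: data, then the padding the
    server implicitly hashed when it computed sha256(secret || data), then
    the appendix.  The padding depends on secret_len, so a wrong guess
    produces a message whose forged signature the server will not accept."""
    return data + sha256_glue_padding(secret_len + len(data)) + append


def legacy_sign(secret: bytes, data: bytes) -> str:
    """Length-extendable construction: sha256(secret || data)."""
    return hashlib.sha256(secret + data).hexdigest()


def hmac_sign(secret: bytes, data: bytes) -> str:
    """Hardened construction: HMAC-SHA256 is not length-extendable."""
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def hmac_verify(secret: bytes, data: bytes, sig: str) -> bool:
    """Constant-time comparison avoids leaking the signature byte by byte."""
    return hmac.compare_digest(hmac_sign(secret, data), sig)


if __name__ == "__main__":
    # Secret length 8 (hash_extender's default) with the thread's data/appendix.
    print(extended_message(8, b"leila", b"::admin:True").hex())
    key = b"constructed-sample-key"  # constructed, not the box's secret
    print(legacy_sign(key, b"leila"), hmac_sign(key, b"leila"))
```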
#38
Small Go program to calculate Content-Length for those that need one.

package main

import (
	"fmt"
	"os"
	"strings"
)

func calculateContentLength(requestBody string) int {
	// Go strings are UTF-8 byte sequences, so len() already counts bytes
	return len([]byte(requestBody))
}

func main() {
	if len(os.Args) < 2 {
		fmt.Println("Usage: go run main.go \"<HTTP request body>\"")
		return
	}

	// Joining all arguments to handle request bodies with spaces
	requestBody := strings.Join(os.Args[1:], " ")
	contentLength := calculateContentLength(requestBody)
	fmt.Printf("Calculated Content-Length: %d bytes\n", contentLength)
}
#39
(Dec 03, 2023, 06:35 PM)peRd1 Wrote:
(Dec 03, 2023, 06:27 PM)caccapuzza Wrote: hash_extender --data leila --append '::admin:True' -f sha256 -s b811f03f712c066b1a03a1fbe3877fa2b68f9b1692c2bdfb45c96b731f677496
Type: sha256
Secret length: 8
New signature: 35f4d8a3bf235009df21c066c563d65337e663c000ffbd51384fa02e7c770fef
New string: 6c65696c618000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000683a3a61646d696e3a54727565

Am I missing something?
Yes. You're missing the secret length value, and since you don't know it, you need to brute-force it.

(Dec 03, 2023, 06:34 PM)caccapuzza Wrote:
(Dec 03, 2023, 06:32 PM)JacquesPhil12 Wrote: .config/bin/process_informations/self/root/home/leila/

/file/get?file=.config/bin/process_informations/self/root/home/leila/.ssh/id_rsa

I'm getting invalid token from that; I'm wondering how to get the s

You're getting invalid token because your ihash and identifier are not correct. Recheck app.js for the error messages...


import sys

def calculate_content_length(request_body):
    # Encoding the string to UTF-8 and counting the bytes
    return len(request_body.encode('utf-8'))

def main():
    if len(sys.argv) < 2:
        print("Usage: python main.py \"<HTTP request body>\"")
        return

    # Joining all arguments to handle request bodies with spaces
    request_body = " ".join(sys.argv[1:])
    content_length = calculate_content_length(request_body)
    print(f"Calculated Content-Length: {content_length} bytes")

if __name__ == "__main__":
    main()
#40
AAA, looking for someone who rooted it for a small hint... very smol... pls PM.

(For all the others: sorry, do not PM until I root it; I do not reply anyway.)
