Posts: 12
Threads: 0
Joined: Jun 2024
(Aug 04, 2024, 06:48 AM)osamy7593 Wrote: (Aug 04, 2024, 06:46 AM)glock05 Wrote: (Aug 04, 2024, 06:44 AM)jsvensson Wrote: (Aug 04, 2024, 06:37 AM)bestmajor Wrote: Found SSH-Login for msainristil. Just download the zip-file "c2f4813249...snip....zip". There is no ticket within the database, i.e. you could overlook it. It's a log file with creds. 
Damn, I looked at that file, how did you notice the creds?
search for "pass"
https://github.com/Mr-xn/thinkphp_lang_R...me-ov-file
https://linux.do/t/topic/26424
(Nessus can be great for fingerprinting)
How did you figure out that vulnerability ../../shell?
Posts: 124
Threads: 1
Joined: Apr 2024
(Aug 04, 2024, 07:11 AM)insect1285 Wrote: Any ideas on what to do with files in msainristil user home? Combined with clues from the tickets/messages in the database - they need to be used, but I'm out of my experience.
I think that it should be used to sign our public key, but how to use it to authorize on http://signserv.ssg.htb/v1/sign?
Posts: 18
Threads: 0
Joined: Jul 2024
1) Create your own public key using ssh-keygen
2) Sign that public key using the certificate as any user in the target server
3) Use your private key and the generated cert file to login as the user you signed in the target server
Posts: 124
Threads: 1
Joined: Apr 2024
(Aug 04, 2024, 07:31 AM)0xScriptkiddie Wrote: 1)create your own public key using ssh-keygen
2)sign that public key using the certificate as any user in the target server
3)use your private key and the generated cert file to login as the user you signed in the target server
Could you tell more about 2?
Posts: 19
Threads: 1
Joined: Jun 2024
You can sign it with something like:
ssh-keygen -s ca-itrc -n zzinter keypair.pub
Where keypair.pub is the public key of the RSA keypair you generate with something like:
ssh-keygen -t rsa -b 2048 -f keypair
Then you'd just connect with:
ssh -o CertificateFile=keypair-cert.pub -i keypair zzinter@ssg.htb
Make sure you set the key perms to 600 or else it'll bitch.
Posts: 52
Threads: 1
Joined: Jul 2024
got that thanks @ ShitWhiffler
Posts: 3
Threads: 0
Joined: Aug 2024
(Aug 04, 2024, 04:09 AM)UnkownWombat Wrote: (Aug 04, 2024, 03:52 AM)fuckhackthebox Wrote: its this: https://github.com/Mr-xn/thinkphp_lang_RCE
but use ?page instead of ?lang
now go find me the root method and report back please
I'm fucking sick of this guessing game bullshit
lol fair the only review is a 1* xD
(Aug 04, 2024, 02:17 AM)ggorilla1337 Wrote: I was able to leak some of the user zzinter hash
user=zzinter&pass[$eq]=ramdom
The response
<br />
<b>Fatal error</b>: Uncaught TypeError: password_verify(): Argument #1 ($password) must be of type string, array given in /var/www/itrc/api/login.php:16
Stack trace:
#0 /var/www/itrc/api/login.php(16): password_verify(Array, '$2y$10$VCpu.vx5...')
#1 {main}
thrown in <b>/var/www/itrc/api/login.php</b> on line <b>16</b><br />
For learning purposes, could you explain this a bit more? It's pretty interesting.
Because PHP handles pass[$eq] as an array, it pops up an error because password_verify expects a string, and a little bit of the hash shows up in the stack trace. Honestly this was not something intentional and due to the character limit it is not very useful.
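The failure explained in the post above, seen from the defender's side, as an added example that is not part of the thread and not the application's code: the login input is type-checked before it reaches password_verify(), and error output is kept out of the response. The field names come from the quoted request; string_field(), verify_login() and the $users store are hypothetical, and the credentials are constructed.

```php
<?php
// Added example: field names come from the request quoted in the thread;
// string_field(), verify_login() and the $users store are hypothetical.
declare(strict_types=1);

// Keep errors out of HTTP responses and keep call arguments (such as the
// stored hash) out of stack traces; log server-side instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('zend.exception_ignore_args', '1'); // PHP 7.4+

// Return the field only if it is a non-empty string of bounded length.
// PHP parses pass[$eq]=x into ['$eq' => 'x'], so arrays stop here.
function string_field(array $input, string $name, int $maxLen = 256): ?string
{
    $value = $input[$name] ?? null;
    if (!is_string($value) || $value === '' || strlen($value) > $maxLen) {
        return null;
    }
    return $value;
}

function verify_login(array $input, array $users): bool
{
    $user = string_field($input, 'user');
    $pass = string_field($input, 'pass');
    if ($user === null || $pass === null) {
        return false; // malformed input is answered like bad credentials
    }
    // Constructed dummy hash so unknown users still cost one bcrypt check.
    static $dummy = null;
    $dummy ??= password_hash('constructed-placeholder', PASSWORD_BCRYPT);
    $known = isset($users[$user]);
    $ok = password_verify($pass, $known ? $users[$user] : $dummy);
    return $known && $ok;
}

// Constructed sample data; parse_str() builds the same nested structure
// PHP builds for a form-encoded request body.
$users = ['zzinter' => password_hash('constructed-password', PASSWORD_BCRYPT)];
parse_str('user=zzinter&pass[$eq]=ramdom', $arrayBody);
parse_str('user=zzinter&pass=constructed-password', $stringBody);

// The array-valued pass is refused by the type check, not by a TypeError.
var_dump(verify_login($arrayBody, $users));
var_dump(verify_login($stringBody, $users));
```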
Posts: 52
Threads: 1
Joined: Jul 2024
Any success after that? I am stuck at the signing, the fast api one. Can anyone help?