JOIN BREACHFORUMS TELEGRAM
Skyfall - HTB
by paven - Saturday February 3, 2024 at 02:10 PM
Breached
Member
Posts: 78
Threads: 24
Joined: Nov 2023
Reputation: 1
#1
Feb 03, 2024, 02:10 PM
Skyfall - Linux - Insane

Good luck everyone! Let's tackle this together!
https://app.hackthebox.com/machines/Skyfall
Reply
Breached
Member
Posts: 78
Threads: 24
Joined: Nov 2023
Reputation: 1
#2
Feb 03, 2024, 05:06 PM
Guy's last T-2 hrs before the challenge begins
Reply
Advanced User

Posts: 55
Threads: 2
Joined: Jul 2023
Reputation: 0
#3
Feb 03, 2024, 07:05 PM (This post was last modified: Feb 03, 2024, 07:07 PM by DataNinja.)
demo.skyfall.htb

posible unrestricted file upload

http://demo.skyfall.htb/files
Reply
Breached
Member
Posts: 43
Threads: 1
Joined: Oct 2023
Reputation: 0
#4
Feb 03, 2024, 07:32 PM
How did you login? SQLi does not work, rockyou is exhausted for all three users
Reply
Breached
Member
Posts: 5
Threads: 0
Joined: Jan 2024
Reputation: 0
#5
Feb 03, 2024, 07:34 PM
(Feb 03, 2024, 07:32 PM)Steward Wrote: How did you login? SQLi does not work, rockyou is exhausted for all three users

use guest:guest
Reply
Breached
Member
Posts: 16
Threads: 0
Joined: Jan 2024
Reputation: 0
#6
Feb 03, 2024, 07:34 PM
maybe endpoint with potential ssrf on fetch
Reply
Elite User

Posts: 148
Threads: 2
Joined: Oct 2023
Reputation: 25
#7
Feb 03, 2024, 07:44 PM
(Feb 03, 2024, 07:34 PM)U2t5d2lu Wrote: maybe endpoint with potential ssrf on fetch
yes, uploader+downloader works. and GET /fetch hits back home...
Reply
Advanced User

Posts: 55
Threads: 2
Joined: Jul 2023
Reputation: 0
#8
Feb 03, 2024, 07:51 PM
(Feb 03, 2024, 07:30 PM)kiddulu Wrote: uploaded a shell.php but cant trigger it and downloading does nothing

Think logically: the website uses Flask (Python), not PHP.
Reply
Elite User

Posts: 312
Threads: 7
Joined: Oct 2023
Reputation: 0
#9
Feb 03, 2024, 07:58 PM
Cookie decoded: flask-insign

{'_fresh': True, '_id': '1c26577c0e4ec6afcf478aca7923069824db76ff0e5075f97569c948773ba0e7b58b90481e6f15d06d527ad8aa52e375cc27f0fbf6582e8045d8d75353327a12', '_user_id': '1', 'csrf_token': 'aa237d20d7e1ebe1c8f2722ccf76d77b24fbbe00'}
Reply
Elite User

Posts: 148
Threads: 2
Joined: Oct 2023
Reputation: 25
#10
Feb 03, 2024, 08:13 PM
(Feb 03, 2024, 07:58 PM)Art10n Wrote: Cookie decoded: flask-insign

{'_fresh': True, '_id': '1c26577c0e4ec6afcf478aca7923069824db76ff0e5075f97569c948773ba0e7b58b90481e6f15d06d527ad8aa52e375cc27f0fbf6582e8045d8d75353327a12', '_user_id': '1', 'csrf_token': 'aa237d20d7e1ebe1c8f2722ccf76d77b24fbbe00'}
flask unsign, but sadly we need the secret to sign admin cookies hahaha
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Hack the box Pro Labs, VIP, VIP+ 1 month free Method RedBlock 23 2,181 2 hours ago
Last Post: kkkato
  [FREE] HackTheBox Academy - CBBH CDSA CPTS All Modules Flags Techtom 20 2,495 Yesterday, 11:06 PM
Last Post: op334
Heart [FREE] HackTheBox All Cheatsheets Tamarisk 3 398 Yesterday, 10:36 PM
Last Post: op334
  [FREE] 300+ Writeups PDF HackTheBox/HTB premium retired Tamarisk 369 92,013 Yesterday, 04:10 PM
Last Post: sabbyahmed
  CBBH Write Ups hiddenhacker 22 6,229 Yesterday, 06:39 AM
Last Post: Usercomplex

Forum Jump:


 Users browsing this forum: 1 Guest(s)