Feb 03, 2024, 08:46 PM
i think You can recognize port on localhost via fetch endpoint (5005) but no idea so far what to do next
|
Skyfall - HTB
by paven - Saturday February 3, 2024 at 02:10 PM
|
|
Feb 03, 2024, 08:56 PM
there's aws
``` S3 operation failed; code: NoSuchKey, message: The specified key does not exist., resource: /guest//etc/passwd, request_id: 17B075BBE1C0F812, host_id: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, bucket_name: guest, object_name: etc/passwd ``` when accessing http://demo.skyfall.htb/download_file?fi...etc/passwd
Feb 03, 2024, 09:11 PM
(Feb 03, 2024, 08:52 PM)camiyi3472 Wrote:(Feb 03, 2024, 08:46 PM)U2t5d2lu Wrote: i think You can recognize port on localhost via fetch endpoint (5005) but no idea so far what to do next just 502 bad gateway and service is restarting
Feb 03, 2024, 09:14 PM
(Feb 03, 2024, 08:56 PM)hackwell Wrote: there's aws should be minio to be specific, am thinking enum buckets with the ssrf maybe not sure
Feb 03, 2024, 09:21 PM
(Feb 03, 2024, 08:56 PM)hackwell Wrote: there's aws I actually think its minio , it just has a S3 interface.
Feb 03, 2024, 09:27 PM
mmm... skyfall ? cloud ?
Feb 03, 2024, 09:30 PM
no its james bond skyfall, vue to a kill https://portswigger.net/daily-swig/vue-t...s-revealed
Feb 03, 2024, 09:33 PM
S3 operation failed; code: NoSuchKey, message: Object does not exist, resource: /guest/test.txt, request_id: 17B077A43BE44FF4, host_id: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, bucket_name: guest, object_name: test.txt
This implies AWS and S3 enum, I guess
Feb 03, 2024, 09:55 PM
(Feb 03, 2024, 09:30 PM)chillywilly Wrote: no its james bond skyfall, vue to a kill https://portswigger.net/daily-swig/vue-t...s-revealed But vue isnt used anywhere on the server afaik
Feb 03, 2024, 09:59 PM
filename=yyy returns error:
S3 operation failed; code: NoSuchKey, message: The specified key does not exist., resource: /guest/yyy, request_id: 17B0790FC421D09E, host_id: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, bucket_name: guest, object_name: yyy filename=../xxx/yyy returns error: S3 operation failed; code: SignatureDoesNotMatch, message: The request signature we calculated does not match the signature you provided. Check your key and signing method., resource: /xxx/yyy, request_id: 17B079010DB96CC8, host_id: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, bucket_name: xxx, object_name: yyy So we are traversing buckets with the ../ but strangely filename=../guest/Welcome.pdf (or any file we uploaded) also returns an error: S3 operation failed; code: SignatureDoesNotMatch, message: The request signature we calculated does not match the signature you provided. Check your key and signing method., resource: /guest/Welcome.pdf, request_id: 17B07923A86DCA80, host_id: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, bucket_name: guest, object_name: Welcome.pdf |
|
« Next Oldest | Next Newest »
|
| Possibly Related Threads… | |||||
| Thread | Author | Replies | Views | Last Post | |
| [FREE] CPTS 12 FLAGS | 68 | 1,899 |
2 hours ago Last Post: VictorPipeau |
||
| [FREE] HackTheBox Dante - complete writeup written by Tamarisk | 601 | 91,509 |
2 hours ago Last Post: VictorPipeau |
||
| [FREE] 300+ Writeups PDF HackTheBox/HTB premium retired | 371 | 92,787 |
3 hours ago Last Post: phannguyenbaouy1 |
||
| [FREE] HackTheBox Academy - CBBH CDSA CPTS All Modules Flags | 21 | 2,599 |
7 hours ago Last Post: popoler |
||
| Hack the box Pro Labs, VIP, VIP+ 1 month free Method | 23 | 2,242 |
Yesterday, 02:10 PM Last Post: kkkato |
||