JOIN BREACHFORUMS TELEGRAM
Skyfall - HTB
by paven - Saturday February 3, 2024 at 02:10 PM
Breached
Member
Posts: 78
Threads: 24
Joined: Nov 2023
Reputation: 1
#1
Feb 03, 2024, 02:10 PM
Skyfall - Linux - Insane

Good luck everyone! Let's tackle this together!
https://app.hackthebox.com/machines/Skyfall
Reply
Breached
Member
Posts: 78
Threads: 24
Joined: Nov 2023
Reputation: 1
#2
Feb 03, 2024, 05:06 PM
Guy's last T-2 hrs before the challenge begins
Reply
Advanced User

Posts: 55
Threads: 2
Joined: Jul 2023
Reputation: 0
#3
Feb 03, 2024, 07:05 PM (This post was last modified: Feb 03, 2024, 07:07 PM by DataNinja.)
demo.skyfall.htb

posible unrestricted file upload

http://demo.skyfall.htb/files
Reply
Breached
Member
Posts: 43
Threads: 1
Joined: Oct 2023
Reputation: 0
#4
Feb 03, 2024, 07:32 PM
How did you login? SQLi does not work, rockyou is exhausted for all three users
Reply
Breached
Member
Posts: 5
Threads: 0
Joined: Jan 2024
Reputation: 0
#5
Feb 03, 2024, 07:34 PM
(Feb 03, 2024, 07:32 PM)Steward Wrote: How did you login? SQLi does not work, rockyou is exhausted for all three users

use guest:guest
Reply
Breached
Member
Posts: 16
Threads: 0
Joined: Jan 2024
Reputation: 0
#6
Feb 03, 2024, 07:34 PM
maybe endpoint with potential ssrf on fetch
Reply
Elite User

Posts: 148
Threads: 2
Joined: Oct 2023
Reputation: 25
#7
Feb 03, 2024, 07:44 PM
(Feb 03, 2024, 07:34 PM)U2t5d2lu Wrote: maybe endpoint with potential ssrf on fetch
yes, uploader+downloader works. and GET /fetch hits back home...
Reply
Advanced User

Posts: 55
Threads: 2
Joined: Jul 2023
Reputation: 0
#8
Feb 03, 2024, 07:51 PM
(Feb 03, 2024, 07:30 PM)kiddulu Wrote: uploaded a shell.php but cant trigger it and downloading does nothing

Think logically: the website uses Flask (Python), not PHP.
Reply
Elite User

Posts: 312
Threads: 7
Joined: Oct 2023
Reputation: 0
#9
Feb 03, 2024, 07:58 PM
Cookie decoded: flask-insign

{'_fresh': True, '_id': '1c26577c0e4ec6afcf478aca7923069824db76ff0e5075f97569c948773ba0e7b58b90481e6f15d06d527ad8aa52e375cc27f0fbf6582e8045d8d75353327a12', '_user_id': '1', 'csrf_token': 'aa237d20d7e1ebe1c8f2722ccf76d77b24fbbe00'}
Reply
Elite User

Posts: 148
Threads: 2
Joined: Oct 2023
Reputation: 25
#10
Feb 03, 2024, 08:13 PM
(Feb 03, 2024, 07:58 PM)Art10n Wrote: Cookie decoded: flask-insign

{'_fresh': True, '_id': '1c26577c0e4ec6afcf478aca7923069824db76ff0e5075f97569c948773ba0e7b58b90481e6f15d06d527ad8aa52e375cc27f0fbf6582e8045d8d75353327a12', '_user_id': '1', 'csrf_token': 'aa237d20d7e1ebe1c8f2722ccf76d77b24fbbe00'}
flask unsign, but sadly we need the secret to sign admin cookies hahaha
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  [FREE] 300+ Writeups PDF HackTheBox/HTB premium retired Tamarisk 377 93,926 3 hours ago
Last Post: xuotcemcduzodzsdyd
  [FREE] CPTS 12 FLAGS pulsebreaker 75 2,438 3 hours ago
Last Post: rft569o7k
  [FREE] CPTS • CWES • CDSA • CWEE Exam Hint 3midjets 233 32,470 9 hours ago
Last Post: Sukon
  [MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot htb-bot 89 8,147 Yesterday, 07:25 PM
Last Post: Xploitd
Heart [FREE] HackTheBox All Cheatsheets Tamarisk 10 644 Yesterday, 03:44 PM
Last Post: chufoni

Forum Jump:


 Users browsing this forum: 1 Guest(s)