Posts: 10
Threads: 0
Joined: Feb 2024
(Feb 04, 2024, 09:06 AM)DwightSchrute Wrote: (Feb 04, 2024, 08:05 AM)izanamiidol Wrote: (Feb 04, 2024, 07:53 AM)balckroot Wrote: After getting the home_backup.tar.gz file how to get the shell
mc cp --vid 3c498578-8dfe-43b7-b679-32a3fe42018f myminio/askyy/home_backup.tar.gz .
Does anyone provide some hints on how to achieve shell?
see .bashrc file, grab the vault api address and token and then use vault to connect via ssh
there is nothing useful in the .bashrc, neither an address nor an token. could you please explain a little bit more? 
You're looking in the wrong bashrc file.
Posts: 9
Threads: 0
Joined: Aug 2023
mc cp --vid 2b75346d-2a47-4203-ab09-3c9f878466b8 minio/askyy/home_backup.tar.gz ./
Posts: 1
Threads: 0
Joined: Jan 2024
Feb 04, 2024, 09:36 AM
(This post was last modified: Feb 04, 2024, 09:36 AM by N4v4S.)
Hi guys. I am trying to understand how the `prd23-s3-backend.skyfall.htb` was discovered. Was it via fetch feature or some bypass technique had been used? Thank you in advance.
Posts: 45
Threads: 1
Joined: Jan 2024
ok, now i got the vault token...but how to use it?
Posts: 55
Threads: 2
Joined: Jul 2023
Feb 04, 2024, 10:41 AM
(This post was last modified: Feb 04, 2024, 10:42 AM by DataNinja.)
the root is easy!
![[Image: U6nO8Z7.png]](https://i.imgur.com/U6nO8Z7.png)
Posts: 31
Threads: 0
Joined: Oct 2023
(Feb 04, 2024, 10:34 AM)rat Wrote: (Feb 04, 2024, 09:36 AM)N4v4S Wrote: Hi guys. I am trying to understand how the `prd23-s3-backend.skyfall.htb` was discovered. Was it via fetch feature or some bypass technique had been used? Thank you in advance.
http://demo.skyfall.htb/metrics%20
403 bypass
doing this i am gettin a 404 This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.
Posts: 43
Threads: 1
Joined: Oct 2023
(Feb 04, 2024, 10:41 AM)DataNinja Wrote: the root is easy!
It seems you configured yaml config to be able to request root SSH one-time password from Vault and authenticate with one-time password.
Teach us Ninja how to fill yaml config!
Posts: 50
Threads: 8
Joined: Jan 2024
(Feb 04, 2024, 10:53 AM)berlik Wrote: (Feb 04, 2024, 09:36 AM)N4v4S Wrote: Hi guys. I am trying to understand how the `prd23-s3-backend.skyfall.htb` was discovered. Was it via fetch feature or some bypass technique had been used? Thank you in advance.
http://demo.skyfall.htb/metrics%0a
nice finding it is bro.
Posts: 16
Threads: 0
Joined: Oct 2023
Feb 04, 2024, 11:22 AM
(This post was last modified: Feb 04, 2024, 12:07 PM by christopher5gb.)
(Feb 04, 2024, 10:41 AM)DataNinja Wrote: the root is easy!
can we get a nudge on this?
UPDATE: finally got it 43 mins later, yes it is easy.. just try stuff
Posts: 148
Threads: 2
Joined: Oct 2023
Feb 04, 2024, 11:43 AM
(This post was last modified: Feb 04, 2024, 11:44 AM by peRd1.)
Path to root is vault unseal command that sudo -l gives you. You need to grab the master token and use that to connect to the vault exactly same way as you did for the user.
Then try some other commands that you have privs to runand gain root access in a similar fashion as for the user.
And yes, that prd23 backend domain can be found out via 302 bypassing, try tab, or other chars, in hex, to bypass.
Also use vault instead of vlt of hashicorp, the first one has problems... downloading the binary and unzipping is sufficient.
|
