DarkCorp Hack the Box Season 7 (Windows Insane)
by RedBlock - Saturday February 8, 2025 at 03:32 PM
#1
Time for the insane one!!!! Hope it will be fun.

Blog of the creator.
https://blog.shashwatshah.me/
Buffer overflow might be the initial access 
https://github.com/D4rkCorp/Introduction-to-BOF
#2
Is there only part 1 of BOF? Will we need any more parts?
#3
Register email account here:
http://drip.htb/register

Login at:
http://mail.drip.htb/

I registered as root and got these emails:

There is a cron script that sends error mails to root:

"""
Cron <root@Drip> /root/scripts/mail_clean.sh
/usr/bin/rm: cannot remove '/var/mail/ebelford/dovecot*': No such file or directory
/usr/bin/rm: cannot remove '/var/mail/support/dovecot*': No such file or directory
"""

Thus users ebelford and support exist.

You can change the recipient of the email in the /contact POST request, which will give you information about one more user.
#4
(Feb 08, 2025, 07:15 PM)4yhg5y72jffg820j3f Wrote:
You can change the recipient of the email in the /contact POST request, which will give you information about one more user.
Yes, intercept with Burp and change the POST request to your mailbox instead of the support one and you will get the email with a footer.
#5
there is Roundcube Webmail 1.6.7
and drip.darkcorp.htb (localhost [127.0.0.1])
#6
Not CNEXT again... I guess this is like BigBang? I hope we don't have to do WebSocket stuff...

https://github.com/ambionics/cnext-explo...exploit.py
#7
version 1.6.8 fixes:
Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]
#8
(Feb 08, 2025, 07:47 PM)4yhg5y72jffg820j3f Wrote: Not CNEXT again... I guess this is like BigBang? I hope we don't have to do WebSocket stuff...

https://github.com/ambionics/cnext-explo...exploit.py

is for versions below 1.6.6
#9
CVE-2024-42009 looks interesting but no PoC
#10
(Feb 08, 2025, 07:36 PM)peRd1 Wrote:
(Feb 08, 2025, 07:15 PM)4yhg5y72jffg820j3f Wrote:
You can change the recipient of the email in the /contact POST request, which will give you information about one more user.
Yes, intercept with Burp and change the POST request to your mailbox instead of the support one and you will get the email with a footer.

I can't get it to work? Interesting.

(Feb 08, 2025, 08:06 PM)jsvensson Wrote: CVE-2024-42009 looks interesting but no PoC

Description

A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7

According to the description it won't work, but you could try it.