Original post:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 96:21:76:f7:2d:c5:f0:4e:e0:a8:df:b4:d9:5e:45:26 (RSA)
|   256 b1:6d:e3:fa:da:10:b9:7b:9e:57:53:5c:5b:b7:60:06 (ECDSA)
|_  256 6a:16:96:d8:05:29:d5:90:bf:6b:2a:09:32:dc:36:4f (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Comming Soon
|_http-server-header: nginx/1.18.0 (Ubuntu)

http://portal.carpediem.htb/

There is a path traversal vulnerability here:
http://portal.carpediem.htb/?p=about
http://portal.carpediem.htb/?p=../../../...rtal/about
http://portal.carpediem.htb/?p=../../../../tmp => Cannot open /tmp/index.php

Here is an XSS:
http://portal.carpediem.htb/?p=bikes&sea...);</script>

There is also a SQL injection in the register function:
{"status":"failed","err":"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'st'' at line 1[INSERT INTO `users` set `firstname`='test' , `lastname`='test' , `contact`='test' , `gender`='Male' , `address`='test' , `username`='te'st' ]"}

Toto:
Passwords are md5'd into the database if anyone manages to dump it.

hacker1111:
DB showing an avatar column, but I didn't find any uploaded avatar of a user. Anyone found one?

Toto:
Sales_Report.xlsx found in portal.

(June 25, 2022, 08:06 PM) langetmama11:
SQLi found in id parameter. Here's the request:

GET /?p=view_bike&id=c4ca4238a0b923820dcc509a6f75849b HTTP/1.1
Host: portal.carpediem.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=f6204505d2b42d3bbf2851c7c848a294
Upgrade-Insecure-Requests: 1

Was able to dump the whole DB, which includes the admin password in md5, but was unable to decrypt it.
Also found something interesting in the DB stating a file named 'Sales_Report.xlsx'. Currently fuzzing to find this file.
Note: Seems like the admin has uploaded an avatar. We need to get admin to upload a shell, I suppose.

(June 25, 2022, 08:10 PM) hacker1111:
    (June 25, 2022, 08:06 PM) langetmama11 Wrote: SQLi found in id parameter [...] We need to get admin to upload a shell, I suppose.

There's a login_type parameter; change it to 1 and you can access /admin after that.

+----+--------+-------------------------------------+------------------------+---------+----------+----------+----------------------------------+-----------+------------+------------+---------------------+---------------------+
| id | gender | avatar                              | contact                | address | username | lastname | password                         | firstname | last_login | login_type | date_added          | date_updated        |
+----+--------+-------------------------------------+------------------------+---------+----------+----------+----------------------------------+-----------+------------+------------+---------------------+---------------------+
| 1  | Male   | uploads\\/1635793020_HONDA_XADV.png | [email protected]        |         | admin    | Hammond  | b723e511b084ab84b44235d82da572f3 | Jeremy    | NULL       | 1          | 2021-01-20 14:02:37 | 2022-04-01 23:34:50 |
+----+--------+-------------------------------------+------------------------+---------+----------+----------+----------------------------------+-----------+------------+------------+---------------------+---------------------+

(June 25, 2022, 08:27 PM) Toto:
    (June 25, 2022, 08:10 PM) hacker1111 Wrote: There's a login_type parameter; change it to 1 and you can access /admin after that.

Where did you find this parameter?

(June 25, 2022, 08:31 PM) hacker1111:
    (June 25, 2022, 08:27 PM) Toto Wrote: Where did you find this parameter?

Update your profile and intercept the request in Burp.

Toto:
    (June 25, 2022, 08:31 PM) hacker1111 Wrote: Update your profile and intercept the request in Burp.

Okay thanks, missed it for some reason. Anyone got any success with uploading images?
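Two of the portal weaknesses discussed in this thread, the string-built INSERT in the register function (reconstructed from the quoted MySQL error) and the client-supplied login_type accepted by the profile update, are shown below beside their hardened forms. This is an added example and not the portal's own code; it uses an in-memory SQLite stand-in for the `users` table, so the INSERT uses standard VALUES syntax rather than MySQL's `INSERT ... SET`, and the table columns are taken from the dump quoted above.

```python
import sqlite3

# Constructed stand-in for the portal's `users` table (SQLite so this runs offline).
# login_type defaults to 2 (ordinary user); the dump shows admin with login_type=1.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT, "
               "contact TEXT, gender TEXT, address TEXT, username TEXT UNIQUE, password TEXT, "
               "login_type INTEGER NOT NULL DEFAULT 2)")
    return db

def register_vulnerable(db, form):
    """String-built INSERT in the style of the quoted error: a username such as te'st
    turns the statement into invalid SQL and the raw DB error is echoed to the client."""
    sql = ("INSERT INTO users (firstname, lastname, contact, gender, address, username, password) "
           f"VALUES ('{form['firstname']}', '{form['lastname']}', '{form['contact']}', "
           f"'{form['gender']}', '{form['address']}', '{form['username']}', '{form['password']}')")
    try:
        db.execute(sql)
        db.commit()
        return {"status": "success"}
    except sqlite3.Error as e:
        return {"status": "failed", "err": str(e)}  # leaks SQL error text, as the portal does

def register_safe(db, form):
    """Parameterised INSERT: the quote in te'st is stored as data, never parsed as syntax."""
    db.execute("INSERT INTO users (firstname, lastname, contact, gender, address, username, password) "
               "VALUES (?, ?, ?, ?, ?, ?, ?)",
               (form["firstname"], form["lastname"], form["contact"], form["gender"],
                form["address"], form["username"], form["password"]))
    db.commit()
    return {"status": "success"}

# Fields a user may change about themselves. login_type is deliberately absent, so a
# profile-update request carrying login_type=1 (the /admin trick above) is simply dropped.
PROFILE_FIELDS = ("firstname", "lastname", "contact", "gender", "address")

def update_profile(db, user_id, form):
    """Allow-listed, parameterised profile update; returns the user's stored login_type."""
    updates = {k: v for k, v in form.items() if k in PROFILE_FIELDS}
    if updates:
        set_clause = ", ".join(f"{k} = ?" for k in updates)  # column names come only from the allowlist
        db.execute(f"UPDATE users SET {set_clause} WHERE id = ?", (*updates.values(), user_id))
        db.commit()
    return db.execute("SELECT login_type FROM users WHERE id = ?", (user_id,)).fetchone()[0]
```

The vulnerable register returns a `{"status": "failed", "err": ...}` body for the username te'st just as the thread shows, while the safe version stores it verbatim and the profile update leaves login_type untouched no matter what the client sends.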