Return to forum

neo0 · July 2, 2022 at 4:45 PM

Let's Begin

Exa · July 2, 2022 at 7:15 PM

I'm seeing an SQL injection (boolean-based blind) in the login form:

sqlmap -u "http://faculty.htb/admin/ajax.php?action=login_faculty" --data "id_no=1111" -p id_no --batch --level 2 --dbms=Mysql

Erik · July 2, 2022 at 7:17 PM

You can access admin dashboard with admin' -- - as the username

No idea how to proceed though, didn't find anything to do from there

Exa · July 2, 2022 at 7:23 PM

(July 2, 2022, 07:17 PM)Erik Wrote: You can access admin dashboard with admin' -- - as the username

No idea how to proceed though, didn't find anything to do from there

Where did you find the admin dashboard?

Erik · July 2, 2022 at 7:24 PM

Dirbusting, in /admin

langetmama11 · July 2, 2022 at 7:26 PM

School system seems to have severals exploits but no RCE

https://www.exploit-db.com/search?q=School+Faculty+Scheduling+System

Checking if I find an RCE

Exa · July 2, 2022 at 7:31 PM

(July 2, 2022, 07:24 PM)Erik Wrote: Dirbusting, in /admin

There is an admin user in the database dump, but I couldn't crack the hash.

There are also 3 valid IDs for http://faculty.htb/login.php

Erik · July 2, 2022 at 7:44 PM

Found those two things but not sure if that's any useful yet :
https://github.com/mpdf/mpdf/issues/949
https://pentest.co.uk/labs/leveraging-xss-to-get-rce-in-textpattern/

How can this be harder than Carpe Diem, fuck me

Exa · July 2, 2022 at 8:02 PM

When I'm adding (and encoding)

to the pdf parameter of /admin/download.php, I'm getting an incoming request to my Python server.

fironeDerbert · July 2, 2022 at 8:09 PM

[quote="Exa" pid="117869" dateline="1656792178"]When I'm adding (and encoding)

to the pdf parameter of /admin/download.php, I'm getting an incoming request to my Python server.[/quote]From you or from the taget ?