Posts: 45 Threads: 0 Joined: N/A

(July 18, 2022, 11:50 AM)Exa Wrote: Here is my approach to get the password hashes:
1) Log (unsuccessfully) into http://snippet.htb/login using any credentials
2) Send that POST request to Burp Repeater
3) Change the URL to management/dump
4) Send that request. It should respond with "Missing arguments"
5) Replace the JSON body with {"key": "value"}
6) Now fuzz the "key" part until it no longer says "Missing arguments". It is a very common word you are looking for.
7) When you have found it, fuzz the "value" part

On a different note: I got the Gitea API credentials. That user has a private repository. Using the API, I transferred that repository over to my own user (and made it public).

I noticed there is a cron job every two minutes or so which deletes all issues. I assume that is where the inject.js comes into play. I thought about creating a new issue and putting JavaScript inside the body part. But I don't see how I can get past the check() filter in inject.js. Anyone got further than that?

Hey, I'll be grateful for a reply. I fuzzed the JSON body but I'm not getting any interesting responses. My wfuzz command:

wfuzz -c -w /opt/SecLists/Discovery/Web-Content/raft-small-words.txt -H "X-XSRF-TOKEN: eyJpdiI6InkyZTNJUDFZRFgzaWlTQ0N4TWJxU0E9PSIsInZhbHVlIjoiM0k3RlNCSEhzRE1zSTVsOTVZRXczT25jREpYSmtXdjBLcHBCaDVQQ2FWalNsRTh5eXB3MmpOSHFrVE9FdUhQbkJ0QmhHamZyMmxLR3JFcFFCUkh4QkhhKys5STk3TUp0WS9hbHlWWHhpenlaZGpYQ05yUlUrOGMrWEFEcGFpOEkiLCJtYWMiOiIyODU1YmY5ZjJiOWQ1Njc3NzMzODJlNDZhN2JjY2I2MDYyZmM3NGM1MGU5ZGI3OTc1YzQ2OWMyMmQ1Y2FmMDYyIiwidGFnIjoiIn0=" -b XSRF-TOKEN="eyJpdiI6InkyZTNJUDFZRFgzaWlTQ0N4TWJxU0E9PSIsInZhbHVlIjoiM0k3RlNCSEhzRE1zSTVsOTVZRXczT25jREpYSmtXdjBLcHBCaDVQQ2FWalNsRTh5eXB3MmpOSHFrVE9FdUhQbkJ0QmhHamZyMmxLR3JFcFFCUkh4QkhhKys5STk3TUp0WS9hbHlWWHhpenlaZGpYQ05yUlUrOGMrWEFEcGFpOEkiLCJtYWMiOiIyODU1YmY5ZjJiOWQ1Njc3NzMzODJlNDZhN2JjY2I2MDYyZmM3NGM1MGU5ZGI3OTc1YzQ2OWMyMmQ1Y2FmMDYyIiwidGFnIjoiIn0%3D; snippethtb_session=eyJpdiI6ImVoZkZWUVUwQnRnR2tZN2dMd2N5d3c9PSIsInZhbHVlIjoiRVQ2UTZJSlhCdi9Idyt2T0NjSzNlMVFtaisrTGdSOVNTUVRyUFpPUkNDWnc3QzBFRkU0Z3d6MFRjSm4yR1kvYlB3VXpWZzVPS055NXk2VHpPUWJ4TkJmWHpqdlJ2eUFZRzRMalQwVnVhSzNqNUw4WXRlZXRuVjE5Qk1ocUtYNWEiLCJtYWMiOiIwYjMzYzBmNjk3NzM2ZjNmNWVjYmFiMzM1MjJkODY0MWVjNjBkNjNmYmUzN2Y1NmYxYzM5M2E4ZGVlYjFjODRlIiwidGFnIjoiIn0%3D" -d {'"FUZZ"':'"value"'} --hs "Missing arguments" http://snippet.htb/management/dump

I also configured a proxy pointing at Burp; the request seems fine, responding with "Missing arguments". Tried with Burp Suite Intruder too.

Posts: 57 Threads: 0 Joined: N/A

Quick summary for root steps, as user steps have already been done:
- Once you're logged in as jean, search for dangerous PHP functions in laravel-app, using grep -Ri 'your php command' for example
- After understanding what could be exploited, forward the MySQL port using SSH port forwarding, or any existing tool like chisel. The database creds can be obtained using pspy
- Perform RCE on snippet.htb by exploiting the dangerous PHP function
- Get a new shell logged in as application
- Escape from the docker container. If you have no idea where to start, this can help you: https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation

Posts: 44 Threads: 0 Joined: N/A

(July 23, 2022, 03:52 PM)wayxoo Wrote: (July 18, 2022, 11:50 AM)Exa Wrote: [...]

Fuzzing JSON key:value pairs to dump hashes (sub with your session cookies):

ffuf -w .../raft-small-words-lowercase.txt -H "Content-Type: application/json" -H "Cookie: XSRF-TOKEN=eyJpdiI6IkJ....IjoiIn0%3D; snippethtb_session=eyJpdiI6InFvQjNHM...In0%3D" -H "X-XSRF-TOKEN: eyJpdiI6IkJtdjBoZ....idGFnIjoiIn0=" -X POST -u http://snippet.htb/management/dump -d '{"FUZZ": "value"}' -mc all -fr "Missing arguments" -c -v

ffuf -w .../raft-small-words-lowercase.txt -H "Content-Type: application/json" -H "Cookie: XSRF-TOKEN=eyJpdiI6IkJt....n0%3D; snippethtb_session=eyJpdiI6.....GFnIjoiIn0%3D" -H "X-XSRF-TOKEN: eyJpdiI6IkJ.......oiIn0=" -X POST -u http://snippet.htb/management/dump -d '{"key_here": "FUZZ"}' -mc all -fr "Unknown tablename" -c -v

Posts: 213 Threads: 0 Joined: N/A

(July 23, 2022, 04:19 PM)Erik Wrote: [...]

Great summary.
One thing to add: Modify the database so that you can log into http://snippet.htb with administrative privileges.

Posts: 30 Threads: 0 Joined: N/A

July 24, 2022 at 10:34 AM
I want to know what Release Arena does for an HTB machine, and how does it affect our points?

Posts: 81 Threads: 0 Joined: N/A

(July 23, 2022, 06:35 PM)Exa Wrote: (July 23, 2022, 04:19 PM)Erik Wrote: [...]

Wonderful summary. Took some time to figure out how to get the revshell. Trying to escape the container now. Thanks @Erik

Posts: 71 Threads: 0 Joined: N/A

Can't find the escape from the docker. Anyone care to hint? Have been through the hacktricks options but none seem to suit.
I'm landing as application user (non-privileged) - is that correct?

Posts: 0 Threads: 0 Joined: N/A

(July 25, 2022, 08:26 AM)skyweasel Wrote: [...]

EDIT: My opinion is to abuse the docker.sock because it can be accessed by the group 'app', and the application user belongs to the app group. Google: docker.sock exploit

Posts: 71 Threads: 0 Joined: N/A

July 25, 2022 at 10:19 AM
(July 25, 2022, 09:03 AM)nhocit Wrote: [...] Google: Mounting the docker socket into a container.

K thx, will give it a lash.

Posts: 132 Threads: 0 Joined: N/A

(July 23, 2022, 04:19 PM)Erik Wrote: [...]

How to log in as jean since we are connected via SSH to charlie?
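The docker.sock hint above (the socket being accessible to the 'app' group, which the application user belongs to) describes a misconfiguration that hands every member of that group the Docker daemon, i.e. root on the host. As an added example that is not part of the thread, here is a defender-side audit in Python that reports the socket's mode, owning group and the non-root accounts that can reach it; the socket path is an assumption, and the group listing relies on the host's passwd and group databases.

```python
"""Audit whether a Docker control socket is reachable by non-root users (added example)."""
import grp
import os
import pwd
import stat

DOCKER_SOCK = "/var/run/docker.sock"  # default daemon socket path (assumed for the host under audit)


def audit_socket(path: str = DOCKER_SOCK) -> dict:
    """Return who can access `path` and whether that access is a risk.

    The daemon socket honours ordinary file permissions, so anyone with write
    access to it can issue API calls (start privileged containers, mount /).
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    try:
        group = grp.getgrgid(st.st_gid)
        group_name, members = group.gr_name, set(group.gr_mem)
    except KeyError:
        group_name, members = str(st.st_gid), set()
    # Users whose *primary* group is the socket's group do not appear in gr_mem.
    members |= {u.pw_name for u in pwd.getpwall() if u.pw_gid == st.st_gid}
    group_writable = bool(mode & stat.S_IWGRP)
    world_writable = bool(mode & stat.S_IWOTH)
    exposed = sorted(m for m in members if m != "root") if group_writable else []
    return {
        "path": path,
        "mode": f"{mode:04o}",
        "group": group_name,
        "group_writable": group_writable,
        "world_writable": world_writable,
        "non_root_with_access": exposed,
        "at_risk": world_writable or bool(exposed),
    }


def summarize(report: dict) -> str:
    """Render the report as one line for a hardening checklist."""
    head = f"{report['path']}: mode {report['mode']}, group {report['group']}: "
    if not report["at_risk"]:
        return head + "ok"
    who = "everyone" if report["world_writable"] else ", ".join(report["non_root_with_access"])
    return head + f"RISK, writable by {who} (equivalent to root on the host)"


if __name__ == "__main__":
    if os.path.exists(DOCKER_SOCK):
        print(summarize(audit_socket()))
    else:
        print(f"{DOCKER_SOCK} not present on this host")
```

Run it on the host (not inside the container) as part of a build or CI check; a non-empty `non_root_with_access` list, or `world_writable`, means the socket should be tightened or the group membership removed before the container is relied upon.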