(July 31, 2022, 04:23 PM)thescraphacker Wrote: (July 28, 2022, 04:51 AM)meowmeowattack Wrote: I'm on root atm. I figured the next step is to exploit a vulnerable function in the Laravel app that executes system commands. But to exploit it, I need the app secret, which is perhaps in the Docker container. How am I supposed to be able to get that app secret? Any nudge please?
Don't worry, I figured out that you don't have to find the app_secret, because you can make the backend calculate it for you as long as you are a user in the DB.
How?
Once you log in to snippet.htb with an account that you've promoted to manager, check the responses that return the accounts. You can see that all accounts are returned with an sc value already, right? So this means the sc values have already been calculated on the server side. Together with examining the code, you will see that as long as the sc values match, there are no further checks on whether the content itself is legit.
This means the account info is extracted from the DB directly without any check on its integrity. So, as long as you can log in to the DB, you can create a new account with a non-legit account name, and the server will happily calculate it for you. Of course, you can just click on validate on the web client to trigger your payload.
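As an added illustration (not code from this thread or from the box itself), here is a small Python model of the flaw described above: the server computes sc over whatever is in the accounts table, so a row written straight into the DB gets a valid sc like any other row, and the only thing that would stop a payload in the name is a check on the name itself. The hashing scheme, the `check-account` helper path, the sqlite table and the `bob; id` name are all assumptions made for the example.

```python
import hashlib
import hmac
import re
import sqlite3

# Constructed stand-in for the app key; the real value is not known here.
APP_SECRET = b"hypothetical-app-secret"


def sign(name):
    """Assumed shape of the server-side 'sc' value: a keyed hash over the name."""
    return hmac.new(APP_SECRET, name.encode(), hashlib.sha256).hexdigest()


def make_db():
    """Constructed accounts table with one legitimate row."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    con.execute("INSERT INTO accounts (name) VALUES ('alice')")
    return con


def list_accounts(con):
    """What the manager-only listing returns: every row with its sc already computed.
    Nothing here asks where the row came from, so a row inserted directly into the
    database is signed exactly like one created through the normal registration path."""
    return [{"name": name, "sc": sign(name)}
            for (name,) in con.execute("SELECT name FROM accounts")]


def attacker_inserts(con, name):
    """Direct DB write that bypasses whatever validation the registration form does."""
    con.execute("INSERT INTO accounts (name) VALUES (?)", (name,))


def validate_vulnerable(account):
    """Treats a matching sc as proof that the name is legitimate, then interpolates
    the name into a shell command. Returns the command string it would run rather
    than executing it, so the example stays harmless."""
    if not hmac.compare_digest(sign(account["name"]), account["sc"]):
        return None
    return f"/usr/bin/check-account {account['name']}"  # hypothetical helper path


NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_hardened(account):
    """Same sc check, plus a check on the content itself and an argv list so that no
    shell ever parses the name. A matching sc only proves the server signed this
    string, not that the string is safe."""
    if not hmac.compare_digest(sign(account["name"]), account["sc"]):
        return None
    if not NAME_RE.fullmatch(account["name"]):
        return None
    return ["/usr/bin/check-account", account["name"]]


def demo():
    """Inserts a payload-style name straight into the DB, fetches it back with the
    server-computed sc, and runs it through both validators."""
    con = make_db()
    attacker_inserts(con, "bob; id")  # constructed payload-style name
    rows = {a["name"]: a for a in list_accounts(con)}
    return validate_vulnerable(rows["bob; id"]), validate_hardened(rows["bob; id"])


if __name__ == "__main__":
    vuln, hard = demo()
    print("vulnerable validate would run:", vuln)
    print("hardened validate returns:", hard)
```

The point of the two validators side by side: the sc check is identical in both, and it passes for the injected row in both, because the server itself produced that sc. What makes the difference is that the hardened version does not treat a correct sc as a statement about the content.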