Posts: 213 Threads: 0 Joined: N/A
(July 17, 2022, 12:12 AM) yumi Wrote:
> [INFO] (custom) POST parameter 'JSON email' appears to be 'MySQL > 5.0.12 time-based blind - Parameter
> waiting here

I noticed some kind of rate limit. So your time-based finding might be a false positive.
On a different note, I noticed that you can select OpenID during the Gitea login. Providing my own IP, I can see an incoming HTTP request.

Posts: 0 Threads: 0 Joined: N/A
(July 17, 2022, 06:16 AM) Exa Wrote:
> I noticed some kind of rate limit. So your time-based finding might be a false positive.
> On a different note, I noticed that you can select OpenID during the Gitea login. Providing my own IP, I can see an incoming HTTP request.

A new idea, I check all the credentials and only user jean is valid to log in to snippet.htb. I think this main page is vulnerable to PHP type juggling. If you log in with user jean, intercept the request and change it to the GET method instead of POST, then you can see the error. If you find out anything just tell me! A good reference link here: https://0xdf.gitlab.io/2022/03/15/htb-ransom.html

Posts: 57 Threads: 0 Joined: N/A July 17, 2022 at 10:32 AM
(July 17, 2022, 09:05 AM) nhocit Wrote:
> A new idea, I check all the credentials and only user jean is valid to log in to snippet.htb. I think this main page is vulnerable to PHP type juggling. If you log in with user jean, intercept the request and change it to the GET method instead of POST, then you can see the error. If you find out anything just tell me! A good reference link here: https://0xdf.gitlab.io/2022/03/15/htb-ransom.html

Huh, I made both jean and charlie work yesterday though. I'm going to try bruteforcing the token to perform the password reset poisoning, I'll keep you updated.

Posts: 104 Threads: 0 Joined: N/A July 17, 2022 at 10:49 AM
(July 17, 2022, 10:32 AM) Erik Wrote:
> Huh, I made both jean and charlie work yesterday though. I'm going to try bruteforcing the token to perform the password reset poisoning, I'll keep you updated.

How did you guys find login creds?

Posts: 9 Threads: 0 Joined: N/A July 17, 2022 at 11:02 AM
(July 17, 2022, 10:49 AM) hacker1111 Wrote:
> How did you guys find login creds?

Gitea explore users

Posts: 104 Threads: 0 Joined: N/A July 17, 2022 at 11:25 AM
(July 17, 2022, 11:02 AM) mhendel Wrote:
> Gitea explore users

What about password? I already saw those names, I was asking for password too. He said he managed to log in with charlie and jean yesterday.

Posts: 0 Threads: 0 Joined: N/A July 17, 2022 at 11:53 AM
(July 17, 2022, 11:25 AM) hacker1111 Wrote:
> What about password? I already saw those names, I was asking for password too. He said he managed to log in with charlie and jean yesterday.

I think he wants to say that both jean and charlie are valid users, and not that he found out the password!

Posts: 104 Threads: 0 Joined: N/A
Any good news? Got login credentials?

Posts: 0 Threads: 0 Joined: N/A
(July 17, 2022, 01:36 PM) hacker1111 Wrote:
> Any good news? Got login credentials?

=)) We were together in HTB and now here =))

Posts: 104 Threads: 0 Joined: N/A
(July 17, 2022, 03:08 PM) nhocit Wrote:
> =)) We were together in HTB and now here =))

Do you know my HTB username?