Extension - HTB [Discussion]
(July 19, 2022, 10:54 PM)mimikatz Wrote: Are we supposed to crack the passwords of Charlie and/or Jean on dev.snippet.htb? I dumped that user table but only cracked accounts unrelated to the dev sub domain.


If you're talking about the dump from snippet.htb, nah you need to crack all of the hashes. If you somehow got another set of hashes from dev.snippet.htb, I'd love to know how you did that cause I'm definitely stuck trying to get anything from the XSS.
Reply
(July 19, 2022, 11:06 PM)Erik Wrote:
(July 19, 2022, 10:54 PM)mimikatz Wrote: Are we supposed to crack the passwords of Charlie and/or Jean on dev.snippet.htb? I dumped that user table but only cracked accounts unrelated to the dev sub domain.


If you're talking about the dump from snippet.htb, nah you need to crack all of the hashes. If you somehow got another set of hashes from dev.snippet.htb, I'd love to know how you did that cause I'm definitely stuck trying to get anything from the XSS.


hashcat --username -m 1400 -a 0 snippethtb.txt -o cracked.txt realuniq.lst


This is what I used and it only cracked password123 which doesn't help me at all. I tried John with rockyou just in case and had no luck either. Did you apply a mask by chance? I did read previous comments but didn't help
Reply
(July 19, 2022, 11:10 PM)mimikatz Wrote:
(July 19, 2022, 11:06 PM)Erik Wrote:
(July 19, 2022, 10:54 PM)mimikatz Wrote: Are we supposed to crack the passwords of Charlie and/or Jean on dev.snippet.htb? I dumped that user table but only cracked accounts unrelated to the dev sub domain.


If you're talking about the dump from snippet.htb, nah you need to crack all of the hashes. If you somehow got another set of hashes from dev.snippet.htb, I'd love to know how you did that cause I'm definitely stuck trying to get anything from the XSS.


hashcat --username -m 1400 -a 0 snippethtb.txt -o cracked.txt realuniq.lst


This is what I used and it only cracked password123 which doesn't help me at all. I tried John with rockyou just in case and had no luck either. Did you apply a mask by chance? I did read previous comments but didn't help


This is to be used on snippet.htb first. You have another step there before heading to dev.snippet.htb.
Reply
(July 19, 2022, 11:11 PM)Erik Wrote:
(July 19, 2022, 11:10 PM)mimikatz Wrote:
(July 19, 2022, 11:06 PM)Erik Wrote:
(July 19, 2022, 10:54 PM)mimikatz Wrote: Are we supposed to crack the passwords of Charlie and/or Jean on dev.snippet.htb? I dumped that user table but only cracked accounts unrelated to the dev sub domain.


If you're talking about the dump from snippet.htb, nah you need to crack all of the hashes. If you somehow got another set of hashes from dev.snippet.htb, I'd love to know how you did that cause I'm definitely stuck trying to get anything from the XSS.


hashcat --username -m 1400 -a 0 snippethtb.txt -o cracked.txt realuniq.lst


This is what I used and it only cracked password123 which doesn't help me at all. I tried John with rockyou just in case and had no luck either. Did you apply a mask by chance? I did read previous comments but didn't help


This is to be used on snippet.htb first. You have another step there before heading to dev.snippet.htb.


Awww okay I will take another look, I had figured password re-use from that table we dumped via management/dump was the key.
Reply
Anyone got a working XSS? I can get an initial call back from the server, but hosting a JS file to reach out and try to get the account/settings page "as Jean" just fails to report back.

Talk about blind!

Anyone?

I'm assuming we're trying to get Jean's CSRF token or cookie to then log into Gitea as her? Not sure how this will have more permissions than generating a token from the API key... but still.
Reply
Since we have write access, I managed to edit inject.js via the API. I changed return "" back to return str. But it looks like the charlie/cron user is not picking up this change. Perhaps I'm missing something.

I finally understood why this machine is called Extension. This repo is basically a Firefox extension. I git cloned the repo and then added this extension to Firefox via about:debugging (load temporary add-on). Now when I visit http://dev.snippet.htb/jean/extension/issues I can see the issue bodies being inserted.

On a side note: HTB was giving me no machines available currently for a few hours. Changing the VPN server from one region to another helped.

(July 19, 2022, 11:12 PM)mimikatz Wrote: Awww okay I will take another look, I had figured password re-use from that table we dumped via management/dump was the key.


If anyone is stuck on this step:

Try to crack all hashes. Then log into http://snippet.htb/login with any credentials you could find. The next step is to make someone else's private snippet public.
Reply
(July 20, 2022, 03:47 AM)Exa Wrote: Since we have write access, I managed to edit inject.js via the API. I changed return "" back to return str. But it looks like the charlie/cron user is not picking up this change. Perhaps I'm missing something.

I finally understood why this machine is called Extension. This repo is basically a Firefox extension. I git cloned the repo and then added this extension to Firefox via about:debugging (load temporary add-on). Now when I visit http://dev.snippet.htb/jean/extension/issues I can see the issue bodies being inserted.

On a side note: HTB was giving me no machines available currently for a few hours. Changing the VPN server from one region to another helped.

(July 19, 2022, 11:12 PM)mimikatz Wrote: Awww okay I will take another look, I had figured password re-use from that table we dumped via management/dump was the key.


If anyone is stuck on this step:

Try to crack all hashes. Then log into http://snippet.htb/login with any credentials you could find. The next step is to make someone else's private snippet public.


Ah right, good thought re: Firefox. Staring us in the face!

Still struggling with the XSS. Not sure what we're targeting... is it grabbing a copy of Charlie's repo/backup via XSS that gets through the filter?
Reply
Hello,

I have an idea but I can't see if it is good because release arena is down for me.

Find out how you can change your email in Gitea. Then see if with the XSS we could change charlie's email and replace it with jean's. Then ask to reset charlie's password on the login page. The mail arrives at jean's, for which we have the credentials in Roundcube (mail.snippets.htb). And we change charlie's password, and we have access to his account. Since I can't check, is my idea stupid?
Reply
(July 20, 2022, 02:44 PM)mhendel Wrote: Hello,

I have an idea but I can't see if it is good because release arena is down for me.

Find out how you can change your email in Gitea. Then see if with the XSS we could change charlie's email and replace it with jean's. Then ask to reset charlie's password on the login page. The mail arrives at jean's, for which we have the credentials in Roundcube (mail.snippets.htb). And we change charlie's password, and we have access to his account. Since I can't check, is my idea stupid?


Might be possible. Didn't manage to get anything out from Roundcube but if you got creds there I'll look harder. I'll try the email swapping afterwards, thanks for sharing.

EDIT: It seems resetting the password is disabled on dev.snippet.htb.
Reply
Okay so we need to modify inject.js to make it able to call a php file from our system. Using that php file, we need to enumerate stuff from charlie's gitea to find what we're looking for.
Reply