Extension - HTB [Discussion]
(July 20, 2022, 08:59 PM)Erik Wrote: Okay so we need to modify inject.js to make it able to call a php file from our system. Using that php file, we need to enumerate stuff from charlie's gitea to find what we're looking for.


I guess not modify inject.js, but use XSS in extension to execute php, no?
Reply
(July 20, 2022, 09:07 PM)mhendel Wrote:
(July 20, 2022, 08:59 PM)Erik Wrote: Okay so we need to modify inject.js to make it able to call a php file from our system. Using that php file, we need to enumerate stuff from charlie's gitea to find what we're looking for.


I guess not modify inject.js, but use XSS in extension to execute php, no?


That's a good point, I forgot that we need to modify charlie's inject.js, not jean's, so we can't use swagger for that. Thus we would need to resort to XSS.
Reply
(July 20, 2022, 09:11 PM)Erik Wrote:
(July 20, 2022, 09:07 PM)mhendel Wrote:
(July 20, 2022, 08:59 PM)Erik Wrote: Okay so we need to modify inject.js to make it able to call a php file from our system. Using that php file, we need to enumerate stuff from charlie's gitea to find what we're looking for.


I guess not modify inject.js, but use XSS in extension to execute php, no?


That's a good point, I forgot that we need to modify charlie's inject.js, not jean's, so we can't use swagger for that. Thus we would need to resort to XSS.

Guys, I already told you the path: get backup file from Gitea via XSS. Just concentrate on XSS itself. No need to modify anything.
Reply
(July 20, 2022, 10:26 PM)teksius Wrote:
(July 20, 2022, 09:11 PM)Erik Wrote:
(July 20, 2022, 09:07 PM)mhendel Wrote:
(July 20, 2022, 08:59 PM)Erik Wrote: Okay so we need to modify inject.js to make it able to call a php file from our system. Using that php file, we need to enumerate stuff from charlie's gitea to find what we're looking for.


I guess not modify inject.js, but use XSS in extension to execute php, no?


That's a good point, I forgot that we need to modify charlie's inject.js, not jean's, so we can't use swagger for that. Thus we would need to resort to XSS.

Guys, I already told you the path: get backup file from Gitea via XSS. Just concentrate on XSS itself. No need to modify anything.


Well Idk how you got foothold but I just said how I personally did it, there are several ways to do it.
Reply
(July 20, 2022, 03:47 AM)Exa Wrote: Since we have write access, I managed to edit inject.js via the API. I changed return "" back to return str. But it looks like the charlie/cron user is not picking up this change. Perhaps I'm missing something.

I finally understood why this machine is called Extension. This repo is basically a Firefox extension. I git cloned the repo and then added this extension to Firefox via about:debugging (load temporary add-on). Now when I visit http://dev.snippet.htb/jean/extension/issues I can see the issue bodies being inserted.

On a side note: HTB was giving me no machines available currently for a few hours. Changing the VPN server from one region to another helped.

(July 19, 2022, 11:12 PM)mimikatz Wrote: Awww okay I will take another look, I had figured password re-use from that table we dumped via management/dump was the key.


If anyone is stuck on this step:

Try to crack all hashes. Then log into http://snippet.htb/login with any credentials you could find. The next step is to make someone else's private snippet public.


A little nudge on how to make this snippet public please? 
Tried to modify <textarea id="password" .... element,  tried to inject into url "?showAll=true&onlyMine=false"
tried JS debugger and still stuck on that part  :s

It is Gitea API, language Bash and so on snippet..
Reply
(July 20, 2022, 11:16 PM)onl1_f4ns Wrote:
(July 20, 2022, 03:47 AM)Exa Wrote: Since we have write access, I managed to edit inject.js via the API. I changed return "" back to return str. But it looks like the charlie/cron user is not picking up this change. Perhaps I'm missing something.

I finally understood why this machine is called Extension. This repo is basically a Firefox extension. I git cloned the repo and then added this extension to Firefox via about:debugging (load temporary add-on). Now when I visit http://dev.snippet.htb/jean/extension/issues I can see the issue bodies being inserted.

On a side note: HTB was giving me no machines available currently for a few hours. Changing the VPN server from one region to another helped.

(July 19, 2022, 11:12 PM)mimikatz Wrote: Awww okay I will take another look, I had figured password re-use from that table we dumped via management/dump was the key.


If anyone is stuck on this step:

Try to crack all hashes. Then log into http://snippet.htb/login with any credentials you could find. The next step is to make someone else's private snippet public.


A little nudge on how to make this snippet public please? 
Tried to modify <textarea id="password" .... element,  tried to inject into url "?showAll=true&onlyMine=false"
tried JS debugger and still stuck on that part  :s

It is Gitea API, language Bash and so on snippet..


It is simpler than that. It's more of a traversal thing, try creating a snippet and editing it.
Reply
(July 20, 2022, 11:20 PM)Erik Wrote:
(July 20, 2022, 11:16 PM)onl1_f4ns Wrote:
(July 20, 2022, 03:47 AM)Exa Wrote: Since we have write access, I managed to edit inject.js via the API. I changed return "" back to return str. But it looks like the charlie/cron user is not picking up this change. Perhaps I'm missing something.

I finally understood why this machine is called Extension. This repo is basically a Firefox extension. I git cloned the repo and then added this extension to Firefox via about:debugging (load temporary add-on). Now when I visit http://dev.snippet.htb/jean/extension/issues I can see the issue bodies being inserted.

On a side note: HTB was giving me no machines available currently for a few hours. Changing the VPN server from one region to another helped.

(July 19, 2022, 11:12 PM)mimikatz Wrote: Awww okay I will take another look, I had figured password re-use from that table we dumped via management/dump was the key.


If anyone is stuck on this step:

Try to crack all hashes. Then log into http://snippet.htb/login with any credentials you could find. The next step is to make someone else's private snippet public.


A little nudge on how to make this snippet public please? 
Tried to modify <textarea id="password" .... element,  tried to inject into url "?showAll=true&onlyMine=false"
tried JS debugger and still stuck on that part  :s

It is Gitea API, language Bash and so on snippet..


It is simpler than that. It's more of a traversal thing, try creating a snippet and editing it.

Thank you Erik !
Indeed, that was much simpler. I was stuck for a while in the JS debugger trying to debug this Vue.js app.
I've found this viewProps validation, followed its logic, inserted a breakpoint and so on.. was not able to find how to do this from the debugger though.

OverThinking too much..
Reply
(July 20, 2022, 10:26 PM)teksius Wrote:
(July 20, 2022, 09:11 PM)Erik Wrote:
(July 20, 2022, 09:07 PM)mhendel Wrote:
(July 20, 2022, 08:59 PM)Erik Wrote: Okay so we need to modify inject.js to make it able to call a php file from our system. Using that php file, we need to enumerate stuff from charlie's gitea to find what we're looking for.


I guess not modify inject.js, but use XSS in extension to execute php, no?


That's a good point, I forgot that we need to modify charlie's inject.js, not jean's, so we can't use swagger for that. Thus we would need to resort to XSS.

Guys, I already told you the path: get backup file from Gitea via XSS. Just concentrate on XSS itself. No need to modify anything.


the gitea-dump-timestamp ? ?
Reply
(July 20, 2022, 10:26 PM)teksius Wrote:
(July 20, 2022, 09:11 PM)Erik Wrote:
(July 20, 2022, 09:07 PM)mhendel Wrote:
(July 20, 2022, 08:59 PM)Erik Wrote: Okay so we need to modify inject.js to make it able to call a php file from our system. Using that php file, we need to enumerate stuff from charlie's gitea to find what we're looking for.


I guess not modify inject.js, but use XSS in extension to execute php, no?


That's a good point, I forgot that we need to modify charlie's inject.js, not jean's, so we can't use swagger for that. Thus we would need to resort to XSS.

Guys, I already told you the path: get backup file from Gitea via XSS. Just concentrate on XSS itself. No need to modify anything.


How do u know Charlie's backup in Gitea? What we want to know is how to exploit this XSS flaw and where to use it? Should we create a new issue or upload the file into private repos? Just give us a nudge and not just tell us to download something that u already know but we don't know!
Reply
(July 21, 2022, 06:54 AM)nhocit Wrote:
(July 20, 2022, 10:26 PM)teksius Wrote:
(July 20, 2022, 09:11 PM)Erik Wrote:
(July 20, 2022, 09:07 PM)mhendel Wrote:
(July 20, 2022, 08:59 PM)Erik Wrote: Okay so we need to modify inject.js to make it able to call a php file from our system. Using that php file, we need to enumerate stuff from charlie's gitea to find what we're looking for.


I guess not modify inject.js, but use XSS in extension to execute php, no?


That's a good point, I forgot that we need to modify charlie's inject.js, not jean's, so we can't use swagger for that. Thus we would need to resort to XSS.

Guys, I already told you the path: get backup file from Gitea via XSS. Just concentrate on XSS itself. No need to modify anything.


How do u know Charlie's backup in Gitea? What we want to know is how to exploit this XSS flaw and where to use it? Should we create a new issue or upload the file into private repos? Just give us a nudge and not just tell us to download something that u already know but we don't know!


As I said in a previous message, you can figure that out by making php requests. Manage to upload a function that can call a php file through the XSS, and get charlie's http://dev.snippet.htb/ body html. You'll see the private repo you're looking for, and you can work your way to the file you want by modifying the request step by step. At least this is how I did it, might be other ways to do so.
Reply