Return to forum

fironeDerbert · August 20, 2022 at 6:45 PM

Discussion about the new easy linux machine Health, good luck everyone !

Nmap scan report for 10.129.12.167
Host is up (0.11s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE    SERVICE VERSION
22/tcp  open    ssh    OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|  2048 32:b7:f4:d4:2f:45:d3:30:ee:12:3b:03:67:bb:e6:31 (RSA)
|  256 86:e1:5d:8c:29:39:ac:d7:e8:15:e6:49:e2:35:ed:0c (ECDSA)
|_  256 ef:6b:ad:64:d5:e4:5b:3e:66:79:49:f4:ec:4c:23:9f (ED25519)
80/tcp  open    http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HTTP Monitoring Tool
3000/tcp filtered ppp
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=8/20%OT=22%CT=1%CU=33040%PV=Y%DS=2%DC=T%G=Y%TM=63012F6
OS:8%P=x86_64-pc-linux-gnu)SEQ(SP=FD%GCD=1%ISR=104%TI=Z%CI=Z%II=I%TS=A)SEQ(
OS:SP=FD%GCD=1%ISR=103%TI=Z%CI=Z%TS=A)OPS(O1=M537ST11NW7%O2=M537ST11NW7%O3=
OS:M537NNT11NW7%O4=M537ST11NW7%O5=M537ST11NW7%O6=M537ST11)WIN(W1=FE88%W2=FE
OS:88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M537NNSNW7
OS:%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=
OS:Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%
OS:RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)

JINXX · August 20, 2022 at 7:15 PM

Are exploiting webhooks on the site?

yumi · August 20, 2022 at 7:32 PM

idk but i recieve call back from payload or monitor

hacker15 · August 20, 2022 at 7:36 PM

Cookies

XSRF-TOKEN

eyJpdiI6InhydmZudHFzaGdZMFJFUDFoMDU5akE9PSIsInZhbHVlIjoiLzMwZWM4bWw4QzN5VUh1dUdnR3ordmE1ZUEzcDE2TzQ4cDFGc0MvYjBnRTUxR2lPUjBuSGJMQTBRbHBVUmE2WlNvOVI2VHF6UEZCSXB3RkZpNnNLWUs2aTBKenpneGVZODJzaDhiV0dmRE9JYzBwVXZKTnVNUURlYU5Lb1RUQ0wiLCJtYWMiOiJhNDJkZGM0ZDI2MmY4Mzc3ZWZiYTdiNGZiYjg5YzJjM2QwMGU5NGJlM2JmYjEwNzAxY2U1Mjg0YWQ4MGU3OWUxIiwidGFnIjoiIn0=

laravel_session

eyJpdiI6IlFENEp2emw5NWZIZ0NOQ0dWajlsc2c9PSIsInZhbHVlIjoieUdUYUFDNFdOcDRCTFlnaENHRTJhUSsvVjF1TXd1Q2VJZkpmRFYrMVJraVVkUENRWjdqOElkcE9NMWlpbmxLVXBXdkhVWFMzeFVWZlVnM3kwWU11TlBSN0dHUktRSDlRUkQ5dU1TTVprSmdXQ3FsYXdKWkNnQ3lzdjl0dXdKUlUiLCJtYWMiOiJmOTAzNjdhZDUzODBiY2NjYzhlYTc0NjQ2MDE5MjQ5NzQwYzExNGZmYjA2OWM2MzQzNjE2OTk0NWZlYjQ4ODgyIiwidGFnIjoiIn0=

can we do something from cookies???

fironeDerbert · August 20, 2022 at 7:38 PM

(August 20, 2022, 07:32 PM)yumi Wrote: idk but i recieve call back from payload or monitor

There is an app.js here:

http://health.htb/js/app.js

Laravel version 8.83.13
PHP version 7.4.30

cloud9 · August 20, 2022 at 7:39 PM

U can to check ur webhooks here -> http://health.htb/webhook/

fukingfuck · August 20, 2022 at 7:43 PM

looks like Gogs(Go Git Service) on localhost:3000 via ssrf

fukingfuck · August 20, 2022 at 7:53 PM

(August 20, 2022, 07:52 PM)Hacker2222 Wrote:
(August 20, 2022, 07:43 PM)fukingfuck Wrote: looks like Gogs(Go Git Service) on localhost:3000 via ssrf

how to bypass localhost filter ?

302 =)
https://gist.github.com/shreddd/b7991ab491384e3c3331

elliotal · August 20, 2022 at 8:21 PM

dont know what to do

fironeDerbert · August 20, 2022 at 8:26 PM

(August 20, 2022, 08:14 PM)rdre8 Wrote: Check out the data in base64 for application/json

What do you mean ?