Vessel - HTB [Discussion]
(August 28, 2022, 03:20 AM)snowmanballs Wrote:
(August 28, 2022, 02:23 AM)yemacaw863 Wrote: so far.. found:
- DB connection string
- File path: /web/vessel/public/js/
Currently, bruteforcing login for user 'ethan'

Anyone managed to login yet?


If you have the source files from the .git folder, focus on the SQL query in the index.js file. No brute force needed.

Once you bypass authentication, you'll find a new subdomain... then from there you need to predict the name of a cache file.. that's where I'm stuck. No idea what the cache file is named


But I can't read the index file, I can only view the file structure using gin
Reply
(August 28, 2022, 04:54 AM)b4nna1337 Wrote:
But I can't read the index file, I can only view the file structure using gin


Don't worry about reading the index file.. research how to dump the entire .git directory to your machine
Reply
(August 28, 2022, 05:02 AM)snowmanballs Wrote:
Don't worry about reading the index file.. research how to dump the entire .git directory to your machine


git-dumper http://www.vessel.htb/dev/.git/ dumpeader


(August 28, 2022, 03:20 AM)snowmanballs Wrote:
If you have the source files from the .git folder, focus on the SQL query in the index.js file. No brute force needed.

Once you bypass authentication, you'll find a new subdomain... then from there you need to predict the name of a cache file.. that's where I'm stuck. No idea what the cache file is named


Can tip, I cannot see the method to bypass the authentication
Reply
(August 28, 2022, 05:44 AM)Peter Wrote:
git-dumper http://www.vessel.htb/dev/.git/ dumpeader


Can tip, I cannot see the method to bypass the authentication


It's pretty simple once realized. I googled nodejs SQL injection examples and ended up finding an article demonstrating a SQL query very similar to the one found in the index.js file I mentioned.
Reply
(August 28, 2022, 05:44 AM)Peter Wrote:
git-dumper http://www.vessel.htb/dev/.git/ dumpeader


Can tip, I cannot see the method to bypass the authentication


Inspect the git history: it fixes something and highlights something, do some searching about those.
Reply
(August 28, 2022, 06:10 AM)technic Wrote:
Inspect the git history: it fixes something and highlights something, do some searching about those.


Have you had any luck figuring out the cache file name? I've been reading through the source code (totally not a programmer lol) trying to see how the file name is generated.. I have a fraction of an idea, but haven't been able to guess the correct name yet
Reply
(August 28, 2022, 07:05 AM)snowmanballs Wrote:
(August 28, 2022, 06:10 AM)technic Wrote:
Inspect the git history: it fixes something and highlights something, do some searching about those.


Have you had any luck figuring out the cache file name? I've been reading through the source code (totally not a programmer lol) trying to see how the file name is generated.. I have a fraction of an idea, but haven't been able to guess the correct name yet


Why do we need to predict the cache file name if the directory path is open??
Reply
(August 28, 2022, 08:15 AM)b4nna1337 Wrote:
(August 28, 2022, 07:05 AM)snowmanballs Wrote:
Why do we need to predict the cache file name if the directory path is open??


You can most likely run a local version of the service.. however, I'm not having much luck getting it to work and I don't feel like spending the time to troubleshoot it.. so unless someone shares the file name, I guess this is where I finish lol
Reply
(August 28, 2022, 08:15 AM)b4nna1337 Wrote:
(August 28, 2022, 07:05 AM)snowmanballs Wrote:
Why do we need to predict the cache file name if the directory path is open??


Because when the cache is created, an index.php file is going to be there, and you are not going to see the directory content.
I recommend running a local version of owa and seeing what happens.
Reply
(August 28, 2022, 08:22 AM)snowmanballs Wrote:
(August 28, 2022, 08:15 AM)b4nna1337 Wrote:
You can most likely run a local version of the service.. however, I'm not having much luck getting it to work and I don't feel like spending the time to troubleshoot it.. so unless someone shares the file name, I guess this is where I finish lol
(August 28, 2022, 08:31 AM)farkow Wrote:
(August 28, 2022, 08:15 AM)b4nna1337 Wrote:
Because when the cache is created, an index.php file is going to be there, and you are not going to see the directory content.
I recommend running a local version of owa and seeing what happens.


$this->makeCacheCollectionDir($collection);
owa_coreAPI::debug(' writing file for: '.$collection.$id);
// create collection dir
$collection_dir = $this->makeCollectionDirPath($collection);
// assemble cache file name
$cache_file = $collection_dir.$id.'.php';



function makeCollectionDirPath($collection) {
    return $this->cache_dir.$this->cache_id.'/'.$collection.'/';
}



var $cache_id = 1; // default cache id



$cache_file = $this->cache_dir.$this->cache_id.'/'.$collection.'/'.$id.'.php';
// owa-data/caches/1/owa_user/$ID.php


But...


function hash($id) {
    return md5( $id . OWA_AUTH_KEY );
}


OWA_AUTH_KEY? Could it be the default one, or something else?
Reply