Talkative machine discussion
(April 11, 2022, 03:44 PM)Internetdreams Wrote: easy rce on rjeditor -> try(system("bash -c 'id'", intern = TRUE))
on the container go on /root/ unzip the .omv containing passwords for /bolt/ on :80.
Login as [email protected]:<PASSWORD>
TWIG SSTI to RCE on theme editing ; you got a shell as www-data you can ssh as saul from here with previous creds.


how can i download .omv? 

yesterday i found something similar with : system2("whoami", stdout = TRUE, stderr = TRUE)

and also a way to "ls" the filesystem with : list.files(path=".", pattern=NULL, all.files=FALSE,
   full.names=FALSE)
Reply
(April 12, 2022, 08:58 AM)inferno7us Wrote:
(April 11, 2022, 03:44 PM)Internetdreams Wrote: easy rce on rjeditor -> try(system("bash -c 'id'", intern = TRUE))
on the container go on /root/ unzip the .omv containing passwords for /bolt/ on :80.
Login as [email protected]:<PASSWORD>
TWIG SSTI to RCE on theme editing ; you got a shell as www-data you can ssh as saul from here with previous creds.


sadly, i cannot run the rce on rjeditor...some help please..


Try this ...

rewrite your endpoint ;)  then go on the r editor and spawn shell!

i had the same problem ! but it perfectly works after this!
Reply
I found a way to get the .omv file ....

1) write r code to download chisel from your webserver

2) chmod +x chisel

3) spawn another shell with python3 and you can get the jamovi file! <3

rep+++ :D
Reply
@Internetdreams @cavour12
Thanks for tips
Reply
the ssti injection. i have tried to inject in a template but i don't get it to work. anyone?
Reply
(April 12, 2022, 06:41 PM)br_7801 Wrote: the ssti injection. i have tried to inject in a template but i don't get it to work. anyone?


i am also stuck here
Reply
(April 13, 2022, 02:38 AM)Internetdreams Wrote:
(April 12, 2022, 06:41 PM)br_7801 Wrote: the ssti injection. i have tried to inject in a template but i don't get it to work. anyone?
{% block main %}
  {{7*7}}
{% endblock main %}
on themes/index.twig, then go reset the cache on menu -> maintenance -> clear the cache, then visit the index page
curl http://talkative.htb/


your template is executed.

https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#twig-php
google is your friend


ah, clear cache. my payload worked after that
Reply
thanks for the hint..

For root access, i know we need to take over an account on Rocket Chat but i cannot take over the account..

any advice?
Reply
anyone can share root hash?
Reply
(April 14, 2022, 12:05 AM)Internetdreams Wrote:
(April 13, 2022, 06:44 AM)inferno7us Wrote: thanks for the hint..


For root access, i know we need to take over an account on Rocket Chat but i cannot take over the account..

any advice?


no sqli on user.lists?query


also you can access the mongodb through saul


i managed to get admin access to the application port 3000...what next?
Reply

