Posts: 33 Threads: 0 Joined: N/A September 17, 2022 at 8:04 PM
(September 17, 2022, 08:00 PM)xurka Wrote: (September 17, 2022, 07:53 PM)elliotal Wrote: if you put username' in the username field, the server couldn't process it for some reason
there is injection there that bring us as admin: admin'||''===' then we search the same username and get all users hashes but hashes are uncrackable
Cracked > remembermethisway

Posts: 18 Threads: 0 Joined: N/A September 17, 2022 at 8:12 PM
this md5 hash is not well-known but john and rockyou crack it we can login with this pass to mattermost

Posts: 44 Threads: 0 Joined: N/A September 17, 2022 at 8:19 PM
(September 17, 2022, 08:12 PM)xurka Wrote: this md5 hash is not well-known but john and rockyou crack it but we cannot login anywhere with this password as john or admin
you can login that decrypted key on john in admin login

Posts: 38 Threads: 0 Joined: N/A September 17, 2022 at 8:20 PM
(September 17, 2022, 08:00 PM)xurka Wrote: (September 17, 2022, 07:53 PM)elliotal Wrote: if you put username' in the username field, the server couldn't process it for some reason
there is injection there that bring us as admin: admin'||''===' then we search the same username and get all users hashes but hashes are uncrackable
it shows nothing if you try to search the name

Posts: 18 Threads: 0 Joined: N/A September 17, 2022 at 8:20 PM
(September 17, 2022, 08:19 PM)achillescarter Wrote: (September 17, 2022, 08:12 PM)xurka Wrote: this md5 hash is not well-known but john and rockyou crack it but we cannot login anywhere with this password as john or admin
you can login that decrypted key on john in admin login
we already there as admin, we do not need login as admin to admin login, login mattermost instead
(September 17, 2022, 08:20 PM)elliotal Wrote: it shows nothing if you try to search the name
for me it showed two hashes in response: http://shoppy.htb/exports/export-search.json

Posts: 104 Threads: 0 Joined: N/A September 17, 2022 at 8:24 PM
(September 17, 2022, 08:20 PM)xurka Wrote: (September 17, 2022, 08:19 PM)achillescarter Wrote: (September 17, 2022, 08:12 PM)xurka Wrote: this md5 hash is not well-known but john and rockyou crack it but we cannot login anywhere with this password as john or admin
you can login that decrypted key on john in admin login
we already there as admin, we do not need login as admin to admin login, login mattermost instead
(September 17, 2022, 08:20 PM)elliotal Wrote: it shows nothing if you try to search the name
for me it showed two hashes in response: http://shoppy.htb/exports/export-search.json
I know who you are
Don't share these clear hints here

Posts: 31 Threads: 0 Joined: N/A September 17, 2022 at 8:25 PM
The Password is crackable by md5 hash but for what users is it used?

Posts: 15 Threads: 0 Joined: N/A September 17, 2022 at 8:26 PM
(September 17, 2022, 08:19 PM)achillescarter Wrote: (September 17, 2022, 08:12 PM)xurka Wrote: this md5 hash is not well-known but john and rockyou crack it but we cannot login anywhere with this password as john or admin
you can login that decrypted key on john in admin login
we already there as admin, we do not need login as admin to admin login, login mattermost instead
Any hints to find mattermost? directory-2.3-medium does not show it

Posts: 18 Threads: 0 Joined: N/A September 17, 2022 at 8:27 PM
(September 17, 2022, 08:00 PM)xurka Wrote: (September 17, 2022, 07:53 PM)elliotal Wrote: if you put username' in the username field, the server couldn't process it for some reason
there is injection there that bring us as admin: admin'||''===' then we search the same username and get all users hashes but hashes are uncrackable
How did you come to the conclusion that this injection was viable?

Posts: 37 Threads: 0 Joined: N/A September 17, 2022 at 8:30 PM
(September 17, 2022, 08:00 PM)xurka Wrote: (September 17, 2022, 07:53 PM)elliotal Wrote: if you put username' in the username field, the server couldn't process it for some reason
there is injection there that bring us as admin: admin'||''===' then we search the same username and get all users hashes but hashes are uncrackable
How did you find this injection?