Posts: 28 Threads: 0 Joined: N/A October 16, 2022 at 12:57 PM
Is this healthcheck from pylib Healthcheck and the Flask framework in the backend? With TornadoHandler as callback? Did someone check it?

Posts: 17 Threads: 0 Joined: N/A October 16, 2022 at 3:19 PM
The cookie isn't JWT, it's a Flask session cookie. Use flask-unsign to see it. If anyone gets the secret to change the cookie, it's possible to log in as jack.

Posts: 28 Threads: 0 Joined: N/A October 16, 2022 at 3:19 PM
(October 16, 2022, 02:58 PM)Hacker2222 Wrote: i think u need to use dev. healthcheck to read secret for cookie creation . maybe u can forge cookie of jack user .......
There is an id encrypted with sha256 in the POST request but I guess I'm not able to brute it. If you send a POST payload from the container to http://dev.rainycloud.htb/containers for a python shell it will open the same shell as you already have. But brute forcing the id for the "secrets" container seems to be a good idea if it is possible :) Also healthcheck can accept a POST request with some unknown parameter.
Entry points can be:
- http://dev.rainycloud.htb/api/user/<id> (injection possible)
- id in post request for http://dev.rainycloud.htb/containers (brute forcing sha256)
- unknown POST parameter for http://dev.rainycloud.htb/healthcheck

Posts: 17 Threads: 0 Joined: N/A October 16, 2022 at 3:27 PM
(October 16, 2022, 03:19 PM)m4rsh3ll Wrote: [quoted above]
How is it possible to inject in the id in http://dev.rainycloud.htb/api/user/<id>?

Posts: 28 Threads: 0 Joined: N/A October 16, 2022 at 3:37 PM
(October 16, 2022, 03:27 PM)first6444444 Wrote: How is it possible to inject in the id in http://dev.rainycloud.htb/api/user/<id>?
IDK, maybe template injection or something. I just wrote all possible entry points.

Posts: 22 Threads: 0 Joined: N/A October 16, 2022 at 4:25 PM
(October 16, 2022, 03:58 PM)Hacker2222 Wrote: (October 16, 2022, 03:19 PM)m4rsh3ll Wrote: [quoted above]
1. The only injection possible is 1.0 ....... prob dead end.
2. u can get the id of the secret container with ps aux on ur container. When u change the id to the secrets container u get "unauthorized". prob dead end.
3. params are file type and pattern bruh.. I'm missing something in tunnelling, can you please explain me real quick :(

Posts: 104 Threads: 0 Joined: N/A October 16, 2022 at 5:13 PM
Here is the Flask session of Jack
eyJ1c2VybmFtZSI6ImphY2sifQ.Y0w6sQ.dr499o6kKo4Zy4fhVBQAJku02TE

Posts: 28 Threads: 0 Joined: N/A October 16, 2022 at 5:19 PM
(October 16, 2022, 05:13 PM)hacker1111 Wrote: Here is the Flask session of Jack
eyJ1c2VybmFtZSI6ImphY2sifQ.Y0w6sQ.dr499o6kKo4Zy4fhVBQAJku02TE
Where did you get this?

Posts: 22 Threads: 0 Joined: N/A October 16, 2022 at 5:31 PM
(October 16, 2022, 04:58 PM)Hacker2222 Wrote: (October 16, 2022, 04:25 PM)dumpsterX0 Wrote: [quoted above]
idk..... use chisel ?? i dont know where u go wrong LOL
Next path is prob getting secret_key from the app. Share your steps bro, I'll make sure what I'm doing wrong :( I was stuck too long.

Posts: 28 Threads: 0 Joined: N/A October 16, 2022 at 5:42 PM
(October 16, 2022, 05:37 PM)Hacker2222 Wrote: (October 16, 2022, 05:19 PM)m4rsh3ll Wrote: Where did you get this?
probably by generating it with the secret_key in app.py
So how to get access to the source? app.py is on 172.18.0.1. With the secret key anyone can create a token. Then the question is how to get this key.
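Added example, not code from this thread or from the box: a stand-alone Python script that decodes the session cookie hacker1111 posted above and models Flask's cookie signing with standard-library HMAC under a placeholder key. It shows what the thread is circling: the payload is base64, not encrypted, so the username and issue time are readable by anyone holding the cookie without any key, while the cookie's integrity rests entirely on SECRET_KEY. The HMAC-SHA1 key derivation with the salt "cookie-session" is my reading of how Flask configures itsdangerous and is an assumption; PLACEHOLDER_SECRET is made up and is not the application's key; the "admin" value in the tamper check is constructed.

```python
import base64
import hashlib
import hmac
import json
import zlib

# Cookie value exactly as posted in the thread: payload.timestamp.signature
POSTED_COOKIE = "eyJ1c2VybmFtZSI6ImphY2sifQ.Y0w6sQ.dr499o6kKo4Zy4fhVBQAJku02TE"

# Placeholder key for the demo: an assumption, NOT the application's SECRET_KEY.
PLACEHOLDER_SECRET = b"placeholder-secret-key-for-this-example"
SALT = b"cookie-session"  # salt Flask hands to its session serializer


def _b64decode(s: str) -> bytes:
    """URL-safe base64 with the padding itsdangerous strips put back."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def split_cookie(cookie: str) -> tuple:
    """payload (starts with '.' when zlib-compressed), timestamp, signature."""
    parts = cookie.rsplit(".", 2)
    if len(parts) != 3:
        raise ValueError("not a three-part Flask session cookie")
    return tuple(parts)


def decode_session(cookie: str) -> dict:
    """Read the session contents and issue time. No key is involved: this is
    encoding, not encryption, so anyone holding the cookie can do it."""
    payload, ts_b64, _sig = split_cookie(cookie)
    data = _b64decode(payload.lstrip("."))
    if payload.startswith("."):  # itsdangerous compresses large payloads
        data = zlib.decompress(data)
    issued_at = int.from_bytes(_b64decode(ts_b64), "big")
    return {"session": json.loads(data), "issued_at": issued_at}


def _signature(secret: bytes, signed_value: str) -> str:
    # Modelled on itsdangerous as Flask configures it: derive a per-salt key
    # with HMAC-SHA1, then HMAC-SHA1 over "payload.timestamp". This is an
    # assumption about library internals; the security argument does not
    # depend on the exact construction, only on the key being secret.
    derived = hmac.new(secret, SALT, hashlib.sha1).digest()
    mac = hmac.new(derived, signed_value.encode(), hashlib.sha1).digest()
    return _b64encode(mac)


def verify_session(cookie: str, secret: bytes) -> bool:
    """True only when the signature was produced with `secret`."""
    try:
        payload, ts_b64, sig = split_cookie(cookie)
    except ValueError:
        return False
    return hmac.compare_digest(_signature(secret, f"{payload}.{ts_b64}"), sig)


def mint_session(session: dict, issued_at: int, secret: bytes) -> str:
    """What the server does on every response: serialize, timestamp, sign."""
    payload = _b64encode(json.dumps(session, separators=(",", ":")).encode())
    ts = _b64encode(issued_at.to_bytes((issued_at.bit_length() + 7) // 8, "big"))
    signed = f"{payload}.{ts}"
    return f"{signed}.{_signature(secret, signed)}"


def tampered_copy(cookie: str, session: dict) -> str:
    """Swap the payload but keep the old signature: the only move available
    without the key, and exactly what verify_session() must reject."""
    _payload, ts_b64, sig = split_cookie(cookie)
    new_payload = _b64encode(json.dumps(session, separators=(",", ":")).encode())
    return f"{new_payload}.{ts_b64}.{sig}"


if __name__ == "__main__":
    print(decode_session(POSTED_COOKIE))
    print("posted cookie valid under placeholder key:",
          verify_session(POSTED_COOKIE, PLACEHOLDER_SECRET))
    minted = mint_session({"username": "jack"}, 1665940145, PLACEHOLDER_SECRET)
    print("minted cookie verifies:", verify_session(minted, PLACEHOLDER_SECRET))
    print("tampered copy verifies:",
          verify_session(tampered_copy(minted, {"username": "admin"}), PLACEHOLDER_SECRET))
```

Running it shows that the posted cookie's payload and timestamp are reproduced byte for byte by mint_session() and that only the signature differs, that the posted cookie does not validate under the placeholder key, and that a payload swap with the old signature fails. For a defender the consequence is the one the thread reaches from the other direction: SECRET_KEY is a credential equivalent to every user's session, so it must not live in a readable app.py, a container filesystem, or anything a healthcheck endpoint can read, and rotating it invalidates every outstanding cookie at once.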