Posts: 30 Threads: 0 Joined: N/A October 16, 2022 at 6:08 PM
(October 16, 2022, 05:45 PM)Hacker2222 Wrote: (October 16, 2022, 05:42 PM)m4rsh3ll Wrote: (October 16, 2022, 05:37 PM)Hacker2222 Wrote: (October 16, 2022, 05:19 PM)m4rsh3ll Wrote: (October 16, 2022, 05:13 PM)hacker1111 Wrote: Here is Flask Session of Jack
eyJ1c2VybmFtZSI6ImphY2sifQ.Y0w6sQ.dr499o6kKo4Zy4fhVBQAJku02TE
Where did you get this?
probably by generating it with the secret_key in app.py
So how to get access to source? app.py is on 172.18.0.1 With secret key anyone can create token. Then question is how to get this key.
with healthcheck . u can make custom check with post request . then find what each char is.
How are you able to enum chars? I tried with a curl request with --data 'file=/var/www/rainycloud/app.py&type=CUSTOM[also tried with PYTHON]&pattern=^secret_key*' following that GET request you get at /api/healthcheck but I get true every damn time...

Posts: 104 Threads: 0 Joined: N/A October 16, 2022 at 6:25 PM
You can get idea from here that how I got secret key
[code]https://0xdf.gitlab.io/2022/05/14/htb-fingerprint.html#ssh-brute-script[/code]
[code]https://0xdf.gitlab.io/2022/05/14/htb-fingerprint.html#blind-injection[/code]
Parameter
[code]file=/var/www/rainycloud/app.py&type=custom&pattern= [/code]

Posts: 10 Threads: 0 Joined: N/A October 16, 2022 at 6:49 PM
[quote="hacker1111" pid="664775" dateline="1665944726"]You can get idea from here that how I got secret key
[code]https://0xdf.gitlab.io/2022/05/14/htb-fingerprint.html#ssh-brute-script[/code]
[code]https://0xdf.gitlab.io/2022/05/14/htb-fingerprint.html#blind-injection[/code]
Parameter
[code]file=/var/www/rainycloud/app.py&type=custom&pattern= [/code][/quote]
any luck with getting system?

Posts: 104 Threads: 0 Joined: N/A October 16, 2022 at 7:15 PM
[quote="br4v0ch4rl33" pid="664881" dateline="1665946154"][quote="hacker1111" pid="664775" dateline="1665944726"]You can get idea from here that how I got secret key
[code]https://0xdf.gitlab.io/2022/05/14/htb-fingerprint.html#ssh-brute-script[/code]
[code]https://0xdf.gitlab.io/2022/05/14/htb-fingerprint.html#blind-injection[/code]
Parameter
[code]file=/var/www/rainycloud/app.py&type=custom&pattern= [/code][/quote]
any luck with getting system?[/quote]
system ?? did you mean shell ?

Posts: 28 Threads: 0 Joined: N/A October 16, 2022 at 10:46 PM
(October 16, 2022, 10:12 PM)Hacker2222 Wrote: for user flag .............. ps xau in container shows sleep command . this process has mount on root of host. u can read ssh private key of jack .......
check cat /proc/NUMBER/root/home/jack/.ssh/id_rsa
Which regex did you use for pattern? I can find any string I want, for example the first "def" entry is on line 47. But I can't find any "sec" or "key" entry

Posts: 20 Threads: 0 Joined: N/A October 16, 2022 at 11:14 PM
(October 16, 2022, 10:46 PM)m4rsh3ll Wrote: (October 16, 2022, 10:12 PM)Hacker2222 Wrote: for user flag .............. ps xau in container shows sleep command . this process has mount on root of host. u can read ssh private key of jack .......
check cat /proc/NUMBER/root/home/jack/.ssh/id_rsa
Which regex did you use for pattern? I can find any string I want, for example the first "def" entry is on line 47. But I can't find any "sec" or "key" entry
Two hints... Is your search case sensitive? And the second one... Maybe the key is not on that file...

Posts: 20 Threads: 0 Joined: N/A October 16, 2022 at 11:48 PM
Once you get inside the Host, you will need to escalate privileges (as always)... I think you will find this useful ;)

Posts: 13 Threads: 0 Joined: N/A October 16, 2022 at 11:51 PM
Everyone is stuck at jack_adm :-D
(October 16, 2022, 11:48 PM)lnf02 Wrote: Once you get inside the Host, you will need to escalate privileges (as always)...
I think you will find this useful ;)
Let's see -- we need from jack_adm

Posts: 18 Threads: 0 Joined: N/A October 17, 2022 at 12:35 AM
😎

Posts: 24 Threads: 0 Joined: N/A October 17, 2022 at 12:53 AM
anyone found steps to jack_adm?