Derailed - HTB [Discussion]
I guess it has something to do with the processing of the notes after they are posted or reported.
Maybe some kind of markdown vulnerability; I haven't had any chance to test it so far. Will proceed later today.
Reply
(November 21, 2022, 10:11 AM)meowmeowattack Wrote:
(November 21, 2022, 08:33 AM)hacker9999 Wrote: Tried generating a payload from CVE-2020-8165 and the universal deserialisation gadget from
https://devcraft.io/2021/01/07/universal-deserialisation-gadget-for-ruby-2-x-3-x.html
and replaced the username value with the payload when registering,
but no luck.


Same here, I also tried sending the payload canonically and via the URL params instead of a POST body.

authenticity_token=<token>&user[username]=Marshal.load&user[username]=Base64.decode64&user[username]=<payload>&user[password]=test&user[password_confirmation]=test


From the cookie settings, I'm more convinced the first step is not about XSS, as it's HttpOnly.

From the redirects of login/register, I can see it's redirected to derailed.htb:3003, which is weird, but I couldn't map it to any vectors for now.

From browsing the clipnotes, I can see there is a user called alice who posted clipnotes/1; bruteforcing the password didn't succeed.

Some hints would be appreciated.


You are going down a rabbit hole. The app has two roles [admin and user]. What if you could register a user with an admin "role" 😉
Reply
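Since the Marshal / CVE-2020-8165 payload attempts come up in the posts above, here is an added defender-side illustration in plain Ruby. It is not the box's code and not Rails' own MessageVerifier (which does the same job in production); DEMO_SECRET, the token layout ("<base64 blob>--<hmac hex>"), the helper names and all sample objects are constructed for this demo. The point it shows: serialized bytes are handed to Marshal.load only after an HMAC over those exact bytes verifies, and a small check flags request fields that carry the Marshal version header.

```ruby
require "openssl"

# Added, defender-side illustration (not the box's code, not Rails'
# MessageVerifier). Marshal.load on bytes a client controls is a
# code-execution primitive, so the only acceptable pattern is:
# authenticate first, deserialize second.
DEMO_SECRET   = "hypothetical-server-side-secret".freeze # constructed for the demo
MARSHAL_MAGIC = "\x04\x08".b.freeze # version header every Marshal.dump output starts with

# Constant-time byte comparison so a forged MAC cannot be guessed via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: serialize an object and bind it to a MAC over the exact bytes.
def sign(obj, key = DEMO_SECRET)
  blob = Marshal.dump(obj)
  mac  = OpenSSL::HMAC.hexdigest("SHA256", key, blob)
  "#{[blob].pack('m0')}--#{mac}"
end

# Server side: returns the object only if the MAC verifies, nil otherwise.
# Marshal.load is never reached for unsigned, malformed or tampered input.
def verified_load(token, key = DEMO_SECRET)
  encoded, mac = token.to_s.split("--", 2)
  return nil if encoded.nil? || mac.nil?
  begin
    blob = encoded.unpack1("m0") # strict base64; raises on malformed input
  rescue ArgumentError
    return nil
  end
  expected = OpenSSL::HMAC.hexdigest("SHA256", key, blob)
  return nil unless secure_equal?(mac, expected)
  Marshal.load(blob)
end

# Detection helper for request logs / WAF rules: does a client-supplied field
# (raw or base64-encoded) start with the Marshal version header? A legitimate
# form field such as a username never should.
def looks_like_marshal?(value)
  raw = value.to_s.b
  decoded = begin
    raw.unpack1("m0")
  rescue ArgumentError
    nil
  end
  [raw, decoded].compact.any? { |c| c.start_with?(MARSHAL_MAGIC) }
end

if __FILE__ == $PROGRAM_NAME
  token = sign({ "username" => "alice", "role" => "user" })
  puts "valid token loads:        #{verified_load(token).inspect}"
  # Same MAC, different blob: rejected before Marshal.load runs.
  forged = "#{[Marshal.dump({ 'role' => 'admin' })].pack('m0')}--#{token.split('--', 2).last}"
  puts "forged blob loads:        #{verified_load(forged).inspect}"
  puts "username 'alice' flagged? #{looks_like_marshal?('alice')}"
end
```

Run it directly to see the valid token round-trip and the forged blob come back as nil. The version-header check is cheap enough to run over every registration field in an access log and gives a concrete signal for the kind of probing described in the posts above.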
Rooted.

The authenticity of host 'derailed.htb (10.129.XX.XX)' can't be established.
ED25519 key fingerprint is SHA256:Yw+seNrrZmY6BejnAGxRIklQ/9U0R1nVhdWjPp+5xG4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'derailed.htb' (ED25519) to the list of known hosts.
Linux derailed 5.19.0-0.deb11.2-amd64 #1 SMP PREEMPT_DYNAMIC Debian 5.19.11-1~bpo11+1 (2022-10-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Nov 14 04:52:43 2022
root@derailed:~#


Pretty cool box.
Maybe I will prepare a writeup if I have time.
Reply
(November 21, 2022, 12:53 PM)Himitsu Wrote: Rooted.

Pretty cool box.
Maybe I will prepare a writeup if I have time.


Any nudge on foothold please?
Reply
(November 21, 2022, 01:17 PM)hacker9999 Wrote:
(November 21, 2022, 12:53 PM)Himitsu Wrote: Rooted.

Pretty cool box.
Maybe I will prepare a writeup if I have time.


Any nudge on foothold please?


One step is to take a look at the "register" process; we can intercept and modify the request.
Reply
(November 21, 2022, 01:20 PM)Himitsu Wrote:
(November 21, 2022, 01:17 PM)hacker9999 Wrote:
(November 21, 2022, 12:53 PM)Himitsu Wrote: Rooted.

Pretty cool box.
Maybe I will prepare a writeup if I have time.


Any nudge on foothold please?


One step is to take a look at the "register" process; we can intercept and modify the request.


Is deserialization the right direction? Thank you.
Reply
(November 21, 2022, 12:53 PM)Himitsu Wrote: Rooted.

Pretty cool box.
Maybe I will prepare a writeup if I have time.


Congrats! Do you mind giving me a nudge for priv esc?


(November 21, 2022, 01:27 PM)hacker9999 Wrote:
(November 21, 2022, 01:20 PM)Himitsu Wrote:
(November 21, 2022, 01:17 PM)hacker9999 Wrote:
(November 21, 2022, 12:53 PM)Himitsu Wrote: Rooted.

Pretty cool box.
Maybe I will prepare a writeup if I have time.


Any nudge on foothold please?


One step is to take a look at the "register" process; we can intercept and modify the request.


Is deserialization the right direction? Thank you.


No, it isn't.
Reply
Tried to
* register as "alice ", "admin", "administrator" e.g.
* Modified parameters without success, for example added role=admin, user[role]=admin, switched user[username] to admin[username] e.g.

Maybe I'm completely wrong with what I'm doing
Reply
(November 21, 2022, 01:44 PM)nuki Wrote: Tried to
* register as "alice ", "admin", "administrator" e.g.
* Modified parameters without success, for example added user[role]=admin, switched user[username] to admin[username] e.g.

Maybe I'm completely wrong with what I'm doing


The role doesn't have to literally be "admin"
Reply
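For the role discussion in the posts above (the hint about registering with an admin "role" and nuki's user[role]=admin attempts), here is an added illustration from the application side in plain Ruby. It is not the box's code and not ActionController::Parameters; the User struct, REGISTRATION_FIELDS, parse_form, permit, rejected_fields, register_unsafe, register_safe and the request body are all constructed for this demo. It shows the mass-assignment shape beside its allow-listed form, and why the list of dropped fields is worth logging.

```ruby
require "uri"

# Added illustration (not the box's application code, not
# ActionController::Parameters). Everything below is constructed for the demo.
User = Struct.new(:username, :password, :password_confirmation, :role, keyword_init: true)

# Fields a self-registering visitor may set. Anything else under user[...]
# is dropped server-side, never merged into the model.
REGISTRATION_FIELDS = %w[username password password_confirmation].freeze

# Minimal x-www-form-urlencoded parser that understands one level of
# Rails-style nesting (user[username]=x). For a repeated scalar key the last
# value wins, which is also what Rack's nested query parser does.
def parse_form(body)
  body.to_s.split("&").each_with_object({}) do |pair, out|
    key, value = pair.split("=", 2).map { |s| URI.decode_www_form_component(s.to_s) }
    if (m = key.match(/\A(\w+)\[(\w+)\]\z/))
      (out[m[1]] ||= {})[m[2]] = value
    else
      out[key] = value
    end
  end
end

# Allow-list filter: keeps only the permitted keys of params["user"].
def permit(params, allowed)
  params.fetch("user", {}).select { |k, _| allowed.include?(k) }
end

# Keys the client sent that the allow-list dropped. Worth logging: a
# registration request carrying "role" is a signal, not just noise.
def rejected_fields(params, allowed)
  params.fetch("user", {}).keys - allowed
end

# Vulnerable shape (mass assignment): the client's whole user hash is merged
# over the defaults, so user[role]=... in the POST body decides the role.
def register_unsafe(params)
  attrs = { "role" => "user" }.merge(params.fetch("user", {}))
  User.new(**attrs.transform_keys(&:to_sym))
end

# Hardened shape: only allow-listed fields come from the request; the role
# is assigned by the server regardless of what was submitted.
def register_safe(params)
  attrs = permit(params, REGISTRATION_FIELDS)
  User.new(**attrs.transform_keys(&:to_sym), role: "user")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request body in the shape seen in the thread, plus a role field.
  body   = "authenticity_token=tok&user[username]=eve&user[password]=pw" \
           "&user[password_confirmation]=pw&user[role]=admin"
  params = parse_form(body)
  puts "unsafe role: #{register_unsafe(params).role}"
  puts "safe role:   #{register_safe(params).role}"
  puts "dropped:     #{rejected_fields(params, REGISTRATION_FIELDS).inspect}"
end
```

The design point for whoever maintains an app like this: the allow-list, not the model, decides which submitted fields exist at all, and the dropped-field list from rejected_fields is cheap telemetry for spotting exactly the parameter tampering described in the posts above.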
lol, if y'all actually rooted the box you'll know that the first part is actually XSS alice, not the role one. And it will be patched.
Reply

