Derailed - HTB [Discussion]
(November 21, 2022, 01:46 PM)xGarfield Wrote:
(November 21, 2022, 01:44 PM)nuki Wrote: Tried to
* register as "alice ", "admin", "administrator", etc.
* Modified parameters without success, for example added user[role]=admin, switched user[username] to admin[username], etc.

Maybe I'm completely wrong with what I'm doing


The role doesn't have to be literally "admin"


Thanks, got in  😊
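An added example, not code from the box or from anyone in this thread, showing the server-side fix for the register tampering discussed above: a Rack-style parser for `user[...]` form bodies, a strong-parameters style allowlist in plain Ruby, and the list of unpermitted keys so the attempt can be logged. The form body is constructed here; in a real Rails app, `action_on_unpermitted_parameters = :log` gives the same reporting.

```ruby
require "uri"

# Constructed sample body, modelled on the tampered register request discussed
# in the thread: the client adds a user[role] field the form never offered.
TAMPERED_BODY = "authenticity_token=abc123&user[username]=mallory" \
                "&user[password]=test&user[password_confirmation]=test&user[role]=admin"

# Attributes the registration form is allowed to set; everything else is dropped.
PERMITTED_USER_FIELDS = %w[username password password_confirmation].freeze

# Parse a URL-encoded body with Rack-style bracket keys (a[b]=c) into nested
# hashes. A repeated scalar key keeps its last value, as Rack does.
def parse_nested_form(body)
  URI.decode_www_form(body).each_with_object({}) do |(key, value), params|
    path = key.delete("]").split("[")          # "user[role]" -> ["user", "role"]
    leaf = path.pop
    node = path.inject(params) do |hash, segment|
      hash[segment] = {} unless hash[segment].is_a?(Hash)
      hash[segment]
    end
    node[leaf] = value
  end
end

# Strong-parameters style allowlist for the mass-assignment-prone pattern
# User.new(params[:user]). Returns the permitted attributes and the keys the
# client tried to smuggle in, so the caller can log or reject the request.
def permit_user_params(params)
  user = params.fetch("user", {})
  permitted = user.select { |key, _| PERMITTED_USER_FIELDS.include?(key) }
  unpermitted = user.keys - PERMITTED_USER_FIELDS
  [permitted, unpermitted]
end

# Attributes that would actually be persisted: the role always comes from the
# server-side default and can never be set by the request.
def build_user_attributes(body)
  permitted, unpermitted = permit_user_params(parse_nested_form(body))
  { attributes: { "role" => "user" }.merge(permitted), unpermitted: unpermitted }
end

if __FILE__ == $PROGRAM_NAME
  result = build_user_attributes(TAMPERED_BODY)
  puts "persisted: #{result[:attributes]}"
  unless result[:unpermitted].empty?
    warn "unpermitted parameters in register request: #{result[:unpermitted].join(', ')}"
  end
end
```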
(November 21, 2022, 01:50 PM)thehated1 Wrote: lol, if y'all actually rooted the box you'll know that doing the first part is actually xss alice, not the role one. And it will be patched.


thanks, that's a big hint
(November 21, 2022, 01:20 PM)Himitsu Wrote:
(November 21, 2022, 01:17 PM)hacker9999 Wrote:
(November 21, 2022, 12:53 PM)Himitsu Wrote: Rooted.

The authenticity of host 'derailed.htb (10.129.XX.XX)' can't be established.
ED25519 key fingerprint is SHA256:Yw+seNrrZmY6BejnAGxRIklQ/9U0R1nVhdWjPp+5xG4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'derailed.htb' (ED25519) to the list of known hosts.
Linux derailed 5.19.0-0.deb11.2-amd64 #1 SMP PREEMPT_DYNAMIC Debian 5.19.11-1~bpo11+1 (2022-10-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Nov 14 04:52:43 2022
root@derailed:~#


Pretty cool box.
Maybe I will prepare a writeup if I have time.


Any nudge on foothold please?


One step is to take a look at the "register" process; we can intercept and modify the request.

thanks


(November 21, 2022, 12:53 PM)Himitsu Wrote: Rooted.

Pretty cool box.
Maybe I will prepare a writeup if I have time.


it would be great
Any nudge for initial system access?

Found a password for some user that is associated with a service that's probably running on the system.
SSH access using that password with any of the user accounts doesn't work.

Bruteforcing isn't the right direction?
Struggling on the report XSS, never get a callback, any hints? Thanks
[quote=xGarfield]
[quote=meowmeowattack]
[quote=hacker9999]
Tried generating a payload from CVE-2020-8165 and the universal deserialisation gadget from
https://devcraft.io/2021/01/07/universal-deserialisation-gadget-for-ruby-2-x-3-x.html
and replacing the username value with the payload when registering,
but no luck.
[/quote]

Same here, I also tried sending the payload canonically and via the URL params instead of a POST body.

authenticity_token=<token>&user[username]=Marshal.load&user[username]=Base64.decode64&user[username]=<payload>&user[password]=test&user[password_confirmation]=test


From the cookie settings, I'm more convinced the first step is not about XSS, as it's httponly.

From the redirects of login/register, I can see it's redirected to derailed.htb:3003, which is weird, but I couldn't map it to any vectors for now.

From browsing the clipnotes, I can see there is a user called alice who posted clipnotes/1; bruteforcing the password didn't succeed.

some hints would be appreciated
[/quote]

You are going down a rabbit hole. The app has two roles [admin and user]. What if you could register a user with an admin "role" 😉
[/quote]

Ye, that's what I tried at first, but didn't figure out the correct term/wording. Anyway, that's the unintended way and has been patched now.
Given the unintended way is patched and the cookie is httponly, I feel the next possible vector would be CSRF to change some state for the user we created and then proceed.
How did the recently patched unintended privilege escalation Chrome Driver root work?
[quote=meowmeowattack]
Ye, that's what I tried at first, but didn't figure out the correct term/wording. Anyway, that's the unintended way and has been patched now.
Given the unintended way is patched and the cookie is httponly, I feel the next possible vector would be CSRF to change some state for the user we created and then proceed.
[/quote]

That's how the reports look when they are downloaded:

4,bl
4,bl
4,bl
57,pls


Maybe there's some script parsing those records and opening them using a headless browser or something. The changelog of the machine could hint at a headless browser.
I found the LFI. Any hint on what to do next?

Edit: I found development.sqlite3 and cracked a hash. Where to go next?
Exa Wrote: I found the LFI. Any hint on what to do next?

Edit: I found development.sqlite3.


Cracking the hash of toby works pretty well; unfortunately it doesn't lead anywhere.
I already tried bruteforcing the SSH login for the user associated with toby with a list of album names and artists from https://en.wikipedia.org/wiki/Toby_Wright

No success so far for the last couple of hours.

