(May 8, 2022, 12:43 PM)Truss46 Wrote:

(May 8, 2022, 12:29 PM)Exa Wrote:

(May 8, 2022, 12:26 PM)Truss46 Wrote: When I sign up for ssh with Blue, I'm kicked out right away

Am I doing something wrong?

Same for me. SSH gives me "This account is currently not available."

However, the FTP login works. There is one file named policy.pdf.


This line from the PDF might be useful: "Default user-password generated by the application is in the format of "username@site_name!" (This applies to all your applications)"

Do we have any other usernames?

ftp_admin

Right, I can see one note was created by ftp_admin.

FTP login works for ftp_admin. Now I see two files there: app_backup_1635803546.zip and app_backup_1638395546.zip

Anyone root ? Cant see where it goes after the user

(May 8, 2022, 01:23 PM)iamnoone777 Wrote: Anyone root ? Cant see where it goes after the user

look at mysql

any writeups ?

Can anyone help me in user part ?

(May 8, 2022, 01:01 PM)Exa Wrote:

(May 8, 2022, 12:43 PM)Truss46 Wrote:

(May 8, 2022, 12:29 PM)Exa Wrote:

(May 8, 2022, 12:26 PM)Truss46 Wrote: When I sign up for ssh with Blue, I'm kicked out right away

Am I doing something wrong?

Same for me. SSH gives me "This account is currently not available."

However, the FTP login works. There is one file named policy.pdf.


This line from the PDF might be useful: "Default user-password generated by the application is in the format of "username@site_name!" (This applies to all your applications)"

Do we have any other usernames?

ftp_admin

Right, I can see one note was created by ftp_admin.

FTP login works for ftp_admin. Now I see two files there: app_backup_1635803546.zip and app_backup_1638395546.zip

sql creds in the first backup, not sure how to get on box still

Is this the correct path to user?

```
# Export remote
@app.route('/export_note_remote', methods=['POST'])
@is_logged_in
def export_note_remote():
if check_VIP(session['username']):
try:
url = request.form['url']

status, error = parse_url(url)

if (status is True) and (error is None):
try:
r = pyrequest.get(url,allow_redirects=True)
rand_int = random.randint(1,10000)
command = f"node misc/md-to-pdf.js $'{r.text.strip()}' {rand_int}"
subprocess.run(command, shell=True, executable="/bin/bash")

if os.path.isfile(attachment_dir + f'{str(rand_int)}.pdf'):

return send_file(attachment_dir + f'{str(rand_int)}.pdf', as_attachment=True)

else:
return render_template('export_note.html', error="Error occured while exporting the !")
```

(May 8, 2022, 05:24 PM)just4htb1337 Wrote: Is this the correct path to user?

```
# Export remote
@app.route('/export_note_remote', methods=['POST'])
@is_logged_in
def export_note_remote():
    if check_VIP(session['username']):
        try:
            url = request.form['url']

            status, error = parse_url(url)

            if (status is True) and (error is None):
                try:
                    r = pyrequest.get(url,allow_redirects=True)
                    rand_int = random.randint(1,10000)
                    command = f"node misc/md-to-pdf.js  $'{r.text.strip()}' {rand_int}"
                    subprocess.run(command, shell=True, executable="/bin/bash")

                    if os.path.isfile(attachment_dir + f'{str(rand_int)}.pdf'):

                        return send_file(attachment_dir + f'{str(rand_int)}.pdf', as_attachment=True)                                                                                               

                    else:
                        return render_template('export_note.html', error="Error occured while exporting the !")
```

possible https://security.snyk.io/vuln/SNYK-JS-MDTOPDF-1657880

(May 8, 2022, 05:30 PM)hackerman Wrote:

(May 8, 2022, 05:24 PM)just4htb1337 Wrote: Is this the correct path to user?

```
# Export remote
@app.route('/export_note_remote', methods=['POST'])
@is_logged_in
def export_note_remote():
    if check_VIP(session['username']):
        try:
            url = request.form['url']

            status, error = parse_url(url)

            if (status is True) and (error is None):
                try:
                    r = pyrequest.get(url,allow_redirects=True)
                    rand_int = random.randint(1,10000)
                    command = f"node misc/md-to-pdf.js  $'{r.text.strip()}' {rand_int}"
                    subprocess.run(command, shell=True, executable="/bin/bash")

                    if os.path.isfile(attachment_dir + f'{str(rand_int)}.pdf'):

                        return send_file(attachment_dir + f'{str(rand_int)}.pdf', as_attachment=True)                                                                                               

                    else:
                        return render_template('export_note.html', error="Error occured while exporting the !")
```

possible https://security.snyk.io/vuln/SNYK-JS-MDTOPDF-1657880

Tried that one as well, but somewhat it didn't work ... could be that am doing it wrongly

Looking at the diff between both backups, there are four differing functions:/export_note/export_note_local//export_note_remote/import_note