Inject has a website with a file read vulnerability that allows me to read the source code for the site.

ctf htb-inject hackthebox nmap ubuntu file-read directory-traversal tomcat feroxbuster burp-repeater burp spring-cloud-function-spel-injection java java-sprint maven snyk spring-cloud-function-web cve-2022-22963 command-injection brace-expansion ansible pspy ansible-playbook

Socket has a web application for a company that makes QR code encoding / decoding software. I'll download both the Linux and Windows application, and through dynamic analysis, see web socket connections to the box. I'll find a SQLite injection over the websocket and leak a password and username that can be used for SSH. That user is able to run the PyInstaller build process as root, and I'll abuse that to read files, and get a shell. In Beyond Root, I'll look at pulling the Python source code from the application, even though I didn't need that to solve the box.

ctf hackthebox htb-socket nmap ffuf qrcode python ubuntu flask websocket python-websockets pyinstaller burp burp-proxy burp-repeater burp-repeater-websocket websocket-sqli username-anarchy crackmapexec pyinstaller-spec pyinstxtractor pycdc htb-forgot htb-absolute

Derailed starts with a Ruby on Rails web notes application. I'm able to create notes, and to flag notes for review by an admin. The general user input is relatively locked down as far as cross site scripting, but I'll find a buffer overflow in the webassembly that puts the username on the page and use that to get an XSS payload overwriting the unfiltered date string. From there, I'll use the administrator's browser session to read an admin page with a file read vulnerability where I can get the page source, and abuse an open injection in Ruby (just like in Perl) to get execution. I'll pivot users using creds from the database. To get root, I'll exploit openmediavault's RPC, showing three different ways - adding an SSH key for root, creating a cron, and installing a Debian package. In Beyond Root, I'll debug the webassembly in Chromium dev tools.

ctf hackthebox htb-derailed nmap ruby rails debian ffuf idor xss wasm webassembly javascript bof wasm-bof pattern-create command-injection cors chatgpt python file-read open-injection open-injection-ruby openmediavault sqlite git hashcat chisel deb deb-package youtube

Cerberus is unique in that it's one of the few boxes on HTB (or any CTF) that has Windows hosting a Linux VM. To start, I can only access an IcingaWeb2 instance running in the VM. I'll exploit two CVEs in Icinga, first with file read to get credentials, and then a file write to write a fake module and get execution. Inside the VM, I'll exploit Firejail to get root. I'll also get creds for a user on the host from SSSD, and then tunnel through the VM to get WinRM access to the host. To get SYSTEM on the host, I'll exploit a SAML vulnerability in ManageEngine's ADSelfService Plus.

ctf htb-cerberus hackthebox nmap ttl wireshark dig ffuf icinga github cve-2022-24716 cve-2022-24715 file-read file-write icinga-module firejail cve-2022-31214 sssd hashcat chisel evil-winrm manageengine adselfservice cve-2022-47966 metasploit saml saml-decoder

Agile is a box hosting a password manager solution. There's a file read vulnerability in the application, and the Flask server is running in debug mode. I'll use those to get execution on the box, which turns out to be a bit trickier than expected. From there, I'll dump a user's password out of the database and get an SSH shell. There's a testing version of the app running as well, and I'll abuse Chrome debug to get credentials from the testing Chrome instance to pivot to the next user. This user can use sudoedit to modify files related to the test server. I'll abuse CVE-2023-22809 to write into the virtual environment that root is sourcing to get root. In Beyond Root, I'll show two unintended vulnerabilities in the web application that got patched about a week after release.

ctf hackthebox htb-agile nmap ubuntu flask python feroxbuster file-read werkzeug werkzeug-debug flask-debug-pin youtube python-venv pytest selenium chrome chrome-debug sudoedit cve-2023-22809 idor flask-cookie

Busqueda presents a website that gives links to various sites based on user input. Under the hood, it is using the Python Searchor command line tool, and I'll find an unsafe eval vulnerability and exploit that to get code execution. On the host, the user can run sudo to run a Python script, but I can't see the script. I'll find a virtualhost with Gitea, and use that along with different creds to eventually find the source for the script, and identify how to run it to get arbitrary execution as root.

hackthebox htb-busqueda ctf nmap flask ubuntu searchor feroxbuster python-eval command-injection burp burp-repeater password-reuse gitea