Agile is a box hosting a password manager solution. There’s a file read vulnerability in the application, and the Flask server is running in debug mode. I’ll use those to get execution on the box, which turns out to be a bit trickier than expected. From there, I’ll dump a user’s password out of the database and get an SSH shell. There’s a testing version of the app running as well, and I’ll abuse Chrome debug to get credentials from the testing Chrome instance to pivot to the next user. This user can use sudoedit to modify files related to the test server. I’ll abuse CVE-2023-22809 to write into the virtual environment that root is sourcing to get root.
ctf hackthebox htb-agile nmap ubuntu flask python feroxbuster file-read werkzeug werkzeug-debug flask-debug-pin youtube python-venv pytest selenium chrome chrome-debug sudoedit cve-2023-22809 idor flask-cookie htb-bagel htb-opensource htb-rainyday htb-noter

Busqueda presents a website that gives links to various sites based on user input. Under the hood, it is using the Python Searchor command line tool, and I’ll find an unsafe eval vulnerability and exploit that to get code execution. On the host, the user can run sudo to run a Python script, but I can’t see the script. I’ll find a virtualhost with Gitea, and use that along with different creds to eventually find the source for the script, and identify how to run it to get arbitrary execution as root.
hackthebox htb-busqueda ctf nmap flask ubuntu searchor feroxbuster python-eval command-injection burp burp-repeater password-reuse gitea htb-forgot

Mailroom has a contact us form that I can use to get cross site scripting against an admin user. I’ll use this XSS to exploit a NoSQL injection vulnerability in a private site, brute forcing the user’s password and exfiling it back to myself. From this foothold, I’ll exploit into the container running the site and find more credentials, pivoting to another user. This user is opening their KeePass database, and I’ll use strace to watch them type their password into KeePass CLI, which I can use to recover the root password. In Beyond Root, a quick dive into how the KeePass password was automated.
htb-mailroom hackthebox ctf nmap ubuntu debian feroxbuster wfuzz gitea subdomain execute-after-redirect xss nosql-injection nosql-injection-over-xss xsrf command-injection filter keepass strace trace ptrace-scope youtube htb-retired htb-fingerprint htb-previse

OnlyForYou is about exploiting Python and Neo4J. I’ll start by exploiting a Flask website file disclosure vulnerability due to a misunderstanding of the os.path.join function to get the source for another site. In that source, I’ll identify a command injection vulnerability, and figure out how to bypass the filtering with a misunderstanding of the re.match function. I’ll pivot to the next user by abusing a Cypher Injection in Neo4J, and then escalate to root by exploiting an unsafe sudo rule with pip.
hackthebox htb-onlyforyou ctf nmap ffuf subdomain flask ubuntu source-code file-read directory-traversal burp burp-repeater python-re command-injection filter chisel foxyproxy gogs neo4j cypher-injection cypher crackstation pip setup-py htb-opensource

MonitorsTwo starts with a Cacti website (just like Monitors). There’s a command injection vuln that has a bunch of POCs that don’t work as of the time of MonitorsTwo’s release. I’ll show why, and exploit it manually to get a shell in a container. I’ll pivot to the database container and crack a hash to get a foothold on the box. For root, I’ll exploit a couple of Docker CVEs that allow for creating a SetUID binary inside the container that I can then run as root on the host.
htb-monitorstwo hackthebox ctf nmap ubuntu cacti cve-2022-46169 command-injection metasploit wfuzz burp-repeater burp docker john cve-2021-41091 cve-2021-41103 htb-monitors