Extension has multiple really creative attack vectors with some unique features. I’ll start by leaking usernames and hashes, getting access to the site and to the email box for a few users. Abusing an IDOR vulnerability, I’ll identify the user that I need to get access as next. I’ll enumerate the password reset functionality, and notice that only the last few characters of the token sent each time are changing. I’m not able to brute force a single token, but I can submit hundreds of resets to set the odds such that I can guess a valid one in only a few guesses. With this access, I get creds for a Gitea instance, where I’ll find a custom Firefox extension. I’ll abuse that extension, bypassing the cross site scripting filters to hit the Gitea API and pull down a backup file from another user. That backup gives SSH access to the host, and some password reuse pivots to the next user. With this access, I’ll identify a hash extension vulnerability in the web application, and abuse that to access a command injection and get RCE in the website container. The Docker socket inside the container is writable, allowing for a simple container breakout.
Hackthebox htb-extension ctf nmap subdomain password-reset laravel feroxbuster roundcube gitea burp burp-repeater laravel-csrf wfuzz api hashcat idor firefox-extension xss filter firefox-dev-tools gitea-api password-reuse hash-extension hash-extender command-injection deepce docker docker-escape docker-sock

Mentor focuses on abusing a FastAPI API and SNMP enumeration. I’ll brute force a second community string that gives more access than the default “public” string. With that, I’ll get access to the running process command lines, and recover a password. With that password, I can get a valid auth token to the API, and find a backup endpoint that has a command injection vulnerability, which I’ll exploit to get a shell. From inside the web container, I’ll find creds for the database and dump the users table. On cracking the hash for one user, I can get SSH access to the host. For root, I’ll find a password in the SNMP configuration.
Htb-mentor hackthebox ctf nmap youtube snmp fastapi flask feroxbuster snmp-brute onesixtyone snmpwalk snmpbulkwalk command-injection postgresql chisel psql crackstation password-reuse

Forgot starts with a host-header injection that allows me to reset a user’s password and have the link sent to them be to my webserver. From there, I’ll abuse some wildcard routes and a Varnish cache to get a cached version of the admin page, which leaks SSH creds. To get to root, I’ll abuse an unsafe eval in TensorFlow in a script designed to check for XSS.
Hackthebox htb-forgot ctf nmap flask burp burp-proxy varnish cache cache-abuse web-cache-deception feroxbuster ffuf host-header-injection htb-response tensorflow cve-2022-29216 command-injection

Awkward involves abusing a NodeJS API over and over again. I’ll start by bypassing the auth check, and using that to find an API where I can dump user hashes. I’ll find another API where I can get it to do an SSRF, and read internal documentation about the API. In that documentation, I’ll spot an awk injection that leads to a file disclosure vulnerability.
Hackthebox ctf htb-awkward nmap webpack vuejs wfuzz auth-bypass jwt jwt-io burp burp-repeater hashcat ssrf express api express-api awk awk-injection file-read hashcat-jwt python-jwt youtube python-requests xpad pspy mail gtfobins pm2 command-injection