Awkward involves abusing a NodeJS API over and over again. I'll start by bypassing the auth check, and using that to find an API where I can dump user hashes. I'll find another API where I can get it to do an SSRF, and read internal documentation about the API. In that documentation, I'll spot an awk injection that leads to a file disclosure vulnerability.

hackthebox ctf htb-awkward nmap webpack vuejs wfuzz auth-bypass jwt jwt-io burp burp-repeater hashcat ssrf express api express-api awk awk-injection file-read hashcat-jwt python-jwt youtube python-requests xpad pspy mail gtfobins pm2 command-injection

Forgot starts with a host-header injection that allows me to reset a user's password and have the link sent to them point to my webserver. From there, I'll abuse some wildcard routes and a Varnish cache to get a cached version of the admin page, which leaks SSH creds. To get to root, I'll abuse an unsafe eval in TensorFlow in a script designed to check for XSS.

hackthebox htb-forgot ctf nmap flask burp burp-proxy varnish cache cache-abuse web-cache-deception feroxbuster ffuf host-header-injection htb-response tensorflow cve-2022-29216 command-injection

Mentor focuses on abusing a FastAPI API and SNMP enumeration. I'll brute force a second community string that gives more access than the default "public" string. With that, I'll get access to the running process command lines, and recover a password. With that password, I can get a valid auth token to the API, and find a backup endpoint that has a command injection vulnerability, which I'll exploit to get a shell. From inside the web container, I'll find creds for the database and dump the users table. On cracking the hash for one user, I can get SSH access to the host. For root, I'll find a password in the SNMP configuration.

htb-mentor hackthebox ctf nmap youtube snmp fastapi flask feroxbuster snmp-brute onesixtyone snmpwalk snmpbulkwalk command-injection postgresql chisel psql crackstation password-reuse