TUTORIAL HTB Toby [Discussion]
by Aadhi123456 - November 07, 2021 at 03:00 AM
#73
(November 21, 2021 at 10:27 PM)gambit1337 Wrote: Decode the hex u get from 20053, then decode the second hex "xor_key:", use the letter between prefix and suffix to xor ur command in UTF8 ...

hope that helps

I think this is the part I miss. What is this prefix and suffix? Where do I get them from? Any help would be appreciated.
Reply
#74
(November 22, 2021 at 01:49 PM)blah7 Wrote:
(November 21, 2021 at 10:27 PM)gambit1337 Wrote: Decode the hex u get from 20053, then decode the second hex "xor_key:", use the letter between prefix and suffix to xor ur command in UTF8 ...

hope that helps

I think this is the part I miss. What is this prefix and suffix? Where do I get them from? Any help would be appreciated.

U get it when u decode the hex in "xor_key:<hex>"
Reply
#75
(November 21, 2021 at 02:25 AM)tec Wrote:
(November 20, 2021 at 11:58 PM)rebelon Wrote:
(November 15, 2021 at 07:09 PM)omgilovethis Wrote:
(November 15, 2021 at 07:05 AM)phperl Wrote:
(November 15, 2021 at 05:15 AM)omgilovethis Wrote: i see the mypam.so reading /etc/.bd for password.. ghidra shows it calls usleep(10000) if letter in password

but how did you get the key by trying to su? sudo takes too long because toby.htb is not in /etc/hosts.

did u try letter by letter with su - root?


a hint: what other repositories are there in git when u login on web portal ? maybe something that is being hosted on another IP.. look at the python code.. there are some mistakes that make it insecure
I made the machine connect to my VM and captured the mysql login, but can't crack the dumped hash. Any clearer hint?

that is good... now look at the password generator api... look at the seed it uses.. it is the time.. that randomness is not crypto secure either.. also in the code comments it has dates of when the password was added... try to generate all possible passwords that algorithm can make between those dates in epoch to make a wordlist to crack that mysql hash


I do not see those comments, you mean in the git history dates?

along with the vulnerable codes.

you mean this?
```
# NOT FOR PROD USE, USE FOR HEALTHCHECK ON DB
# 01/07/21 - Added dbtest method and warning message
# 06/07/21 - added ability to test remote DB
# 07/07/21 - added creds
# 10/07/21 - removed creds and placed in environment
```
Those are 24-hour dates and 4 dates.. so do we have to do 60 for minutes x 24 for hours?

I am doing something wrong: my list is exhausted, so either I have the wrong hash from tcpdump/wireshark, or I am passing the wrong flag to hashcat, or I'm doing the dictionary wrong.
can someone PM me so I can paste you my code, my hashcat -m #, and my hash to see if I have it correct?
Reply
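The hint in the post above is that a password generator seeded with the clock has a keyspace no bigger than the number of seconds in the window when it could have run. The following is an added example, not code from the Toby machine or from anyone in this thread: `weak_generate` is a hypothetical stand-in for "the password generator api" (the real algorithm is not reproduced here), the date format is assumed to be dd/mm/yy as in the code comments quoted above, and the dates are the ones from that comment block. It quantifies the risk and shows the fix (a CSPRNG with no seed to guess) rather than building a wordlist.

```python
"""Why a time-seeded password generator has a tiny effective keyspace.

Added example for this thread; not the machine's code. weak_generate is a
HYPOTHETICAL generator modelling what the hint describes (seed = epoch time).
"""
import random
import secrets
import string
from datetime import datetime, timezone

ALPHABET = string.ascii_letters + string.digits  # 62 symbols
PASSWORD_LENGTH = 16


def weak_generate(epoch_seconds: int, length: int = PASSWORD_LENGTH) -> str:
    """Hypothetical insecure generator: a Mersenne Twister seeded with the clock.
    Same second -> same password, so the seed, not the alphabet, is the secret."""
    rng = random.Random(epoch_seconds)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_generate(length: int = PASSWORD_LENGTH) -> str:
    """The fix: draw from the OS CSPRNG; there is no seed to enumerate."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _to_epoch(day: str) -> int:
    # dd/mm/yy at midnight UTC (format assumed from the quoted code comments)
    return int(datetime.strptime(day, "%d/%m/%y").replace(tzinfo=timezone.utc).timestamp())


def candidate_count(start: str, end: str) -> int:
    """Distinct outputs weak_generate can yield if it ran somewhere in [start, end]:
    one per second of seed, midnight-to-midnight inclusive."""
    return _to_epoch(end) - _to_epoch(start) + 1


def nominal_keyspace(length: int = PASSWORD_LENGTH) -> int:
    """What the password *looks* like it offers: 62^16 possibilities."""
    return len(ALPHABET) ** length


def reduction_factor(start: str, end: str) -> float:
    """How many times smaller the real search is than the nominal keyspace."""
    return nominal_keyspace() / candidate_count(start, end)


if __name__ == "__main__":
    # "added creds" on 07/07/21, "removed creds" on 10/07/21 (dates from the thread)
    window = candidate_count("07/07/21", "10/07/21")
    print(f"seconds in window: {window}")              # ~2.6e5 candidates
    print(f"nominal keyspace:  {nominal_keyspace()}")  # ~4.8e28
    print(f"reduction factor:  {reduction_factor('07/07/21', '10/07/21'):.3e}")
    print("same seed, same password:", weak_generate(1625616000) == weak_generate(1625616000))
    print("strong:", strong_generate())
```

The point for a defender: `random.Random(time)` turns a 95-bit-looking password into a few hundred thousand guesses, which is a trivial offline search once a hash leaks; `secrets` (or `os.urandom`) removes the shortcut entirely.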
#76
ok finally got into the mysql server... now trying to see if I can upload pspy
[edit]
YAY! and mysql was easier, just run pspy and you see what you need to do.
now I'm on the host as jack and got user.txt
Reply
#77
Does anyone have any tip for finding out the secret letters on the last step to root? I wrote 3-4 different bash scripts to figure out if there is any time diff when testing letters, with no luck; it seems like it works, but when I run it again the result is different, so no. :( I was able to find out the backdoor type and a couple of github repos; apparently it works with all users not just root if they keep it the same, so if it is like the ones on git you can test with another user, not just root.. but not 100% sure. tips?
Reply
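Earlier in the thread the backdoored mypam.so is described as calling usleep(10000) per matching password character, which is a textbook timing side channel. The following is an added example, not the module from the box or any poster's script: `leaky_check` is a hypothetical model of that comparison that counts "slow steps" instead of actually sleeping, so the leak is visible deterministically, and `hashed_constant_time_check` is what an authentication module should do instead.

```python
"""Timing side channel in a per-character password check, and the fix.

Added example for this thread; not the backdoored module itself. leaky_check
is a HYPOTHETICAL model: each usleep() is represented by one counted step.
"""
import hashlib
import hmac
from typing import Tuple


def leaky_check(candidate: str, secret: str) -> Tuple[bool, int]:
    """Models the vulnerable comparison: walks the candidate, takes a 'slow step'
    for every correct leading character and stops at the first mismatch.
    Returns (accepted, slow_steps). slow_steps == length of the matching prefix,
    which is exactly the information an observer of the delay recovers."""
    slow_steps = 0
    for i, ch in enumerate(candidate):
        if i < len(secret) and ch == secret[i]:
            slow_steps += 1          # the real module did usleep(10000) here
        else:
            break
    accepted = slow_steps == len(secret) == len(candidate)
    return accepted, slow_steps


def hashed_constant_time_check(candidate: str, secret: str) -> bool:
    """The fix: compare fixed-length digests with a constant-time primitive.
    hmac.compare_digest runs in time that does not depend on where the inputs
    differ; hashing first also hides the secret's length."""
    a = hashlib.sha256(candidate.encode("utf-8")).digest()
    b = hashlib.sha256(secret.encode("utf-8")).digest()
    return hmac.compare_digest(a, b)


def leaked_prefix_length(candidate: str, secret: str) -> int:
    """Ground truth for the leak: how many leading characters the candidate shares
    with the secret. Equal to leaky_check()'s slow_steps, which is the bug."""
    n = 0
    for x, y in zip(candidate, secret):
        if x != y:
            break
        n += 1
    return n


if __name__ == "__main__":
    # Constructed demo secret; nothing from the box.
    secret = "hunter2"
    for guess in ("zzzzzzz", "hzzzzzz", "hunzzzz", "hunter2"):
        ok, steps = leaky_check(guess, secret)
        print(f"{guess!r}: accepted={ok} slow_steps={steps} "
              f"(prefix actually shared: {leaked_prefix_length(guess, secret)})")
    print("constant-time:", hashed_constant_time_check("hunter2", secret),
          hashed_constant_time_check("hunter3", secret))
```

For detection, the observable on the host side is the same thing the posters were measuring: authentication attempts whose latency grows stepwise with the guess. A PAM module that compares a stored hash with `compare_digest`-style code gives every failed attempt the same cost, so that signal does not exist.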
#78
got r00t yay! had 1 piece wrong, something very silly. read the code better, get a better decompiler if you need to
Reply
#79
Fancy the root password? You can go straight into the box with the following:

sshpass -p<PASSWORD> ssh [email protected]



Cheers
dipshit
Reply
#80
(November 22, 2021 at 02:28 PM)gambit1337 Wrote:
(November 22, 2021 at 01:49 PM)blah7 Wrote:
(November 21, 2021 at 10:27 PM)gambit1337 Wrote: Decode the hex u get from 20053, then decode the second hex "xor_key:", use the letter between prefix and suffix to xor ur command in UTF8 ...

hope that helps

I think this is the part I miss. What is this prefix and suffix? Where do I get them from? Any help would be appreciated.

U get it when u decode the hex in "xor_key:<hex>"

how to decode the hex in "xor_key:<hex>", be specific, pls
Reply
#81
(December 01, 2021 at 06:08 AM)v411d Wrote:
(November 22, 2021 at 02:28 PM)gambit1337 Wrote:
(November 22, 2021 at 01:49 PM)blah7 Wrote:
(November 21, 2021 at 10:27 PM)gambit1337 Wrote: Decode the hex u get from 20053, then decode the second hex "xor_key:", use the letter between prefix and suffix to xor ur command in UTF8 ...

hope that helps

I think this is the part I miss. What is this prefix and suffix? Where do I get them from? Any help would be appreciated.

U get it when u decode the hex in "xor_key:<hex>"

how to decode the hex in "xor_key:<hex>", be specific, pls

Unhex the hex in front of "xor_key:"
Reply
#82
machine pwned :)
full detailed writeup available.
if u want DM me.
Reply
#83
(November 21, 2021 at 10:27 PM)gambit1337 Wrote:
(November 21, 2021 at 05:37 PM)blah7 Wrote:
(November 21, 2021 at 09:38 AM)tec Wrote:
(November 21, 2021 at 09:06 AM)blah7 Wrote: anyone could help with how to encode the xored command on 2***3 port? How should we send it? Base64, hex encoded? Nothing seems to be accepted by the backdoor...

always try the simplest first.
I tried ascii hex, base64, raw bytes using a python server. I even tried using the unhexed key (python's key.decode("hex")). Nothing worked. What else can be done?
Decode the hex u get from 20053, then decode the second hex "xor_key:", use the letter between prefix and suffix to xor ur command in UTF8 ...
hope that helps

please can you help me with the hash of eval function // ba4fb13188ee48077524f9ac23c230250c5661aec9776389e8befbce277c72de - ignore

(December 01, 2021 at 05:34 PM)donteverthink Wrote: machine pwned :)
full detailed writeup available.
if u want DM me.

can you help me with the hash of eval function // ba4fb13188ee48077524f9ac23c230250c5661aec9776389e8befbce277c72de - ignore how to exploit this hash
Reply
#84
(December 02, 2021 at 01:09 PM)0xmhvx Wrote:
(November 21, 2021 at 10:27 PM)gambit1337 Wrote:
(November 21, 2021 at 05:37 PM)blah7 Wrote:
(November 21, 2021 at 09:38 AM)tec Wrote:
(November 21, 2021 at 09:06 AM)blah7 Wrote: anyone could help with how to encode the xored command on 2***3 port? How should we send it? Base64, hex encoded? Nothing seems to be accepted by the backdoor...

always try the simplest first.
I tried ascii hex, base64, raw bytes using a python server. I even tried using the unhexed key (python's key.decode("hex")). Nothing worked. What else can be done?
Decode the hex u get from 20053, then decode the second hex "xor_key:", use the letter between prefix and suffix to xor ur command in UTF8 ...
hope that helps

please can you help me with the hash of eval function // ba4fb13188ee48077524f9ac23c230250c5661aec9776389e8befbce277c72de - ignore

(December 01, 2021 at 05:34 PM)donteverthink Wrote: machine pwned :)
full detailed writeup available.
if u want DM me.

can you help me with the hash of eval function // ba4fb13188ee48077524f9ac23c230250c5661aec9776389e8befbce277c72de - ignore how to exploit this hash

This is not a hash
Reply