ctf htb-zipping hackthebox nmap ubuntu php feroxbuster zip file-read symlink youtube python python-zipfile filter php-regex sqli sqli-union sqli-file lfi shared-object null-byte 7z phar

Zipping has a website with a function to upload resumes as PDF documents in a Zip archive. I’ll abuse this by putting symlinks into the zip and reading back files from the host file system. I’ll get the source for the site and find a filter bypass that allows SQL injection in another part of the site.

ctf htb-bookworm hackthebox nmap ubuntu nodejs express xss idor javascript python feroxbuster csp content-security-policy insecure-upload flask directory-traversal file-read netexec calibre-ebook-convert symlink sqli postscript postscript-injection arbitrary-write ps2pdf express-query-strings

Bookworm starts with a gnarly exploit chain combining cross-site scripting, insecure upload, and insecure direct object reference vulnerabilities to identify an HTTP endpoint that allows for file download. In this endpoint, I’ll find that if multiple files are requested, one can use a directory traversal to return arbitrary files in the returned Zip archive. I’ll use that to leak database creds that also work for SSH on the box. The next user is running a dev webserver that manages ebook format conversion. I’ll abuse this with symlinks to get arbitrary write, and write an SSH public key and get access. For root, I’ll abuse a SQL injection in a label creating script to do PostScript injection to read and write files as root. In Beyond Root, I’ll look at the Express webserver from the foothold and how it was vulnerable and where it wasn’t.

htb-clicker hackthebox ctf nmap ubuntu ffuf php feroxbuster nfs source-code mass-assignment newline-injection sqli burp burp-proxy burp-repeater webshell directory-traversal reverse-engineering ghidra perl-debug ld-preload http-proxy environment-variables sudo-setenv xxe

Clicker has a website that presents a game that is a silly version of Universal Paperclips. I’ll find a mass assignment vulnerability that allows me to change my role to admin after bypassing a filter two different ways (newline injection and SQLI). Then I’ll exploit a file write vulnerability to get a webshell and execution on the box. To escalate, I’ll find a SetUID binary for the next user and abuse it to read their SSH key. To get root, I’ll exploit a script the user can run with sudo, showing three different ways (playing with Perl environment variables, setting myself as the proxy and adding an XXE attack, and abusing LD_PRELOAD).