


htb-late ctf hackthebox nmap ocr flask kolourpaint tesseract burp-repeater ssti jinja2 payloadsallthethings linpeas pspy bash chattr lsattr extended-attributes youtube

The first is to find an online image OCR website that is vulnerable to server-side template injection (SSTI) via the OCRed text in the image. This is relatively simple to find, but getting the fonts correct to exploit the vulnerability is a bit tricky. Still, some trial and error pays off, and results in a shell. From there, I’ll identify a script that’s running whenever someone logs in over SSH. The current user has append access to the file, and therefore I can add a malicious line to the script and connect over SSH to get execution as root. In Beyond Root, a YouTube video showing basic analysis of the webserver, from NGINX to Gunicorn to Python Flask.

ctf hackthebox htb-catch nmap apk android feroxbuster gitea swagger lets-chat cachet jadx mobsf api cve-2021-39172 burp burp-repeater wireshark redis php-deserialization deserialization phpggc laravel cve-2021-39174 cve-2021-39165 sqli ssti sqlmap docker bash command-injection apktool htb-routerspace flare-on-flarebear

Catch requires finding an API token in an Android application, and using that to leak credentials from a chat server. Those credentials provide access to multiple CVEs in a Cachet instance, providing several different paths to a shell. The intended and most interesting path is to inject into a configuration file, setting my host as the redis server, and storing a malicious serialized PHP object in that server to get execution.
