jnrmoving.blogg.se

Qr code scanner in android studio example github




Encoding centered around a web application where I’ll first identify a file read vulnerability, and leverage that to exfil a git repo from a site that I can’t directly access. With that repo, I’ll identify a new web URL that has a local file include vulnerability, and leverage a server-side request forgery to hit that and get execution using php filter injection. To get to the next user I’ll install a malicious git hook. That user is able to create and start services, which I’ll abuse to get root. In Beyond root, I’ll look at an SSRF that worked for IppSec but not me, and show how we troubleshot it to find some unexpected behavior from the PHP parse_url function.

Hackthebox htb-encoding ctf nmap php file-read lfi feroxbuster wfuzz subdomain ssrf filter php-filter-injection youtube source-code git git-manual gitdumper python flask proxy uri-structure burp burp-repeater git-hooks systemd service chatgpt parse_url

Investigation starts with a website that accepts user uploaded images and runs Exiftool on them. I’ll dig into that vulnerability, and then exploit it to get a foothold. Then I find a set of Windows event logs, and analyze them to extract a password. Finally, I find a piece of malware that runs as root and understand it to get execution.

Ctf hackthebox htb-investigation nmap php exiftool feroxbuster cve-2022-23935 command-injection youtube perl event-logs msgconvert mutt mbox evtx-dump jq ghidra reverse-engineering race-condition

MetaTwo starts with a simple WordPress blog using the BookingPress plugin to manage booking events. I’ll find an unauthenticated SQL injection in that plugin and use it to get access to the WP admin panel as an account that can manage media uploads. I’ll exploit an XML external entity (XXE) injection to read files from the host, reading the WP configuration, and getting the creds for the FTP server. On the FTP server I’ll find a script that is sending emails, and use the creds from that to get a shell on the host. The user has a Passpie instance that stores the root password. I’ll crack the PGP key protecting the password and get a shell as root.

Htb-metatwo ctf hackthebox nmap wfuzz php wordpress bookingpress cve-2022-0739 sqli sqlmap john xxe cve-2021-29447 credentials passpie pgp gpg





