Stocker starts out with a NoSQL injection allowing me to bypass login on the dev website. From there, I’ll exploit purchase order generation via a server-side cross site scripting in the PDF generation that allows me to read files from the host. I’ll get the application source and use a password it contains to get a shell on the box.

Hackthebox ctf htb-stocker nmap ubuntu ffuf subdomain feroxbuster burp burp-repeater chatgpt express nodejs nosql nosql-auth-bypass nosql-injection xss serverside-xss pdf file-read

Pollution starts off with a website where I can find a token in a forum post that has a Burp history export attached. With that token, I can escalate my account to admin, and get access to an endpoint vulnerable to XML external entity (XXE) injection. With that, I’ll read files, including the source code for the site, to get access to redis, where I’ll modify my state to get access to the developers’ site. That site has a PHP local file include (LFI) that I can exploit with filter injection to get code execution. This filter injection technique has become popular, but was relatively unknown at the time of Pollution’s release. I’ll pivot to the next user by exploiting PHP’s FastCGI Process Manager (PHP-FPM), where I’ll get access to the source code for a NodeJS / Express API in development. That API has a prototype pollution vulnerability, which I can exploit to get execution and a shell as root. In beyond root, I take a quick look at the max length of a URL encountered during the XXE exploit.

Htb-pollution ctf hackthebox debian nmap redis redis-cli feroxbuster ffuf subdomain mybb burp burp-history-export xxe htpasswd hashcat source-code php lfi php-filter-injection php-fpm fastcgi express nodejs snyk prototype-pollution