Mentor focuses on abusing a FastAPI API and SNMP enumeration.

Tags: htb-mentor hackthebox ctf nmap youtube snmp fastapi flask feroxbuster snmp-brute onesixtyone snmpwalk snmpbulkwalk command-injection postgresql chisel psql crackstation password-reuse

Extension has multiple really creative attack vectors with some unique features. I'll start by leaking usernames and hashes, getting access to the site and to the email box for a few users. I'll enumerate the password reset functionality, and notice that only the last few characters of the token sent each time are changing. I'm not able to brute force a single token, but I can submit hundreds of resets to set the odds such that I can guess a valid one in only a few guesses. Abusing an IDOR vulnerability I'll identify the user that I need to get access as next. With this access, I get creds for a Gitea instance, where I'll find a custom Firefox extension. I'll abuse that extension, bypassing the cross site scripting filters to hit the Gitea API and pull down a backup file from another user. That backup gives SSH access to the host, and some password reuse pivots to the next user. With this access, I'll identify a hash extension vulnerability in the web application, and abuse that to access a command injection and get RCE in the website container. The Docker socket inside the container is writable, allowing for a simple container breakout.

Tags: hackthebox htb-extension ctf nmap subdomain password-reset laravel feroxbuster roundcube gitea burp burp-repeater laravel-csrf wfuzz api hashcat idor firefox-extension xss filter firefox-dev-tools gitea-api password-reuse hash-extension hash-extender command-injection deepce docker docker-escape docker-sock