CyberMonday is a crazy difficult box, most of it front-loaded before the user flag. I’ll start with a website, and abuse an off-by-slash nginx misconfiguration to read a. I’ll find a mass assignment vulnerability in the site allowing me to get admin access, which provides a new subdomain for a webhooks API. I’ll enumerate that API to find it uses JWTs and asymmetric crypto. I’ll abuse that to forge a token and get admin access to the API, where I can create webhooks. One of the webhooks allows me to get the server to issue web requests, like an SSRF. I’ll abuse that, with a CRLF injection, to interact with the Redis database that’s caching the Laravel session data. I’ll abuse that to get code execution in the web container. From there, I’ll find a Docker Registry container, and pull the API container image. Source code review shows additional API endpoints with an additional header required. I’ll abuse those to get file read on the API container, and leak the password of a user that works for SSH. To get to root, I’ll abuse a script designed to allow a user to run docker compose in a safe way. I’ll show a couple ways to do this, most of which center around giving the container privileges.

htb-cybermonday ctf hackthebox nmap debian php laravel feroxbuster off-by-slash nginx ffuf gitdumper source-code mass-assignment burp burp-repeater api jwt jwks python-jwt jwt-tool jwt-algorithm-confusion jwt-asymmetric ssrf ssrf-redis redis crlf-injection laravel-deserialization deserialization redis-migrate redis-blind laravel-decrypt phpggc docker container escape pivot chisel docker-registry snyk directory-traversal file-read docker-compose docker-capabilities docker-apparmor docker-shocker shocker youtube htb-pikaboo htb-seal htb-monitors htb-talkative

Knock Knock is a Sherlock from HackTheBox that provides a PCAP for a ransomware incident. I’ll find where the attacker uses a password spray to compromise a publicly facing FTP server. In there, the attacker finds a configuration file for a port-knocking setup, and uses that to get access to an internal FTP server. On that server, they find lots of documents, including a reference to secrets on the company GitHub page. In that repo, the attacker found SSH creds, and used an SSH session to download GonnaCry ransomware using wget.

ctf dfir forensics sherlock-knock-knock hackthebox pcap zeek pcap-nmap pcap-password-spray port-knocking knockd pcap-port-knocking ansible gonnacry