7/20/2023

Combat arms classic malware

Hackthebox ctf htb-awkward nmap webpack vuejs wfuzz auth-bypass jwt jwt-io burp burp-repeater hashcat ssrf express api express-api awk awk-injection file-read hashcat-jwt python-jwt youtube python-requests xpad pspy mail gtfobins pm2 command-injection

Awkward involves abusing a NodeJS API over and over again. I'll start by bypassing the auth check, and using that to find an API where I can dump user hashes. I'll find another API where I can get it to do a SSRF, and read internal documentation about the API.

Hackthebox htb-forgot ctf nmap flask burp burp-proxy varnish cache cache-abuse web-cache-deception feroxbuster ffuf host-header-injection htb-response tensorflow cve-2022-29216 command-injection

Forgot starts with a host-header injection that allows me to reset a user's password and have the link sent to them be to my webserver. From there, I'll abuse some wildcard routes and a Varnish cache to get a cached version of the admin page, which leaks SSH creds. To get to root, I'll abuse an unsafe eval in TensorFlow in a script designed to check for XSS.