To get root, I’ll exploit openmediavault’s RPC, showing three different ways - adding an SSH key for root, creating a cron, and installing a Debian package. I’ll pivot users using creds from the database. From there, I’ll use the administrator’s browser session to read an admin page with a file read vulnerability where I can get the page source, and abuse an open injection in Ruby (just like in Perl) to get execution. The general user input is relatively locked down as far as cross-site scripting, but I’ll find a buffer overflow in the WebAssembly that puts the username on the page and use that to get an XSS payload overwriting the unfiltered date string. I’m able to create notes, and to flag notes for review by an admin.

To get SYSTEM on the host, I’ll exploit a SAML vulnerability in ManageEngine’s ADSelfService Plus.

Ctf hackthebox htb-derailed nmap ruby rails debian ffuf idor xss wasm webassembly javascript bof wasm-bof pattern-create command-injection cors chatgpt python file-read open-injection open-injection-ruby openmediavault sqlite git hashcat chisel deb deb-package youtube

Derailed starts with a Ruby on Rails web notes application.

I’ll also get creds for a user on the host from SSSD, and then tunnel through the VM to get WinRM access to the host. Inside the VM, I’ll exploit Firejail to get root. I’ll exploit two CVEs in Icinga, first with file read to get credentials, and then a file write to write a fake module and get execution. To start, I can only access an IcingaWeb2 instance running in the VM.

Ctf htb-cerberus hackthebox nmap ttl wireshark dig ffuf icinga github cve-2022-24716 cve-2022-24715 file-read file-write icinga-module firejail cve-2022-31214 sssd hashcat chisel evil-winrm manageengine adselfservice cve-2022-47966 metasploit saml saml-decoder

Cerberus is unique in that it’s one of the few boxes on HTB (or any CTF) that has Windows hosting a Linux VM.