Just Bold the command where it returns the error. for me _builtins_ (in get_flashed payload) always returned error. so i made it bold: {{ get_flashed_messages.globals. *builtins.open("/etc/passwd").read() }}*
You make it look so easy. I spent time looking for exploits for tesseract and the Python tesseract package but didn't find any that worked. I feel stupid now.
@@rajkaransinghgill2082 In Hackthebox, there's two categories of machines, active and retired. An active machine is a machine that's relatively new, this means there's no writeups or reviews available for you to see. A retired machine is usually a couple months old, and has writeups and reviews available. So the only difference is really release date.
Honestly I had no idea what to do with this box...how ippsec straight away decided to try SSTI??? Well he is very much experienced but this kind of box won't make sense to beginners like me.. 😂
For the image part. After more than 20 attempts I realised that it worked much more easily if I took the screenshot directly from the webpage example rather than my own text editor
If you have vip go for silo or mischief. These newer boxes with AI. It seems like everyone eventually knew attack method but the payload delivery was annoying. I saw the name of it and skipped it. I would have been trying to get a php Webshell on this thing forever tbh lmfao “python, php, Ruby, awk, php2-9, nmap? Nope. Baby’s screaming there’s a Saturday with nothing learned yayyy!!” Then we explain to the fam how much we appreciate them being understanding while you’re not working, not studying, no researching, or playing video games, but you’re angry and unsettled over a puzz… 3AM…wait a minute… SSTI?! Gonna sneak to the computer even though I told myself I’d never do that agai…YES! SSTI! Thanks Ippsec for the videos on ssti or I never would have thought of that. Wtf does this box have to do with time? Other than the quick overwrite at the end. It’s not a cron, pspy wasn’t needed, no “active users”, image to text converter -> shell -> ssh checker? I tip my hat to everyone who did this one. Great concept but still waiting on AI to get better before I start doing boxes with it. Just always seems aggravating. Voice, Books, Images, etc. I want to say Book was the other SSTI but was harder right?
Ippsec is an incredibly good hacker but he almost always has solved these boxes ahead of time. When you see him coasting through a box with zero downtime you aren't really seeing the true picture. In real life you don't always know what the next step is going to be. This is very important to realize since seeing someone else do these boxes so easily will lead to imposter syndrome. Ippsec is still going to get sucked into rabbit holes or whatever.
Took me about a hundred more uploads. I ran linpeas and was looking into exploiting the env path couldn’t figure it out. Totes missed the append tried all kinds of stuff missed out on root:/
Basically whenever a user logs in via SSH it is configured to run "/usr/local/sbin/ssh-alert.sh" with root privileges. The sh script itself is just a standard script to alert the admin via email that an SSH login had occurred. The issue is however that our low-priv user has write privileges to this file. However, due to the attributes we can only append to the end of the file - we can't overwrite pre-existing contents. So as a result we append our command to execute at the end of the file with "echo 'COMMAND_TO_RUN' >> /usr/local/sbin/ssh-alert.sh". In this case he used a command to curl a reverse shell payload off his python webserver and pipe it to bash so it would be executed. Next was to make the script itself run. As noted previously, the script runs whenever someone logs in via ssh, so he got the id_rsa key for the current user then logged in via SSH using that. When the login was detected the ssh-alert.sh script ran, the command appended to the file executed, and the reverse shell was downloaded and executed.
If you mean the index.html basically you put the reverse shell code that works with bash inside index.html then you get the code with curl and pipe it to bash
You look at what you have. He tried ssti because he knew it was accepting input from an untrusted source. It also said that the app was made with flask, which supports this.
2. After you gain shell you do the same thing. What groups are you apart of? Can you read any ssh keys? What users and what groups are on the box? Did Nmap or 'ss' show you anything you haven't dealt with yet like mysql? Go check things like /var/ , /opt/ , try sudo -l, etc. If you have like mongodb ot mysql it's more likely that thays going to be apart of the next step. If not that, any custom bash scripts, cron jobs, etc. If there's nothing it's going to be permissions misconfigured somewhere
3. Think of it like tchekov's gun. These boxes are made to teach you something. If you see something there is almost certainly a reason why it is there. A box designer isn't going to make a bash script that deletes XYZ or an ABC that does whatever for no reason. Use what you have available and what is in front of you. Even something like the box name or an innocent mention like "made with flask" is done on purpose. Lastly, just practice. A lot of this is just putting in the time to get the experience.
@@somerandomwithacat750 i find expecting ssti here a big step. Normally you’d be piping data to some ocr program, then sending the response buffer out as a file. There is not reason to do any templating in that flow.
I did the same exploit for the foothold, but I got the id_rsa and accessed the machine as svc_acc via ssh, for the privesc was basically the same thing, I append a revshell to the file and ggwp
