![]() To get root, I’ll exploit openmediavault’s RPC, showing three different ways - adding an SSH key for root, creating a cron, and installing a Debian package. I’ll pivot uses using creds from the database. From there, I’ll use the administrator’s browser session to read an admin page with a file read vulnerability where I can get the page source, and abuse an open injection in Ruby (just like in Perl) to get execution. The general user input is relatively locked down as far as cross site scripting, but I’ll find a buffer overflow in the webassembly that puts the username on the page and use that to get a XSS payload overwriting the unfiltered date string. I’m able to create notes, and to flag notes for review by an admin. ![]() ![]() Ctf hackthebox htb-derailed nmap ruby rails debian ffuf idor xss wasm webassembly javascript bof wasm-bof pattern-create command-injection cors chatgpt python file-read open-injection open-injection-ruby openmediavault sqlite git hashcat chisel deb deb-package youtubeĭerailed starts with a Ruby on Rails web notes application.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |