Tag: SSH-Port-Forwarding | Yw4rf

2024-11-27

Alert - XSS to LFI, Hash Cracking, and Group Write Privilege Escalation

Technical writeup detailing the compromise of the Alert Linux machine. Initial access is gained by chaining a Stored XSS vulnerability in the Markdown viewer to a Local File Inclusion (LFI) vulnerability in an internal /messages endpoint. LFI is used to exfiltrate an Apache MD5 hash from the .htpasswd file, which is then cracked via Hashcat to obtain SSH credentials for the 'albert' user. Privilege escalation is achieved by identifying a high-privileged PHP process running as root in a directory with group write permissions (management), which the 'albert' user belongs to. The configuration.php file is modified to set the SUID bit on /bin/bash, granting a root shell.

HackTheBox XSS LFI Local-File-Inclusion Cross-Site-Scripting Hashcat Apache-MD5-Crack SSH-Port-Forwarding PHP-Privilege-Escalation SUID-Exploitation Linux-Exploitation
2024-10-21

Chemistry - Pymatgen RCE (CVE-2024-23346), SSH Port Forwarding, and aiohttp LFI (CVE-2024-23334)

Technical writeup detailing the compromise of the Chemistry machine. Initial access (RCE) is gained by exploiting CVE-2024-23346, an arbitrary code execution vulnerability in the pymatgen library via a malicious .CIF file upload, leading to a low-privileged shell. Privilege escalation is achieved by locating hidden credentials in a SQLite database, gaining SSH access, and then using SSH Port Forwarding to access an internal web service. The final step involves exploiting CVE-2024-23334, a critical path traversal vulnerability in aiohttp/3.9.1, to perform Local File Inclusion (LFI) and read the /etc/shadow file for root access.

HackTheBox RCE CVE-2024-23346 Pymatgen CIF-File-Exploit Reverse-Shell SSH-Port-Forwarding LFI CVE-2024-23334 aiohttp Local-File-Inclusion Linux-Exploitation