dont-use-client-side

The website prompts us with a “Secure Logon” that has to be verified with valid credentials in order to proceed. If we take a look at the source code, we can see how the verify function works.
function verify() {
  checkpass = document.getElementById("pass").value;
  split = 4;
  if (checkpass.substring(0, split) == 'pico') {
    if (checkpass.substring(split*6, split*7) == '723c') {
      if (checkpass.substring(split, split*2) == 'CTF{') {
        if (checkpass....
OS: Linux
Difficulty: Easy
Points: 10

The nmap scan shows open SSH and HTTP ports. On the corresponding website we can find a helpdesk application and a Mattermost instance. To actually access the helpdesk.delivery.htb server, the IP and server name have to be added to /etc/hosts on the local machine. Mattermost can be accessed over the URL http://:8065. Go to the support center and “Open a new Ticket”; upon submission you get an e-mail address associated with your ticket 7493836@delivery....
OS: Linux
Difficulty: Medium
Points: 30
Release: 12 Dec 2020

Initial Access

Nmap shows an open SSH port and an open onscreen port.
The onscreen port (5080) serves a website hosting GitLab.
A short Google search reveals a fitting CVE, https://www.exploit-db.com/exploits/49257. Download the code, register a user, gather the necessary data and run the script to get a shell as the git user.
To get a prettier shell, run...