HackTheBox - Dab
The root page shows the following error: Access denied: password authentication cookie not set
I created a wordlist with the words password and authentication in it.
We will use Burp Suite's Intruder tab to fuzz the cookie name.
Now let's fuzz the value for cookie using wfuzz.
Memcached is an open-source distributed memory object caching program that speeds up dynamic web applications by caching data and objects in memory. Memcached is also used to cache entire database tables and queries to improve the performance of the database.
References: https://book.hacktricks.xyz/pentesting/11211-memcache
Getting slabs
Getting items with info
Getting key names (0 is for unlimited output)
To get the users ITEM, we can use the get users command.
If we use the following command, we won't get any data. This is because no cache has been generated recently. Let's log out and log in again and then try to get the data.
Let's get this data and apply some BashFu skills to organize the data.
Bash command used: cat users.json | jq | awk -F\" '{print $2,$4}' | sed -r 's/ /:/g' > userpass.txt
/usr/bin/myexec looks suspicious; we can get that file using netcat.
Main Function:
To get the stored password, decode the hex value; the string that we get is s3cur3l0g1n.
The seclogin() function isn't created yet, so this looks like a library hijacking binary.
The seclogin function is present in the libcseclogin.so file; one can use strings or readelf on that binary to check.
Let's create a malicious library.
We can run ldconfig file as root, so let's do that.
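The defender's side of the ldconfig step, as an added example that is not part of the original writeup: it parses `ldconfig -p` output and reports every soname the linker cache maps to a file outside the system library directories, together with any trusted copy of the same soname. The sample output, the /tmp/example path and the TRUSTED directory list are assumptions made for illustration.

```python
import os
import subprocess
import sys
from collections import defaultdict

# Assumption: directories considered root-owned, trusted library locations.
TRUSTED = ("/lib", "/lib32", "/lib64", "/usr/lib", "/usr/lib32",
           "/usr/lib64", "/usr/local/lib")

# Constructed sample of `ldconfig -p` output (paths are illustrative).
SAMPLE = """\
3 libs found in cache `/etc/ld.so.cache'
\tlibz.so.1 (libc6,x86-64) => /lib/x86_64-linux-gnu/libz.so.1
\tlibcseclogin.so (libc6,x86-64) => /tmp/example/libcseclogin.so
\tlibcseclogin.so (libc6,x86-64) => /usr/lib/libcseclogin.so
"""

def is_trusted(path):
    path = os.path.normpath(path)
    return any(path.startswith(d + "/") for d in TRUSTED)

def parse_cache(text):
    """Map each soname to every path the linker cache lists for it."""
    libs = defaultdict(list)
    for line in text.splitlines():
        # Entry lines look like: "<tab>soname (flags) => /path/to/file"
        if not line.startswith("\t") or " => " not in line:
            continue
        left, path = line.strip().split(" => ", 1)
        libs[left.split(" (", 1)[0]].append(path)
    return libs

def audit(text):
    """Return (soname, untrusted_paths, trusted_paths) for suspect entries."""
    findings = []
    for soname, paths in sorted(parse_cache(text).items()):
        bad = [p for p in paths if not is_trusted(p)]
        if bad:
            good = [p for p in paths if is_trusted(p)]
            findings.append((soname, bad, good))
    return findings

if __name__ == "__main__":
    # With --live, audit this host's cache instead of the sample.
    text = SAMPLE
    if "--live" in sys.argv:
        text = subprocess.run(["ldconfig", "-p"], capture_output=True,
                              text=True, check=True).stdout
    for soname, bad, good in audit(text):
        print(f"{soname}: cached from {bad}; trusted copies: {good or 'none'}")
```

A finding that lists both an untrusted path and a trusted copy of the same soname is the pattern to investigate first, along with whichever ld.so.conf entry added the untrusted directory.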