Craft — HackTheBox

About this box:

Recon:

https://api.craft.htb/api/
https://gogs.craft.htb/
sudo vim /etc/hosts

Let’s dive into code

craft_api/api/brew/endpoints/brew.py

Get reverse shell

https://gist.github.com/ls4cfk/ab6c1115f3f3da247b65041e93771486#file-exploit-py
nc -nvlp 9999
sql = "SELECT * FROM `user`"
result = cursor.fetchone() 
=>
result = cursor.fetchall()
ssh -i id_rsa gilfoyle@10.10.10.110

Privilege escalation

vault write ssh/creds/root_otp ip=10.10.10.110

References

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store