Balaji Anbalagan
Feb 12, 2022

100 Days of Hacking — Day 8

Objectives of day 8:

  1. Learn about CSP bypassing vulnerability
  2. Finish a tryhackme room

Reports of day 8:

Okay, first of all, I found this gold mine:

https://oscpnotes.infosecsanyam.in/My_OSCP_Preparation_Notes.html

It’s very detailed, with some lab experiences. Do give it a read if you are seriously preparing for OSCP.

The tryhackme room I tried was https://tryhackme.com/room/cowboyhacker

I didn’t get the anime reference :( sed noises anyways standard enumerations and

Nice story line

It was easy to get the user.txt. Now to the privilege escalation part: as we can see, our user can run the /bin/tar command, so I searched for payloads that leverage this.

This payload is brilliant (obviously), ahem. As far as I know, the -c creates an archive file in /dev/null named /dev/null; whenever --checkpoint=1 is reached, --checkpoint-action will look for any possible action to execute, which in this case is access to the bash binary /bin/sh.

Read this for a better understanding :

https://blog.gregscharf.com/2021/03/22/tar-in-cronjob-to-privilege-escalation/

and kapow

Now, I learned about content security policy by playing this: http://csp1.rf.gd/bypass-1.php

It shows how whitelisting insecure CDN plugins will lead to XSS (ajax.googleapis.com is one of them).
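
A defender-side check for the allowlist weakness described above, as an added example that is not part of the original post: it parses a CSP header value and flags script sources that undermine the policy. The `RISKY_HOSTS` list and the sample policies are assumptions constructed for illustration (only ajax.googleapis.com comes from the post), and the checks for `'unsafe-inline'` and wildcard sources go beyond the one case the post mentions.

```javascript
// Added example, not the post's code. RISKY_HOSTS is an assumed, caller-extensible
// list; ajax.googleapis.com is the only entry taken from the post.
const RISKY_HOSTS = ["ajax.googleapis.com"];

// Parse "name v1 v2; name v1" into a Map of directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first one wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Host part of a source expression such as https://host/path or *.host
function sourceHost(src) {
  const m = /^(?:[a-z][a-z0-9+.-]*:\/\/)?([^\/:]+)/i.exec(src);
  return m ? m[1].toLowerCase() : "";
}

function auditScriptSources(header, riskyHosts = RISKY_HOSTS) {
  const policy = parseCsp(header);
  // script-src falls back to default-src when it is absent.
  const sources = policy.get("script-src") ?? policy.get("default-src");
  if (!sources) return ["no script-src or default-src: scripts are unrestricted"];
  // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  const findings = [];
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === "'unsafe-inline'") {
      if (!hasNonceOrHash) findings.push("'unsafe-inline' permits injected inline scripts");
    } else if (s === "*" || s === "https:" || s === "http:") {
      findings.push(`${src} permits scripts from any host`);
    } else if (!s.startsWith("'")) {
      const host = sourceHost(s);
      // Match the exact host, or a wildcard such as *.googleapis.com covering it.
      const hit = riskyHosts.find(
        (r) => host === r || (host.startsWith("*.") && r.endsWith(host.slice(1))));
      if (hit) findings.push(`${src} allowlists ${hit}, a shared CDN host`);
    }
  }
  return findings;
}
```

An empty result only means none of these specific patterns matched; it is not proof the policy is strong.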

sbin/shutdown(day8)
