OnlyForYou writeup by evyatar9

Read my writeup to OnlyForYou on:


User: Found vhost beta.only4you.htb. Downloaded the source code and discovered an LFI vulnerability on the /download API. Utilizing this vulnerability, we were able to read the file of only4you.htb and subsequently identified an RCE vulnerability within the email send logic. By exploiting this RCE vulnerability, we successfully gained a reverse shell as the www-data user. Furthermore, we came across local ports 8001 and 3000 (Gogs). We managed to log in to the web portal on port 8001 and extract the password hash for the user john using a neo4j query injection.

Root: After running sudo -l, we discovered that we have the ability to execute pip download as the root user. Leveraging this privilege, we created a malicious Python package with a reverse shell embedded in the file. Next, we uploaded this package to Gogs and proceeded to install the malicious Python package as root. As a result, we successfully obtained a reverse shell as root.