carlospolop
🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

This post documents an end-to-end compromise chain across a Debian web/mail host and a Windows AD network. It starts with an HTML email delivery path in a public contact form, escalates via a no-click stored XSS in Roundcube (CVE-2024-42009), pivots to a dev dashboard where a stacked-queries SQLi yields PostgreSQL superuser, and finishes with two independent PostgreSQL→OS RCE paths. The write-up includes full HTTP requests, JavaScript payloads, Python/Flask exfil code, SQL payloads, and shell...

🔧 Technical Details

Stored XSS in Roundcube (CVE-2024-42009) via post-sanitization regex corruption: After washtml, Roundcube removes bgcolor using /\s?bgcolor=["\']*[a-z0-9#]+["\']*/i. Place bgcolor inside another attribute so removal reintroduces executable attributes (e.g., onanimationstart). Example payload executes JS on email view, enabling in-origin actions and data theft even with HttpOnly cookies.
Reliable HTML payload delivery via contact form: If a site allows client-controlled recipient and content=html in a mail-sending endpoint, you can deliver stored-XSS emails to internal users without interaction beyond viewing, making it ideal for Roundcube XSS delivery.
Mailbox exfiltration from the victim’s origin: From injected JS, iterate message UIDs and request ?_task=mail&_action=show&_uid=...&_mbox=INBOX&_extwin=1 with mode:'no-cors'...

🤖 Agent Actions

I explored the repository, reviewed existing PostgreSQL content, and identified the best place to incorporate new, practical SQLi-to-RCE techniques. I read and analyzed the following relevant files to ensure consistency and avoid duplication:

  • src/network-services-pentesting/pentesting-postgresql.md
  • src/pentesting-web/sql-injection/postgresql-injection/README.md
  • src/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md
  • src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.md
  • src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md
  • src/pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md

Decision and changes made:

  • The main page for host compromise from PostgreSQL is src/network-services-pentesting/pentesting-postgresql.md and it already covers both COPY PROGRAM and configuration-based RCE paths (including archive_command). However, it lacked:
    • A practical WAF/keyword filter bypass for COPY PROGRAM using CHR() with a DO block to EXECUTE a dynamically built COPY statement.
    • A SQLi-friendly, step-by-step method using Large Objects (lo_import/lo_get/lo_from_bytea/lo_export) to read and overwrite postgresql.conf for archive_command RCE (especially helpful when COPY cannot handle multi-line config writes).
  • I updated that page to include both techniques and added a References section at the end with the blog link and supporting resources.

Repository updates:

  • Modified: src/network-services-pentesting/pentesting-postgresql.md
    • Added section “Bypass keyword filters/WAF to reach COPY PROGRAM” with a DO $$ ... $$ EXECUTE CHR(67)||'OPY' example, enabling reverse shell via COPY PROGRAM even with “COPY” filtered by a WAF.
    • Enhanced “RCE with archive_command” by adding “Editing postgresql.conf via Large Objects (SQLi-friendly)” with a complete workflow: lo_import current conf, lo_get to read, lo_from_bytea and lo_export to overwrite with a base64-encoded multi-line config including archive_mode, archive_command, and archive_timeout, and pg_reload_conf (with optional pg_switch_wal).
    • Appended “## References” section before the banner include:
      • 0xdf’s DarkCorp write-up
      • PayloadsAllTheThings: PostgreSQL Injection - COPY PROGRAM
      • The Gray Area: Postgres SQL injection to RCE with archive_command

No other pages were modified to avoid duplicated content and to keep references consolidated in the most relevant page.

If you want me to also add a concise WAF-bypass example under the PostgreSQL SQLi “WAF bypass” page, I can, but the critical, actionable details are now present in the primary Postgres pentesting page.
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
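A defender-side counterpart to the two PostgreSQL techniques the PR description adds, written for this edit and not part of the PR or of the HackTricks page: it folds CHR()-built string concatenation back into plain literals before keyword matching, so a COPY ... PROGRAM hidden behind CHR(67)||'OPY' inside a DO/EXECUTE block is still flagged, and it also flags lo_import/lo_export calls touching postgresql.conf, archive_command changes and pg_reload_conf calls. The log lines are constructed in the shape of log_statement=all output; the rule names and the config path are assumptions.

```python
import re

# Constructed sample lines in the shape of PostgreSQL log_statement=all output
# (not taken from the write-up); lines 2-5 mimic the techniques the PR adds.
SAMPLE_LOG = """\
2025-10-18 10:00:01 UTC [1234] app@app LOG:  statement: SELECT id, name FROM users WHERE id = 42
2025-10-18 10:00:05 UTC [1234] app@app LOG:  statement: SELECT 1; DO $$ BEGIN EXECUTE CHR(67)||'OPY t FROM PROGRAM ''id'''; END $$;
2025-10-18 10:00:09 UTC [1234] app@app LOG:  statement: SELECT lo_import('/etc/postgresql/15/main/postgresql.conf', 9999)
2025-10-18 10:00:12 UTC [1234] app@app LOG:  statement: SELECT lo_export(9998, '/etc/postgresql/15/main/postgresql.conf')
2025-10-18 10:00:13 UTC [1234] app@app LOG:  statement: SELECT pg_reload_conf()
"""

# Detection rules, applied to the *normalized* statement text (rule names are assumed).
RULES = {
    "copy_program": re.compile(r"\bCOPY\b.*\bPROGRAM\b", re.I | re.S),
    "lo_export_to_conf": re.compile(r"\blo_export\s*\(.*\.conf'", re.I),
    "lo_import_conf": re.compile(r"\blo_import\s*\(\s*'[^']*\.conf'", re.I),
    "archive_command": re.compile(r"\barchive_command\b", re.I),
    "config_reload": re.compile(r"\bpg_reload_conf\s*\(", re.I),
}


def normalize(sql: str) -> str:
    """Undo CHR()-based keyword splitting so plain keyword rules still match.

    CHR(67)||'OPY' -> 'C'||'OPY' -> 'COPY'
    """
    # Replace every CHR(n) call with the single-character literal it produces.
    sql = re.sub(r"\bCHR\s*\(\s*(\d+)\s*\)",
                 lambda m: "'" + chr(int(m.group(1))) + "'", sql, flags=re.I)
    # Merge adjacent string literals joined with || into one literal.
    return re.sub(r"'\s*\|\|\s*'", "", sql)


def analyze_log(log: str) -> list[dict]:
    """Return one finding per log line whose statement matches at least one rule."""
    findings = []
    for lineno, line in enumerate(log.splitlines(), 1):
        m = re.search(r"statement:\s*(.*)$", line)
        if not m:
            continue  # not a statement log line (e.g. connection or error messages)
        stmt = normalize(m.group(1))
        hits = [name for name, rx in RULES.items() if rx.search(stmt)]
        if hits:
            findings.append({"line": lineno, "rules": hits, "normalized": stmt})
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"line {f['line']}: {', '.join(f['rules'])}")
```

On a real host the same normalization step belongs in front of any keyword-based WAF or query filter; without it, the filter only sees `CHR(67)||'OPY'` and never the keyword it is supposed to block.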

@carlospolop

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2025/10/18/htb-darkcorp.html

Content Categories: Based on the analysis, this content was categorized under "Pentesting Databases -> PostgreSQL -> From SQLi to RCE (COPY PROGRAM and WAL archive_command techniques)".

Repository Maintenance:

  • MD Files Formatting: 901 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
