WhiteRabbit is a pentesting company. I’ll exploit their Uptime Kuma instance to find the domain for their WikiJS wiki. On that I’ll find documentation for a n8n pipeline, and find an SQL injection vulnerability in how it processes email, as well as the key for crafting signatures. I’ll make a proxy to add signatures using mitmproxy and then use sqlmap to dump the database. In the DB I’ll find restic commands, which I’ll use to get a backup with SSH keys. I’ll abuse restic command injection to get root on a container, and find SSH keys for a user on the host. From there I’ll find a custom password generator, and using logs from the DB that leak the time the command was run, generate the right password for the next user. That user can run any command as root.

0xdf hacks stuff

A detailed walkthrough of exploiting a pentesting company's infrastructure. The attack chain involves exploiting Uptime Kuma to discover internal domains, finding SQL injection in an n8n workflow that processes phishing data, using mitmproxy to automate signature generation for sqlmap exploitation, recovering SSH keys from restic backups, abusing restic command injection for container root access, reverse engineering a custom password generator with weak seeding, and leveraging database logs to reconstruct the exact timestamp needed to generate valid credentials for privilege escalation.

HTB: WhiteRabbit