SolidState

Unable to trigger the machine to reverse the shell. Should I wait for the machine to auto sign in, or is there a way to connect through SSH?!
Thank you

Comments

  • you have the right hint, just look for a way to read emails

  • edited October 2017

    I have read all the emails on another port, but still not triggered!! I'm confused

  • emails for all users?

  • Read all emails from all users.... you'll find a way to manage your shell...

    Agent22

  • @Agent22 said:
    Read all emails from all users.... you'll find a way to manage your shell...

    any hint on priv esc? got stuck here. not much options for enum here, it seems.

    Hack The Box

  • Also need a hint on priv esc. It is something silly, just cannot figure out from enumeration what to look at.

  • use the linuxprivchecker script and g0tmi1k blog, there will be something fishy you will notice..

  • @princeade said:
    use the linuxprivchecker script and g0tmi1k blog, there will be something fishy you will notice..

    Just cannot see it. Can someone DM the pointer?

  • There's more to compromising these machines than just "nmap, find easy password for user shell, run enum script and get answers handed to you" .. You have to research. Research more. Question everything. Even things that you think look normal. Google is your friend. ACTUALLY TRY THINGS FOR YOURSELF. Stop expecting everything to be handed to you as a "pointer" or a "tip" or a "nudge" .. Jesus.. these forums are getting bad... :(

    likwidsec

  • finally got root. Yeah @likwidsec, tried harder. It really helped.

    Hack The Box

  • @likwidsec said:
    There's more to compromising these machines than just "nmap, find easy password for user shell, run enum script and get answers handed to you" .. You have to research. Research more. Question everything. Even things that you think look normal. Google is your friend. ACTUALLY TRY THINGS FOR YOURSELF. Stop expecting everything to be handed to you as a "pointer" or a "tip" or a "nudge" .. Jesus.. these forums are getting bad... :(

    Wow, RAGE mode on. Chill, mate, people trying to learn here. Had to ask for help, 'cause after several days of looking there was a clear sign that there is something I do not know. Sometimes just a simple nod to the right direction works. Try that, people will thank you.

  • @ndabbot said:

    @likwidsec said:
    There's more to compromising these machines than just "nmap, find easy password for user shell, run enum script and get answers handed to you" .. You have to research. Research more. Question everything. Even things that you think look normal. Google is your friend. ACTUALLY TRY THINGS FOR YOURSELF. Stop expecting everything to be handed to you as a "pointer" or a "tip" or a "nudge" .. Jesus.. these forums are getting bad... :(

    Wow, RAGE mode on. Chill, mate, people trying to learn here. Had to ask for help, 'cause after several days of looking there was a clear sign that there is something I do not know. Sometimes just a simple nod to the right direction works. Try that, people will thank you.

    No rage mode at all. In fact, I've helped several people on these forums with several machines and different techniques to research. It's all about the way you ask and the effort you've put in thus far. That's all.

    likwidsec

  • got SSH but still no priv escalation yet :( ran linuxprivchecker.py but cannot seem to find a clue from the result

  • edited November 2017

    Hello, is it only me or did others have a problem telnetting to p**3? I set the creds on port 4... , can log into SMTP but not the other, to read mails. Any hints?

  • @psyberlupus said:
    Hello, is it only me or did others have a problem telnetting to p**3? I set the creds on port 4... , can log into SMTP but not the other, to read mails. Any hints?

    http://www.suburbancomputer.com/tips_email.htm
    Read this ......

    Agent22

  • I did, but the problem I am having is p**3 isn't responding when I telnet to it... It just seems to do nothing after telnetting to it... I don't know why?
    [email protected]:~# telnet 10.10.10.51 XXX
    Trying 10.10.10.51...
    Connected to 10.10.10.51.
    Escape character is '^]'.

    Nothing after this. :(

  • @psyberlupus - it's waiting for you to send it a command. Research commands for that service - then initiate a session with the proper command.

    likwidsec

  • Okay, thanks for the nudge. But I had tried authentication commands but it didn't seem to respond. I remember working on a similar box in OSCP, but I didn't find it unresponsive... Never mind, I will try again, harder. :)

  • It is working now, I see the server banner, which I couldn't before..

  • edited November 2017

    Are we absolutely sure we even need the command to run via the script? I'm pretty sure unlike the other lab that had a similar machine that actually required it to run the script for it to work this particular machine does not require it.... We can escape another way.

  • Got user already, and I'm going after root now. The exploit we're dealing with says something like "payload will be executed once somebody logs in."

    I'm doing all by hand, not using automated scripts available. I go in there and write the email to the "premium user" and bla bla bla. My question is: will it execute once somebody logs into the P**3 service or logs in via SSH? I tried both and didn't get intended result.

    Hack The Box

  • edited November 2017

    Hey JChris you are correct that it will trigger via one of those services. You probably won't get the intended result unless you have found the correct way of doing it. (I know that was a bunch of words to say nothing, but that is the nature of this forum after all) I would ask yourself what is it you are expecting the script to do for you and if it can be done manually without the script at all... The script might be running as intended even when you see the errors so be sure to check that it worked instead of assuming it errors out and didn't work. However that being said, I was able to get user and root without having to bother with the script. I confirmed this by resetting the machine and doing it again and it works just fine.

  • Also, this machine is one of the ones where the outcome of your actions is VERY MUCH affected by what previous users have done/tried in their attempts. I recommend resetting this machine before working with it each time you come back to it.

    likwidsec

  • Got Root. Nice experience.

    Hack The Box

  • it's almost always the same dirs to check on all machines, else use linenum.sh

    peek

  • Should I log into the user with password to read the emails, or is there another thing to do?

  • Hi all, I have hit a wall in privilege escalation. I have found an interesting file and have modified it to initiate a reverse shell as the file's owner, but I can't seem to execute it! Does the solution have something to do with the very first line in this file (#!) ? I could really use a nudge.

  • @theNightMan said:
    Hi all, I have hit a wall in privilege escalation. I have found an interesting file and have modified it to initiate a reverse shell as the file's owner, but I can't seem to execute it! Does the solution have something to do with the very first line in this file (#!) ? I could really use a nudge.

    You can modify a file that can easily get you to your goal... Check and PM me if you need more help. :)

    DedSecK

  • @theNightMan said:
    Hi all, I have hit a wall in privilege escalation. I have found an interesting file and have modified it to initiate a reverse shell as the file's owner, but I can't seem to execute it! Does the solution have something to do with the very first line in this file (#!) ? I could really use a nudge.

    It sounds like you're on the right track. How are you executing that file? If you run it as mindy, even if the commands execute, I'm pretty sure they'll still execute as mindy. Is there a way to run this file as the owner instead?

    If all that stuff is right and it's still not working, the problem could be with your code. Or, it might just take a second to run and you might not get much of an indication that it executed, if that makes any sense.

    Feel free to PM me with what you're trying and I'll see if I can help.

    --Skunkfoot

  • Are there any hints to get reverse shell? I have tried manually sending cmds to ../.../../etc.conf user but when I log in with mindy I do not get a shell. Please give a hint in the right direction

    lordsoahc
    CCNP, CCNAx3
