Scavenger


Comments

  • edited December 2019
    Finally rooted, amazing box.
    Initial: Enumerate, enumerate, enumerate. Poke at every hole until you break through, then keep Digging.
    User: Someone else has left something behind here for you, but the usage isn't obvious at first.
    Root: Check every corner, do some OSINT, and work out what's different
    https://i.imgur.com/5dHg0XG.png

    clubby789

    • GCIH
      If you need help with something, PM me how far you've got already, what you've tried etc (I won't respond to profile comments). And remember to +respect me if I helped you ; )
  • any hint for root?

  • Stuck on the s***l.php. Tried fuzzing a parameter name with a lot of wordlists. Is this the right way? And if so, then which list should I use?

  • @g0stm5n said:

    > Stuck on the s***l.php. Tried fuzzing a parameter name with a lot of wordlists. Is this the right way? And if so, then which list should I use?

    You are on the right track. Choose a wordlist that is neither too small nor too large from the fuzzer's wordlist directory.

    bumika

  • Thanks a lot. Got it now. Choosing the wrong lists cost me half a day....

  • I really enjoyed this box, thanks a lot @ompamo. I loved the background story and was a bit sad that I couldn't see all details.

    After I managed to get the content of root.txt, I gained root SSH access successfully. Since this process required a little change in the root user's attributes, I reset the box.

    bumika

  • edited December 2019

    Now I have time to write a little summary.

    Enumeration is the key factor to gain full access. There are several fine clues that help you to find vulnerabilities. You should record all little details and analyze them.

    First stage: Information gathering

    First exploit: nice idea to implement a well-known vulnerability type in an unexpected place. You need to use a manual technique instead of the usual open-source tool. It can cause problems for people who don't understand the essence of this attack, but it is easily solvable if you have basic manual practice in this area.

    Second "exploit": this is an old-school reconnaissance method, based on a configuration vulnerability which is very rare in modern environments, but I met it about 15 years ago.

    Second stage: Initial foothold

    This phase is based on a very original idea and answers why the machine maker chose "Scavenger" as the name of the box. You need to execute the usual web enumeration process and spot something strange.

    Third exploit: after you find that strange thing, you need to do some fuzzing. If it is successful, you will have limited remote access to the box.

    Third stage: More enumeration

    This is the typical "cd subdir; ls -la;" loop. Check all directories that you can access and search for sensitive information. After you find that information, it will be obvious what you have to do. If you do it, you will have access to a very important data source. Analyze it! You can use Google to find details about those things.

    Fourth stage: User access

    Fourth exploit: this is a public exploit, which is a module of a well-known penetration testing framework. The execution of this exploit is very slow, and you need to configure a timeout parameter and change the payload to run it successfully. I used this exploit to gain limited remote access in the name of another user.

    Fifth stage: Root access

    Using the new remote access opportunity, based on the information enumerated in the third stage, you can find an important executable. You can download it easily and execute a basic reverse engineering process to obtain the "magic" word. If you have that word, you can type only one line of instructions to get the content of root.txt.

    Bonus stage: Unlimited root access

    Only two commands are needed to get a root SSH connection to the box. If you execute them, do not forget to reset the machine.

    bumika

  • Finally rooted. Thanks to @bumika for his help and @ompamo for this interesting experience.

    Really nice box! I learned a ton of new and interesting things.

  • Enumerated w***s and found everything that needs to be found. Explored the cap like web pages. No idea where to go next.

  • @unmesh836 said:

    > Enumerated w***s and found everything that needs to be found. Explored the cap like web pages. No idea where to go next.

    You have more d s, which w---s gave up n s for, and there's another s ervice you can ask.. You dig?

  • Finally rooted!
    This one was an enumeration beast. You need to enumerate everything.
    Do not worry if you can't get a proper shell, it is not needed.

    Hack The Box

  • edited January 7

    Need a nudge. I know the magic word, have seen the source and checked the binary used on Scavenger. But how can you use it if you do not have a real tty shell? Commands passed to a "shell" in PHP space do not seem to work for this kind of exploit ... or is there some insane shell-fu redirection and fifo? Sooooo close!

    Edit: Got root!

    Thank you @bumika for the nudge.

    Root Hint: Look gift horses in the mouth before making assumptions of worth. It may well be worth making a personal inspection.

    Very fun, awesome box. I totally missed what is probably literally one of the oldest hideouts in the history of Unix for quite a while, missed the breadcrumbs which pointed the way every time I looked. Thanks, @ompamo. :-)

  • edited January 10

    .

  • edited January 10

    hello all

    Injected and dug around the world, our hero got all the names he needs!!! But now stuck on M----s BT, right way? Go on or change to another name? thx

    Edit: Now I'm on P-----s--p as pwn----@pwn----.htb

    what a fantastic machine

  • Rooted! Thanks a lot to the people that helped me out on this one!

    If anyone is still doing this box: you might never get a full shell, but you don't need one either (for root or user)!

    Feel free to PM for hints!

    SIG

  • @ompamo this was a fantastic box! I'm really looking forward to the next one! I loved this as it seemed super realistic and it seems like you've put a lot of effort into it!

    SIG

  • Great box, had to use a lot of different techniques to finish it.
    Thanks @bumika and @0X44696F21 for helping me when I was stuck :)

  • edited January 16

    Guys, how to deal with the error at initial part?
    nudge me on pm please.

    // Got it

    this is very weird

    [-] Exploit failed: NoMethodError undefined method `code' for nil:NilClass
    [*] Exploit completed, but no session was created.

    Hack The Box

  • @ls4cfk said:

    > Guys, how to deal with the error at initial part?
    > nudge me on pm please.
    >
    > // Got it
    >
    > this is very weird
    >
    > [-] Exploit failed: NoMethodError undefined method `code' for nil:NilClass
    > [*] Exploit completed, but no session was created.

    Maybe it needs more time to run ...

  • edited January 18

    @zard said:

    > I can’t find the ko file for the life of me. Any help will be appreciated!

    Same here. Could use a nudge.

    Nevermind!

  • edited January 19

    Can anyone PM me with some nudges? I'm enumerating everything I was able to dig vhosts and found w**** but I don't know what to do with it I can only query it and get some basic info. I'm probably missing something.

    EDIT: I was able to retrieve more things through w**** now I'm trying to enumerate sites, there are a lot of things here...

  • Would appreciate a nudge!

    I've found the magic word but I don't seem to be able to use it with s****.p*p. Issue with my syntax?

  • I've managed to get a tool to work on the injection, and I found some hostnames that I haven't found a use for. Can someone point me towards user?

  • @sysdd said:

    > @ls4cfk said:
    >
    > > Guys, how to deal with the error at initial part?
    > > nudge me on pm please.
    > >
    > > // Got it
    > >
    > > this is very weird
    > >
    > > [-] Exploit failed: NoMethodError undefined method `code' for nil:NilClass
    > > [*] Exploit completed, but no session was created.
    >
    > Maybe it needs more time to run ...

    It's weird. Changed the time to 600 seconds and it still fails.

    Hack The Box

  • @ls4cfk said:

    > @sysdd said:
    >
    > > (Quote)
    >
    > It's weird. Changed the time to 600 seconds and it still fails.

    What does failed mean? Did you get the same error message?
    There is more than one “time” parameter and you should choose the proper one.

    bumika

  • @bumika said:

    > @ls4cfk said:
    >
    > > @sysdd said:
    > >
    > > > (Quote)
    > >
    > > It's weird. Changed the time to 600 seconds and it still fails.
    >
    > What does failed mean? Did you get the same error message?
    > There is more than one “time” parameter and you should choose the proper one.

    Rooted without it, a simpler way. I missed something ... :D

    Hack The Box

  • edited January 26

    [-] Exploit failed: NoMethodError undefined method `code' for nil:NilClass
    [*] Exploit completed, but no session was created.

    Also running into this. Tried everything I could find for increasing timeouts, but nothing seems to work. Even tried editing the exploit to add them in the code. Anyone have any tips?

    Edit: Figured it out. For anyone else struggling with this, I did have to modify the exploit itself. Take a look at the second argument here: https://rapid7.github.io/metasploit-framework/api/Msf/Exploit/Remote/HttpClient.html#send_request_cgi-instance_method

    Edit2: Anyone manage to get a proper shell out of the second exploit? After a lot of hairpulling I realized the exploit was actually working, it was just my payload that's bad. Was really hoping to not have a repeat of the first user though, since owning root from such a limited shell sounds super painful.

  • Need a nudge on p*****s**p exploit, increased msf timeouts but I get no shell, exploit seems to be working as cookie is obtained but no code exec.

  • edited January 31

    Finally rooted, got stuck twice and could not see the way forward due to biases, @ompamo luckily provided nudges that helped me move on or confirmed I was on the good path. This is only my second hard box and I loved every part of it as it seemed realistic. Box requires many different enumeration skills but involves no guessing, which I appreciated most. Thank you @ompamo

    Open for nudges if anyone needs them, please state what has been tried so far.

  • Wow. What a box! Definitely couldn't have gotten root.txt without help from @bumika, @Chr0x6eOs and @SirVival. I learned so much from each of you, and of course @ompamo for the box.

    emilkloeden
