Traceback

Comments

  • @TazWake yeah I have been doing it by exploiting the service using the Up-Mo. files. I meant that I could get a reverse shell by exploiting the service, but I can't cp the flag or add my ssh in there to ssh in. Seems like no matter how fast I do it, haha.

    I have been echoing in my commands into the files, instead of editing the files manually. Do my user permissions carry through if I echo the commands to add to file, instead of doing it manually? My goddamn vi commands are all wonky trying to edit manually.

    It must be some little thing but it is bugging me haha.

  • @chicxulub said:

    @TazWake yeah I have been doing it by exploiting the service using the Up-Mo. files. I meant that I could get a reverse shell by exploiting the service, but I can't cp the flag or add my ssh in there to ssh in.

    Do you mean the shell you are getting is a low-priv shell?

    Seems like no matter how fast I do it, haha.

    Linux has a command which can help you win this race while you sit back and watch.

    I have been echoing in my commands into the files, instead of editing the files manually. Do my user permissions carry through if I echo the commands to add to file, instead of doing it manually? My goddamn vi commands are all wonky trying to edit manually.

    So, in theory, the privs you & the file have shouldn't matter. If you can modify the correct file it is triggered by a root process and the resulting exploitation should be as root.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.
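
Seen from the defender's side, the condition described in the reply above (a file that a low-privileged user can modify being run by a root process) can be audited for. The following is an added example, not part of the original thread; the function names are hypothetical, and the directory and expected owner are passed in as arguments rather than taken from the box.

```shell
#!/bin/sh
# Added example: audit a directory whose scripts are executed by a root process.
# The directory and the expected owner are arguments (assumptions, not values
# taken from the thread).

audit_root_run_dir() {
    dir=$1
    owner=${2:-root}   # account expected to own every script
    findings=$(
        {
            # Scripts a group member or any user can modify in place
            # (appending with >> counts as modifying).
            find "$dir" -type f \( -perm -020 -o -perm -002 \) | sed 's/^/WRITABLE /'
            # Scripts owned by someone other than the expected account:
            # the owner can always change the content or the mode.
            find "$dir" -type f ! -user "$owner" | sed 's/^/OWNER /'
            # Writable directories let a user replace a script outright,
            # even when the script itself is read-only.
            find "$dir" -type d \( -perm -020 -o -perm -002 \) | sed 's/^/DIRWRITE /'
        } | sort
    )
    if [ -z "$findings" ]; then
        return 0            # nothing flagged
    fi
    printf '%s\n' "$findings"
    return 1                # at least one finding
}

# Constructed demo: one clean script and one group-writable script.
demo_audit() {
    d=$(mktemp -d) && chmod 755 "$d"
    printf '#!/bin/sh\n' > "$d/00-header" && chmod 755 "$d/00-header"
    printf '#!/bin/sh\n' > "$d/10-help"   && chmod 775 "$d/10-help"
    # Strip the temporary path so the output shows only the file names.
    audit_root_run_dir "$d" "$(id -u)" | sed "s|$d/||"
    rm -rf "$d"
}
demo_audit
```

A clean result requires all three checks to pass: a read-only script inside a writable directory can still be swapped for another file.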

  • @TazWake I know, it's wild, it has been stumping me for quite some time.

    Yeah I will insert my nc one liner into the file, trigger it, pop a shell and it will be sysadmin again. It works every time using any of the four or five files that are there.

    But when I try to do the same thing like cp the flag to a different location or add my ssh to the root location, I receive that permission denied message. I am going to try and watch it, I thought about doing that earlier but didn't do it. That may be the key. Maybe it is in fact working sometimes, I just am not realizing it.

  • @chicxulub said:

    @TazWake I know, it's wild, it has been stumping me for quite some time.

    Yeah I will insert my nc one liner into the file, trigger it, pop a shell and it will be sysadmin again. It works every time using any of the four or five files that are there.

    Ok, something isn't working correctly.

    But when I try to do the same thing like cp the flag to a different location or add my ssh to the root location, I receive that permission denied message. I am going to try and watch it, I thought about doing that earlier but didn't do it. That may be the key. Maybe it is in fact working sometimes, I just am not realizing it.

    The attack needs to be in the correct place and triggered in the correct way for it to work. It should be simple but as is so often the case, that just means lots of things can still go wrong.

  • @TazWake hmm.. yes, the correct place, perhaps that is it. Another reason why I was wondering about the echoing instead of manual edit, but I figured it shouldn't matter.

    It is for sure some little thing that I am doing wrong that I haven't realized yet, but I will eventually. One of those things you get and you're like "god how did I miss that". Thank you for your help!

  • After taking a break from HTB - it was nice to get back into with this machine.

  • Quick and easy one.
    Thanks @Xh4H for this fun learning experience.

    Hack The Box

  • Rooted. PM for nudges.

    Initial Foothold: OSINT using the information you find on the homepage for the web server. One of them will work. I suggest saving all their names to a text file and giving them to gobuster to do the heavy lifting. Need a password? How about you read the source code.

    User: Took me way too f**king long because I was trying to be too clever about it. Don't bother with a reverse shell for this stage, save that for once you actually get the user account. Start simple, with a shell. You're gonna need to "learn" a new language to get this shell to work. Also, don't be lazy... read the man page for sudo.

    Root: What processes are running. You probably won't be entirely too familiar with the process running, so do some Googling. Even 10 minutes is enough to get an idea of what you're going to have to do. You'll need two terminals. Don't bother editing any files directly, just append to whatever you wanna edit via >> rather than trying to edit and save. You won't be fast enough.

    Pretty fun box, and I actually enjoyed the CTF elements since they were done well.

    Cheers @Xh4H

  • am stuck with root, I tried ssh thru web**mn but with no luck

  • I am getting this "load pubkey id_rsa : invalid format" error while ssh ing to s****min account. I am quite sure I placed the pub key in the right way, why does this not work?

  • @N00p said:

    am stuck with root, I tried ssh thru web**mn but with no luck

    Finally Rooted

  • @anir08 said:
    I am getting this "load pubkey id_rsa : invalid format" error while ssh ing to s****min account. I am quite sure I placed the pub key in the right way, why does this not work?

    Try it with different acc

  • @N00p said:

    Try it with different acc

    tried again and now the ssh says
    Warning: Identity file id_rsa not accessible: No such file or directory

    I even checked my public key when I escalated as sys***** abusing the said function.

  • @N00p said:

    @anir08 said:
    I am getting this "load pubkey id_rsa : invalid format" error while ssh ing to s****min account. I am quite sure I placed the pub key in the right way, why does this not work?

    Try it with different acc

    check perms of authorized_keys should be 600

  • @anir08 said:
    @N00p said:

    Try it with different acc

    tried again and now the ssh says
    Warning: Identity file id_rsa not accessible: No such file or directory

    I even checked my public key when I escalated as sys***** abusing the said function.

    check perms of authorized_keys should be 600

  • Rooted!
    First box that took me less than a day, also the first that I didn't have to message anyone for specific help about. Forum comments did help me though.
    I thought this was a good box that linked together a few different techniques that had come up in other boxes. It took me a while to think through the steps but it all made sense in the end.
    PM me if you need help!

  • All the hints for foothold are very cool, but!
    Git repository where you'll find the list of shells IS NOT THE AUTHOR'S
    Cause he has just the same repo, but other shells, stuck on it for soooo long lol

    Good game. well played!
    Arrexel

  • after editing the a*********_***s and I try to login, it doesn't accept it. I make sure that the file is how I left it but nothing happens. Any hints? I also tried to run a lua script but didn't work

  • @AgentWhite said:

    after editing the a*********_***s and I try to login, it doesn't accept it. I make sure that the file is how I left it but nothing happens. Any hints

    Chances are the file isn't how you left it. A lot of people don't understand the difference between > and >> so have a tendency to overwrite the existing files here.

  • Well, I didn't realize I was putting the wrong key actually and I feel dumb about it.
    Anyhow, I managed to get the flag but my question is, was this machine only to get root or is there user also?

  • @AgentWhite said:

    Well, I didn't realize I was putting the wrong key actually and I feel dumb about it.
    Anyhow, I managed to get the flag but my question is, was this machine only to get root or is there user also?

    All HTB boxes have both flags, this one is no exception.

    The user account you need to be in to get root has access to the user.txt flag.

  • when trying to SSH to 10.10.10.181 I am getting a password prompt. I didn't configure any password while regenerating the ssh keys. Is anyone getting the same message, for a password prompt?

  • edited April 2020

    Got root, Nice machine :)
    If you need a nudge, feel free to PM me.

  • @Thanos17 said:

    when trying to SSH to 10.10.10.181 I am getting a password prompt. I didn't configure any password while regenerating the ssh keys. Is anyone getting the same message, for a password prompt?

    If it is a password prompt from the server, your keys have been overwritten by someone else or haven't been installed correctly.

    If it's a password to unlock the key, then either you messed up and did set a password or something really weird is going on.

    If you are using key based authentication (and I assume you've used -i correctly), the only password requests come from your machine, not the server.

  • Finally user and root. The biggest problem with this machine is the noise caused by other testers :(. I spent like an hour trying to exploit a /shell.php thinking that this was the backdoor...

  • Rooted, nice and easy. Didn't get a shell - no need. Always open to help, as per usual :)

    skunk

    Happy to offer nudges to anyone on boxes I've done, provided you show that you've reasonably tried to understand what the goal is! If I do help, please consider giving respect!

  • @TazWake said:

    @Thanos17 said:

    when trying to SSH to 10.10.10.181 I am getting a password prompt. I didn't configure any password while regenerating the ssh keys. Is anyone getting the same message, for a password prompt?

    If it is a password prompt from the server, your keys have been overwritten by someone else or haven't been installed correctly.

    If it's a password to unlock the key, then either you messed up and did set a password or something really weird is going on.

    If you are using key based authentication (and I assume you've used -i correctly), the only password requests come from your machine, not the server.

    TazWake thanks I will remove all the existing keys and regenerate !!

  • PLEASE STOP RESETTING THE F*** MACHINE

  • PM me for help on this one i enjoyed it, finished doing my re write this morning

  • Could someone help me on this?
    1. I initially did OSINT and used the forum to Internetzzz the webpage and able to login.
    2. I checked that a programming language should be used which I had no idea but managed to get it from the history.
    3. Now as defined by sudo -l, I tried to switch user and run the command sudo -* s*** /home/sysadmin/luvit *.lua
    4. I performed the above command through the console of the backdoor
    I don't see anything after that.
    Please help me here to move further