Official Spectra Discussion


Comments

  • @foalma321 said:

    @sicario1337 said:

    @foalma321 said:

    @seiyathesinx said:

    @foalma321 said:

    I have rooted the box but interested to know if anyone got initial shell without using Metasploit? I found my usual ways of shelling WordPress (theme template editing or uploading plugin) failed.

    I did it without MSF using one of the ways you used. It works

    UPDATE found a workable script on Github.

    There is an easier way using one kind of jewel... found in the sea :smile:

    Have managed it 3 ways now but your cryptic clue has me stumped ;-)

    woah woah, was dat?

  • Hi,
    Box rooted, fun box :)
    Anyone could help me understand how come we were able to get a RCE? This version should not have this vulnerability from my understanding. I don't want to put too much details here to avoid spoiling. If anyone could PM that would be great.

  • @Hybr0x said:

    Hi,
    Box rooted, fun box :)
    Anyone could help me understand how come we were able to get a RCE? This version should not have this vulnerability from my understanding. I don't want to put too much details here to avoid spoiling. If anyone could PM that would be great.

    If you have that account with that level of permissions, you have inherent RCE (by design)

  • Finally rooted. I learned funny things along the way!

    enum: It is right there, just think about what you have. You don't need to spend too much time so don't overthink.
    user: it's a bit hidden but if you enum well you only have to follow the dots
    root: pretty original and never heard before. Was a bit hard for me since I didn't find much interesting information about this kind of privesc. You will need to enum a bit more and see what you can do.

    pm if you need help

  • @seiyathesinx said:

    Finally rooted. I learned funny things along the way!

    enum: It is right there, just think about what you have. You don't need to spend too much time so don't overthink.
    user: it's a bit hidden but if you enum well you only have to follow the dots
    root: pretty original and never heard before. Was a bit hard for me since I didn't find much interesting information about this kind of privesc. You will need to enum a bit more and see what you can do.

    pm if you need help

    Nice :smile:

    sicario1337

    Happy to assist and 'Respect' is always appreciated
  • I found the unattended way. I don't want to spoil it but you should see it on linpeas, took 10 sec to get root

  • Great box and quite testing at times as I still required some nudges to find the way. Thanks to those that helped. Often the answer was right in front of me and although there was nothing particularly hard about this box I just got lost in all the other information.

  • edited March 9

    Foothold is not obvious to me. I have done scans and some enum. Probably just don't know what I should be looking for. Thanks.

  • @matt516 said:

    Foothold is not obvious to me. I have done scans and some enum. Probably just don't know what I should be looking for. Feel free to PM for any nudges. Thanks.

    See if you can read any file, the di****** li**** is what you should try and focus on. See every file, maybe not every file is visible directly?

  • I got the initial foothold, struggling with user, can anyone dm for a nudge?

    Bug Bounty Hunter | SysAdmin | Cloud Architect

  • Finally rooted this box. Nice Privilege Escalation, have not seen this approach before. Feel free to PM me with any questions you might have.


  • edited March 8

    Did anyone have a problem with "i****tl: Unknown j**:...." on privesc?

  • This is doing my head in.
    I have logged into the cms. I have tried various pl**ins from the web to get a rs but none worked. I edited a the*me file for a ws which worked but when using it to launch a bash rs nothing happens.

    Am I in a rabbit hole?

  • @paddy3d said:

    This is doing my head in.
    I have logged into the cms. I have tried various pl**ins from the web to get a rs but none worked. I edited a the*me file for a ws which worked but when using it to launch a bash rs nothing happens.

    Am I in a rabbit hole?

    Nope, try using msf for reverse shell if other things aren't working.

  • @sonym said:

    Did anyone have a problem with "i****tl: Unknown j**:...." on privesc?

    You don't need to give the full name of that thing. Only the first part is needed

  • Finally rooted.
    I was blind to see the foothold part. It was right in front of me but it took me some time to see it.
    User part was enum (like going through everything)
    and root part was nice.

  • This was a fun box. I spent WAY too long on user.

    Getting user isn't hard if you look at the right file....but if you don't good luck. (thank you to person who helped get me back on track.)

    Root was a heck of a lot easier imo.

    DM me if you're stuck :smile:

  • i'm lost..

    web stuff isn't my strong point though.. but everyone is saying this one is super easy. I can't figure it out. I'm looking at all the files, not really sure which one is supposed to stick out, because right now, none of them are sticking out lol

    tried to brute web login for administrator, didn't get any hits.

    Looked at the source of available pages, per someone's reply on here, but I don't see anything out of the ordinary there either.. wouldn't mind a hint to figure out where I'm supposed to be looking..

    My DMs are open if you want to reach out to me directly and not risk spoiling anything for anyone else

  • edited March 11

    @Galapag0s said:

    This was a fun box. I spent WAY too long on user.

    Getting user isn't hard if you look at the right file....but if you don't good luck. (thank you to person who helped get me back on track.)

    Root was a heck of a lot easier imo.

    DM me if you're stuck :smile:

    can you help me a bit (guide to the right path) about user? Found a cred but already tried to connect to all users using that cred and didn't work... I've been rummaging all directories but couldn't find anything or missed

    Edit : got user. I really overlooked this part..

  • Need a nudge for user.
    Have run both linpeas and linenum but never noticed anything. have manually trawled through directories but not seeing anything.

  • This had to have been one of my favourite rooms recently. Thanks for the awesome room. The foothold was interesting and the root tested a few skills I hadn’t got used to.
  • Anyone can point me to the right direction?
    Got my foot in, trying to pivot to the user but can't find what everyone else found.

  • @umar0x01 said:

    @AbuQasem said:

    I spent hours trying to get a revshell and still can't get a connection back!
    tried php, msfconsole, bash and even made my own pl**n but can't get a shell !!!!

    Make sure you've the URI in msfconsole set to right path!

    Same here. Tried three different ways, they all fail. The box is sluggish when attempting two of the ways. I switched VPNs thinking that would help. Nope. Pretty strange, since the msf is straightforward and no tricks.

  • @phr0zengh0st said:

    @umar0x01 said:

    @AbuQasem said:

    I spent hours trying to get a revshell and still can't get a connection back!
    tried php, msfconsole, bash and even made my own pl**n but can't get a shell !!!!

    Make sure you've the URI in msfconsole set to right path!

    Same here. Tried three different ways, they all fail. The box is sluggish when attempting two of the ways. I switched VPNs thinking that would help. Nope. Pretty strange, since the msf is straightforward and no tricks.

    Look on Github, there are a few tools that will make the p****n for you, spawn a MS handler and once you upload the thing it made for you, you can get a connection back. I couldn't get any of my regular methods to work either so I found a tool and it worked.

    I am always open to helping; however, please ensure you explain what you have tried first before asking for hints!
    Also, reps go a long way!

    Certifications: ITIL, eJPT, eCPPT (In Progress)

  • Can somebody help with the first foothold? I don't know what I'm searching for

  • Is the box glitched for anyone else? I have root but I can't see anything in the root directory even after a reset.

  • @baegmon said:

    Is the box glitched for anyone else? I have root but I can't see anything in the root directory even after a reset.

    That's probably because you are in the docker as root and not the host.. try running "hostname" to confirm...

    sicario1337

    Happy to assist and 'Respect' is always appreciated
  • edited March 15
    @k01n said:
    > Can somebody help with the first foothold? I don't know what I'm searching for

    Enumeration is the key... try looking around the broken environment... you should be able to stumble on a juicy file that will immediately attract ur attention :wink:

    sicario1337

    Happy to assist and 'Respect' is always appreciated
  • I really enjoyed this box.

    Big thanks to Galapag0s for the nudges!

  • Phew, spent way too many hours on foothold. Rest of the box is pretty straightforward from there. Overall this machine was a good lesson in taking a look at what you have before resorting to tools.

    Thanks to Galapag0s as well for a nudge!
