SolidState

Hello, is it only me or did others have problems telnetting to p**3? I set the creds on port 4…, can log into SMTP but not the other, to read mails. Any hints?

@psyberlupus said:
Hello, is it only me or did others have problems telnetting to p**3? I set the creds on port 4…, can log into SMTP but not the other, to read mails. Any hints?

Read this …

I did, but the problem I am having is p**3 isn’t responding when I telnet to it… It just seems to do nothing after telnetting to it… I don’t know why?
root@Gh0st:~# telnet 10.10.10.51 XXX
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.

Nothing after this. :frowning:

@psyberlupus - it’s waiting for you to send it a command. Research commands for that service - then initiate a session with the proper command.

Okay, thanks for the nudge. But I had tried authentication commands but it didn’t seem to respond. I remember working on a similar box in OSCP, but I didn’t find it unresponsive… Never mind, I will try again, harder. :slight_smile:

It is working now, I see the server banner, which I couldn’t before…

Are we absolutely sure we even need the command to run via the script? I’m pretty sure that, unlike the other lab that had a similar machine that actually required it to run the script for it to work, this particular machine does not require it… We can escape another way.

Got user already, and I’m going after root now. The exploit we’re dealing with says something like “payload will be executed once somebody logs in.”

I’m doing it all by hand, not using the automated scripts available. I go in there and write the email to the “premium user” and bla bla bla. My question is: will it execute once somebody logs into the P**3 service or logs in via SSH? I tried both and didn’t get the intended result.

Hey JChris, you are correct that it will trigger via one of those services. You probably won’t get the intended result unless you have found the correct way of doing it. (I know that was a bunch of words to say nothing, but that is the nature of this forum after all.) I would ask yourself what it is you are expecting the script to do for you and if it can be done manually without the script at all… The script might be running as intended even when you see the errors, so be sure to check that it worked instead of assuming it errors out and didn’t work. However, that being said, I was able to get user and root without having to bother with the script. I confirmed this by resetting the machine and doing it again, and it works just fine.

Also, this machine is one of the ones where the outcome of your actions is VERY MUCH affected by what previous users have done/tried in their attempts. I recommend resetting this machine before working with it each time you come back to it.

Got Root. Nice experience.

It’s almost always the same dirs to check on all machines, else use LinEnum.sh.

Should I log in to the user with the password to read the emails, or is there another thing to do?

Hi all, I have hit a wall in privilege escalation. I have found an interesting file and have modified it to initiate a reverse shell as the file’s owner, but I can’t seem to execute it! Does the solution have something to do with the very first line in this file (#!)? I could really use a nudge.

@theNightMan said:
Hi all, I have hit a wall in privilege escalation. I have found an interesting file and have modified it to initiate a reverse shell as the file’s owner, but I can’t seem to execute it! Does the solution have something to do with the very first line in this file (#!)? I could really use a nudge.

You can modify a file that can easily get you to your goal… Check and PM me if you need more help. :slight_smile:

@theNightMan said:
Hi all, I have hit a wall in privilege escalation. I have found an interesting file and have modified it to initiate a reverse shell as the file’s owner, but I can’t seem to execute it! Does the solution have something to do with the very first line in this file (#!)? I could really use a nudge.

It sounds like you’re on the right track. How are you executing that file? If you run it as mindy, even if the commands execute, I’m pretty sure they’ll still execute as mindy. Is there a way to run this file as the owner instead?

If all that stuff is right and it’s still not working, the problem could be with your code. Or, it might just take a second to run and you might not get much of an indication that it executed, if that makes any sense.

Feel free to PM me with what you’re trying and I’ll see if I can help.

Are there any hints to get a reverse shell? I have tried manually sending cmds to …/…/…/etc.conf user but when I log in with mindy I do not get a shell. Please give a hint in the right direction.

@theNightMan said:
Hi all, I have hit a wall in privilege escalation. I have found an interesting file and have modified it to initiate a reverse shell as the file’s owner, but I can’t seem to execute it! Does the solution have something to do with the very first line in this file (#!)? I could really use a nudge.

Have a good look at what the original file does. How can you monitor it?

@lordsoahc said:
Are there any hints to get a reverse shell? I have tried manually sending cmds to …/…/…/etc.conf user but when I log in with mindy I do not get a shell. Please give a hint in the right direction.

Try various shells, not all variants will work. Make sure you researched the application running on the server and how to use it to do what you want.

Nailed it! This box was fun and a great learning experience. On to the next one…

Why is this machine always going to freeze?