Stratosphere

got root hint:use ur power in the right place,

I am banging my head off the wall with this one. The RCE works, I can see the service and I can issue a connection request using the creds but everything else fails. I’ve tried creating scripts and uploading them but that errors out (as others have pointed out, I’ve even spent quite some time trying to get a reverse shell but to no avail).

If anyone is kind enough to PM with a nudge, it would be massively appreciated.

Why not just have a snoop around and see what you find, search some dirs. and output some files - with the RCE that should be possible. wink wink

The user and all related content has been deleted.

Keep digging, what else can you find and work with on the box to get more info and maybe even credentials if that file doesn’t work? Keep looking, or as they say here enumerate more.

got root but man good machine but bit lame at the end… getting root.!

overall good Box Thanks to the Creator

I feel I’ve spent several lifetimes doing that :smiley: Other than the stuff which screams out DB creds (and appear to work against the DB), I can’t get it any further. I thought I was on to something with loads of what look liked config files but nothing yet.

Still, back to stringing together long commands :smiley:

@TazWake said:
I feel I’ve spent several lifetimes doing that :smiley: Other than the stuff which screams out DB creds (and appear to work against the DB), I can’t get it any further. I thought I was on to something with loads of what look liked config files but nothing yet.

Still, back to stringing together long commands :smiley:

If the creds work, take a look inside.

That’s where it seems to fail - I can get to the point where it “looks like” they work (I am open to a login failure that I haven’t recognised though), but any attempts to issue exploration commands fails - with varying error’s, I’ve not been able to get any sense out of them yet.

So, at the very least, I can take away that I am probably on the “right path” - I just need to work out how to make it work, rather than spend months enumerating every readable file on the file system (I even toyed with the idea of creating a new webpage to see if that would do it).

I supposed this is half the fun and all the learning of HTB :smile: :smiley: :dizzy: :smile:

The webpage idea is interesting. If you can’t access it direct because of the access you have, what else could you read? May need a bit of sysadmin knowledge around it. PM if you need a nudge.

I’m a bit stuck at privesc. I think I know what needs to happen but I might be looking at the wrong stuff. Could someone shoot me a PM?

I need help with privesc. I’ve already seen the privileges i have to run the script, i did it and the root script doesn’t exist. I tried to edit the commands but password for user r******d keeps prompting. I saw the use of the debugger but it doesn’t seem to work. What else can i do?

@Blastware said:
I need help with privesc. I’ve already seen the privileges i have to run the script, i did it and the root script doesn’t exist. I tried to edit the commands but password for user r******d keeps prompting. I saw the use of the debugger but it doesn’t seem to work. What else can i do?

Nvm, i got root, very interesting technique. I’ll definitely try it with new machines!

@Bear said:

@TazWake said:
I feel I’ve spent several lifetimes doing that :smiley: Other than the stuff which screams out DB creds (and appear to work against the DB), I can’t get it any further. I thought I was on to something with loads of what look liked config files but nothing yet.

Still, back to stringing together long commands :smiley:

If the creds work, take a look inside.

I’m able to run queries, but can’t find anything in the DB. Am I on the wrong track?! took me hours to find the correct syntax :slight_smile: at least I’ll remember how to do it :slight_smile:

update: how is it possible you always get it right after posting ? :slight_smile:

@icyDux said:
Got RCE working, found a few important files but i don’t know how to escalate to user. I will be glad if someone wants to discuss this box.

Hi, can you help me in priv, a lot

Rooted! Thanks to @Bear for helping with the last step of user.
Finding user was a nice journey, it took me quite a lot. Getting to root was pretty straightforward, no need for enumeration in my opinion.

Hints for user are all in the thread: enumerate with fairly large directory lists, you don’t need a shell, find all credentials, watch out for syntax.

Rooted! Thanks to @Bear @KouPreY @Blastware.

Hint for all users.

On initial foothold, it has something to do with action. So google.

On getting the user, you will gain alot of information, but you will be limited in your capability. Some information is just right in front of you. You need to research on - if machine is going to fail, how do I backup and restore certain data.

On getting root, once you are in, you need to remember that HTB philosophy is not about brute forcing. You may want to check an Priv Esc check list to gain more information. Certain functions rely on some modules, if we can redirect those modules, damage can be huge…

hi @wilsonnkwan , wht r u mean by ‘if we can redirect those modules, damage can be huge…’ ??? hmmm would u pm me abt that ,

@Ju577Ry said:
hi @wilsonnkwan , wht r u mean by ‘if we can redirect those modules, damage can be huge…’ ??? hmmm would u pm me abt that ,

Bro, if you need help, you’ll PM me :slight_smile:

Finally after 3 days i got user…Now working on root thanks to @batman786