Stratosphere

That’s where it seems to fail - I can get to the point where it “looks like” they work (I am open to a login failure that I haven’t recognised though), but any attempts to issue exploration commands fail - with varying errors, I’ve not been able to get any sense out of them yet.

So, at the very least, I can take away that I am probably on the “right path” - I just need to work out how to make it work, rather than spend months enumerating every readable file on the file system (I even toyed with the idea of creating a new webpage to see if that would do it).

I suppose this is half the fun and all the learning of HTB :smile: :smiley: :dizzy: :smile:

The webpage idea is interesting. If you can’t access it directly because of the access you have, what else could you read? May need a bit of sysadmin knowledge around it. PM if you need a nudge.

I’m a bit stuck at privesc. I think I know what needs to happen but I might be looking at the wrong stuff. Could someone shoot me a PM?

I need help with privesc. I’ve already seen the privileges I have to run the script, I did it and the root script doesn’t exist. I tried to edit the commands but password for user r******d keeps prompting. I saw the use of the debugger but it doesn’t seem to work. What else can I do?

@Blastware said:
I need help with privesc. I’ve already seen the privileges I have to run the script, I did it and the root script doesn’t exist. I tried to edit the commands but password for user r******d keeps prompting. I saw the use of the debugger but it doesn’t seem to work. What else can I do?

Nvm, I got root, very interesting technique. I’ll definitely try it with new machines!

@Bear said:

@TazWake said:
I feel I’ve spent several lifetimes doing that :smiley: Other than the stuff which screams out DB creds (and appear to work against the DB), I can’t get it any further. I thought I was on to something with loads of what looked like config files but nothing yet.

Still, back to stringing together long commands :smiley:

If the creds work, take a look inside.

I’m able to run queries, but can’t find anything in the DB. Am I on the wrong track?! Took me hours to find the correct syntax :slight_smile: at least I’ll remember how to do it :slight_smile:

Update: how is it possible you always get it right after posting? :slight_smile:

@icyDux said:
Got RCE working, found a few important files but I don’t know how to escalate to user. I will be glad if someone wants to discuss this box.

Hi, can you help me in priv, a lot

Rooted! Thanks to @Bear for helping with the last step of user.
Finding user was a nice journey, it took me quite a lot. Getting to root was pretty straightforward, no need for enumeration in my opinion.

Hints for user are all in the thread: enumerate with fairly large directory lists, you don’t need a shell, find all credentials, watch out for syntax.

Rooted! Thanks to @Bear @KouPreY @Blastware.

Hint for all users.

On initial foothold, it has something to do with action. So google.

On getting the user, you will gain a lot of information, but you will be limited in your capability. Some information is just right in front of you. You need to research on - if machine is going to fail, how do I backup and restore certain data.

On getting root, once you are in, you need to remember that HTB philosophy is not about brute forcing. You may want to check a Priv Esc checklist to gain more information. Certain functions rely on some modules, if we can redirect those modules, damage can be huge…

Hi @wilsonnkwan, what do you mean by ‘if we can redirect those modules, damage can be huge…’? Hmm, would you PM me about that?

@Ju577Ry said:
Hi @wilsonnkwan, what do you mean by ‘if we can redirect those modules, damage can be huge…’? Hmm, would you PM me about that?

Bro, if you need help, you’ll PM me :slight_smile:

Finally, after 3 days, I got user… Now working on root, thanks to @batman786

OK, finally I got root…
This box was really fun. If anyone needs a hint, I’m here to help.

GOOD LUCK GUYS

Haha, finally rooted when I found what was right in front of me. Thanks to @MrBlackHat for pointing out the obvious.

I am at a loss. I have gotten RCE with e3.py and gotten the user and pass in tomcat-users, but I don’t know where to use this at, am I missing something minor? The pass won’t work in /m

Good day guys, I have the manager directory but I can’t seem to get the username and password, any hint please?

Just got root :+1:
Cool box. If someone needs help PM me :slight_smile:

Ok, ■■■, this box was a hassle. It took me a while to get foothold, but it’s very easy to do, especially with some tips here.
The hardest part for me was priv esc, until I just sat there and looked at my enumerated data.
KEEP YOUR EYES OPEN. The priv esc to get root is right there in front of you.

Trying to get a foothold. I see what ‘actions’ I have to take, just not sure how to take them. Any exploits I’ve tried don’t seem to be working. Can anyone give me a nudge in the right direction?

Could someone help me with the commands used to connect to that service? As I don’t even have a tty, I don’t know how I will connect to it. The commands which I am using to list something are always giving me an error: invalid option

Edit: I am able to list databases but got nothing … any help?