Stratosphere

I need help with privesc. I’ve already seen the privileges I have to run the script; I did it and the root script doesn’t exist. I tried to edit the commands but it keeps prompting for the password for user r******d. I saw the use of the debugger but it doesn’t seem to work. What else can I do?

@Blastware said:
I need help with privesc. I’ve already seen the privileges I have to run the script; I did it and the root script doesn’t exist. I tried to edit the commands but it keeps prompting for the password for user r******d. I saw the use of the debugger but it doesn’t seem to work. What else can I do?

Nvm, I got root, very interesting technique. I’ll definitely try it with new machines!

@Bear said:

@TazWake said:
I feel I’ve spent several lifetimes doing that :smiley: Other than the stuff which screams out DB creds (and appears to work against the DB), I can’t get it any further. I thought I was on to something with loads of what looked like config files but nothing yet.

Still, back to stringing together long commands :smiley:

If the creds work, take a look inside.

I’m able to run queries, but can’t find anything in the DB. Am I on the wrong track?! Took me hours to find the correct syntax :slight_smile: At least I’ll remember how to do it :slight_smile:

Update: how is it possible you always get it right after posting? :slight_smile:

@icyDux said:
Got RCE working, found a few important files but I don’t know how to escalate to user. I will be glad if someone wants to discuss this box.

Hi, can you help me in priv, a lot

Rooted! Thanks to @Bear for helping with the last step of user.
Finding user was a nice journey, it took me quite a lot. Getting to root was pretty straightforward, no need for enumeration in my opinion.

Hints for user are all in the thread: enumerate with fairly large directory lists, you don’t need a shell, find all credentials, watch out for syntax.

Rooted! Thanks to @Bear @KouPreY @Blastware.

Hint for all users.

On initial foothold, it has something to do with action. So google.

On getting the user, you will gain a lot of information, but you will be limited in your capability. Some information is just right in front of you. You need to research: if a machine is going to fail, how do I back up and restore certain data?

On getting root, once you are in, you need to remember that HTB philosophy is not about brute forcing. You may want to check a Priv Esc checklist to gain more information. Certain functions rely on some modules; if we can redirect those modules, damage can be huge…

Hi @wilsonnkwan, what do you mean by ‘if we can redirect those modules, damage can be huge…’??? Hmmm, would you PM me about that?

@Ju577Ry said:
Hi @wilsonnkwan, what do you mean by ‘if we can redirect those modules, damage can be huge…’??? Hmmm, would you PM me about that?

Bro, if you need help, you’ll PM me :slight_smile:

Finally after 3 days I got user… Now working on root thanks to @batman786

OK, finally I got root…
This box was really fun. If anyone needs a hint, I’m here to help.

GOOD LUCK GUYS

Haha, finally rooted when I found what was right in front of me. Thanks to @MrBlackHat for pointing out the obvious.

I am at a loss. I have gotten RCE with e3.py and gotten the user and pass in tomcat-users, but I don’t know where to use this. Am I missing something minor? The pass won’t work in /m

Good day guys, I have the manager directory but I can’t seem to get the username and password, any hint please?

Just got root :+1:
Cool box. If someone needs help PM me :slight_smile:

OK, ■■■, this box was a hassle. It took me a while to get a foothold, but it’s very easy to do, especially with some tips here.
The hardest part for me was priv esc, until I just sat there and looked at my enumerated data.
KEEP YOUR EYES OPEN. The priv esc to get root is right there in front of you.

Trying to get a foothold. I see what ‘actions’ I have to take, just not sure how to take them. Any exploits I’ve tried don’t seem to be working. Can anyone give me a nudge in the right direction?

Could someone help me with the commands used to connect to that service? As I don’t even have a tty, I don’t know how I will connect to it. The commands which I am using to list something always give me an “invalid option” error.

Edit: I am able to list databases but got nothing … any help?

Can anyone DM for a nudge on getting user?

got root thanks

Has anyone here got root.txt in a root shell? I got a root shell before the .py file is run, but now when I try again it doesn’t work. I think there is more than one way to root this machine. Is there any problem here? Can we PM to discuss it?

[Update 1]
OK, there are at least 2 ways to get root.txt: the 1st one is to get a root shell and get root.txt, the 2nd is some trick with a module. I did the 1st one the first time but now it doesn’t work and I think it’s an unintended way; I’ve just done the 2nd one to get root.txt again. Is anyone who rooted this machine happy to discuss the idea?
[Update 2]
Ahhh, I think I’ve understood the whole thing. Priv esc is cool and there is only one way to get it without solving the hashes. Thanks to the author. If anyone needs a hint, feel free to PM, and Google is king.

P.S.: Some people who got root on this machine should reset or delete all the files that they’ve created.