onetwoseven

Have gotten a reverse shell and am working on root.

Is s*** /usr/bin/a****** u***** a rabbit hole, or should I continue along that path?

Well there is interesting thing I’m seeing there after running reverse shell command!
EDIT: Lol I was doing something a terrible wrong

Anyone have some hint for start ? I am able to upload via sftp, but php seems do not work :frowning:

Can someone please help… As stuck after the sftp access… Tried with many reverse shell for image or php none of them are working…

1 2 7 3
Gotta use sftp. :slight_smile:

Is the final step for root just a** takeover? Or am i just chasing ghosts here

Type your comment> @FlameOfIgnis said:

Is the final step for root just a** takeover? Or am i just chasing ghosts here

I’m in this same spot thinking the same thing.

so the sftp part was easy but not sure where to go from there … able to upload but not get callback … any hints?

Type your comment> @kilo5150 said:

so the sftp part was easy but not sure where to go from there … able to upload but not get callback … any hints?

same boat :slight_smile: i play with c** and g** maybe the right way but now just stuck any hint will be welcome :smiley:

Wow, really nice box @jkr, I liked that privesc, something we haven’t seen on HTB yet.

Spoiler Removed

This is really a great box, congrats @mprox for the bloods and super thanks to @jkr for this awesome box. That privesc is something special…

How on earth do you get anything through the uploader…? :scream:
Keeps on showing ‘success’ but files don’t appear anywhere… :skull:

Really nice box so far, but I’m stuck in on the priv esc from the shell. Found some interesting files, including the command a****** u***** which under some circumstances can be exploited to gain escalated privileges. However, it seems that the config files, etc., are hardened too much to take advantage of this method.

Been enumerating the system a couple of times now, maybe I’m missing something simple, maybe not. But I just keep getting drawn by the aforementioned command. Will someone PM wether it’s the path to walk or not?

Got user, thanks to some insight from Pavel!
Working on root. Haven’t found this upload plugin people are talking, but I think it has something to do with a hidden link but 6** is filtered. I tried to forward my way in, but the site wants what it wants. Name is making a lot more sense now, not sure how to get access to a***** page. Any hints?

Type your comment> @anamus said:

How on earth do you get anything through the uploader…? :scream:
Keeps on showing ‘success’ but files don’t appear anywhere… :skull:

If you know how the scripts work, you should be able to tell what happens to your upload - and what doesn’t :slight_smile:

@jkr that root was awesome!! Thanks a lot for this box!!

Can someone confirm, are we supposed to be able to get PHP to execute for the intial backdoor? Or something else?

got stuck after SFTP access … any hints what to do next. and i’m not able to upload shell in sftp. stuck!!! need help.

What a ride this weekend was for me seeing my box submission being released.

I did not think about something like stage fright before 7 UTC on Saturday but I must admit although I tested the box and tried to check every detail I was not sure if the box mechanics will work out. Also the longer I waited for the box to be released the more I was thinking if you as the HTB community might like the box or not.

I must say I was happy when the first blood for user was spilled so I knew someone found a way in and when @mprox got first root blood (to me astonishingly and impressive fast - kudos to you!) I was really delighted it all worked well.

During the first 6 hours I also had a look onto the server on eu-free-1 and sometimes watched and enjoyed watching you guys doing all the things on the machine. To me it looked kind of responsive most of the time - with the first reset after 4 hours as an additional good sign to me. I quickly learned that the HTB community is a real creative one finding the way to user and root. Good luck to all who are still or are not yet on their journey.

The very positive feedback I have gotten so far in this thread and via PMs (from the people who solved it and from those who gave some preliminary feedback while still on their way) makes me even happier! I really appreciate this very much! Thank you all for your support.