LaCasaDePapel

Type your comment> @p0wn3y said:

Hey Everyone,

I have read all of the threads and still need some help. I went the F** route and was able to manually run the exploit and get access through telnet. I am now stuck, i have used the help command and cant find anything useful. I also found how to run system commands but a security feature is disabling me from running them. Please give me some direction.

At this point, and after a lot of posts, it’s not a secret that you are inside a PHP evironment, similar as when you execute python in a shell. Well, from this point on, fin the proper PHP functions which allow you to do things you usually do with a regular shell, like, let’s say… listing directories, reading files… among others

Hey all,

New to hacking - wannabe pentenster.

SO far I have user flag, and initial shell as p********. Struggling to work out what to do from here. I have been painstakingly looking at ne/m******e js and ii for the last few hours hitting brick walls. Is this the right train of thought? I am still fairly new to linux as a whole, so what might be obvious for some, will take me ages to work out, especially when it’s those ones where things aren’t working as they should (as I don’t know for the most part how they should be working in the first place). Any sort of hints would be awesome!

Thanks heaps!

Currently stuck on user flag, and going slightly insane with the initial shell. Any help would be very welcome! Please PM if you can :slight_smile:

Type your comment> @M0rn1ngst4r said:

Currently stuck on user flag, and going slightly insane with the initial shell. Any help would be very welcome! Please PM if you can :slight_smile:

Same boat

I have a Private Key, but can’t get it to work with any of the users, any nudge would really help

EDIT - Logged into HTTPS, now just struggling with LFI

Type your comment> @M0rn1ngst4r said:

I have a Private Key, but can’t get it to work with any of the users, any nudge would really help

You are on the right spot, if you really try the key with each user in the system then reset the server :slight_smile:

this box took me way longer that it should have. Thanks for the hints. I can finally sleep.

hint for user: analyze whats happening when you click on links. There are multiple LFI injection points. Some give you good info that is useful on the next LFI. I spent a lot of time trying upload a reverse shell with no success. Reading files with LFI is enough to get you shell on the box.

hint for root: pay attention to whats happening on the box. Like most real world servers; there are processes and/or jobs that kick off a regular basis.

I have the stable shell, what do I have to do now?
Can you please help me, by pm.
Thank you!

This is slightly odd, but has anyone run into an issue with killing the HTTPS service when attempting LFI?

I learned a lot from getting user! Like many, I overthought root. hours of work for a couple minutes of effort.

Stuck on the privesc…never really encountered cr** j**s before, so any pointers would be very welcome

user — done
ssh shell — done
Thanks for @tehmoon and @r0t13weiler for help
Now for root

@ixxelles happy to always help congrats :slight_smile:

So I believe I’m very close to successful privesc… Have an easy in back into the box with the P user, 95% sure which file is the one I need (based on permissions), but I’m at a loss of how to use it.

@lattethunder if you think of permissions your going to lose track just focus on the file type

Anyone here can help me? I have been trying to use ***0 port for exploiting but then after some time it automatically closes and then i have to reset the machine to be able to do so again! Any one who has faced this issue and can tell a solution?

Type your comment> @hostilenode said:

This is slightly odd, but has anyone run into an issue with killing the HTTPS service when attempting LFI?

Use echo with -n flag to code … in case you want to code something of course :smiley:

Spoiler Removed

Type your comment> @r0t13weiler said:

@lattethunder if you think of permissions your going to lose track just focus on the file type

Rooted! Stumped me for a while but some much needed hints from @r0t13weiler got me going in the right direction. This community is awesome.

@ixxelles said:

@Kinjo said:

@hostilenode said:

This is slightly odd, but has anyone run into an issue with killing the HTTPS service when attempting LFI?

Use echo with -n flag to code … in case you want to code something of course :smiley:

Or use wellnow online service for encode in base64

Ah ■■■■’t. I had used websites like that in the past but was using the command line this time. I hadn’t thought about the need of the -n flag on echo.

I ended up working around the issue with a symlink, but I’ll try it again tonight just with the more straightforward LFI.

Thank you both.