onetwoseven

I am completely lost on this one! I have SFTP access… i can “proxy commands” using a SFTP flag but i can’t figure out how to tunnel correctly since i can’t get direct ssh connection!

I’ve even tried a tool i’ve used before, ch**el which helps with tunneling, and i was able to get it working, the client connects to my server but still cannot access the high port :-/

Could someone PM? I am really lost a the moment :frowning:

Thanks

I have finally rooted it. What a box, epic, terrible, painfull, long, wonderfull… Thank to @bullsonparade , @m4xp0wer, @sv1 for their valuable hints and support.

Looking for a nudge on a**-g** vector. Also, I think I blew by user flag =/
I’m working with the shell after plugin upload. Any help would be greatly appreciated.

PS: i linked /etcTill now i have the SFTP creds, and i am able to upload files and view it in the browser. Also I have tried linking a few files and accessing it. Succeded. But now i am kinda lost. I don’t know what EXACTLY i should do./passwd to see the list of all users.

any nudge?

and here i came across something unusual. it seems that you just can’t include /etc/ p a s s w d in comments

remove spaces in passwd

that was funny, lol. however any hint from here on?

can someone pm me some hints on root part?

Can I get some help on uploading the P*P shell via the admin page? Maybe I’m overlooking something I should know, but I just can’t figure it out.

Stuck on the final step, aka root via -***. Please DM me with details, feel like I am just banging my head against the wall and thinking just the syntax is the problem

Got user and currently sitting at upload stage. Not really sure about next move. It’s nudge nudge time…

i got my rev shell last night, lost it, got it back this morning. NOW i am stuck at enumerating stuff. Can’t wget. Any nudge?

Good box. All hints in this thread. Read it and think.

Got user! That was a ride, never exploited a box like this before :slight_smile:

Type your comment> @jaras said:

Type your comment> @virtualgoth said:

OK, I think I need some more help here… SFTP really seems to be a dead-end. I’ve looked at all the commands and none of them seem useful to me I’ve looked at all the commands with help, tried ridiculous stuff and nothing is working. I’ve tried tunneling to the high port and SSH tells me to ■■■■■■ off. I don’t need the whole Scooby-Doo rundown but I’m struggling here peeps. Any other suggestions?

SFTP is not a dead end. Think about how Apache may interpret some information differently than the SFTP environment. SSH tunneling does not require terminal connection, if you pass the correct option to it.

for those struggling with sftp. Any hint after that is a spoiler

I have tunneled correctly but keep getting forbidden on everything. Can someone dm me a hint?

Spoiler Removed

For the last step of root, it seems like it can be done by combining some readily available tools on a typical Kali box, or you can roll your own (trying not to give a spoiler here) – I’ve gotten this as a hint. I have already tried the former and now I’m trying the latter. I have my own custom solution that should work, but seemingly due to the intricacies of a** I get some weird behavior based on what I use as a “backend”.

Could someone that also wrote their own solution perhaps give me a message so I can discuss my solution with them and perhaps learn why mine doesn’t work yet?

I also had some weird behavior reaching a certain port earlier on the box and I’m starting to wonder if this is related to my problems with the root part.

Edit: Got root. There is no need to write your own custom solution for the p**** server part like I did, it only complicated everything a lot. Thanks to those that decided to help me!

Hi. Need a help with privesc part on onetwoseven box) PM me please)