Writeup

Rooted… thanks to @jkr and working the second half with @djdale3. It benefits us to work in pairs or even teams on some of these boxes; it makes a huge difference. I have no hints other than what’s already been said on this forum.

Great Box, learned a lot.

Big Respect to @HEXE and @deafheaven for the help at the last PE part!

P.M me for hints if you need help :wink:

@AfricanHippo said:

@doates12 said:

For the exploit for user, should I be using the /w****** or the /w******/a**** path?

Focus on the /w****** path - find a tool that can help identify what the website is running (databases, language written in… etc…) then find which one of the services are vulnerable

If u check the source code of the /w******* page u actually don’t need any tool for enumeration, though the tool may come in handy on other machines :wink: … I’m stuck too, on the login page … searching Google got an exploit on /w*****/a**** but no luck there either. Any help much appreciated.

Rooted!! Thanks and respect to @Shad0wQu35t

I’ll leave my mark on Root as it was the most difficult part for me.
What you want to use is a process monitor, the one told here was the best (p**y).
Once you get it to work, you may need to interact with it, maybe doing what you used to get here.
You have to follow the PATH, even if it keeps changing, so you will have to see how to make it not change; you should look for it if you are as lost as I was. IppSec’s Lazy Machine explained it very well, and documentation of PATH comes in handy.

Once you’ve done all of that, creating a file (in a writeable) called as what you’ve been monitoring all time should get you the reverse shell!

I hope all of this works to the person struggling with the box!
Thanks to @jkr for this amazing box! I’ve learned a lot of privesc :blush:

Straightforward box, very reminiscent of the OSCP lab machines. User is fairly straightforward through CVE. Privesc was pretty simple, but required a decent understanding of the Linux environment to pull off. PM for hints/nudge. If you’re fairly experienced with HTB/CTFs, this will be a quick 0 to root in about an hour or two.

If you are struggling on privesc, check out pspy. Some of the other comments on here made it seem like it was alr on the box; I had to upload it myself. Check out what runs on the box and how your current permissions can be used to “trick” these processes. There is another comment on here referencing an ippsec video, you should prob find that.

Ready!! i got root some days ago, if you need some hints could you send me a DM…

User: Use a CVE and make sure that URL works, after this it’s a piece of cake

Root: Be careful with the cleaner and use pspy with other users, permissions are very important

Rooted!
My summary for this machine:

  1. Enumerate all
  2. Basic enumeration but in this case to a popular port
  3. The CVEs are really helpful
  4. Don’t forget the salt!
  5. Here we can use the phase one :smiley:

Hint: Some pages are distracting.
Hint2: I am a noob in these topics and did it by only reading the first three pages of this discussion; if I could do it, you can too!

After a couple of weeks, rooted! Thanks to @OruX, @albertojoser and @GibParadox. If anyone needs a hint, PM me.

Yaay, finally rooted. The user was easy but the root was kind of tricky.
If anyone needs hints, PM

Hi, I’m having a lot of problems using w*** on the machine in order to get pspy. I don’t know if it’s the VM I’m using (VirtualBox), but I spent the past 6 hours trying to figure out how to download the pspy binary and it’s impossible. It starts downloading and after 1.31kbs it stops and doesn’t download anymore. From local I can use the server as a normal one and it works perfectly. Does anybody know what the problem is? Is it my VM or something else?

Thanks in advance

@sudogetgud said:
Just got root! Protip: The ippsec LAZY video is most useful starting at 18 mins in!

You are the real MVP! Have been stuck on this for a couple of weeks, going back and forth, and had all the details in the puzzle, but didn’t know how to use them.

On the initial foothold I cannot get my exploit to work because I get the error:
ImportError: No module named termcolor

How do I get this to work?

If I specify python3 then I get a bunch more errors.

Edit: I downloaded termcolor and am using python2 but still getting a bunch of errors…

@iQimpz said:

On the initial foothold I cannot get my exploit to work because I get the error:
ImportError: No module named termcolor

How do I get this to work?

If I specify python3 then I get a bunch more errors.

Edit: I downloaded termcolor and am using python2 but still getting a bunch of errors…

read the error and try to understand
try pip install termcolor

Finally rooted it, some rabbit holes that drove me crazy

I’m just gonna leave this here for whomever needs this. Root was tougher than I expected on this box.

https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/
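
Added example (not part of any post in this thread): a defender-side audit of the condition several posts above point at, namely a directory on a privileged process's PATH that accounts other than root can write to. The function name `audit_path` and the sample directories in `demo` are constructed for illustration; pass it the PATH value the root-owned job actually runs with, which may differ from your own shell's.

```python
import os
import stat
import tempfile


def audit_path(path_value):
    """Return (position, entry, problems) for each risky entry in a PATH string."""
    findings = []
    for pos, entry in enumerate(path_value.split(os.pathsep)):
        problems = []
        if entry in ("", "."):
            # An empty PATH element means "current directory" to the shell.
            problems.append("resolves to the current directory")
        elif not os.path.isabs(entry):
            problems.append("relative path")
        else:
            try:
                st = os.stat(entry)
            except OSError:
                problems.append("does not exist")
            else:
                if not stat.S_ISDIR(st.st_mode):
                    problems.append("not a directory")
                if st.st_mode & stat.S_IWOTH:
                    problems.append("world-writable")
                if st.st_mode & stat.S_IWGRP:
                    problems.append("group-writable (gid %d)" % st.st_gid)
                if st.st_uid != 0:
                    problems.append("owned by uid %d, not root" % st.st_uid)
        if problems:
            findings.append((pos, entry, problems))
    return findings


def demo():
    """Constructed sample: a group-writable directory listed ahead of a locked-down one."""
    with tempfile.TemporaryDirectory() as root:
        loose = os.path.join(root, "local-bin")
        tight = os.path.join(root, "bin")
        os.mkdir(loose)
        os.chmod(loose, 0o775)   # writable by the owning group
        os.mkdir(tight)
        os.chmod(tight, 0o755)   # writable by the owner only
        return audit_path(os.pathsep.join([loose, tight, ""]))


if __name__ == "__main__":
    # Audit the PATH of the current environment; position 0 is searched first.
    for pos, entry, problems in audit_path(os.environ.get("PATH", "")):
        print(pos, repr(entry), "; ".join(problems))
```

A flagged entry matters most when it sits at a lower position than the directory holding the real binary, because a command invoked without an absolute path resolves to the first match.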

Rooted, ask help if u want. hints user : kali enum tools + cve ; root : pspy, look for paths

Any1 else have issues when executing the python exploit 46***? It will crash out when trying to crack the password or often display garbage results that I know to be bogus and simply just crash out at some stage. Some results differ each time I run it. Using Parrot atm, but issues running it too on Kali. Anyone know the reason or encountered this problem?

@Pwn2D4 said:

Any1 else have issues when executing the python exploit 46***? It will crash out when trying to crack the password or often display garbage results that I know to be bogus and simply just crash out at some stage. Some results differ each time I run it. Using Parrot atm, but issues running it too on Kali. Anyone know the reason or encountered this problem?

I wasn’t… PM me and tell me what stuff you are putting in the .py…

Can someone PM me a hint, I found some pages, but I don’t think I found them all, as enum is prevented … I’m probably missing something obvious…