Wall

Hi, I’ve been stuck on the wall too much. I have discovered .php, p**.php, /m*********/ and /c*******/. So I have a web login page of a vulnerable web app that requires authentication to be exploited.
Any suggestions? Please, it is so frustrating …

Finally ROOTED ! :smiley:

I wouldn’t have succeeded without some help modifying the CVE c****** to get the first shell.
(Thx @JadeWolf)

After that, for the privesc, you need to find the right exploit.
DM me if you need help.

wrongpost

PM for Nuggets

Hack The Box

Hi,
I’m hoping someone can help me?

I’ve managed to get into the C******* system and have found the CVE, which I have modified to get RCE via both the script or manually through editing in the Web App and using Burp.
I know the RCE is working as I can ping myself and see requests coming back with tcpdump and also read back results of commands I’ve passed (e.g. running whoami or ls commands). Whatever I seem to try though, I’m not able to get an interactive reverse shell to work using this method. I’ve tried multiple types but none of them connect back? (I’m guessing due to the same thing that made getting the RCE working difficult)!
Should I be able to get a reverse shell from here or do I need to enumerate further to get a shell?

TiA

@XsecSploit said:
Hi,
I’m hoping someone can help me?

I’ve managed to get into the C******* system and have found the CVE, which I have modified to get RCE via both the script or manually through editing in the Web App and using Burp.
I know the RCE is working as I can ping myself and see requests coming back with tcpdump and also read back results of commands I’ve passed (e.g. running whoami or ls commands). Whatever I seem to try though, I’m not able to get an interactive reverse shell to work using this method. I’ve tried multiple types but none of them connect back? (I’m guessing due to the same thing that made getting the RCE working difficult)!
Should I be able to get a reverse shell from here or do I need to enumerate further to get a shell?

TiA

I was able to make a basic interactive by modifying the exploit. Basically put the CVE exploit into a while loop, but that’s as far as I have gotten. Did you try connecting back to your HTTP server?

I am stuck on what to do next. Found the .p and p***.php and /m********. Is there something else I’m missing???

Rooted. Thanks to @lmal for the hints.

Feel free to PM me for tips.

OK, found c******* but did not get into m********.
Do I need to get in there first, because the CVE asks for creds?

@coolZero1473 said:

I am stuck on what to do next. Found the .p and p***.php and /m********. Is there something else I’m missing???

Try testing what you found with request methods other than GET.

@madhack said:
OK, found c******* but did not get into m********.
Do I need to get in there first, because the CVE asks for creds?

I was able to brute force the password; others are saying that isn’t necessary. I’d like to know how they did it.

I managed to get user, but unsure how to escalate to root now…

.

Rooted. Man, I have mixed feelings about this box. On the one hand there were some parts of this that were needlessly/unrealistically annoying, like the 403 errors during the user portion. On the other hand I learned some things and found new ways around filters because of this box.

Can someone give me a tip/PM for implementation of the priv escalation? I think I am on the right way. But the sticky CVE thing doesn’t let me pop a root shell. When I try to reverse shell I can’t redirect stdin/out for known reasons.

@cr0ssbon3s said:

Rooted. Man, I have mixed feelings about this box. On the one hand there were some parts of this that were needlessly/unrealistically annoying, like the 403 errors during the user portion. On the other hand I learned some things and found new ways around filters because of this box.

Any hint to avoid the 403 on the user phase (m***.g**.p**)?

Finally rooted! I have gained the knowledge on Cen****n and WAF filters.

Thank you guys for providing the hints @r0xas and @zachosk

The previous comment was meant for the postman box, sorry about that. I hope I didn’t throw anyone off. My previous post has nothing to do with this box at all. Here - http://urfsecurity.info/posts/linuxprivesc/ please remove if this is a spoiler.

I’ve already modified the script many times; the standard one didn’t get the right token. But requests to m+++.g++.p++ always get 403.

NVM got it. First time it didn’t work… PM me if you need help.