Networked

Finally rooted, thanks to @blooch4 and @Hilbert advices !!

Hi guys, pretty new here and enjoying every minute. Iv’e gotten an initial shell on this box as a*****. Definitely having a hard time escalating to user. I know I am overthinking for sure. tried everything I can think of with the odd files but no luck. A DM with a slight nudge in the right direction would be much appreciated. Meanwhile, im gonna keep trying things haha

I could really use a hint for getting user.

  • I have a low priv shell.
  • I have found the script being run by the user.
  • I have stared at PHP code for way too long.
  • I can escape and run some code as the user
  • I don’t get the hint everyone gives about TOUCHING. When using that command I can create a file in the same location as the script is being run from. What am I supposed to do with that?
  • I have tried messing a lot with chown and I can get the user flag and get write rights in the directory etc.
  • I feel very limited without being able to use / in me code execution.

My brain has turned to porridge at the moment - can you please give a hint on how to proceed with what I have?

EDIT: Okay, so I just got user by some wonky use of chmod, but I don’t belive this is the way people are hinting at?

Type your comment> @S0l3x said:

trying to get root… i found the c*********.s* script but cannot find a way to gain command execution with it. I have tried all sorts of cmds for the NAME var but I just don’t see how it is executed per the code. any help via DM would be appreciated>

Ditto. Could someone give me a nudge in a PM? Also, I’m not sure it’s important but I don’t get any error messages in my reverse shell as user… Thanks.

Type your comment> @n0rdberg said:

I could really use a hint for getting user.

  • I have a low priv shell.
  • I have found the script being run by the user.
  • I have stared at PHP code for way too long.
  • I can escape and run some code as the user
  • I don’t get the hint everyone gives about TOUCHING. When using that command I can create a file in the same location as the script is being run from. What am I supposed to do with that?
  • I have tried messing a lot with chown and I can get the user flag and get write rights in the directory etc.
  • I feel very limited without being able to use / in me code execution.

My brain has turned to porridge at the moment - can you please give a hint on how to proceed with what I have?

EDIT: Okay, so I just got user by some wonky use of chmod, but I don’t belive this is the way people are hinting at?

Definitely in the same boat. Brain is mush, however still havnt gotten user.

Rooted!

User: It’s not complicated! PM me if you’re stuck

Root: Not hard but I was confused, I needed to hear from someone.
If you’re stuck PM me I’ll be happy to help you

Hi guys!
Finally got the root.
But still no clue, how does it works)
Why NE= ne b**h works?
Can anybody pm me, if found the answer

Type your comment> @n0rdberg said:

I could really use a hint for getting user.

  • I have a low priv shell.
  • I have found the script being run by the user.
  • I have stared at PHP code for way too long.
  • I can escape and run some code as the user
  • I don’t get the hint everyone gives about TOUCHING. When using that command I can create a file in the same location as the script is being run from. What am I supposed to do with that?
  • I have tried messing a lot with chown and I can get the user flag and get write rights in the directory etc.
  • I feel very limited without being able to use / in me code execution.

My brain has turned to porridge at the moment - can you please give a hint on how to proceed with what I have?

EDIT: Okay, so I just got user by some wonky use of chmod, but I don’t belive this is the way people are hinting at?

Okay, so I managed to get both user and root. Root was in my opinion much easier than the user. As far as I can see, you will have to complete this box by low priv → user → root.

I hope I am not spoiling too much - if so then just censor it, or let me know and I will leave out some details.

Low priv:
Standard enumeration should give you a quite obvious functionality on the web application that can be fairly easily exploited. When you find it, then just use a local proxy and modify the request to get around any security measures.

User:
Find the script being run by the user. Figure out how to escape the execution. I hope this is not spoiling, but the script looks at filenames. You can get code execution this way. Then be creative about how to use this newly found ability.

Root:
By doing your standard enumeration as the user - not the low priv - you will find an interesting script that the user can execute. Try to run it. In my opinion you don’t have to know what the script is meant to do exactly for this to work. Play around with the inputs to the script a bit like when you were trying to get user. I made this work by trial and error and it took me like 1/20 of the time user took.

Rooted, thanks for those who helped

initial foothold: follow ippsec techniques at the beginning of each video, enumeration, you will find interesting things, try to use them to get your shell.

User: refer to the article posted in previous pages of this forums.
root: enumerate, find interesting stuff, and try to see how you can use it.
I learned a lot from this box.

those who face a problem while trying to use sudo , see this article might help (sudo - How to run a specific program as root without a password prompt? - Unix & Linux Stack Exchange) If it’s a spoiler do inform me so I delete it

@zgordon96 said:
Type your comment> @Cooper24 said:

Type your comment> @zgordon96 said:

Can somebody please reset the box? Finally got the “thing” onto the “thing” but when i go to the “thing” page it’s just a dot… Somebody keeps either breaking it or trolling the ■■■■ out of us.

nope, that is all correct. the dot is used to be there :slight_smile:
what did you found so far?

So I uploaded the “thing”, went back to that page that shows the "“things”, but it’s literally just a dot. First time I got onto the box there was a list of all the stuff that people also placed onto that page, but now when I go back to it it’s just a dot. I imagine it cleared when it reset the box, but no matter how many times i upload it it won’t show up there, nor if I just type the name into the link… It says file uploaded, refresh gallery but there’s nothing there. Sorry if there were any spoilers, I tried to be vague

Hello All
I see the same behavior
File uploaded, go to the directory but nothing just a spot :confused:

little help please :slight_smile:

still struggling hard core on user. I feel like im so close but just cant grasp it. Might need a couple more hints. ive gotta be staring right at the answer…

Hey im pretty new could someone please point me in the right direction or give me some hints. and the web server is saying internal server error, im confused as to whether that is meant to be happening, i would appreciate any hints just PM me thanks.

ROOTED!!

Rooted. Finding the seclists.org vulnerability article is the key. You can also achive root by fuzzing the script parameter, but you will got the shell not knowing why lol

Got user shell thanks to a tip from noi.
Am able to touch a file to make a connection back to me from a dir, but all I get is another apache shell.
Literally no idea where to proceed from this apache shell.

Finally managed to figure out how I got root after getting a shell by accident. Feel free to PM for hints or how the exploit works

I just managed to get root, definitely learned a couple new things with this new box.

@nardin your tip about checking the seclist.org vulnerability was definitely a light spot for me! Many thanks for that.

Feel free to ping me in case of any doubts :slight_smile:

Finally rooted, if need help you can send me pm.

pwnd