Traverxec

Need help to get root user…
I am trying to get the command from GTFObins but someone told me to put the terminal smaller… i put terminal to show only one char but still doesnt work… and is it the last command in the server-stats.sh??

Type your comment> @notdeltron64 said:

so I had the same issue where you get absolutely no feedback in the terminal. type “shell” by itself and it should provide some ease in reading

In the meantime I’ve managed to transfer the tgz file blind by trial and error, unpacked it, and cracked the password. Logged in and got the content of a file in /home/user/

Thank you for the shell tip! I’ll remember it for next time.

Type your comment> @dirtyred said:

Hello!

I need some help. So far I gained access to the box with CVE 20**-8 exploit and /x/r_p**l payload but I’m having issue with commands. ls command lists everything, cd, base64 doesn’t work. I got the content of nh.f and .ht**d. Also have the username and hash which is 35 bytes long so I don’t know what to do with it.

Found the home/user/p*****_***/ dir in which I’ve found a tgz file which I unpacked but can’t cd or ls the home/user/.ssh/.

This shell is pretty dumb, not getting much response back from it. Any help is appreciated!

after u get the shell just change it from sh to bash(google how to spawn bash shell, its pretty easy, also this box is about how linux is structured from the ground up) take notes of the permissions for files and dir

wow finally got root , annoying how it was right infront of your face the whole time
thanks

Type your comment> @eliotnovel said:

after u get the shell just change it from sh to bash(google how to spawn bash shell, its pretty easy, also this box is about how linux is structured from the ground up) take notes of the permissions for files and dir

Will redo this whole box again after a good sleep. I’m learning alot pretty fast and that makes me happy. I’m writing down everything I find so it will be always at hand.

Tomorrow I’ll get to work on root and already have some ideas.

Thank you for the tips!

User was 10000% harder than root on this one.

Shell: SGT Google gave me the PoC to run some RCE. Its pretty simple and you are able to get revsh with it pretty easily (a revsh capable tool is already installed on the box). Ran basic enumeration and strafed around the dirs with my revsh until I found a hash. Cracked the hash and then went after services. The main service has its conf in plaintext, which gives you a good place to start digging (dir traversal = 404, not so much in your low shell). Finding the tgz and exfiltrating with the same thing I built my revsh with (you could also get it through a browser by using the cracked hash, .htaccess is a friend).

User: Crack the guts of the tgz and use the stuff inside to get some action on 22. Enumerate the users home dir, keys to root are right there.

Root: Like everyone else said, GTFOBINs are your friend. Its spelled out in the ******.sh in the user dir.

Rabbitholes I fell down: MooCows dont graze here, perl’s arent that shiny, gtfobins dont work without without getting user first, MSF revsh’s die after about 30seconds and arent worth it.

Fun box, but stop making us crack hashes to get to the end. Or, if youre gonna make us crack hashes, give us an idea of what dict to use (or just stick to rockyou for everything…). Im here to learn cool skills, not wait for hashcat to run a job.

If anyone needs halp, hit me up. Im no expert but im always down to help folks out. :3

Type your comment> @ghostuser835 said:

Need help to get root user…
I am trying to get the command from GTFObins but someone told me to put the terminal smaller… i put terminal to show only one char but still doesnt work… and is it the last command in the server-stats.sh??

You are on the right track. DM me, if you need a nudge.

Hi,
I have the low priv shell but i’m stuck to get the user, i know that i have to play with the c**** command… Can someone give me a hint?

id

uid=0(root) gid=0(root) groups=0(root)

Thx @jkr for this box. Very intresting. I learned a lot new thing.

Hint for root: just try to change something in your terminal. Do not focused on command name, which was mentioned here. Read the manual for keyword (already been mentioned here).

PM if you stuck.

Ya, okay, I’m stuck. Been on this for a few days now, it’s my first box.

I found the c**** dir and the interesting optional settings. I go to /~d*** in browser but don’t see anywhere to plug in the cracked pass from the .h******s file. I’m at my wits end and need some help. Please PM me.

Type your comment> @kingd0m said:

Ya, okay, I’m stuck. Been on this for a few days now, it’s my first box.

I found the c**** dir and the interesting optional settings. I go to /~d*** in browser but don’t see anywhere to plug in the cracked pass from the .h******s file. I’m at my wits end and need some help. Please PM me.

This type of situation is one of the most difficult decision makings. You get some “interesting/unusual/usually important” data and believe you can use it somewhere to solve a problem, but you cannot use it successfully. Is it a way to the user/root access or a rabbit hole?

My general advice is very simple: If you cannot use it immediately, I recommend you to make a note and move on.

in this case this data can be used in your hacking process after you find the name of a hidden directory. But at that situation you will have more simple method to gain user access.

root@traverxec:~# id
uid=0(root) gid=0(root) groups=0(root)

fun box, root really annoyed me

PM me if anyone needs a nudge

Got root. Still not 100% sure what’s the connection between trd ls mentioned in the man of j*****l and gtfobins example (I suspect it’s something similar to an overflow or the execution doesn’t stop until all lines are displayed) but after playing with it a bit it finally worked.

Could someone please point me in the right direction to learn more about it or explain it to me in a DM why it works?

Also, the exploit sometimes worked but many times it didn’t and had to rerun it. Not sure if my fault or just something random.

Thank you all for your help!

Edited before anyone sees my initial post :smiley:

Got shell into machine like everyone else. Got the password/hash from the conf file. Can’t seem to crack. Having fun with this but I am stuck. Need help plz dm me.

Type your comment> @TheMadGo65 said:

Got shell into machine like everyone else. Got the password/hash from the conf file. Can’t seem to crack. Having fun with this but I am stuck. Need help plz dm me.

Don’t waste time with the conf file. You have shell so try to get into the user’s home folder and you’ll find something suspicious there. If you don’t know the user’s name then you’ll find it in one of the files.

I was able to get user and root on this but I have a question regarding root because I dont understand why it worked the way it did. Can someone please PM me to discuss?

Thanks

I dont understand how gtfobins will help me

Type your comment> @dirtyred said:

Hello!

I need some help. So far I gained access to the box with CVE 20**-8 exploit and /x/r_p**l payload but I’m having issue with commands. ls command lists everything, cd, base64 doesn’t work. I got the content of nh.f and .ht**d. Also have the username and hash which is 35 bytes long so I don’t know what to do with it.

Found the home/user/p*****_***/ dir in which I’ve found a tgz file which I unpacked but can’t cd or ls the home/user/.ssh/.

This shell is pretty dumb, not getting much response back from it. Any help is appreciated!

same problem …please give us a hint or tip…

@dirtyred said:
Type your comment> @notdeltron64 said:

so I had the same issue where you get absolutely no feedback in the terminal. type “shell” by itself and it should provide some ease in reading

In the meantime I’ve managed to transfer the tgz file blind by trial and error, unpacked it, and cracked the password. Logged in and got the content of a file in /home/user/

Thank you for the shell tip! I’ll remember it for next time.

can you pm me how you do transfer the tgz file…