Sniper

Done & Dusted! Kudos to @MinatoTW & @felamos for a fun and challenging box.

still on my way to initial foothold. I’m sharing my script on S** service. when I execute the request to get a ping back, I see this in the service log:
[*] Incoming connection (10.10.10.151,49868)
[*] AUTHENTICATE_MESSAGE (\,SNIPER)
[*] User SNIPER\ authenticated successfully
[*] :::00::4141414141414141
[*] Handle: 'ConnectionResetError' object is not subscriptable
and the connection is closed again. Anyone wanting to check with me, if this is a mistake in my syntax or a bug in the service script?

thanks in advance

PS C:\Users\Administrator\Desktop> whoami
whoami
sniper\administrator

I believe this CEO will stop mobbing.


thanks to @oranath I finally got a web shell and enumerated for hours. But the only thing I got is some dbcreds. Don’t know how to use them for getting to User C****. Also tried getting reverse shells going, but PS seems to be limited from the “indian” web shell. so also don’t know how to “switch” users with this.
Any hints would be appreciated. Thanks :slight_smile:

EDIT: is the DB important? should I try to get info from there? didn’t get mysql cmd to work. Maybe a more manual way then?

@jstnlmb2008 said:

Hi tupi,

Welcome to htb.

It’s been a while since I completed this one but you essentially have to make a listener on your device, then using the lfi you found get the page to call a script to progress you further.

I struggled here for a while but if I could give you a hint, don’t use a http or https listener. Instead think of other protocols that allow file access.

I also distinctly remember that only 1 script seemed to work and I had to Google a lot to find one that worked.

Your hint for not using http is a big big help for me. Did not even know such a thing is possible. Thanks

@theonemcp said:

EDIT: is the DB important? should I try to get info from there? didn’t get mysql cmd to work. Maybe a more manual way then?

nope, just try to switch user

Could somebody give me a nudge how to weaponize the file my CEO left undone, root? tried different things but none of them work.

@peek said:

@theonemcp said:

EDIT: is the DB important? should I try to get info from there? didn’t get mysql cmd to work. Maybe a more manual way then?

nope, just try to switch user

I still need the creds for that user, right? or is there a way to switch w/o creds. I still have that limited webshell. So I doubt switching users will work there.
PS doesn’t seem to work and all one-liners I tried so far need a password. :frowning: Any hints to how to go about this?

Spoiler Removed

@ShadowSuave said:

Just started this machine and I’m lost lol I’m currently trying to host a php from sa server, and access/execute from the ?lang= am I completely off base here? I can access the share from s****t but getting the page not found page from the webpage

nope you’re not off base, you’re exactly where you need to be. I wouldn’t worry about what the web page shows - just see if your payload got accessed/triggered.

Can someone assist me with the lfi? Or DM me and I can explain how i’m attempting the initial foothold. kinda new to this attack method.

@VbScrub said:

@ShadowSuave said:

(Quote)
nope you’re not off base, you’re exactly where you need to be. I wouldn’t worry about what the web page shows - just see if your payload got accessed/triggered.

I feel like i’ve tried every type of encoding, wrapping, etc. at this point I’m wondering if it’s a problem with my share. is there a way to test that? (I’ve tested in smbclient and seems working) I’ve tried every technique I can find for this RFI and still nothing :confused: I know i’m definitely missing something here lol

@ShadowSuave said:

I feel like i’ve tried every type of encoding, wrapping, etc. at this point I’m wondering if it’s a problem with my share. is there a way to test that? (I’ve tested in smbclient and seems working) I’ve tried every technique I can find for this RFI and still nothing :confused: I know i’m definitely missing something here lol

Sounds like I had the exact same problem. Do you see errors in the log of your share?
for me the script for getting a server, was the problem. the box was trying to fetch the script, but the connection got always closed.
I had to actually fire up/configure a server, and NOT use the usual script, to make it work

it seems that the rfi is not the intended way, found stuffs for another exploit, didn't root yet.

Hey Boss,
I’ve done with my tasks and I’m awaiting new challenges.
KR C****

I think the hints are already really comprehensive and I can only add where I was stuck:
Foothold: RFI is not limited to HTTP.
User: if you have creds, use them.
Root: Don’t stop enumerating if you think you have what everybody in the forum is speaking about. Think about places which were not accessible in earlier stages.

@theonemcp said:

@ShadowSuave said:

I feel like i’ve tried every type of encoding, wrapping, etc. at this point I’m wondering if it’s a problem with my share. is there a way to test that? (I’ve tested in smbclient and seems working) I’ve tried every technique I can find for this RFI and still nothing :confused: I know i’m definitely missing something here lol

Sounds like I had the exact same problem. Do you see errors in the log of your share?
for me the script for getting a server, was the problem. the box was trying to fetch the script, but the connection got always closed.
I had to actually fire up/configure a server, and NOT use the usual script, to make it work

Yeah, I realized it was my payload that was the issue lol I eventually managed to get a meterpreter shell with a different pl but the session dies within 30 seconds. Gonna see if I can get something else working

Finally got user yesterday. Big thank you to @peek for being so patient with me.
Still don’t know why I had to do it a little bit different to make it work?
Now on to root, I’m currently looking for that file everyone is talking about…

i got user but i need hint for root :neutral: pls help mee

Rooted this box. I agree with guys who said that the root is a bit weird. Exploit is unstable.

this box is kicking my a**, I have creds and have an idea of how im supposed to use them, but I’m stuck in this webshell and can’t seem to get an actual shell… I’ve tried uploading payloads via the webshell, i’ve tried executing a payload straight from my share… used exe, pdf… nothing seems to be working, where am i going wrong here?

Edit: got a shell ? creds are incorrect?(guess I’m using them wrong) ? this box is beating me up lol