Registry

I’m still fighting with the second user, but I’ll have a question for the seasoned pentesters. I have created a setuid.c file (I compiled it), which sets the suid and guid to w**-d***, I managed to upload this file through the webapp (via webshell), so the owner of the file is w**-d****, I set the suid bit, I ran the file with user b***, and I could not escalate to w**-d***. Why is that? I checked the fs, and there should not be a nosuid mount. Any ideas?

An “x509: certificate signed by unknown authority” error indicates I’m on the right track?

I think I got user the not intended way, I was able to ssh in with what I pulled from the blobs, then reset the box because it was giving me issues and now I can’t ssh :neutral:

EDIT: Disregard - it was the intended way, I had a typo :blush:

@nando740 said:

An “x509: certificate signed by unknown authority” error indicates I’m on the right track?

The certificate will give you a clue about what website to visit

@gu4r15m0 said:

@nando740 said:

An “x509: certificate signed by unknown authority” error indicates I’m on the right track?

The certificate will give you a clue about what website to visit

I visited 2 APIs from the registry. The above error is when trying to d*** ln or d** p***.

@nando740 said:

I visited 2 APIs from the registry. The above error is when trying to d*** ln or d** p***.

The certificate error/warning is irrelevant, it is expected as the certificates are self-signed.
Are you using wget to download something? Try --no-check-certificate
If you are using curl, try -k

@gu4r15m0 said:

@nando740 said:

I visited 2 APIs from the registry. The above error is when trying to d*** ln or d** p***.

The certificate error/warning is irrelevant, it is expected as the certificates are self-signed.
Are you using wget to download something? Try --no-check-certificate
If you are using curl, try -k

I can download things. But trying to pull from the registry with d***** p***, always gives that error. Same for login to the registry with d***** l****.

Are the files I upload supposed to disappear? Can’t find a way around it :neutral:
Any nudges?

@gu4r15m0 said:

Are the files I upload supposed to disappear? Can’t find a way around it :neutral:
Any nudges?

Yea, gotta be fast.

Finally rooted. Thx for this cool box!

Solved my problem. Got user. On to root.

Does any1 have some FAIR documentation how the f* the r***** works? I cannot set up my server :S

Stuck on a login page for the c*s. :confused:

Done!

Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)

  System information as of Tue Mar 10 05:37:54 UTC 2020

  System load:  0.0               Users logged in:                1
  Usage of /:   5.6% of 61.80GB   IP address for eth0:            10.10.10.159
  Memory usage: 23%               IP address for br-1bad9bd75d17: 172.18.0.1
  Swap usage:   0%                IP address for d----0:         172.17.0.1
  Processes:    159
Last login: Tue Mar 10 05:37:27 2020 from 10.10.14.36
root@bolt:~# sha256sum root.txt
029b18b4c0e2194ef4be039b9e362d32522a5b8ab5141af4487293e338d763fe  root.txt
root@bolt:~#

Great box, love it! Thanks for @deluqs's help

I am stuck with the first user. I was able to s** in as b***. I found the login page but I can’t find login info. I tried a few basic username/password combos. Am I supposed to find it from /v**/w**? I found a few things but I am stuck.

Any help?

Any hints on finding creds for the login page?

@nando740 said:

Any hints on finding creds for the login page?

Explore the web server directory where you would find files associated with the web app. There will be a file of interest. :slight_smile:

@nando740 said:

Any hints on finding creds for the login page?

Think about where webapps usually store creds, and look for that among the folders you can read.

Thanks. Had already thoroughly explored those dirs, but did not think about exploring that file in such a raw way. Had tried its utility (not present in the system).

Can concentrate on the vector now. A lot of RTFM of that r****c thing ahead. :frowning:

And rooted :blush:

Pulled hair on finding creds to the app (respects given to the helpers), but after that, the service manual solved the rest.