Traverxec

@th48th said:
I can’t seem to get a reverse shell.

@nyckelharpa said:
Got root. I’m a novice and this was quite difficult for me. It required some techniques that I don’t fully understand and only figured out by pure chance and the hints here.

My hints (definitely also take a look at the other hints!):

  • Foothold: Enumerate the machine. Anything more would give everything away. Don’t think too complicated :smile:
  • User: You might be able to find credentials on the box (that you need to crack first) and which might seem like you can’t use them anywhere. Don’t work on this too long. Finding the right place to use them is difficult and not necessary (but it is possible to use them!). Instead, have a look at the files of the service you exploited. Also, a hint which might seem paradoxical: Sometimes it is possible to access directories that themselves are in a directory you cannot access.
  • Root: Once you have user privileges, closely examine what is right in front of you. You might find something that contains interesting commands. Minimize the width of your terminal (hard to believe, but that’s not a joke!), execute and then GTFO (also not an insult or a joke, Google and other hints are helpful here).

PM me for advice. I’m willing to help. I just spent the better part of the day getting crazy because I couldn’t figure out what to do :neutral:


I would be very grateful if someone would be willing to explain to me WHY and HOW the technique to get root works. I don’t understand it at all. I can explain all of my steps and what worked for me and what didn’t. I’d also be interested in learning how to own root without resizing and how to defend against this resizing trick.
Thanks for everybody reaching out in advance! :blush:

The journal command (and several other executables) has a SUID permission set that allows it to be run as root from another user. Shrinking your screen throws the command output into some type of display that you can run shell commands from. I think it is a known issue: if the system’s SUID commands are not set properly, you can exploit them.