Traceback

rooted. This was a fair mix between CTF like and just plain ol misconfigurations. Learned a bit about lua, command execution and a unique form of privesc that you really have to google for to find. PM for hints if you like.

Owned root! I banged my head against the wall at certain points but over simple stuff. If you get stuck regarding how to use certain stuff, take a step back! Remember where you are at each point of this box and it’ll help you get to the next step.

Foothold: Enumerate, test it like a web app. OSINT will be necessary. Don’t be afraid of creating your own dirbuster wordlist.

User: Literally just enumerate. You’ll find exactly what you need to feed, just be sure to pay attention to its diet.

Root: I’ve never encountered obtaining root the way I did. Run some enumeration tools. Some really useful ones have been mentioned in this thread, read through it. You’ll eventually identify a regular pattern. Focus on it, and do research into what the subject of that pattern actually does and what it’s capable of. Use that to your advantage. Also consider not overwriting files with ‘echo >’. Instead, append to files using ‘echo >>’. This will make it easier for you, as well as everyone else trying the box.

@ncnx700 said:

Owned root! I banged my head against the wall at certain points but over simple stuff. If you get stuck regarding how to use certain stuff, take a step back! Remember where you are at each point of this box and it’ll help you get to the next step.

Foothold: Enumerate, test it like a web app. OSINT will be necessary. Don’t be afraid of creating your own dirbuster wordlist.

User: Literally just enumerate. You’ll find exactly what you need to feed, just be sure to pay attention to its diet.

Root: I’ve never encountered obtaining root the way I did. Run some enumeration tools. Some really useful ones have been mentioned in this thread, read through it. You’ll eventually identify a regular pattern. Focus on it, and do research into what the subject of that pattern actually does and what it’s capable of. Use that to your advantage. Also consider not overwriting files with ‘echo >’. Instead, append to files using ‘echo >>’. This will make it easier for you, as well as everyone else trying the box.

Thanks ncnx700
Rooted

Rooted this box finally!!! Learned some new tricks.

Here are some hints:

## Foothold

  • OSINT is your friend
  • Search for the right script
  • Login and reverse shell

## User

  • Get the right shell (output)
  • Enumerate
  • You gotta love it
  • Reverse shell it

## Root

  • Listen carefully to all processes
  • See how to manipulate
  • Perfect timing is needed

A special thanks to @s1gh for your help.

If anyone needs help on this box you can PM me, I’ll give you a hint. But please be clear to me what you already did and where you are stuck now.

Thanks @Xh4H for the box

Have been trying to get root for a bit, I can execute a reverse shell no problem using the files / process, but I cannot put my ssh file in the root location, or cp the root flag using the same method.

I get a message permission denied, something like this: “cannot stat ‘/root/root.txt’: Permission denied”

Can anyone give me an idea why? I am executing from sysadmin shell, it’s super frustrating! haha.

For the first step, which is entering the machine, pay close attention to the response of the web page, analyze the message and google.
For the User: simple linux enumeration will give you a lot of information
For Root: Analyze the processes of the machines they will give you a lot of information, pspy can be your friend in this step.
Any questions can call me

@chicxulub said:

Have been trying to get root for a bit, I can execute a reverse shell no problem using the files / process,

If you can get a reverse shell that’s the job done. Not every box allows every possible combination of attacks.

but I cannot put my ssh file in the root location, or cp the root flag using the same method.

Syntax and timing might be the issue here.

I get a message permission denied, something like this: “cannot stat ‘/root/root.txt’: Permission denied”

That message implies the account trying to do something doesn’t have the right privileges to do what you are trying to do.

Can anyone give me an idea why? I am executing from sysadmin shell, it’s super frustrating! haha.

Without knowing what you’ve done, it’s hard to say. If you are executing the commands from sysadmin, you don’t have permissions to see the root files. If you are doing it by exploiting a service which runs as root, there may be some other issues in place. It largely depends on how much you care to determine how much effort you’d bother putting in to find out what is causing it.

@TazWake yeah I have been doing it by exploiting the service using the Up***-Mo**.* files. I meant that I could get a reverse shell by exploiting the service, but I can’t cp the flag or add my ssh in there to ssh In. Seems like no matter how fast I do it, haha.

I have been echoing in my commands into the files, instead of editing the files manually. Do my user permissions carry through if I echo the commands to add to file, instead of doing it manually? My ■■■■■■■ vi commands are all wonky trying to edit manually.

It must be some little thing but it is bugging me haha.

@chicxulub said:

@TazWake yeah I have been doing it by exploiting the service using the Up***-Mo**.* files. I meant that I could get a reverse shell by exploiting the service, but I can’t cp the flag or add my ssh in there to ssh In.

Do you mean the shell you are getting is a low-priv shell?

Seems like no matter how fast I do it, haha.

Linux has a command which can help you win this race while you sit back and watch.

I have been echoing in my commands into the files, instead of editing the files manually. Do my user permissions carry through if I echo the commands to add to file, instead of doing it manually? My ■■■■■■■ vi commands are all wonky trying to edit manually.

So, in theory, the privs you & the file have shouldn’t matter. If you can modify the correct file it is triggered by a root process and the resulting exploitation should be as root.
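
A defensive check for the condition described in the reply above (a file that a low-privileged account can modify and that a root process later runs), as an added example that is not part of the thread. The function name `audit_root_run_dir`, its arguments and the idea of pointing it at a directory of root-executed scripts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report anything in a directory of root-executed scripts
# that an account other than the trusted owner could modify.
# Usage: audit_root_run_dir DIR [TRUSTED_OWNER]   (owner defaults to root)
# Returns 0 when clean, 1 when findings were printed, 2 on bad input.
audit_root_run_dir() {
    dir=$1
    owner=${2:-root}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    findings=$(
        # The directory itself: if it is writable by group/other or owned
        # by someone else, scripts inside can be replaced outright.
        find "$dir" -prune \
            \( ! -user "$owner" -o -perm -020 -o -perm -002 \) \
            -exec printf 'DIR %s\n' {} \;
        # Each regular file: flag a foreign owner or group/other write bits.
        find "$dir" -type f \
            \( ! -user "$owner" -o -perm -020 -o -perm -002 \) \
            -exec printf 'FILE %s\n' {} \;
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run it as root against each directory whose contents a privileged service or scheduled job executes; any line of output is a path where an unprivileged write becomes root code execution.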

@TazWake I know, it’s wild, it has been stumping me for quite some time.

Yeah I will insert my nc one liner into the file, trigger it, pop a shell and it will be sysadmin again. It works every time using any of the four or five files that are there.

But when I try to do the same thing like cp the flag to a different location or add my ssh to the root location, I receive that permission denied message. I am going to try and watch it, I thought about doing that earlier but didn’t do it. That may be the key. Maybe it is in fact working sometimes, I just am not realizing it.

@chicxulub said:

@TazWake I know, it’s wild, it has been stumping me for quite some time.

Yeah I will insert my nc one liner into the file, trigger it, pop a shell and it will be sysadmin again. It works every time using any of the four or five files that are there.

Ok, something isn’t working correctly.

But when I try to do the same thing like cp the flag to a different location or add my ssh to the root location, I receive that permission denied message. I am going to try and watch it, I thought about doing that earlier but didn’t do it. That may be the key. Maybe it is in fact working sometimes, I just am not realizing it.

The attack needs to be in the correct place and triggered in the correct way for it to work. It should be simple but as is so often the case, that just means lots of things can still go wrong.

@TazWake hmm… yes, the correct place, perhaps that is it. Another reason why I was wondering about the echoing instead of manual edit, but I figured it shouldn’t matter.

It is for sure some little thing that I am doing wrong that I haven’t realized yet, but I will eventually. One of those things you get and you’re like “god how did I miss that”. Thank you for your help!

After taking a break from HTB - it was nice to get back into with this machine.

Quick and easy one.
Thanks @Xh4H for this fun learning experience.

Rooted. PM for nudges.

Initial Foothold: OSINT using the information you find on the homepage for the web server. One of them will work. I suggest saving all their names to a text file and giving them to gobuster to do the heavy lifting. Need a password? How about you read the source code.

User: Took me way too f**king long because I was trying to be too clever about it. Don’t bother with a reverse shell for this stage, save that for once you actually get the user account. Start simple, with a shell. You’re gonna need to “learn” a new language to get this shell to work. Also, don’t be lazy… read the man page for sudo.

Root: What processes are running. You probably won’t be entirely too familiar with the process running, so do some Googling. Even 10 minutes is enough to get an idea of what you’re going to have to do. You’ll need two terminals. Don’t bother editing any files directly, just append to whatever you wanna edit via >> rather than trying to edit and save. You won’t be fast enough.

Pretty fun box, and I actually enjoyed the CTF elements since they were done well.

Cheers @Xh4H

am stuck with root, I tried ssh thru web**mn but with no luck

I am getting this “load pubkey id_rsa : invalid format” error while ssh ing to s****min account. I am quite sure I placed the pub key in the right way, why does this not work?

@N00p said:

am stuck with root, I tried ssh thru web**mn but with no luck

Finally Rooted

@anir08 said:
I am getting this “load pubkey id_rsa : invalid format” error while ssh ing to s****min account. I am quite sure I placed the pub key in the right way, why does this not work?

Try it with different acc

@N00p said:

(Quote)
Try it with different acc

tried again and now the ssh says
Warning: Identity file id_rsa not accessible: No such file or directory

I even checked my public key when I escalated as sys***** abusing the said function.