OpenAdmin

@TazWake said:

@thescriptkiddy said:

@Fredriclesomar said:

try harder!

Can you give me a really small hint… if you don’t mind…

Read the files and folders around where the RCE lands.

is it the .ht******.exam*** ???

@thescriptkiddy said:

is it the .ht******.exam*** ???

No.

If you want a bigger hint, do a list (with -al) and ignore anything with a recent (last month) timestamp.

Then look at folder names and decide if you’d expect to see them there. Any which look interesting or like they may be specific to the local machine should be investigated further.

Then it’s a case of keep looking and keep reading files.

Good box for newbies like me. I learnt a lot.

Initial foothold: knowing the web, search for an exploit.

User1: enumerate to know which files you have access to. Then analyse them to reach the most interesting one with a password.

User2: enumerate again to reach interesting .php files. Then think how to reach a website internally. Curl is your friend, and then John.

Root: see what you can execute with this user’s permissions and then surf on GTFOBins.

PM if you need more nudges.

Can someone please assist me, I can’t figure out how to use curl on the m***.p** file to get the information I want.

Please dm

@cripDepression said:

Can someone please assist me, I can’t figure out how to use curl on the m***.p** file to get the information I want.

Please dm

Enumerate more. Either read the previous responses to this question or find where the file is being served by reading the correct config files.

Can anyone give me a nudge in the right direction? I have the initial foothold after running a .sh script onto the right endpoint, I’m trying to get to user 1 level.
How am I supposed to do that though? Login via the web app? I have found a few things which look like they could be usernames or passwords in some files but have no idea how to use them? Also am I right in saying the flow is w**-a → jy → j****a → root ?

@5uP3Rn0v4 said:

Can anyone give me a nudge in the right direction? I have the initial foothold after running a .sh script onto the right endpoint, I’m trying to get to user 1 level.
How am I supposed to do that though? Login via the web app? I have found a few things which look like they could be usernames or passwords in some files but have no idea how to use them? Also am I right in saying the flow is w**-a → jy → j****a → root ?

Your flow is basically correct.

So reversing, if you have something that looks like a password you should try to see if it is a password.

You can get a list of valid users on a Linux system with a quick cat of the correct file. When you can confirm the user account names you can try to see if they’ve reused the password somewhere else.

Thanks TazWake, I have scanned that file and I have tried it on //**.**p but I get Password Incorrect, I must be confusing what I think is the password with the actual password. How deep is this password containing file from where you initially land? I feel like I’m grep’ing every file for keywords but can’t find anything else

@5uP3Rn0v4 said:

Thanks TazWake, I have scanned that file and I have tried it on //**.**p

That might be the mistake. Try it somewhere else.

Ahha! Eureka moment. I’m in as user 1 and I think I found what I need to get user 2. Thanks a lot!

@5uP3Rn0v4 said:

Ahha! Eureka moment. I’m in as user 1 and I think I found what I need to get user 2.
Thanks a lot!

Nice work.

Stuck again. Going for user 2, used john to help and got a pass but it’s saying incorrect password. Can I get a nudge please?

Edit
Figured it out, now to shoot for root!

Edit 2
Rooted! Finally figured out how to get the f*** out of user 2 shell.

id
uid=0(root) gid=0(root) groups=0(root)
whoami
root

Great machine - kudos to the maker!

For hints, I would say initial access is very simple, and then you just need to think lazy admin for the rest of the multi-step process.

Great Machine! It was fun cracking it. But I didn’t get all the points. I submitted both the root and user flag but was unable to get full points. Does anyone know why that is?

I’m stuck, can’t find the priv esc I need to get from www to user, can I have a nudge? Maybe DM so I can talk about what I tried?

Rooted
For those who had an issue with John not working, I tried loading the ‘file’ in johnny (after doing *2john) and it displayed what you’re looking for.

Rooted PM for hints

@H0ru5 said:

I’m stuck, can’t find the priv esc I need to get from www to user, can I have a nudge? Maybe DM so I can talk about what I tried?

ENUMERATE… you will definitely find something

If anyone can give me a nudge for root, that would be much appreciated… :)

@thescriptkiddy said:

If anyone can give me a nudge for root, that would be much appreciated… :)

To quote yourself :) ENUMERATE… and especially check what inventory of tools User1 and User2 have access to. Most tools can be used in more than one way :)

Feel free to PM if you want more hints.