Aragog

@wbbugs said:
Got RCE. Any pointers to get a shell? SSH creds would be good but can't find anything. Got user names. Is it a brute force SSH?

no need for that.

@wbbugs said:
Got RCE. Any pointers to get a shell? SSH creds would be good but can't find anything. Got user names. Is it a brute force SSH?

Spent ages trying to figure this out and ended up on the next step early through enum…
So not sure how big a hint this is, but try and ssh manually

Any nudges for getting the other user? I have the first user. I got some hash and found a job which runs, but I cannot do anything from this user and I have no idea how to change to the other.

@w31rd0 said:

@macw141 said:

@w31rd0 said:

@macw141 said:

@owodelta said:
Found the OWASP thing mentioned here, but have no idea how to use it.
PM please.

This is indeed a tricky one. When I got a nudge, everything became simple, till root. The key thing is how to submit the payload.

I figured out what happens with the content of the files (what happens if you submit it and what is returned),
but cannot get an idea how to move that a step forward.
I need that moment of enlightenment.

Look at what is displayed on the screen. Imagine how the application works and how the output changes when you send input. It will quickly become clear how you need to format your payload.

I understood how the initial input is converted and displayed.
The part I am struggling with is how to change the functionality to something else (and if that is possible :stuck_out_tongue: ),
although I haven't done a lot of testing on it yet…

I too can see how my input is converted / output but cannot see how to inject anything. Need a steer in the right direction!

@Thun said:
Any nudges for getting the other user? I have the first user. I got some hash and found a job which runs, but I cannot do anything from this user and I have no idea how to change to the other.

If you have shell access, take another look at the services you know are running, and see if there are any messages left that might leave a clue on what to attack.

@dneyed said:

I too can see how my input is converted / output but cannot see how to inject anything. Need a steer in the right direction!

If you have managed to see the behavior, you will see an extra tab appearing somewhere (I guess you know where).
Then refer to OWASP Top 10 (that advice is gold, I got user with it).

I think this is my first post. I need a nudge if possible on privilege escalation, so please DM me, or if I can DM anyone. I know the directory used, the two scripts running at a specific time, and the command used on one of the scripts and what it does. One of the scripts is related to the blog message and I think it may have an issue. Am I on the correct path? Do I need to be c…f to escalate?

Is anyone available to private message to run a few questions by?

Hi there, just p0wned it. The first foothold is easy; the second one is for those who have patience… Here’s a couple of tips:

  1. First-foothold: as someone else said, focus on *. file and **. file, the first one from some service and the second one from another service. Combine them together by reading some OWASP Top-10 vulnerability. No need to perform RCE or shell, you can grab user.txt in no time.

  2. Priv-Esc: have patience.

Good luck!

I can’t even get past the first stage. I see the open ports. Ran dirbuster but got nothing

I just pwned this box yesterday, anyone who needs help with it feel free to PM me :slight_smile:

My best advice to get root is to dig deep into everything you can see.
Lots of files there with read and write access that you can easily manipulate.
Use your imagination.

@junior said:
My best advice to get root is to dig deep into everything you can see.
Lots of files there with read and write access that you can easily manipulate.
Use your imagination.

As far as I have looked into this, the possible attack surface is vast.
Need to enumerate in different places, some of which will end nowhere.
I am still struggling with priv esc to be honest, but as I can understand you need to be creative or perceptive (I guess).

@w31rd0 said:

As far as I have looked into this, the possible attack surface is vast.
Need to enumerate in different places, some of which will end nowhere.
I am still struggling with priv esc to be honest, but as I can understand you need to be creative or perceptive (I guess).

The key point here is understanding exactly what is happening behind the scenes.

@junior said:

The key point here is understanding exactly what is happening behind the scenes.

I totally agree with that. That is why I am failing, as I have a general idea of what is going on but cannot connect the final dots.

@w31rd0 said:

I totally agree with that. That is why I am failing, as I have a general idea of what is going on but cannot connect the final dots.

There is a tool created by one of the HTB members, you can find it in the tools section of the forum, running that helps a lot.

So I’ve got a shell onto the box as a user.

Can see there's a tool being run for the webserver and what it does.

Not sure how to switch to the other user or escalate to root… Bit of a dead end with this one.

Any pointers ?

So looking for some insight. I have gotten straight SSH access to a user account and got the user flag. I see there is another user that has a lot of files with wide open permissions in a strategic spot, but the service runs as a low level service and dropping a webshell there is kind of pointless since I have SSH. I was able to query another service that is running and used that data to log into the website but did not find anything. I also notice that every few moments something special happens, though I can't find where that something special gets executed from. Can someone give me some insight? Do I need to go from F to C before getting to R? Thanks.

Anyone free to give me a slight nudge via PM? On the box and have a few pieces but a bit lost on PE.

@Dazzed said:
Anyone free to give me a slight nudge via PM? On the box and have a few pieces but a bit lost on PE.

I struggled a bit with this one, but managed to do it at the end. Overthinking can stop you. PM if you need a hint.