Aragog

I can’t even get past the first stage. I see the open ports. Ran dirbuster but got nothing

I just pwned this box yesterday, anyone who needs help with it feel free to PM me :slight_smile:

my best advice to get root is to dig deep into everything you can see.
lots of files there with read and write access that you can easily manipulate.
use your imagination

@junior said:
my best advice to get root is to dig deep into everything you can see.
lots of files there with read and write access that you can easily manipulate.
use your imagination

as far as i have looked into this. the possible attack surface is vast.
need to enumerate in different places, some of which will end nowhere.
i am still struggling for priv esc to be honest. but as i can understand you need to be creative or perceptive (i guess)

@w31rd0 said:

@junior said:
my best advice to get root is to dig deep into everything you can see.
lots of files there with read and write access that you can easily manipulate.
use your imagination

as far as i have looked into this. the possible attack surface is vast.
need to enumerate in different places, some of which will end nowhere.
i am still struggling for priv esc to be honest. but as i can understand you need to be creative or perceptive (i guess)

The key point here is understanding what is happening behind the scene exactly.

@junior said:

@w31rd0 said:

@junior said:
my best advice to get root is to dig deep into everything you can see.
lots of files there with read and write access that you can easily manipulate.
use your imagination

as far as i have looked into this. the possible attack surface is vast.
need to enumerate in different places, some of which will end nowhere.
i am still struggling for priv esc to be honest. but as i can understand you need to be creative or perceptive (i guess)

The key point here is understanding what is happening behind the scene exactly.

I toatally agree with that. that is why i am failing. as i have a general idea of what is going on. but can not connect the final dots

@w31rd0 said:

@junior said:

@w31rd0 said:

@junior said:
my best advice to get root is to dig deep into everything you can see.
lots of files there with read and write access that you can easily manipulate.
use your imagination

as far as i have looked into this. the possible attack surface is vast.
need to enumerate in different places, some of which will end nowhere.
i am still struggling for priv esc to be honest. but as i can understand you need to be creative or perceptive (i guess)

The key point here is understanding what is happening behind the scene exactly.

I toatally agree with that. that is why i am failing. as i have a general idea of what is going on. but can not connect the final dots

There is a tool created by one of the HTB members, you can find it in the tools section of the forum, running that helps a lot.

So I’ve got a shell onto the box as a user.

Can see theres a tool being run for the webserver and what it does

Not sure how to swich to other user or escal to root… Bit of a dead end with this one.

Any pointers ?

So looking for some insight. I have gotten straight ssh access to a user account and got the user flag. I see there is another user that has a lot of files with wide open permissions in a strategic spot but the service runs as a low level service and dropping a webshell there is kind of pointless since I have ssh. I was able to query another service that is running and used that data to log into the website but did not find anything. I also notice that every few moments something special happens though cant find where that something special gets executed from. Can some one give me some insight? Do I need to go from F to C before getting to R. Thanks

Anyone free to give me a slight nudge via PM? On the box and have a few pieces but a bit lost on PE.

@Dazzed said:
Anyone free to give me a slight nudge via PM? On the box and have a few pieces but a bit lost on PE.

I struggled a bit with this one, but managed to do it at the end. Overthinking can stop you. PM if you need a hint.

@genxweb said:
So looking for some insight. I have gotten straight ssh access to a user account and got the user flag. I see there is another user that has a lot of files with wide open permissions in a strategic spot but the service runs as a low level service and dropping a webshell there is kind of pointless since I have ssh. I was able to query another service that is running and used that data to log into the website but did not find anything. I also notice that every few moments something special happens though cant find where that something special gets executed from. Can some one give me some insight? Do I need to go from F to C before getting to R. Thanks

Never mind I got it. sometimes you got to do things every way possible even though you think you already have all the data from another method. Def check out the tool by one of the members here in the tool forum. Unprivileged process monitoring super nice.

Got to say cool priv but anti climatic

got user flag without shell, but i need it now for the root flag.
i have the two files (t***.*** and h****.***), combined them for the user flag, but I can’t execute RCE…
I have noticed the strange header in one service, but I can’t figure out the true file name, nor “get” it… any hint on this?
PM if there are spoilers :slight_smile:

@gigi944 said:
got user flag without shell, but i need it now for the root flag.
i have the two files (t***.*** and h****.***), combined them for the user flag, but I can’t execute RCE…
I have noticed the strange header in one service, but I can’t figure out the true file name, nor “get” it… any hint on this?
PM if there are spoilers :slight_smile:

Try to ssh with that user and see what error you got. It may give you a hint.

So managed to get ssh and trying to then use the the blog to get priv es.

Keep getting re-directed to the host name which is breaking browsing the site.

Not sure what to backdoor to tamper with to get priv escal .

PM or help would be greatly appreciated with this box

EDIT -

Resolved issue with re-direct by adding "10.10.10.78 aragog " into / etc/hosts

Got user shell, got the control of the blog, but unable to get root D :

@gigi944 said:
Got user shell, got the control of the blog, but unable to get root D :

its definitely a different path than ive seen elsewhere… lots of good hints in these forums.

Got shell with uid 1000, got shell with uid 33. used pspy64, got blogs administrator. but still not able to find out what is i am missing to get root or at least shell using uid 1001. Please if any one can help DM me.

Spoiler Removed - Arrexel

Spoiler Removed - Arrexel