Thanks @TaxWake for helping me with the initial foothold!
To offer some of my own tips to people yet to complete:
Initial foothold: In hindsight, the paths given by the confirmation page are accurate, but this may not be apparent until you know the complete path. I definitely recommend installing the package locally and then finding the desired file on your own system. Again, make sure you find the correct file, as there may be multiple in different locations!
User: Go to war on this box, lazy admins are our friend, even though this admin could be lazier.
Root: Well documented exploit method did not work for me in the /tmp directory, had to try elsewhere. Storage backend type was also important.
I have finally managed to get a foothold. Can anyone point me towards a resource that can help me figure out how to get a more useable reverse shell? I am using a java/jsp_shell_reverse_tcp payload and have tried upgrading it to a meterpreter session using multi handler, but still can’t spawn a pty or useable shell.
Check the version of the software you are using to upgrade. Maybe the more recent one will work.
A very enjoyable box… I actually learned how to create an HTTP server with a single line of bash, and I didn’t even know it was possible before… lots of fun, 10/10
It is really useful to have a better shell via the PTY module or socat. Enumeration and other checkups will come easier then.
Actually I had no issue doing the enumeration and checkups with the kind of broken shell I had. It was one of the steps of the privesc that was stuck in a loop. Someone on the previous page gave me the answer on how to upgrade my shell, and boom, it worked.
Just rooted the box. It’s the first box I tried on HTB (did about 5 from VulnHub before) and it was quite a frustrating experience. Took 3 days, 2.5 days were spent on finding a certain x** file. I actually had the right location very early but…well you know what the problem is…and then I over-enumerated, including building from source etc., and went to location after location for days.
I’m torn on what to think about this little wrinkle because one of the first steps I did was to purposefully use a non-existing location to see what an error page would look like and well can’t say more without spoiling anything.
Lesson learned, I’ll always try different tools for this type of task in the future.
User: I think I got lucky by having the right idea very quickly, the file isn’t too horrible but one could create a giant rabbit hole there
Root: Pretty interesting, never did this before. Straightforward but cool. While I tried to gain root, the machine was rebooted a couple of times, which is frustrating. I can kind of understand why it happens, I was considering an avenue that requires rebooting.
So I guess this isn’t a spoiler but might prevent frustration for others…no rebooting required to root the box, don’t disturb the others working on the machine.
Thank you @egre55 for creating a nicely designed box.
Rooted!
First time I root a box without ever looking at any hints, I’m pretty happy about that.
Foothold was a pain but I learnt a bunch of things getting it, so even though that was depressing at times, it was worth it!
I recently told myself I was too quick at reading enumeration reports so I really took my time here and I can’t stress enough how much it helped to carefully read about anything strange or unknown that popped on my screen.
Really nice box, it took me time but I enjoyed it a lot, thanks @egre55!
P.S.: I had trouble submitting both user and root flags. For some reason HTB wouldn’t accept them. The only solution I found after trying to reconnect a few times was to reset the box, unfortunately. Sorry for anyone who was working there with me…