Admirer

Does anyone have a problem opening port 3306? I tried various conf files but to no avail. I just cannot allow remote connections to my 3306 :(

@minhobrandon said:

Does anyone have a problem opening port 3306? I tried various conf files but to no avail. I just cannot allow remote connections to my 3306 :(

Did you check MariaDB settings and iptables?
Maybe go through:

and recheck remote access? Of course you need to grant access (at MariaDB level) for a remote user using GRANT …

Root obtained:

root@admirer:/tmp# hostname
hostname
admirer
root@admirer:/tmp# whoami
whoami
root
root@admirer:/tmp# 

Edit: Worked once I changed which server I’m VPNd into.

Root part was very informative for the future :)

Rooted - Message for help with what you have tried so far

ROOTED !
Initial foothold not too easy but a breeze from there, Funbox DM for nudges.

@GibParadox I have to say, for me it has been the best box I ever solved. No guesswork, nice challenges, totally liked.

@Rucker said:

@GibParadox I have to say, for me it has been the best box I ever solved. No guesswork, nice challenges, totally liked.

Awesome! Glad you liked it!

I am at the very last step before getting root, but my attack is falling down somewhere and I don’t know why! I have successfully hijacked s*****.. If I run the commands from b***.** in the interpreter, my code gets executed, but not when I call a****_t****.** Would really appreciate it if someone could PM me…

waldo@admirer:/tmp$ uid=0(root) gid=0(root) groups=0(root)

I really hated the foothold/user but the root path was awesome and made up for the prior annoyance. I have some leftover questions about the a*****r bypass that I can’t find in the exploit docs so if anyone can help DM me please.

Foothold: My problem was none of the relevant words were in my wordlists

User: Very odd for an easy box, requires some effort.

Root: A really cool idea, learned a lot and it’s valuable for the future.

If you need any help DM me!

I can’t get any login page despite enum with dirsearch, gobuster, dirbuster; at most I got forbidden dirs… I need a pointer, any direction please?

@SuperRaptor said:

I can’t get any login page despite enum with dirsearch, gobuster, dirbuster; at most I got forbidden dirs… I need a pointer, any direction please?

Why does there need to be a login page?

If you have fuzzed it fully you may have found something you need which tells you how to get access to something which can give you something you need to find out where to go with the next step.

Just finished this box after a couple of days.

Foothold was annoying and I only got it by reading some posts in here (and also used a tool I hadn’t used before which is pretty nice).

User was straightforward with some fiddling around with config stuff. I had never used/seen this method so that’s good.

Root…wandered down a completely wrong path but learned a lot about an exploit that doesn’t work on this box along the way. Finding the right place was just a basic post-exploit step. I read and understood what was going on and kind of what I had to do but messed up a small detail.

So my advice
Foothold: if in doubt, think big.
Root: pass don’t set.
Hope that’s not too spoiler-y.

Enjoyable box, but if this is easy…I have a long way to go. I only did this and Tabby so far, I’d say overall this box was harder but they are hard to compare.

Hey guys, why do we want to fuzz utili**-sc**** with some tools (wfuzz, gobuster)? There is a vulnerability on ad***_tas***.p*p (shell_exec). I am trying to get an RCE from there but nothing. Did anyone do it this way?

@xenofon said:

Hey guys, why do we want to fuzz utili**-sc**** with some tools (wfuzz, gobuster)?

At a basic level (and I don’t mean to sound sarcastic) but if you can’t see a good reason to do this, don’t do it.

Work your own path. You may have seen things which hint at this, but the hints could be wrong.

However, if nothing else works, you might want to go back to this.

There is a vulnerability on ad***_tas***.p*p (shell_exec). I am trying to get an RCE from there but nothing. Did anyone do it this way?

I certainly didn’t. If you get it to work, then it is the right path. If it doesn’t work, it is the wrong one. It’s literally that simple. Just because something looks like it might be vulnerable, doesn’t mean it is - until you test it. Not every instance of shell_exec is vulnerable to exploitation - you’d need to be able to control what it executes and then you are limited to the privileges the code runs under.

Some boxes have multiple routes to exploitation and if you find genuinely unintended ones, you can let HTB know and they’ll patch it.

One question I would ask though:

You’ve seen hints saying “try $X” but you’ve also found a possible exploit for $Y but no one else appears to have mentioned it. You can’t get $Y working.

Does that imply it is the right path or the wrong path?
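An added example, not part of the thread or of the box's code: a small Python code-review pass over PHP source that sorts each shell_exec call by whether its argument is a constant, built from a local variable, or traceable to request input, which is the distinction the reply above draws. The sample PHP, its variable names and the one-hop taint rule are constructed assumptions.

```python
import re
# Superglobals an HTTP client can set directly.
REQUEST_SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")

def call_argument(src, open_paren):
    """Return the text between the parenthesis at open_paren and its match."""
    depth, quote, i = 0, None, open_paren
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1                      # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
        i += 1
    return src[open_paren + 1:]             # unbalanced source: take the rest

def classify(arg, tainted):
    # Single-quoted PHP strings never interpolate variables, so blank them out.
    code = re.sub(r"'(?:\\.|[^'\\])*'", "''", arg)
    names = set(re.findall(r"\$\w+", code))
    if names & (tainted | set(REQUEST_SOURCES)):
        return "request-controlled"
    return "variable" if names else "constant"

def triage(src):
    # One-hop rule (assumption): a variable assigned from a superglobal is tainted.
    tainted = set(re.findall(
        r"(\$\w+)\s*=[^;=]*\$_(?:GET|POST|REQUEST|COOKIE)\b", src))
    return [(src.count("\n", 0, m.start()) + 1,
             classify(call_argument(src, m.end() - 1), tainted))
            for m in re.finditer(r"\bshell_exec\s*\(", src)]

# Constructed sample, not code from the box discussed in the thread.
SAMPLE = r"""<?php
$host  = $_GET['host'];
$mount = '/var';
echo shell_exec('uptime -p');
echo shell_exec("df -h " . $mount);
echo shell_exec("ping -c 1 " . $host);
"""
```

A "variable" verdict still needs a manual trace of where the value comes from; only "constant" calls can be set aside at this stage of a review.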

I understand your point, but the thing that I do not understand is: why are we fuzzing a directory (util…-sc…) when we see the contents of it from FTP? Why do we need to scan it through the web…? That is my question, and why is adm***.p*p not visible?

Maybe a file was included after the upload to the FTP server? This is what we examine by fuzzing utl…-sc…??

@xenofon said:

Maybe a file was included after the upload to the FTP server? This is what we examine by fuzzing utl…-sc…??

As I said, if it doesn’t make sense, don’t do it - some hints are simply wrong.

However, I don’t think this one is.

Just because you find some files in an archive, doesn’t mean you’ve found all the files. If I was managing a server and I was adding content every week but taking a monthly backup, if you look at the backup you do not see the live environment unless you get really, really lucky.

When we have two sets of information - such as an archive and a live version, being able to see if there is a difference between the two can lead to some interesting discoveries.
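The comparison described in the post above, as an added Python example that is not part of the thread: an administrator's drift check between a tar backup and the live directory it was taken from, reporting files that exist only live, only in the backup, or differ in content. The paths, file names and contents in `demo()` are constructed.

```python
import hashlib
import os
import tarfile
import tempfile

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def archive_index(tar_path):
    """Map each regular file in a tar backup to the SHA-256 of its content."""
    with tarfile.open(tar_path) as tar:
        return {os.path.normpath(m.name): sha256(tar.extractfile(m).read())
                for m in tar if m.isfile()}

def live_index(root):
    """Same mapping for the files currently under the live directory."""
    index = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                index[os.path.relpath(path, root)] = sha256(fh.read())
    return index

def drift(tar_path, root):
    old, new = archive_index(tar_path), live_index(root)
    return {"only_live": sorted(new.keys() - old.keys()),
            "only_archive": sorted(old.keys() - new.keys()),
            "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p])}

def write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Constructed sample: take a backup, then let the live tree move on."""
    originals = ("index.html", "scripts/info.php", "scripts/old.php")
    with tempfile.TemporaryDirectory() as tmp:
        root, backup = os.path.join(tmp, "webroot"), os.path.join(tmp, "backup.tgz")
        for rel in originals:
            write(os.path.join(root, rel), "v1")
        with tarfile.open(backup, "w:gz") as tar:
            for rel in originals:
                tar.add(os.path.join(root, rel), arcname=rel)
        write(os.path.join(root, "scripts/new-tool.php"), "v1")  # added after backup
        write(os.path.join(root, "index.html"), "v2")            # edited after backup
        os.remove(os.path.join(root, "scripts/old.php"))         # removed after backup
        return drift(backup, root)
```

Anything under `only_live` is content the backup never captured, which is why an old archive is not a reliable inventory of what a server currently exposes.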

Thank you very much for the info

~~I have the User flag but once I pasted the hash it doesn’t work! … I spent a lot of time with local database with some basic things hahaha!!~~

Today is working!! :)