Official Compromised Discussion

Type your comment> @Sys7em said:

Type your comment> @CyberVaca said:

I got webshell but I can’t get reverse shell :(, any hint?

This box does not allow network connection…
ssh is here the “key” "gen"erally :wink:

thank you @D4nch3n - nice box!

True, I saw what I was missing. Thx u dude

Does the CVE actually work on this box ? Running it seems to do nothing but a blank page.

I hav got a webshell but when i go to it i get blank stuff

When certain file is uploaded, just for test sake, seems web server is crashing. Not sure if that is intended behavior, but machine reset is needed.
Someone if could confirm same…

same issue. Seems like the the machine would’ve had to reset every time someone pushed up a invalid file.

Spoiler Removed

Type your comment> @sparkla said:

Got code execution and the next regret I tried again. Cause after CE goes nothing.

@choupit0 said:
On recrute ! ? We are hiring!
Looking for a job.

Invitation sent :wink:

rooted i like the box in the first part
my hints:
-simple enum can you in the place
-you are there take a look what you can do the cve gives issues simulate with burp
-you are there ,limited but there, dont forgot its compromised
-the attacker can come back so think how with everything limited
-you found the way get in dont be shied
-ok stay at home its not safe out
-think how the attacker can gain root he must left a backdoor

hope its not a big spoile
thanks to @TheCyberGeek for hints this guy is geek really
also thanks to @D4nch3n for this box

Can’t seem to get the exploit to work. Getting 200s, but nothing else. Hmm. Probably missing something simple.

Type your comment> @sparkla said:

Type your comment> @pizzapower said:

Can’t seem to get the exploit to work. Getting 200s, but nothing else. Hmm. Probably missing something simple.

Remember, php can give you some info() :wink:

Still looking how to continue after CE

Yeah, I just thought of that, and now I’m stumped again. Gonna need to do a little research. My php is rusty, lol

Edit: that didn’t require as much research as I thought, edit: more research than I thought

I uploaded a webshell using the exploit from e*****tdb and the admin credentials but the shell doesn’t seem to respond, I don’t know if I’m getting the upload path wrong or somehow it’s getting deleted, if anyone got the same issue and could help with nudges I would appreciate very much! (I tryied some other things and I think I took the box down :neutral:)

PS: I manage to make uploads manually using burp. but still can’t get much response… At least I now know that the upload is successful since when I try to trigger a reverse shell which daemonise itself I get a common error: "WARNING: Failed to daemonise. This is quite common and not fatal. () " but still no connection. I was also able to upload a file with only the content “test” and it gets succesfully displayed but I can’t make it parse any commands to the system…

Type your comment> @sparkla said:

Once you got rce, here’s a little script you can use. It’s almost like a real shell :smiley:
(Your script must support a get param named cmd)

#!/bin/bash

cmd=''
while [[ $cmd != 'exit' ]];
do
        read -p '$ > ' cmd
        curl -G http://compromised.htb/findThePathYourself/your-cmd-shell.php --data-urlencode "cmd=$cmd"
done

yeah those commands can’t be executed while php has blocked all of those functions :frowning:

Spoiler Removed

I’m already the sys***** user but I don’t see ■■■■ to go to root

can someone please give me a hint, with which non-deactivated PHP function I get RCE?

Type your comment> @Furie said:

can someone please give me a hint, with which non-deactivated PHP function I get RCE?

The same question

Type your comment> @FTNTT said:

Type your comment> @Furie said:

can someone please give me a hint, with which non-deactivated PHP function I get RCE?

The same question

If you are new to php, you must have used echo “hello world” ?

Hi
can anyone give me nudge for user part?
I already have RCE

Rooted. I found the user part very interesting.
No hints from my side , I believe that are enough ones left on the forum. PM for nudges.

Thanks to @D4nch3n for this funny box :smiley:

rooted!