Official Compromised Discussion

@sparkla said:

@pizzapower said:

Can’t seem to get the exploit to work. Getting 200s, but nothing else. Hmm. Probably missing something simple.

Remember, php can give you some info() :wink:

Still looking how to continue after CE

Yeah, I just thought of that, and now I’m stumped again. Gonna need to do a little research. My php is rusty, lol

Edit: that didn’t require as much research as I thought, edit: more research than I thought

I uploaded a webshell using the exploit from e*****tdb and the admin credentials but the shell doesn’t seem to respond, I don’t know if I’m getting the upload path wrong or somehow it’s getting deleted, if anyone got the same issue and could help with nudges I would appreciate very much! (I tried some other things and I think I took the box down :neutral:)

PS: I managed to make uploads manually using burp, but still can’t get much response… At least I now know that the upload is successful since when I try to trigger a reverse shell which daemonises itself I get a common error: "WARNING: Failed to daemonise. This is quite common and not fatal. () " but still no connection. I was also able to upload a file with only the content “test” and it gets successfully displayed but I can’t make it parse any commands to the system…

@sparkla said:

Once you got rce, here’s a little script you can use. It’s almost like a real shell :smiley:
(Your script must support a get param named cmd)

#!/bin/bash

cmd=''
while [[ $cmd != 'exit' ]];
do
        read -p '$ > ' cmd
        curl -G http://compromised.htb/findThePathYourself/your-cmd-shell.php --data-urlencode "cmd=$cmd"
done

yeah those commands can’t be executed while php has blocked all of those functions :frowning:

Spoiler Removed

I’m already the sys***** user but I don’t see ■■■■ to go to root

can someone please give me a hint, with which non-deactivated PHP function I get RCE?

@Furie said:

can someone please give me a hint, with which non-deactivated PHP function I get RCE?

The same question

@FTNTT said:

@Furie said:

can someone please give me a hint, with which non-deactivated PHP function I get RCE?

The same question

If you are new to php, you must have used echo “hello world” ?

Hi
can anyone give me nudge for user part?
I already have RCE

Rooted. I found the user part very interesting.
No hints from my side, I believe there are enough left on the forum. PM for nudges.

Thanks to @D4nch3n for this funny box :smiley:

rooted!

Seems interesting! I got everything I need, still the public exploit missing away. :blush:

Got user. Very cool box so far. Kudos to the creator

I discovered a .sh***p file in the downloaded archive. However when opening it in browser it gives a blank page and with curl I get a 404. It’s a rabbit hole I guess, or is it not?

Ok, have RCE, but not reverse shell. I would appreciate hint or some sake where I lost it.

@solid5n4k3 said:

Ok, have RCE, but not reverse shell. I would appreciate hint or some sake where I lost it.

The box can be done without having a reverse shell.
If you have RCE and not just P** CE, you can assume that something is blocking you from getting one.

Spoiler Removed

@sparkla said:

Once you got rce, here’s a little script you can use. It’s almost like a real shell :smiley:
(Your script must support a get param named cmd)

#!/bin/bash

cmd=''
while [[ $cmd != 'exit' ]];
do
        read -p '$ > ' cmd
        curl -G http://compromised.htb/findThePathYourself/your-cmd-shell.php --data-urlencode "cmd=$cmd"
done

Thank you

Got root. Needed a few nudges for root but got there in the end. If you need help let me know

I finally managed to get command execution, with a very limited shell. Don’t quite know where to go from here…