Iām already the sys***** user but I donāt see ā ā ā ā to go to root
can someone please give me a hint, with which non-deactivated PHP function I get RCE?
Type your comment> @Furie said:
can someone please give me a hint, with which non-deactivated PHP function I get RCE?
The same question
Type your comment> @FTNTT said:
Type your comment> @Furie said:
can someone please give me a hint, with which non-deactivated PHP function I get RCE?
The same question
If you are new to php, you must have used echo āhello worldā ?
Hi
can anyone give me nudge for user part?
I already have RCE
Rooted. I found the user part very interesting.
No hints from my side , I believe that are enough ones left on the forum. PM for nudges.
Thanks to @D4nch3n for this funny box
rooted!
Seems interesting! I got everything I need, still the public exploit missing away.
Got user. Very cool box so far. Kudos to the creator
I discovered a .sh***p file in the downloaded archive. However when opening it in browser it gives a blank page and with curl I get a 404. Itās a rabbit hole I guess, or is it not?
Ok, have RCE, but not reverse shell. I would appreciate hint or some sake where I lost it.
@solid5n4k3 said:
Ok, have RCE, but not reverse shell. I would appreciate hint or some sake where I lost it.
The box can be done without having a reverse shell.
If you have RCE and not just P** CE, you can assume that something is blocking you from getting one.
Spoiler Removed
Type your comment> @sparkla said:
Once you got rce, hereās a little script you can use. Itās almost like a real shell
(Your script must support a get param named cmd)#!/bin/bash cmd='' while [[ $cmd != 'exit' ]]; do read -p '$ > ' cmd curl -G http://compromised.htb/findThePathYourself/your-cmd-shell.php --data-urlencode "cmd=$cmd" done
Thank you
Got root. Needed a few nudges for root but got there in the end. If you need help let me know
I finally managed to get command execution, with a very limited shell. Donāt quite know where to go from hereā¦
Rooted. What a ride.
Thank you @D4nch3n for a fun box. The hardest part for me was getting the first user. Once I figured out what things were āleft behindā I was able to progress quicker.
User->root was very nifty. I definitely went down more than a couple of rabbit holes before I figured out where the attackers had left their calling card.
Type your comment> @zilwah said:
Spoiler Removed
why ?? this was a simple *nix command not specifically related to any machine, vuln or exploit ?
For anyone feeling lost in the bac**p files, what made it super easy for me is to think which files were modified when and keep your eyes peeled. Could shave some time off of your file-diving
Finally rooted. This one requires you to take care with your enumeration. I needed two nudges for user that I wouldnāt have if I had been more thorough and thoughtful.
My only other piece of advice is to practice your file searching tools (grep
, find
, etc). They will help you a lot. I agree with @HumanFlyBzzzz
PM me if you need nudges. Let me know what youāve tried so I donāt spoil anything.