Official Compromised Discussion

I'm already the sys***** user but I don't see ■■■■ to go to root

can someone please give me a hint, with which non-deactivated PHP function I get RCE?

@Furie said:

can someone please give me a hint, with which non-deactivated PHP function I get RCE?

The same question

@FTNTT said:

@Furie said:

can someone please give me a hint, with which non-deactivated PHP function I get RCE?

The same question

If you are new to php, you must have used echo "hello world"?

Hi
can anyone give me nudge for user part?
I already have RCE

Rooted. I found the user part very interesting.
No hints from my side, I believe there are enough left on the forum. PM for nudges.

Thanks to @D4nch3n for this funny box :smiley:

rooted!

Seems interesting! I got everything I need, still the public exploit missing away. :blush:

Got user. Very cool box so far. Kudos to the creator

I discovered a .sh***p file in the downloaded archive. However when opening it in browser it gives a blank page and with curl I get a 404. It's a rabbit hole I guess, or is it not?

Ok, have RCE, but not reverse shell. I would appreciate hint or some sake where I lost it.

@solid5n4k3 said:

Ok, have RCE, but not reverse shell. I would appreciate hint or some sake where I lost it.

The box can be done without having a reverse shell.
If you have RCE and not just P** CE, you can assume that something is blocking you from getting one.

Spoiler Removed

@sparkla said:

Once you got rce, here's a little script you can use. It's almost like a real shell :smiley:
(Your script must support a get param named cmd)

#!/bin/bash

cmd=''
while [[ $cmd != 'exit' ]];
do
        read -p '$ > ' cmd
        curl -G http://compromised.htb/findThePathYourself/your-cmd-shell.php --data-urlencode "cmd=$cmd"
done

Thank you

Got root. Needed a few nudges for root but got there in the end. If you need help let me know

I finally managed to get command execution, with a very limited shell. Don't quite know where to go from here…

Rooted. What a ride.

Thank you @D4nch3n for a fun box. The hardest part for me was getting the first user. Once I figured out what things were "left behind" I was able to progress quicker.

User->root was very nifty. I definitely went down more than a couple of rabbit holes before I figured out where the attackers had left their calling card.

@zilwah said:

Spoiler Removed

why ?? this was a simple *nix command not specifically related to any machine, vuln or exploit ?

For anyone feeling lost in the bac**p files, what made it super easy for me is to think which files were modified when and keep your eyes peeled. Could shave some time off of your file-diving :wink:

Finally rooted. This one requires you to take care with your enumeration. I needed two nudges for user that I wouldn't have if I had been more thorough and thoughtful.

My only other piece of advice is to practice your file searching tools (grep, find, etc). They will help you a lot. I agree with @HumanFlyBzzzz

PM me if you need nudges. Let me know what you've tried so I don't spoil anything.