Official Compromised Discussion

can someone please give me a hint, with which non-deactivated PHP function I get RCE?

Type your comment> @Furie said:

can someone please give me a hint, with which non-deactivated PHP function I get RCE?

The same question

Type your comment> @FTNTT said:

Type your comment> @Furie said:

can someone please give me a hint, with which non-deactivated PHP function I get RCE?

The same question

If you are new to php, you must have used echo “hello world” ?

Hi
can anyone give me nudge for user part?
I already have RCE

Rooted. I found the user part very interesting.
No hints from my side , I believe that are enough ones left on the forum. PM for nudges.

Thanks to @D4nch3n for this funny box :smiley:

rooted!

Seems interesting! I got everything I need, still the public exploit missing away. :blush:

Got user. Very cool box so far. Kudos to the creator

I discovered a .sh***p file in the downloaded archive. However when opening it in browser it gives a blank page and with curl I get a 404. It’s a rabbit hole I guess, or is it not?

Ok, have RCE, but not reverse shell. I would appreciate hint or some sake where I lost it.

@solid5n4k3 said:

Ok, have RCE, but not reverse shell. I would appreciate hint or some sake where I lost it.

The box can be done without having a reverse shell.
If you have RCE and not just P** CE, you can assume that something is blocking you from getting one.

Spoiler Removed

Type your comment> @sparkla said:

Once you got rce, here’s a little script you can use. It’s almost like a real shell :smiley:
(Your script must support a get param named cmd)

#!/bin/bash

cmd=''
while [[ $cmd != 'exit' ]];
do
        read -p '$ > ' cmd
        curl -G http://compromised.htb/findThePathYourself/your-cmd-shell.php --data-urlencode "cmd=$cmd"
done

Thank you

Got root. Needed a few nudges for root but got there in the end. If you need help let me know

I finally managed to get command execution, with a very limited shell. Don’t quite know where to go from here…

Rooted. What a ride.

Thank you @D4nch3n for a fun box. The hardest part for me was getting the first user. Once I figured out what things were “left behind” I was able to progress quicker.

User->root was very nifty. I definitely went down more than a couple of rabbit holes before I figured out where the attackers had left their calling card.

Type your comment> @zilwah said:

Spoiler Removed

why ?? this was a simple *nix command not specifically related to any machine, vuln or exploit ?

For anyone feeling lost in the bac**p files, what made it super easy for me is to think which files were modified when and keep your eyes peeled. Could shave some time off of your file-diving :wink:

Finally rooted. This one requires you to take care with your enumeration. I needed two nudges for user that I wouldn’t have if I had been more thorough and thoughtful.

My only other piece of advice is to practice your file searching tools (grep, find, etc). They will help you a lot. I agree with @HumanFlyBzzzz

PM me if you need nudges. Let me know what you’ve tried so I don’t spoil anything.

Accidentally reset my entire desktop and panels while messing around waiting for nmap to finish. Spent the last 45 min trying to get everything fixed. Can finally start this box now