Official Compromised Discussion

Can someone please give me a nudge for initial foothold. I've got the tar and I've got the exploit, but I can't seem to figure out what to do next.

@Qtang said:

Can someone please give me a nudge for initial foothold. I've got the tar and I've got the exploit, but I can't seem to figure out what to do next.

Read the files. Look for things which might be useful leads. Follow the crumbs and see if they exist. If they do, read what's in them. Find loot. Use that loot.

ok I'm wasting too much time and not learning anymore… need a push.

I can list dirs, read files, but I cannot figure out how to get RCE so I can do what I need to do with the user who should not be able to login. I've tried every method I could find for this situation and none of them will work.

anyone in the mood to slap me upside the head?

@b3nd0 said:

ok I'm wasting too much time and not learning anymore… need a push.

I can list dirs, read files, but I cannot figure out how to get RCE so I can do what I need to do with the user who should not be able to login.

You have the password for that user, so you can issue queries against what it would normally be. Then you can use the functionality that has to give yourself a way in.

I've tried every method I could find for this situation and none of them will work.

anyone in the mood to slap me upside the head?

This was quite a fun box, mainly focused on enumeration. In almost every step, if you have found the thing you're supposed to find, exploiting/using it isn't that difficult or time consuming. Finding it can be…
There are some great hints on the forum, to which I don't have anything to add… But if someone needs a small nudge, feel free to send me a PM :slight_smile:

@TazWake

Where tf did you find it? :joy: I searched for at least an hour or two before giving in and asking Taz

@LMAY75 Yea I tried my damnedest to not ask for help, but I had to ask taz too. Makes me laugh when I imagine the day he must have on here, like a drill instructor walking through a field of shenanigans:

"Code with two hands boy, this isn't a rap concert. Private, why will your exploit not fire?.. Your magazine is upside down son! How did YOU end up on your own botnet?"

@b3nd0 That's funny lol.

@b3nd0 said:

@LMAY75 Yea I tried my damnedest to not ask for help, but I had to ask taz too. Makes me laugh when I imagine the day he must have on here, like a drill instructor walking through a field of shenanigans:

"Code with two hands boy, this isn't a rap concert. Private, why will your exploit not fire?.. Your magazine is upside down son! How did YOU end up on your own botnet?"

:lol: :smile: :lol: :love:

@TazWake said:

@b3nd0 said:

@LMAY75 Yea I tried my damnedest to not ask for help, but I had to ask taz too. Makes me laugh when I imagine the day he must have on here, like a drill instructor walking through a field of shenanigans:

"Code with two hands boy, this isn't a rap concert. Private, why will your exploit not fire?.. Your magazine is upside down son! How did YOU end up on your own botnet?"

:lol: :smile: :lol: :love:

As a JROTC guy I find this especially funny

@LMAY75 said:

@TazWake said:

@b3nd0 said:

@LMAY75 Yea I tried my damnedest to not ask for help, but I had to ask taz too. Makes me laugh when I imagine the day he must have on here, like a drill instructor walking through a field of shenanigans:

"Code with two hands boy, this isn't a rap concert. Private, why will your exploit not fire?.. Your magazine is upside down son! How did YOU end up on your own botnet?"

:lol: :smile: :lol: :love:

As a JROTC guy I find this especially funny

To round off the comedy, 15 years ago I was a basic training sergeant/instructor.

I need a nudge. phpinfo saddened me deeply on my way to foothold and I do not know how to proceed.

@sparrow1 said:

I need a nudge. phpinfo saddened me deeply on my way to foothold and I do not know how to proceed.

There is a way to bypass the things which are disabled. It's googleable.

@TazWake said:

@LMAY75 said:

@TazWake said:

@b3nd0 said:

@LMAY75 Yea I tried my damnedest to not ask for help, but I had to ask taz too. Makes me laugh when I imagine the day he must have on here, like a drill instructor walking through a field of shenanigans:

"Code with two hands boy, this isn't a rap concert. Private, why will your exploit not fire?.. Your magazine is upside down son! How did YOU end up on your own botnet?"

:lol: :smile: :lol: :love:

As a JROTC guy I find this especially funny

To round off the comedy, 15 years ago I was a basic training sergeant/instructor.

How did you go from that to infosec?

@LMAY75 said:

How did you go from that to infosec?

It was only a posting so after 2 years I returned to my trade.

Finally got root. This one was really hard for me, but mostly because I'm not very good on the vector needed for privesc. BTW, if anyone knows about good resources to work on that, please DM me.

+1 respect to @TazWake and @c4ph00k for their help! Thx guys!

Really struggling with the exploit, have the creds already, but can't do anything from there. Anybody can PM or give a little hint?

@LegendHacker said:

Really struggling with the exploit, have the creds already, but can't do anything from there. Anybody can PM or give a little hint?

This box is marked HARD. The flow seems a bit easy/classic, but it cannot work out of the box, otherwise the box would be easy. So you may be onto the right thing, but the usual functions and checks you'd expect to use will not work. Find alternative functions, or google for alternatives to the functions you'd expect to work but which don't.

Also, not showing any output doesn't mean it didn't work.

The flow is rather classic but the path is tortuous (at least it was for me). I needed hints, thanks @TazWake.
For those who found @sparkla's script useful, check this one out https://github.com/mxrch/webwrap (a wee bit better).
My 2 cents (everything has been said!):
Foothold: if you want to get a shell, bypassing the restrictions in place is googleable.
User1: one function will help you do what you need to do to get access. You can land directly here without the foothold above.
User2: enum.
Root: quite a common backdoor.
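Several posts above turn on the same point: phpinfo() showed a `disable_functions` list, and the foothold depended on that list being incomplete. The following is an added example, not code from the thread or from the box, written from the hardening side: it parses a php.ini-style `disable_functions` value and reports which execution-capable functions are still allowed. The ini fragment is constructed, and the baseline list of functions is this example's own choice of functions that can run commands, load native code or alter the process environment; it is not a claim about what the box had configured.

```python
"""Audit a php.ini-style disable_functions setting against a defender's baseline.

Added example (not from the forum thread). It answers the question an
administrator should ask after seeing phpinfo(): "is the denylist complete?"
"""
import re

# Constructed sample php.ini fragment. It deliberately leaves gaps of the kind
# that make a partial denylist ineffective.
SAMPLE_INI = """
; constructed sample, not a real server's configuration
expose_php = Off
disable_functions = exec,passthru,shell_exec,system, proc_open ,popen
allow_url_fopen = Off
"""

# Assumed baseline (this example's choice): functions that execute programs,
# load native extensions, or change the environment of the PHP process.
BASELINE = frozenset({
    "exec", "passthru", "shell_exec", "system", "proc_open", "popen",
    "pcntl_exec", "dl", "putenv", "mail",
})


def parse_disable_functions(ini_text: str) -> set[str]:
    """Return the set of function names listed in disable_functions.

    PHP function names are case-insensitive and the directive tolerates
    whitespace around the comma-separated entries; lines starting with ';'
    are comments. An absent directive yields an empty set (nothing disabled).
    """
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        match = re.match(r"^disable_functions\s*=\s*(.*)$", line, re.IGNORECASE)
        if match:
            value = match.group(1).strip().strip('"')
            return {name.strip().lower() for name in value.split(",") if name.strip()}
    return set()


def audit(ini_text: str, baseline: frozenset[str] = BASELINE) -> dict[str, list[str]]:
    """Compare the configured denylist with the baseline.

    'missing' lists baseline functions that remain callable; an empty list
    means the configuration covers the whole baseline.
    """
    disabled = parse_disable_functions(ini_text)
    return {
        "disabled": sorted(disabled),
        "missing": sorted(baseline - disabled),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_INI)
    print("disabled:", ", ".join(report["disabled"]))
    print("in baseline but still callable:", ", ".join(report["missing"]) or "none")
```

Run it against a copy of the real php.ini (or the `disable_functions` line pasted out of phpinfo()) and treat any entry under "still callable" as a finding to close; the thread's own observation that the disabled list was bypassable is exactly the gap this check surfaces.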

What is wrong with the box rn? It is not curling my links. Not even curl localhost.

Nothing is wrong. It is supposed to be like that.