Official Compromised Discussion

Finally rooted after a few very long days! Thank you @gunroot and @LMAY75 for the nudges. Some of the tips on here are exactly what you need! Enumeration is a big part of the box. Information for user1 can be found in multiple places… one of which you have probably used already :wink:

Happy to help nudge if you need help, provide what you have done and where you are up to in a PM.

Really interesting box.
I learnt something trying to get a webshell, but it's entirely not necessary (and it's probably easier not to get a webshell).

I found it useful to rewrite what was changed and print it, as I had all the letters right but not the order.

I can read files and list directories but I am coming up empty. I see a couple of users that have bash in passwd but I am not finding info to compromise those users. Any hints would be appreciated.

Real fun box, I got stuck at root, thanks to @LMAY75 for the nudge.
In hindsight, it was obvious.

I loved scripting to own this box, this is my take on the “Not A Reverse Shell”, nothing new but since nobody posted something similar (having history, history search and emacs style special keys).

#!/usr/bin/env python3
import cmd

import requests  # third-party (pip install requests); moved to module level


def execute(line):
    # Send the typed line to the command-execution endpoint as a GET parameter
    # and return the response body. Both values below are placeholders from
    # the original post, to be replaced with the box-specific URL and parameter.
    target = "http://YOURRCE"
    r = requests.get(target, params={"YOURCMDARG": line})
    if r.status_code == 200:
        return r.text
    return f"{r.text}\r\nnars> ERROR: http response code was {r.status_code}"


class NotAReverseShell(cmd.Cmd):
    # cmd.Cmd uses readline when it is available, which is what provides the
    # history, history search and emacs-style keys mentioned above.
    prompt = "nars> "

    def do_help(self, line):
        print("Not A Reverse Shell, a pseudo shell when you cannot have one.")

    def default(self, line):
        # Anything that is not a built-in command (help/exit/quit) goes to the target.
        print(execute(line))

    def do_EOF(self, line):
        # Ctrl-D: print a newline so the terminal prompt starts on a clean line, then stop.
        print()
        return True

    def do_exit(self, line):
        return True

    def do_quit(self, line):
        return True


if __name__ == "__main__":
    NotAReverseShell().cmdloop()

Beautiful box!

@shubhanshu7 said:

Umm, hey guys, just started the box today, found the backup and an exploit for “l*** c***” but it requires the user credentials. Can someone help, or if I am going down a rabbit hole please alert me!!

You are on the right track, enumerate through the backup… as other comments have mentioned it is very worthwhile learning grep, find, locate to help with your searching. Another helpful comment was pay attention to dates :slight_smile:

Thanks man!! I was off from HTB for quite a time but gonna try it.

damnnn… I just don’t know at this point. It’s been a while that I’m stuck on the my*** user and can’t move forward. I saw hints pointing to the home dir of the user, but I couldn’t find anything too useful. Any hints?

@iWillBeFamous said:

damnnn… I just don’t know at this point. It’s been a while that I’m stuck on the my*** user and can’t move forward. I saw hints pointing to the home dir of the user, but I couldn’t find anything too useful. Any hints?

This won’t cheer you up, but look closer at the things you think aren’t too useful.

Noice :slight_smile:

Got root! Thanks @TazWake for hint at user stage.

Hi Guys

@Vigneshar said:

Hi Guys

Hi

Can I get some nudge please? I can read files and list dirs. I tried to extract info from proc but none of it was of use. I used m**** to read files of the user home of m**** but couldn’t get anything back. I know I need to use s** with m**** but I seem to miss where to get the data that will allow me to do that.

@abogaida said:

Can I get some nudge please? I can read files and list dirs. I tried to extract info from proc but none of it was of use. I used m**** to read files of the user home of m**** but couldn’t get anything back.

As well as reading files, what else can you do to them?

I know I need to use s** with m**** but I seem to miss where to get the data that will allow me to do that.

@TazWake said:

@abogaida said:

Can I get some nudge please? I can read files and list dirs. I tried to extract info from proc but none of it was of use. I used m**** to read files of the user home of m**** but couldn’t get anything back.

As well as reading files, what else can you do to them?

I know I need to use s** with m**** but I seem to miss where to get the data that will allow me to do that.

I tried writing them but it didn’t work. I see I am restricted to one dir with the m**** user, and it is the place where I would like to drop something to avoid having to s**.

@abogaida said:

I tried writing them but it didn’t work.

Possibly investigate how you are using them. There is a lot of stuff in this thread about how to issue the commands in a way which should give you the access you want.

I see I am restricted to one dir with the m**** user, and it is the place where I would like to drop something to avoid having to s**.

I never noticed any restrictions like that. It might be worth double-checking what is happening.

So, I’m pretty sure I know what to do to get from foothold to the next user, but without write privileges to that certain folder, I have no idea how to achieve this. A certain config setting of the m**** service disallows reading from/writing to that folder (and the “current other” user doesn’t have any privileges on that folder either).
If anyone could give a nudge in the right direction (or point out my mistake), it would be much appreciated :slight_smile:

@HomeSen said:

So, I’m pretty sure I know what to do to get from foothold to the next user, but without write privileges to that certain folder, I have no idea how to achieve this. A certain config setting of the m**** service disallows reading from/writing to that folder (and the “current other” user doesn’t have any privileges on that folder either).
If anyone could give a nudge in the right direction (or point out my mistake), it would be much appreciated :slight_smile:

Have a look to see if the attackers, or someone on the system, left something useful behind. Possibly in the built in tables.

DM me for more specific language because I appreciate the vagueness here might be confusing.

Thanks, @TazWake. Will look into the other stuff tomorrow. Now it’s time for some overdue sleep :smiley:

Man, I’m about to say bad words!!! Why in the ■■■■ do I keep receiving this "WARNING: Failed to daemonise. This is quite common and not fatal. () "? I looked at the PHP functions that are disabled and uploaded another rev-php but nothing! ■■■■

@Jk3r said:

Man, I’m about to say bad words!!! Why in the ■■■■ do I keep receiving this "WARNING: Failed to daemonise. This is quite common and not fatal. () "? I looked at the PHP functions that are disabled and uploaded another rev-php but nothing! ■■■■

It quite often means something went wrong with Pentestmonkey’s reverse PHP shell.

It doesn’t always mean the shell failed so you might want to check if anything is hitting the listener or if something else is the problem.

If other shells are failing you might need to do some deeper troubleshooting.