Official Compromised Discussion

@Vigneshar said:

Hi Guys

Hi

Can I get a nudge please? I can read files and list dirs. I tried to extract info from proc but none of it was of use. I used m**** to read files from the user home of m**** but couldn’t get anything back. I know I need to use s** with m**** but I seem to be missing where to get the data that will allow me to do that.

@abogaida said:

Can I get a nudge please? I can read files and list dirs. I tried to extract info from proc but none of it was of use. I used m**** to read files from the user home of m**** but couldn’t get anything back.

As well as reading files, what else can you do to them?

I know I need to use s** with m**** but I seem to be missing where to get the data that will allow me to do that.

@TazWake said:

@abogaida said:

Can I get a nudge please? I can read files and list dirs. I tried to extract info from proc but none of it was of use. I used m**** to read files from the user home of m**** but couldn’t get anything back.

As well as reading files, what else can you do to them?

I know I need to use s** with m**** but I seem to be missing where to get the data that will allow me to do that.

I tried writing them but it didn’t work. I see I am restricted to one dir with the m**** user and it is the place where I would like to drop something to allow me not to s**.

@abogaida said:

I tried writing them but it didn’t work.

Possibly investigate how you are using them. There is a lot of stuff in this thread about how to issue the commands in a way which should give you the access you want.

I see I am restricted to one dir with the m**** user and it is the place where I would like to drop something to allow me not to s**.

I never noticed any restrictions like that. It might be worth double-checking what is happening.

So, I’m pretty sure I know what to do to get from foothold to the next user, but without write privileges to that certain folder, I have no idea how to achieve this. A certain config setting of the m**** service disallows reading from/writing to that folder (and the “current other” user doesn’t have any privileges on that folder either).
If anyone could give a nudge in the right direction (or point out my mistake), it would be much appreciated :slight_smile:

@HomeSen said:

So, I’m pretty sure I know what to do to get from foothold to the next user, but without write privileges to that certain folder, I have no idea how to achieve this. A certain config setting of the m**** service disallows reading from/writing to that folder (and the “current other” user doesn’t have any privileges on that folder either).
If anyone could give a nudge in the right direction (or point out my mistake), it would be much appreciated :slight_smile:

Have a look to see if the attackers, or someone on the system, left something useful behind. Possibly in the built in tables.

DM me for more specific language because I appreciate the vagueness here might be confusing.

Thanks, @TazWake. Will look into the other stuff tomorrow. Now it’s time for some overdue sleep :smiley:

Man, I’m about to say bad words!!! Why in the ■■■■ do I keep receiving this "WARNING: Failed to daemonise. This is quite common and not fatal. ()"? I looked at the PHP functions that are disabled and uploaded another rev-php but none! ■■■■

@Jk3r said:

Man, I’m about to say bad words!!! Why in the ■■■■ do I keep receiving this "WARNING: Failed to daemonise. This is quite common and not fatal. ()"? I looked at the PHP functions that are disabled and uploaded another rev-php but none! ■■■■

It quite often means something went wrong with Pentestmonkey’s reverse PHP shell.

It doesn’t always mean the shell failed so you might want to check if anything is hitting the listener or if something else is the problem.

If other shells are failing you might need to do some deeper troubleshooting.

If other shells are failing you might need to do some deeper troubleshooting.

That’s the f**king problem, I’m not good at PHP! :lol:

@TazWake said:

Have a look to see if the attackers, or someone on the system, left something useful behind. Possibly in the built in tables.

DM me for more specific language because I appreciate the vagueness here might be confusing.

The vagueness was just right. Managed to grab user. Thanks :slight_smile:

And for the last step, I assume that something else was left behind, somewhere. Guess, I need to enum even more :confused:

@HomeSen said:

The vagueness was just right. Managed to grab user. Thanks :slight_smile:

Phew - glad to have helped a bit.

And for the last step, I assume that something else was left behind, somewhere. Guess, I need to enum even more :confused:

Yeah, they might have changed something to get in through the back door.

This box FAQ’d my head off :lol: Anyway, rooted!! Thanks @TazWake for the help. PM me if anyone needs help …

Rooted. What an awesome ride. Thank you @TazWake for the nudges along the way. I really need to dig deeper into Linux forensics.
Thank you @D4nch3n for a great box. Really loved it from start to finish :slight_smile:

Done & Dusted!

Boy that trip caused several “Double Palm” / “DOH!!!” moments as well as “walk away… just walk away…” moments. @TazWake again thank you for your hints and advice in these forums / discussions they were just the nudges I needed without having to “call a friend” :wink:

Cheers @D4nch3n for the fun / maddening at times machine.

Rooted!
Really interesting BOX!

Thanks @D4nch3n !

Got a POC working and can start navigating around the system. With that I was able to do research and found a way to circumvent functionality that is disabled. Found a user that shouldn’t have a certain setting enabled but he does. Pulled on that thread but it seems that the directory I want to write to and the directory that comes back as part of a query with privs are two different ones. Don’t know if I can pivot any further or if someone dorked the box on purpose. Any guidance?

@weeeeeeeeee said:

Got a POC working and can start navigating around the system. With that I was able to do research and found a way to circumvent functionality that is disabled. Found a user that shouldn’t have a certain setting enabled but he does. Pulled on that thread but it seems that the directory I want to write to and the directory that comes back as part of a query with privs are two different ones. Don’t know if I can pivot any further or if someone dorked the box on purpose. Any guidance?

This is on purpose. I suggest taking a look at @TazWake’s response, here: Official Compromised Discussion - #161 by TazWake - Machines - Hack The Box :: Forums

@HomeSen said:

@weeeeeeeeee said:

Got a POC working and can start navigating around the system. With that I was able to do research and found a way to circumvent functionality that is disabled. Found a user that shouldn’t have a certain setting enabled but he does. Pulled on that thread but it seems that the directory I want to write to and the directory that comes back as part of a query with privs are two different ones. Don’t know if I can pivot any further or if someone dorked the box on purpose. Any guidance?

This is on purpose. I suggest taking a look at @TazWake’s response, here: Official Compromised Discussion - #161 by TazWake - Machines - Hack The Box :: Forums

Understood, and thank you for the refresher. I did find that juicy nugget. I was working that avenue but so far it has been unfruitful. Maybe it’s time to use a bigger hammer against it.

----Edit: found the right hammer, this box is dope so far. Definitely mirrors some real world applications.