Official Doctor Discussion

Got root today. Fun box! Initial foothold was definitely the toughest.

Feel free to DM if you find yourself stuck and need a nudge.

Faced a rabbit hole while trying to get root. Noticed that the python2 binary has the cap_sys_ptrace capability, and I thought it was the way to root, but after several hours I realized that kernel.yama.ptrace_scope is set on Ubuntu and there is no possibility to change it at runtime…

Finally got root, nice box, not as easy as I thought!

Can anyone help with the foothold? I’m on m*******g and know I will need to exploit si, but nothing works. I also found the a*e where titles show up, but no si.

@karimwassef said:

Can anyone help with the foothold? I’m on m*******g and know I will need to exploit si, but nothing works. I also found the a*e where titles show up, but no si.

Do you have the right s**i?

Initial foothold was a little difficult, but everything after that was pretty straightforward. Plenty of tips in this thread but PM me if you need a nudge.

Stuck with the port scan on the Doctor machine… all ports are filtered :frowning:
Used SYN stealth scan…

@TazWake said:

@karimwassef said:

Can anyone help with the foothold? I’m on m*******g and know I will need to exploit si, but nothing works. I also found the a*e where titles show up, but no si.

Do you have the right s**i?

I honestly don’t know, I haven’t really messed around with it before.

@karimwassef said:

I honestly don’t know, I haven’t really messed around with it before.

One of the payloads on PayloadsAllTheThings works.

Do I have to split the e**l c****g payload into separate messages for it to work? Because I keep getting a 500.

@karimwassef said:

Do I have to split the e**l c****g payload into separate messages for it to work? Because I keep getting a 500.

Didn’t use that one; All The Things has one that just needs an adjusted payload.

Currently have user but just wondered if anyone can tell me if S****k is the way to root? Have an exploit but wondering if it can be run without creds. Or am I in the wrong direction?
Thanks

@foalma321 said:

Currently have user but just wondered if anyone can tell me if S****k is the way to root?

Yes

Have an exploit but wondering if it can be run without creds. Or am I in the wrong direction?

You need creds - don’t you have them?

@TazWake said:

@foalma321 said:

Currently have user but just wondered if anyone can tell me if S****k is the way to root?

Yes

Have an exploit but wondering if it can be run without creds. Or am I in the wrong direction?

You need creds - don’t you have them?

No. Guess I need to enumerate more…
Thanks for letting me know I’m on the right path.

Seems like I do have creds, got it working but not executing the payload yet, more tinkering needed. If the quite exploit does in fact work.

@foalma321 said:

Seems like I do have creds, got it working but not executing the payload yet, more tinkering needed. If the quite exploit does in fact work.

I can get it to run commands, have tried ping and have netcatted a file transfer, wrote a file… but cannot get a reverse shell to pop… am I looking at this wrong?

OK, have the root flag and have RCE on the box but cannot get a reverse shell as root. So don’t know if I can say I’ve rooted it.

@foalma321 said:

OK, have the root flag and have RCE on the box but cannot get a reverse shell as root. So don’t know if I can say I’ve rooted it.

If you have the root flag, you’ve achieved the objective of an HTB box.

If you can run commands as root, you’ve rooted it.

I think I just fundamentally don’t have the knowledge needed to approach this box. I’m in DSM obviously, and I’m aware of that service that can be used for local priv esc, but I’m unsure how to proceed.

No directories or files I’m able to fuzz seem useful. Tried some guesswork with certain names to see if anyone posted anything interesting, but nothing there either. I could rock the DSM but that seems dubious at best. Injection yields no result.

Whatever the foothold here is, I’m not seeing it.

Currently looking into W******g and things related, but I feel like I’m grasping at straws.

@RJGordon said:

I think I just fundamentally don’t have the knowledge needed to approach this box. I’m in DSM obviously, and I’m aware of that service that can be used for local priv esc, but I’m unsure how to proceed.

That might be distracting you. You aren’t looking for a local privesc at the start, you need to get a foothold and then you can privesc.

No directories or files I’m able to fuzz seem useful. Tried some guesswork with certain names to see if anyone posted anything interesting, but nothing there either. I could rock the DSM but that seems dubious at best. Injection yields no result.

It depends what you inject and where you look for the responses.

It’s worth remembering: if you visit a web page and get a blank page, the server has sent something to your machine; otherwise you get a predictable error message.

Whatever the foothold here is, I’m not seeing it.

Currently looking into W******g and things related, but I feel like I’m grasping at straws.

This is the right path.