Official Doctor Discussion

OK, have root flag and have RCE on box but cannot get a reverse shell as root. So don't know if I can say I've rooted it.

@foalma321 said:

OK, have root flag and have RCE on box but cannot get a reverse shell as root. So don't know if I can say I've rooted it.

If you have the root flag, you’ve achieved the objective of an HTB box.

If you can run commands as root, you’ve rooted it.

I think I just fundamentally don’t have the knowledge needed to approach this box. I’m in DSM obviously, and I’m aware of that service that can be used for local priv esc, but I’m unsure how to proceed.

No directories or files I’m able to fuzz seem useful. Tried some guess work with some certain names to see if anyone posted anything interesting, but nothing there either. I could rock the DSM but that seems dubious at best. Injection yields no result.

Whatever the foothold here is, I’m not seeing it.

Currently looking into W******g and things related, but I feel like I’m grasping at straws.

@RJGordon said:

I think I just fundamentally don’t have the knowledge needed to approach this box. I’m in DSM obviously, and I’m aware of that service that can be used for local priv esc, but I’m unsure how to proceed.

That might be distracting you. You aren’t looking for a local privesc at the start, you need to get a foothold and then you can privesc.

No directories or files I’m able to fuzz seem useful. Tried some guess work with some certain names to see if anyone posted anything interesting, but nothing there either. I could rock the DSM but that seems dubious at best. Injection yields no result.

It depends what you inject and where you look for the responses.

It's worth remembering: if you visit a web page and get a blank page, the server has sent something to your machine; otherwise you get a predictable error message.

Whatever the foothold here is, I’m not seeing it.

Currently looking into W******g and things related, but I feel like I’m grasping at straws.

This is the right path.

@TazWake said:

@foalma321 said:

OK, have root flag and have RCE on box but cannot get a reverse shell as root. So don't know if I can say I've rooted it.

If you have the root flag, you’ve achieved the objective of an HTB box.

If you can run commands as root, you’ve rooted it.

Lovely, ROOTED then, thanks.

Well that was brutal for me. Thanks to TazWake for a nudge to point me in the right direction, and was able to get both user and root flags. Definitely not an easy box for me, but well worth the effort with what I’ve learned over the past few days.

Finally:
root@doctor:/# id
id
uid=0(root) gid=0(root) groups=0(root)
root@doctor:/#

When I try to open http://dxxxxxs.htb in Kali 2020.4 I get this: "We're having trouble finding that site", and instead of http://blabla Mozilla puts http://www.blabla … On Parrot I get this: "Please log in to access this page." … and everything works fine … where is the problem?

You probably haven’t updated the hosts file.

This is way harder than I expected; I thought there would be a guide to assist you in some way. Why is this labelled beginner? I'm completely stuck.

@LightOrithm said:

This is way harder than I expected; I thought there would be a guide to assist you in some way. Why is this labelled beginner? I'm completely stuck.

To be fair, it isn’t labelled beginner as such - it says “easy”. That rating is because there is almost no requirement to use customised exploits.

@TazWake said:

@LightOrithm said:

To be fair, it isn’t labelled beginner as such - it says “easy”. That rating is because there is almost no requirement to use customised exploits.

Yea, I'll give you that. I assumed it would start you off lightly, but it doesn't seem to be that way, unfortunately. Ah well…

@LightOrithm said:

Yea, I'll give you that. I assumed it would start you off lightly, but it doesn't seem to be that way, unfortunately. Ah well…

If you can clarify what you are stuck on, it might be possible to give some help.

If you’ve completely hit a blank, I’d suggest trying the Starting Point labs or the Academy (not the box).

@TazWake

Thanks, I registered and then it was just the next thing it said to do, haha. I'll have a look at the Starting Point labs. I'm near the end of the Doctors ~ stuck on injection, without saying too much.

@LightOrithm said:

@TazWake

Thanks, I registered and then it was just the next thing it said to do, haha. I'll have a look at the Starting Point labs. I'm near the end of the Doctors ~ stuck on injection, without saying too much.

Ok. What you need to do is make sure you’ve done enough enumeration to fully understand what gets processed where. You need to make sure you have looked at all the responses from the server to have an idea of what types of injection are likely, then try them.

Once you work out the right type, there are online payloads which work perfectly to get you a shell. (Albeit with minor modifications)
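The advice above boils down to a differential test: submit a probe whose evaluated form differs from its raw form, then re-read every page you have enumerated (not just the one you posted to) and classify each response as "evaluated", "echoed" or "absent". The script below is an added example written for this thread, not code from the box or from any poster. It assumes a hypothetical site that stores a submitted field and may render it on some other page; the probe syntaxes, the page paths and the `FakeSite` stand-in are all constructed so it runs offline.

```python
"""Differential probe: find WHERE a submitted value is rendered and WHETHER
it was evaluated. Added example for this thread; the target, paths and
probe syntaxes are assumptions, not details of the box."""
import html
import re

# Constructed probes. Each pairs a raw payload with the value an evaluating
# backend would render. The products are distinct so a rendering left over
# from an earlier probe cannot be mistaken for a hit on a later one.
PROBES = [
    ("{{7*191}}", "1337"),       # double-brace template syntax (assumption)
    ("${13*101}", "1313"),       # dollar-brace syntax (assumption)
    ("<%= 17*101 %>", "1717"),   # ERB-style syntax (assumption)
]


def classify(payload, expected, body):
    """Classify one page body for one probe."""
    if expected in body and payload not in body:
        return "evaluated"     # backend computed the expression
    if payload in body:
        return "echoed"        # stored and shown, but not evaluated
    return "absent"            # not shown here (or escaped beyond recognition)


def probe_site(submit, fetch, pages):
    """submit(payload) posts one probe; fetch(path) returns a page body.
    Every page in `pages` is re-read after each submission, because the
    injection may be triggered on a page other than the one you post to.
    Returns {payload: {path: classification}}."""
    results = {}
    for payload, expected in PROBES:
        submit(payload)
        results[payload] = {p: classify(payload, expected, fetch(p)) for p in pages}
    return results


def summarize(results):
    """Return (payload, path) pairs where the server evaluated the probe."""
    return [(pl, p) for pl, r in results.items()
            for p, c in r.items() if c == "evaluated"]


class FakeSite:
    """Constructed stand-in for a target so the example runs offline.
    '/' shows the last submission HTML-escaped (safe echo); '/archive'
    renders stored items through a toy engine that evaluates only
    {{ a*b }}; anything else returns an empty body."""

    def __init__(self):
        self.stored = []

    def submit(self, payload):
        self.stored.append(payload)

    def fetch(self, path):
        if path == "/":
            if not self.stored:
                return "<p>Welcome</p>"
            return f"<p>Last title: {html.escape(self.stored[-1])}</p>"
        if path == "/archive":
            items = []
            for s in self.stored:
                rendered = re.sub(
                    r"\{\{\s*(\d+)\*(\d+)\s*\}\}",
                    lambda m: str(int(m.group(1)) * int(m.group(2))), s)
                items.append(f"<item><title>{rendered}</title></item>")
            return "<rss>" + "".join(items) + "</rss>"
        return ""  # unknown page: nothing to see


if __name__ == "__main__":
    site = FakeSite()
    res = probe_site(site.submit, site.fetch, ["/", "/archive", "/missing"])
    for payload, per_page in res.items():
        print(payload, per_page)
    print("evaluated at:", summarize(res))
```

Against a real target, `submit` and `fetch` would wrap an HTTP client; the point of the structure is that the classification runs over every enumerated page after every probe, so a page that looks blank or a secondary feed page is still checked. Note that the third probe reads as "absent" on the escaping page: an HTML-escaped echo hides the raw payload, which is exactly why looking at the raw response rather than the rendered page matters.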

I have tried * but can't seem to get anything, am I missing something??

@LightOrithm said:

I have tried * but can't seem to get anything, am I missing something??

It's likely you have missed the page where the injection is triggered.

Back again working on the machine.

I'm encountering some weird stuff. After

sudo do**** ex** -it aimforthehead bash

I'm getting kicked out after a minute with no option to change the sec****.y** file or run the train console.

Is there any workaround for this?
I know my way to shell, but can't manage to send the payload.

Any thoughts? @TazWake

@aimforthehead said:

Back again working on the machine.

I'm encountering some weird stuff. After

sudo do**** ex** -it aimforthehead bash

I'm getting kicked out after a minute with no option to change the sec****.y** file or run the train console.

Is there any workaround for this?
I know my way to shell, but can't manage to send the payload.

Any thoughts? @TazWake

Hmm - I don’t think I understand your attack here. Is this for privesc?

@TazWake said:

Hmm - I don’t think I understand your attack here. Is this for privesc?

Based on the command, he is probably talking about the Laboratory machine.