Official Compromised Discussion

Type your comment> @freez3r said:

Hi anyone i can dm about user ?

If you shoot me a dm I might be able to help out.

id
uid=0(root) gid=0(root) groups=0(root)
whoami
root

Definitely an interesting privesc technique, gonna keep that one in my back pocket. :wink:

Iā€™m stuck with foothold :frowning: I can browse files and found m***l running but somehow fail to leverage anything to gain user rights. And I think I know what prevents connections from the outside world. I read the hints in this thread and did my best at enumerating. It is very possible that I already found something and just do not know how to leverage it.

I would be very grateful for hints.

Type your comment> @netburger said:

Iā€™m stuck with foothold :frowning: I can browse files and found m***l running but somehow fail to leverage anything to gain user rights. And I think I know what prevents connections from the outside world. I read the hints in this thread and did my best at enumerating. It is very possible that I already found something and just do not know how to leverage it.

I would be very grateful for hints.

Read the b***up, find the log, readt it, and you might find the creds !

Type your comment> @Jk3r said:

Read the b***up, find the log, readt it, and you might find the creds !

I found them. Because of them I am able to browse files.
My access is not interactive (is this my mistake?) and I failed to use those creds at any other place.

Hard to explain it without spoilers. Maybe DM, anyone? :slight_smile:

Hard to explain it without spoilers. Maybe DM, anyone? :slight_smile:

Ping me !

@netburger said:

I found them. Because of them I am able to browse files.
My access is not interactive (is this my mistake?) and I failed to use those creds at any other place.

Hard to explain it without spoilers. Maybe DM, anyone? :slight_smile:

You can use the creds to enumerate a part of the service which allows users to define functions.

Does anyone have a link, an article, anything, that would help me understand what Iā€™m supposed to do to get user ? I can read files via a very unhandy way of commands, but everything Iā€™ve tried so far to retrieve informations from the user that shouldnā€™t be able to log in has been a dead end.

P.S : Generally speaking, if your hint is ā€œEnumā€ or ā€œGoogleā€, donā€™t bother please.

@dragonista said:

Does anyone have a link, an article, anything, that would help me understand what Iā€™m supposed to do to get user ? I can read files via a very unhandy way of commands, but everything Iā€™ve tried so far to retrieve informations from the user that shouldnā€™t be able to log in has been a dead end.

P.S : Generally speaking, if your hint is ā€œEnumā€ or ā€œGoogleā€, donā€™t bother please.

Have a look at @TazWakeā€™s hint, here: Official Compromised Discussion - #161 by TazWake - Machines - Hack The Box :: Forums
It exactly tells you what to look for :wink:

@cyberpathogen said:
Iā€™m so close to root. So close, I can see it on two linesā€¦ but it seems iā€™m not getting the information I need from them. Is there someone who can give me a sanity check towards root?

edit: got it. Great box, love the confidence building enumeration in the beginning, only to beat the ever-loving ā– ā– ā– ā–  out of you right when you figure out rce!

my only hint to those who might get stuck where i was: sometimes things are a little bit inside-out.

Thereā€™s another path I want to try taking too.

I think I am stuck at the very same spot and tried already every combination I can think of. May I humbly ask for a nudge? :neutral:

Edit: Finally rooted! I feel so stupid, because I did everything right with these two lines but used them in the wrong place m(

This is an awesome box and I learned very much from it.
Feel free to PM me, if you need help.

ok, after reading alot from this discussion i build an idea and it worked!
Rooted!

i found so many method to get to root, nothing is wrong as long as it worked, lol :wink:

iā€™m open for help if you guys needed.

Stuck in my way to root. I can see what they have changed, but canā€™t understand it fully. Would anyone be so kind to send me some resources/tips to read on?

Thank you!

Type your comment> @jaybloggs said:

Stuck in my way to root. I can see what they have changed, but canā€™t understand it fully. Would anyone be so kind to send me some resources/tips to read on?

Thank you!

when iā€™m on my way to root, i look for recently modified things, and found something that can escalate me. the key is the name of the machine ā€œcompromisedā€
so i just tried to follow the footprint and it lead me to root.

Type your comment> @itsdafafo said:

when iā€™m on my way to root, i look for recently modified things, and found something that can escalate me. the key is the name of the machine ā€œcompromisedā€
so i just tried to follow the footprint and it lead me to root.

Hi thanks, I found whatā€™s required but still need to find out where to use it.

Edit: got it.

Interesting box. Even though I saw immediately what was done it took me hours to escalate to root. Need to work out on my r*****e skills

Rooted the box after so many days, holy ā– ā– ā– ā– 

root@compromised:~# id
uid=0(root) gid=0(root) groups=0(root)
root@compromised:~#

Big thanks to @itsdafafo for keeping me motivated to keep pushing and completing the box
PM if anyone needs a nudge

Type your comment> @deepansh0xB said:

Rooted the box after so many days, holy ā– ā– ā– ā– 

root@compromised:~# id
uid=0(root) gid=0(root) groups=0(root)
root@compromised:~#

Big thanks to @itsdafafo for keeping me motivated to keep pushing and completing the box
PM if anyone needs a nudge

Congrats. Itā€™s not an easy one.

Would anybody be able to give me a bit of a nudge about where to find the creds for m****? Iā€™ve found the rules as to why I canā€™t establish an outbound connection, Iā€™ve bypassed some of the P** restrictions and can poke around the system and Iā€™ve found the user who shouldnā€™t have what it has but I havenā€™t been able to find anything to elevate to the next steps. Been banging my head against the wall, my access is very limited and typical enumeration like linpeas and the like havenā€™t revealed anything about the creds to me

@jw0 said:

Would anybody be able to give me a bit of a nudge about where to find the creds for m****?

Have you downloaded some files and looked in there?

@TazWake /b____p/_.t__? I used the creds i found in there to exploit the CVE. Am I an idiot and those creds are also used for m* or do I need to have a closer look?