Official Compromised Discussion

I’m stuck with foothold :frowning: I can browse files and found m***l running but somehow fail to leverage anything to gain user rights. And I think I know what prevents connections from the outside world. I read the hints in this thread and did my best at enumerating. It is very possible that I already found something and just do not know how to leverage it.

I would be very grateful for hints.

@netburger said:

I’m stuck with foothold :frowning: I can browse files and found m***l running but somehow fail to leverage anything to gain user rights. And I think I know what prevents connections from the outside world. I read the hints in this thread and did my best at enumerating. It is very possible that I already found something and just do not know how to leverage it.

I would be very grateful for hints.

Read the b***up, find the log, read it, and you might find the creds!

@Jk3r said:

Read the b***up, find the log, read it, and you might find the creds!

I found them. Because of them I am able to browse files.
My access is not interactive (is this my mistake?) and I failed to use those creds at any other place.

Hard to explain it without spoilers. Maybe DM, anyone? :slight_smile:

Hard to explain it without spoilers. Maybe DM, anyone? :slight_smile:

Ping me !

@netburger said:

I found them. Because of them I am able to browse files.
My access is not interactive (is this my mistake?) and I failed to use those creds at any other place.

Hard to explain it without spoilers. Maybe DM, anyone? :slight_smile:

You can use the creds to enumerate a part of the service which allows users to define functions.

Does anyone have a link, an article, anything, that would help me understand what I’m supposed to do to get user? I can read files via a very unhandy way of commands, but everything I’ve tried so far to retrieve information from the user that shouldn’t be able to log in has been a dead end.

P.S : Generally speaking, if your hint is “Enum” or “Google”, don’t bother please.

@dragonista said:

Does anyone have a link, an article, anything, that would help me understand what I’m supposed to do to get user? I can read files via a very unhandy way of commands, but everything I’ve tried so far to retrieve information from the user that shouldn’t be able to log in has been a dead end.

P.S : Generally speaking, if your hint is “Enum” or “Google”, don’t bother please.

Have a look at @TazWake’s hint, here: Official Compromised Discussion - #161 by TazWake - Machines - Hack The Box :: Forums
It exactly tells you what to look for :wink:

@cyberpathogen said:
I’m so close to root. So close, I can see it on two lines… but it seems i’m not getting the information I need from them. Is there someone who can give me a sanity check towards root?

edit: got it. Great box, love the confidence building enumeration in the beginning, only to beat the ever-loving ■■■■ out of you right when you figure out rce!

my only hint to those who might get stuck where i was: sometimes things are a little bit inside-out.

There’s another path I want to try taking too.

I think I am stuck at the very same spot and tried already every combination I can think of. May I humbly ask for a nudge? :neutral:

Edit: Finally rooted! I feel so stupid, because I did everything right with these two lines but used them in the wrong place m(

This is an awesome box and I learned very much from it.
Feel free to PM me, if you need help.

ok, after reading a lot from this discussion I built an idea and it worked!
Rooted!

I found so many methods to get to root, nothing is wrong as long as it worked, lol :wink:

I’m open for help if you guys need it.

Stuck in my way to root. I can see what they have changed, but can’t understand it fully. Would anyone be so kind to send me some resources/tips to read on?

Thank you!

@jaybloggs said:

Stuck in my way to root. I can see what they have changed, but can’t understand it fully. Would anyone be so kind to send me some resources/tips to read on?

Thank you!

When I’m on my way to root, I look for recently modified things, and found something that can escalate me. The key is the name of the machine “compromised”
so I just tried to follow the footprint and it led me to root.

@itsdafafo said:

When I’m on my way to root, I look for recently modified things, and found something that can escalate me. The key is the name of the machine “compromised”
so I just tried to follow the footprint and it led me to root.

Hi thanks, I found what’s required but still need to find out where to use it.

Edit: got it.

Interesting box. Even though I saw immediately what was done it took me hours to escalate to root. Need to work on my r*****e skills

Rooted the box after so many days, holy ■■■■

root@compromised:~# id
uid=0(root) gid=0(root) groups=0(root)
root@compromised:~#

Big thanks to @itsdafafo for keeping me motivated to keep pushing and completing the box
PM if anyone needs a nudge

@deepansh0xB said:

Rooted the box after so many days, holy ■■■■

root@compromised:~# id
uid=0(root) gid=0(root) groups=0(root)
root@compromised:~#

Big thanks to @itsdafafo for keeping me motivated to keep pushing and completing the box
PM if anyone needs a nudge

Congrats. It’s not an easy one.

Would anybody be able to give me a bit of a nudge about where to find the creds for m****? I’ve found the rules as to why I can’t establish an outbound connection, I’ve bypassed some of the P** restrictions and can poke around the system and I’ve found the user who shouldn’t have what it has but I haven’t been able to find anything to elevate to the next steps. Been banging my head against the wall, my access is very limited and typical enumeration like linpeas and the like haven’t revealed anything about the creds to me

@jw0 said:

Would anybody be able to give me a bit of a nudge about where to find the creds for m****?

Have you downloaded some files and looked in there?

@TazWake /b____p/_.t__? I used the creds i found in there to exploit the CVE. Am I an idiot and those creds are also used for m* or do I need to have a closer look?

@jw0 said:

@TazWake /b____p/_.t__? I used the creds i found in there to exploit the CVE. Am I an idiot and those creds are also used for m* or do I need to have a closer look?

it isn’t cred reuse but you may want to re-check those files.

Grrr this one’s frustrating me. I don’t know what I’m missing… I can see which files the attacker has modified, I can see the differences between the b____p and the live pages, I can see what the attackers inserted (although I can’t figure out why they’ve added it in l**u***.i**.p**, on the other page I understand). With my limited access it’s hard to test against m__. It’s going to be one of the obvious things that’s staring me in the face the whole time isn’t it?

EDIT: OMFG. I was right. I am an idiot. If you’re reading this and you’re in the same boat as me you’re an idiot too. It’s right there in front of your face, double, triple, quadruple check your syntax. Can’t believe myself, wasted soooo much time on something I tested a few times with incorrect syntax. Yes it’s that obvious. Do it again.

Rooted. This one was fun. When it wasn’t painful.