Official ScriptKiddie Discussion

@dhart16 said:

the server executes commands based off of user input. think of exactly what commands are being run on the server (with arguments), and search for vulns from there

Thanks for the hint. Pretty straightforward.

Rooted, I struggled with privesc to root much more than I’d like to admit. Make sure you pay close attention to how a script is formatting the input you provide!

Please PM for hints, always happy to help :smiley:

I rooted this a few days ago but just found time to leave some feedback here. Firstly, thanks to @jamesa for the nudge!

foothold
I concur with a lot of the comments here that the box’s biggest challenge is overlooking or overthinking the attack surface. I also concur with another person’s comments about the main theme of the box being using the script kiddie’s own tools against them. Look carefully for weaknesses in these tools, as there is one that will open the door.

user
As I said before, it’s about using the script kiddie’s tools against them. Enumerate locally without straying too far from where you landed. There is a pretty ■■■■ cute thing that happens when you try to hack the site (it will even warn you about it). I am very interested in learning from other people how they were able to ‘insert’ themselves into that process - like literally.

root
Once you’ve got the user, you should be in business. LPE SOP should be useful here (or check out your cheat sheets, the answer should be right there). One big hint here is something you’ve probably heard from many people - never run this particular app as root (though in the old backt**ck days it used to run as that).

Let me know if you have any questions!

Just got root. Oof! The privesc was not easy! I have a lot to learn still!

Rooted.
Foothold & User

Just play around with the stuff in the site. Analyze what you are given and once you identify the tool that the site uses to generate stuff, fight fire with fire. Ask Google what to do next.

Privesc

Enumerate around a little bit, but don’t go too far away from where you belong. What you need is right there.

Root

Actually easiest root I’ve ever gotten. Just do the usual enumeration and you’ll know what to do next.
Btw forgot to mention, thanks for the box @0xdf! Really nice. I learnt something new and practiced some of my favorite things.
If anyone needs some help or wants to discuss anything, feel free to PM, although the information already posted in this discussion is enough to root.

Hi,

I’ve found the sl***.sh. I’ve inserted my payload into the file read by the script, but the shell I receive is not from the expected user… Anyone have an idea why?

For the foothold, do I need an ext template?

@lackofgravitas said:

For the foothold, do I need an ext template?

Not an ext as far as I am aware. Other letters may work better.

@Y0urM4m4 said:

Hi,

I’ve found the sl***.sh. I’ve inserted my payload into the file read by the script, but the shell I receive is not from the expected user… Anyone have an idea why?

Having this exact same issue. I thought if you get a correct reverse shell syntax into the sl***.sh it would connect back with the p** user, as that is who the owner of the script is? Still confused as to how that is actually being executed as well.

@Pieceratops said:

@Y0urM4m4 said:

Hi,

I’ve found the sl***.sh. I’ve inserted my payload into the file read by the script, but the shell I receive is not from the expected user… Anyone have an idea why?

Having this exact same issue. I thought if you get a correct reverse shell syntax into the sl***.sh it would connect back with the p** user, as that is who the owner of the script is? Still confused as to how that is actually being executed as well.

I also had this issue.
You should try redirecting the output to a place you know your target has permission to write to just to check that your commands are actually being injected. Also, try with other ways of injecting commands into other commands.
You can PM if you want.

Also, please remove this if it is a spoiler :slight_smile:

Rooted!

User: Upgrade msf, and use your search skills based on what you found on index.

Lateral Pwn: Visit all homes, read through and you will know what to do. You can write to it directly, you know!

Root: Actually, didn’t have to break out from that. Once I got into the console, I could directly cat out the flag. Shouldn’t we try for proper shell? Is that console equivalent to sh/bash already… most commands seem to work directly? Any comments on this are appreciated.

Finally, a proper easy box!

A nudge please. I got my foothold as one of the users. Uploaded linpeas.sh and nothing stands out to me. I looked at some of the scripts and couldn’t figure out anything. Not sure if the attack path is the same as my way in. Attacking an attacker, good concept much to learn.

@kiteboarder said:

A nudge please. I got my foothold as one of the users. Uploaded linpeas.sh and nothing stands out to me. I looked at some of the scripts and couldn’t figure out anything. Not sure if the attack path is the same as my way in. Attacking an attacker, good concept much to learn.

Look for things the account you want to move into owns, examine them. Look for how it relates to something running on the box. Exploit that thing.

Thanks to @imClara , I’ve remembered that ' is not the same as " nor ` :wink:

Feel free to remove if this is considered a spoiler!
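Several posts above circle the same bug class: a script that formats a line it reads from a file into a shell command, where the quoting decides whether the shell treats the line as data or as syntax. The following is an added example (not a post from this thread and not the box's script) showing the vulnerable pattern beside two hardened forms, using a constructed input file; the command, the `scanning` label and the function names are assumptions for illustration.

```python
import shlex
import subprocess

# Constructed sample "file" contents: each line is untrusted data that the
# script formats into a command. Lines 2-4 contain shell syntax that only
# has an effect if the script interpolates them into a shell string.
SAMPLE_LINES = [
    "10.10.10.10",                 # benign value, behaves the same everywhere
    'x"; echo INJECTED; echo "',   # closes the double quotes and chains commands
    "$(echo INJECTED)",            # $(...) is still expanded inside double quotes
    "`echo INJECTED`",             # so are backticks: "..." is not the same as '...'
]


def run_unsafe(line: str) -> str:
    """Vulnerable pattern: the line is pasted into a shell command string
    inside double quotes, which stop neither $(...) nor backticks."""
    cmd = f'echo "scanning {line}"'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_quoted(line: str) -> str:
    """Hardened while still using a shell: shlex.quote() single-quotes the
    value, and the shell performs no expansion inside single quotes."""
    cmd = f"echo scanning {shlex.quote(line)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(line: str) -> str:
    """Hardened without a shell: the line is one argv element, never parsed."""
    return subprocess.run(["echo", "scanning", line], capture_output=True, text=True).stdout


def preserved(line: str, output: str) -> bool:
    """True when the line reached the command unchanged as a single argument."""
    return output == f"scanning {line}\n"


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{line!r}: unsafe_ok={preserved(line, run_unsafe(line))} "
              f"quoted_ok={preserved(line, run_quoted(line))} "
              f"argv_ok={preserved(line, run_argv(line))}")
```

The same check is a useful code-review heuristic: any place a file line or request parameter lands inside a `shell=True` string or a `"$var"` in a shell script deserves the `shlex.quote`/argv treatment.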

@TazWake thank you for the nudge. After understanding the attack vector I was able to move laterally and escalate privs.

When exploiting the vulnerability, is there a way to pass the reverse shell command without using the metasploit?

PS: Please ignore my comment as I was overcomplicating a script.

Rooted. Great box - lots of fun. Thanks to @imClara for the hint and thanks to 0xdf for creating it - great idea.

A nudge please? I have tried many ways and am still not getting the shell.

@ukasha96 said:

A nudge please? I have tried many ways and am still not getting the shell.

Look at what you can upload. Google some of them to see if there is an exploit. Find the exploit. Create an upload. Upload it. Exploit the box. Get a shell.

Somehow got the user without a reverse shell; struggling to get a reverse shell to deep dive into root but none of the reverse shell payloads are working.

Can anyone point me to a proper reverse shell payload that would work?