Official Spectra Discussion

@dutchinho said:

got root, nice box. Has someone done it without ***?

Please pm me if you have…

Do you mean getting foothold with it?

Done and Dusted!!!

This was a fun box …thnx @egre55

Done the OSCP way … a.k.a No MSF

  • Foothold
    We all know how 2020 was a shitty year… same here! So maybe try going back a year or three (your preference)… once there, nothing works!.. yes! You can see the “id”, look around and that’s about it… don’t be heartbroken… As the saying goes… All roads lead to Rome… just think out of the box… probably you could use a “Trojan Horse Technique” (if you watched Troy, you know what I am talking about :smiley: )… and that’s it… and it starts raining shells

  • User
    Don’t waste your time on the enum scripts… basic enumerations will suffice. The path is unusual, so once you spot it, your spider instincts will automatically kick in :smile:

  • Root
    See what you can do… it might be your first time experiencing it (just like me)… go and read about it… learn how it works and where its config files reside… from there, it’s a piece of cake.

Hope nothing is too revealing… tried to keep it as cryptic and fun as possible… Hope it helps those in search of a nudge or two…

I have rooted the box but interested to know if anyone got initial shell without using Metasploit? I found my usual ways of shelling WordPress (theme template editing or uploading plugin) failed.

@foalma321 said:

I have rooted the box but interested to know if anyone got initial shell without using Metasploit? I found my usual ways of shelling WordPress (theme template editing or uploading plugin) failed.

I got my shell without using MSF. I couldn’t get my usual attempts to get a shell to work either. I found an interesting script on GitHub to generate a plugin and start a listener and that worked.

@foalma321 said:

I have rooted the box but interested to know if anyone got initial shell without using Metasploit? I found my usual ways of shelling WordPress (theme template editing or uploading plugin) failed.

I did it without MSF using one of the ways you used. It works

@seiyathesinx said:

@foalma321 said:

I have rooted the box but interested to know if anyone got initial shell without using Metasploit? I found my usual ways of shelling WordPress (theme template editing or uploading plugin) failed.

I did it without MSF using one of the ways you used. It works

UPDATE found a workable script on GitHub.

@foalma321 said:

@seiyathesinx said:

@foalma321 said:

I have rooted the box but interested to know if anyone got initial shell without using Metasploit? I found my usual ways of shelling WordPress (theme template editing or uploading plugin) failed.

I did it without MSF using one of the ways you used. It works

UPDATE found a workable script on GitHub.

There is an easier way using one kind of jewel… found in the sea :smile:

@foalma321 said:

@seiyathesinx said:

@foalma321 said:

I have rooted the box but interested to know if anyone got initial shell without using Metasploit? I found my usual ways of shelling WordPress (theme template editing or uploading plugin) failed.

I did it without MSF using one of the ways you used. It works

UPDATE found a workable script on GitHub.

I did it raw, the hard way I guess.

worked like a charm

spectra ~ #
root
uid=0(root) gid=0(root) groups=0(root)

@sicario1337 said:

@foalma321 said:

@seiyathesinx said:

@foalma321 said:

I have rooted the box but interested to know if anyone got initial shell without using Metasploit? I found my usual ways of shelling WordPress (theme template editing or uploading plugin) failed.

I did it without MSF using one of the ways you used. It works

UPDATE found a workable script on GitHub.

There is an easier way using one kind of jewel… found in the sea :smile:

Have managed it 3 ways now but your cryptic clue has me stumped :wink:

@foalma321 said:

@sicario1337 said:

@foalma321 said:

@seiyathesinx said:

@foalma321 said:

I have rooted the box but interested to know if anyone got initial shell without using Metasploit? I found my usual ways of shelling WordPress (theme template editing or uploading plugin) failed.

I did it without MSF using one of the ways you used. It works

UPDATE found a workable script on GitHub.

There is an easier way using one kind of jewel… found in the sea :smile:

Have managed it 3 ways now but your cryptic clue has me stumped :wink:

woah woah, was dat?

Hi,
Box rooted, fun box :slight_smile:
Anyone could help me understand how come we were able to get an RCE? This version should not have this vulnerability from my understanding. I don’t want to put too many details here to avoid spoiling. If anyone could PM that would be great.

@Hybr0x said:

Hi,
Box rooted, fun box :slight_smile:
Anyone could help me understand how come we were able to get an RCE? This version should not have this vulnerability from my understanding. I don’t want to put too many details here to avoid spoiling. If anyone could PM that would be great.

If you have that account with that level of permissions, you have inherent RCE (by design)

Finally rooted. I learned funny things along the way!

enum: It is right there, just think about what you have. You don’t need to spend too much time so don’t overthink.
user: It’s a bit hidden but if you enum well you only have to follow the dots.
root: Pretty original and never heard before. Was a bit hard for me since I didn’t find much interesting information about this kind of privesc. You will need to enum a bit more and see what you can do.

pm if you need help

@seiyathesinx said:

Finally rooted. I learned funny things along the way!

enum: It is right there, just think about what you have. You don’t need to spend too much time so don’t overthink.
user: It’s a bit hidden but if you enum well you only have to follow the dots.
root: Pretty original and never heard before. Was a bit hard for me since I didn’t find much interesting information about this kind of privesc. You will need to enum a bit more and see what you can do.

pm if you need help

Nice :smile:

I found the unattended way. I don’t want to spoil it but you should see it on linpeas; took 10 sec to get root.

Great box and quite testing at times as I still required some nudges to find the way. Thanks to those that helped. Often the answer was right in front of me and although there was nothing particularly hard about this box I just got lost in all the other information.

Foothold is not obvious to me. I have done scans and some enum. Probably just don’t know what I should be looking for. Thanks.

@matt516 said:

Foothold is not obvious to me. I have done scans and some enum. Probably just don’t know what I should be looking for. Feel free to PM for any nudges. Thanks.

See if you can read any file, the di****** li**** is what you should try and focus on. See every file, maybe not every file is visible directly?

I got the initial foothold, struggling with user, can anyone dm for a nudge?