Official Spectra Discussion

@foalma321 said:

@seiyathesinx said:

@foalma321 said:

I have rooted the box but am interested to know if anyone got an initial shell without using Metasploit? I found my usual ways of shelling WordPress (theme template editing or uploading a plugin) failed.

I did it without MSF using one of the ways you used. It works

UPDATE: found a workable script on GitHub.

I did it raw, the hard way I guess.

worked like a charm

spectra ~ #
root
uid=0(root) gid=0(root) groups=0(root)

@sicario1337 said:

@foalma321 said:

@seiyathesinx said:

@foalma321 said:

I have rooted the box but am interested to know if anyone got an initial shell without using Metasploit? I found my usual ways of shelling WordPress (theme template editing or uploading a plugin) failed.

I did it without MSF using one of the ways you used. It works

UPDATE: found a workable script on GitHub.

There is an easier way using one kind of jewel… found in the sea :smile:

Have managed it 3 ways now but your cryptic clue has me stumped :wink:

@foalma321 said:

@sicario1337 said:

@foalma321 said:

@seiyathesinx said:

@foalma321 said:

I have rooted the box but am interested to know if anyone got an initial shell without using Metasploit? I found my usual ways of shelling WordPress (theme template editing or uploading a plugin) failed.

I did it without MSF using one of the ways you used. It works

UPDATE: found a workable script on GitHub.

There is an easier way using one kind of jewel… found in the sea :smile:

Have managed it 3 ways now but your cryptic clue has me stumped :wink:

woah woah, was dat?

Hi,
Box rooted, fun box :slight_smile:
Could anyone help me understand how come we were able to get an RCE? This version should not have this vulnerability from my understanding. I don’t want to put too many details here to avoid spoiling. If anyone could PM, that would be great.

@Hybr0x said:

Hi,
Box rooted, fun box :slight_smile:
Could anyone help me understand how come we were able to get an RCE? This version should not have this vulnerability from my understanding. I don’t want to put too many details here to avoid spoiling. If anyone could PM, that would be great.

If you have that account with that level of permissions, you have inherent RCE (by design)

Finally rooted. I learned funny things along the way!

enum: It is right there, just think about what you have. You don’t need to spend too much time so don’t overthink.
user: it’s a bit hidden but if you enum well you only have to follow the dots
root: pretty original and never heard of before. Was a bit hard for me since I didn’t find much interesting information about this kind of privesc. You will need to enum a bit more and see what you can do.

pm if you need help

@seiyathesinx said:

Finally rooted. I learned funny things along the way!

enum: It is right there, just think about what you have. You don’t need to spend too much time so don’t overthink.
user: it’s a bit hidden but if you enum well you only have to follow the dots
root: pretty original and never heard of before. Was a bit hard for me since I didn’t find much interesting information about this kind of privesc. You will need to enum a bit more and see what you can do.

pm if you need help

Nice :smile:

I found the unattended way. I don’t want to spoil it but you should see on linpeas, took 10 sec to get root.

Great box and quite testing at times as I still required some nudges to find the way. Thanks to those that helped. Often the answer was right in front of me and although there was nothing particularly hard about this box I just got lost in all the other information.

Foothold is not obvious to me. I have done scans and some enum. Probably just don’t know what I should be looking for. Thanks.

@matt516 said:

Foothold is not obvious to me. I have done scans and some enum. Probably just don’t know what I should be looking for. Feel free to PM for any nudges. Thanks.

See if you can read any file, the di****** li**** is what you should try and focus on. See every file, maybe not every file is visible directly?

I got the initial foothold, struggling with user. Can anyone DM for a nudge?

Finally rooted this box. Nice Privilege Escalation, have not seen this approach before. Feel free to PM me with any questions you might have.

Did anyone have a problem with “i****tl: Unknown j**:…” on privesc?

This is doing my head in.
I have logged into the cms. I have tried various pl**ins from the web to get a rs but none worked. I edited a the*me file for a ws which worked but when using it to launch a bash rs nothing happens.

Am I in a rabbit hole?

@paddy3d said:

This is doing my head in.
I have logged into the cms. I have tried various pl**ins from the web to get a rs but none worked. I edited a the*me file for a ws which worked but when using it to launch a bash rs nothing happens.

Am I in a rabbit hole?

Nope, try using msf for reverse shell if other things aren’t working.

@sonym said:

Did anyone have a problem with “i****tl: Unknown j**:…” on privesc?

You don’t need to give the full name of that thing. Only the first part is needed

Finally rooted.
I was blind to see the foothold part. It was right in front of me but it took me some time to see it.
User part was enum (like going through everything)
and root part was nice.

This was a fun box. I spent WAY too long on user.

Getting user isn’t hard if you look at the right file… but if you don’t, good luck. (Thank you to the person who helped get me back on track.)

Root was a heck of a lot easier imo.

DM me if you’re stuck :smile: