Official TheNotebook Discussion

Rooted! Nice machine! Thank you! It was a little heavy for me as I did not have previous experience with the attack vectors.

My hints:

Initial foothold: check how the application works. Basic enumeration should lead you to change what you need to get access.
User: pretty basic enumeration too. If you’re stuck check for hints on the application posts.
Root: this one took me some time. Basic enumeration should give you what you need. What is a bit tricky is to research what will help you get root and make it work.

Hi guys, good afternoon! I’m stuck on the w part and for some reason I can’t get a request to my local webserver to get the file (the w is fine and pointing to http://MYIP:7070) but I can’t see any requests from there: “Serving HTTP on 0.0.0.0 port 7070 …” Could someone shed some light? Thank you!

Finally rooted!!! nice machine.
The foothold and root part took me some time but it was worth it.

Very nice box! The foothold took me the longest as I wasn’t familiar with the technology.

You should be able to root it with the hints from the last couple pages but feel free to PM if you need a hint. Just let me know what you’ve tried until now.

Thank you, @mostwanted002 for a really fun box!

Foothold and root both took me ages, but the “light bulb” moments were very rewarding.

Foothold and user were relatively straightforward, but now I am stuck on root. I think I got the right path but would like to check with someone if I am on the right track, as I couldn’t get a shell back yet with the exploit I am trying to use. Please PM me.
Rooted: took me a while to understand how this works and to get the exploit to work properly. Thanks @xDragon for resolving an issue with the final exploit.
Funny thing … just learned the things I needed for foothold/user last week … and what I learned for root I can apply to a currently running pentest. So this was a full-on machine experience. Well done … :smiley:

Finally got a root shell.
DM if you are really stuck

Found the way to get the PE (100% sure, proved in the HTB Discord that it’s the one) - but it does not work. Like it runs but nothing happens.
Thought I’d broken the way on the machine - even restarted it.
But then I noticed that it fixes itself.
Tried to be “faster” - same result.

Has anybody encountered such a problem?

@spellanser said:

Found the way to get the PE (100% sure, proved in the HTB Discord that it’s the one) - but it does not work. Like it runs but nothing happens.
Thought I’d broken the way on the machine - even restarted it.
But then I noticed that it fixes itself.
Tried to be “faster” - same result.

Has anybody encountered such a problem?

Are you running two sessions? The approach needs the exploit running in one, while you “exploit” it properly in the second before the first one finishes.

@TazWake said:

Are you running two sessions? The approach needs the exploit running in one, while you “exploit” it properly in the second before the first one finishes.

Yep, I’m running in two sessions.

@spellanser said:

Yep, I’m running in two sessions.

■■■■ it, I’m an idiot. Found my mistake.

Hint: remember that when you remove a file on Linux which is in use by a running process, it will not actually be removed. Its inode is still there.

Hey folks,
I am stuck on the foothold. I’ve enumerated everything and I feel like I have a good understanding of how the web app works.
I’ve also found out how to make the machine GET an HTTP request to my machine (using the k** field of the J*T). But I can’t really get my head around this and how to exploit it.
Would anyone give me a hint? I have the feeling it’s just something basic I haven’t thought about.

Thanks

EDIT: I figured it out. Hint for whoever struggles next: the path is right, but the RCE is a consequence, not the first aim.

@Tw1st3dxF4t3 do you understand what that field you’ve modified is used for?
if you want to discuss this in more detail just send me a private message.

@xaif7aLe yes, I think I do. But still can’t make it useful for RCE. I’ll pm you.

@Tw1st3dxF4t3 said:

@xaif7aLe yes, I think I do. But still can’t make it useful for RCE. I’ll pm you.

RCE sounds like a rabbit hole. Tamper with what defines who you are.

Great box. Absolutely loved the root part, very interesting topic to learn. Thanks @mostwanted002

Finally got root!!! Loved the foothold and root part.
There are some rabbit holes in there guys, be aware!!!
PM me if you need any help, but please tell me what you have tried before asking for hints!!

This machine is interesting. Some thoughts:

## Foothold

Intercept your web requests. Classic tampering with data.

## User

Enumeration. A folder stands out.

## Privesc

  • What commands can you run as root? → Google that vulnerability
  • Grab a coffee, because it takes a while to understand.

## Notes

I had the executable built correctly and the commands executed well. It took me a solid hour rerunning the same thing before the root shell actually popped. If you’re certain, keep at it. I think I might have been too slow every time.

Can someone DM me to help with foothold? I think I’m missing something here.

Spoiler Removed