Official Knife Discussion

@TazWake said:

@Tw1st3dxF4t3 said:

Hey everybody,

Stuck with foothold.
I have been spending way too much time Googling around, and the only thing I found which could lead to RCE is a CVE applicable to one of the services running on the machine and with a nice GitHub repository provided by some Chinese with a py code ready to run.

However, I tried to run that code, and it simply does nothing. I tried to change a bit the code or the input parameters with no results.

Am I in a rabbit hole? any hint?

Possibly, you don’t need any python scripts here.

Visit the server, look closely at what it tells you, google the information. The biggest clue is that it is a thing that was in the tech news quite a bit from about the end of March.

Sorry sir, but here’s a python RCE script for the version of that service. He might be using a different thing. I’ve pwned this box with that script. Have a nice day. :smiley:

@realhawwk said:

@TazWake said:

@Tw1st3dxF4t3 said:

Hey everybody,

Stuck with foothold.
I have been spending way too much time Googling around, and the only thing I found which could lead to RCE is a CVE applicable to one of the services running on the machine and with a nice GitHub repository provided by some Chinese with a py code ready to run.

However, I tried to run that code, and it simply does nothing. I tried to change a bit the code or the input parameters with no results.

Am I in a rabbit hole? any hint?

Possibly, you don’t need any python scripts here.

Visit the server, look closely at what it tells you, google the information. The biggest clue is that it is a thing that was in the tech news quite a bit from about the end of March.

Sorry sir, but here’s a python RCE script for the version of that service.

Totally - you can create python scripts to automate anything. You clearly don’t need one though as it’s just a modification of one line.

He might be using a different thing. I’ve pwned this box with that script. Have a nice day. :smiley:

I suppose it hinges on did you use a python script from the repo the OP describes?

Here are my two cents:

For the initial foothold I got stuck for too many hours, just because I was always thinking that something more complicated needed to be checked on the box. It ended up being not that hard, but I needed to review the forum to get an idea about it.

From there, user and root were simple, and now I got the rating of the box. If you are stuck and need some hints let me know.

Pepe

User: Good enumeration is the key to user - google research
Root: Remember the name of the machine and good basic privesc enumeration - enumeration

recommended tools Nikto, masscan, netcat, ruby, curl

@TazWake said:

@Tw1st3dxF4t3 said:

Hey everybody,

Stuck with foothold.
I have been spending way too much time Googling around, and the only thing I found which could lead to RCE is a CVE applicable to one of the services running on the machine and with a nice GitHub repository provided by some Chinese with a py code ready to run.

However, I tried to run that code, and it simply does nothing. I tried to change a bit the code or the input parameters with no results.

Am I in a rabbit hole? any hint?

Possibly, you don’t need any python scripts here.

Visit the server, look closely at what it tells you, google the information. The biggest clue is that it is a thing that was in the tech news quite a bit from about the end of March.

Thanks. Apparently, there are two vulnerabilities with exploits written by Chinese guys that you can find when googling what you enumerated on this machine. But yeah, I was using the wrong one.

Hint for whoever is stuck on the same wrong python script as me: if it’s not recent (2021) it’s the wrong one.

Root is pretty straightforward.

Rooted !!

User: Just first two lines of nikto are sufficient for gaining initial foothold.
Root: See what things you can do!! ( just with a simple command). Enumerate more about what the binary is doing.

DM Me For hints

Guys, finally after 4 hrs … got root … feeling happy.

@divyansc said:

Rooted !!

User: Just first two lines of nikto are sufficient for gaining initial foothold.
Root: See what things you can do!! ( just with a simple command). Enumerate more about what the binary is doing.

DM Me For hints

Would love to know what you did with nikto.

Stuck on root and could use some help. I know it’s e*** but I cannot get this syntax right for the life of me; any tips would be appreciated.

@DemiScuzz said:

Would love to know what you did with nikto.

I can’t speak for @divyansc but I ran Nikto, read the output and then found the attack path.

Rooted.
Thanks to @TazWake, @Lnevx

Rooted!!! My second active box ever. This thread helped, thank you guys!! User is pretty trivial and an easy google… the resulting shell I got was pretty strange. No way to upgrade it in the usual way. Maybe someone has any info on that part? Was there a way to get a decent shell before escalating? And why was it like that? I got a feeling that it does not show stderr? Am I right? Can anyone please elaborate on this part a little bit?

I was able to get a foothold pretty quick, just spent a long time running in circles trying to get root. I finally got it with some help from @Z3R013 .

Fun box :slight_smile:
Nice exploit and new tool to learn for root

@Ykey said:

Rooted!!! My second active box ever. This thread helped, thank you guys!! User is pretty trivial and an easy google… the resulting shell I got was pretty strange. No way to upgrade it in the usual way. Maybe someone has any info on that part? Was there a way to get a decent shell before escalating? And why was it like that? I got a feeling that it does not show stderr? Am I right? Can anyone please elaborate on this part a little bit?

Read before you launch. :wink:

@flast101 said:

@Ykey said:

Rooted!!! My second active box ever. This thread helped, thank you guys!! User is pretty trivial and an easy google… the resulting shell I got was pretty strange. No way to upgrade it in the usual way. Maybe someone has any info on that part? Was there a way to get a decent shell before escalating? And why was it like that? I got a feeling that it does not show stderr? Am I right? Can anyone please elaborate on this part a little bit?

Read before you launch. :wink:

Thank you, yeah. I guess I know what you mean. My bad for blindly copy/pasting the payload from a cheat sheet :slight_smile:

Is this box unstable for anyone else? I keep getting a foothold no problem, and even manage to get a few commands off (including throwing another shell back to myself on another port), but probably within 5 mins the box goes unresponsive. I don’t know if someone else is killing the instance I’m working on or what, but I can’t get a stable shell to save my life.

Rooted!

Foothold: something fairly recent if you follow cybersecurity / CVE news. It was interesting to get to exploit this as I have had a lot of conversations about it at work recently.

Root: should be one of the first things you check. The path should be evident once you do, and do a bit of research.

The box is a fun little Sunday morning box to run while having some coffee. Respects to @infosecjack for putting together a great learning box for beginners and for allowing me to run exploits against vulnerabilities that are fairly recent.

Hi, could someone give me a push to get root?

@jcbm97 said:

Hi, could someone give me a push to get root?

Look at what your account can run. Run it with something that can give you a shell.