I hit a blind man with a stick and here I am still waiting while I read something h4h4
This is extremely time-consuming. I think I know what I want to exfiltrate but I don't know where it's stored. And it takes forever to read every byte. User in 2 hours… I am impressed.
@f1rstr3am said:
This is extremely time-consuming. I think I know what I want to exfiltrate but I don't know where it's stored. And it takes forever to read every byte. User in 2 hours… I am impressed.
Maybe being blind is not the right way to read files
As you have found the permission, try different ways of reading files
@f1rstr3am said:
I had strange timeouts yesterday so I gave up not knowing if it was HTB infrastructure or perhaps a WAF doing its job. Today I realised that my manual approach using a tool did not work but when I dumped file from Burp Suite and let it work with that it seems to work. I can't see why but I am obviously missing something in the request. Gonna go back later and learn from it, now I at least have found something to work with.
Last night I gave up scanning for anything, this morning scanning I’m finally seeing open ports!
I am trying to exploit what I found in the web code. But get stuck on the payload. Can someone give me a hint?
@Kalimoe said:
I am trying to exploit what I found in the web code. But get stuck on the payload. Can someone give me a hint?
If you are trying foothold from this, I don’t think this is the right way.
Got user. My hint would be not to bother using the automated tool for this one. It takes far too long
Got user but stuck on privesc. Do I have to do anything with the other vhost?
@Kevoenos said:
Got user but stuck on privesc. Do I have to do anything with the other vhost?
How did you get the user then?
Got creds for a service. Don’t know where to go from there. I would gladly take a hint, PM me!
@FQuen said:
Got creds for a service. Don’t know where to go from there. I would gladly take a hint, PM me!
Enumerate which files you can edit
@jsarmz said:
@Kevoenos said:
Got user but stuck on privesc. Do I have to do anything with the other vhost?
How did you get the user then?
Probably the unintended way, by bruteforcing… I’ll try it the intended way first then.
Finally Rooted my first machine done a few hours after release!
User was quite complicated, since my enumeration process did not pick up everything. The tool I used for the foothold did help in some way, although I ended up copying the generated payload and used it by hand at the end.
Root was fun - the initial foothold is right there, however the system does bite back so it is absolutely crucial to understand what happens on the system. I ended up taking multiple steps to get root.
Very fun machine overall (although it took me more time for user than I expected), although I am not sure if there are multiple ways to exploit it since there are some services that I did not use at all in the end.
Was able to use an OWASP top 10 vuln and found I can read various files on the server. Does not seem like I can find the ones I need to, however.
Nice box, rooted.
Privesc to root : can’t have a proper reverse shell !!
(user j*** not in group m*******)
well, rooted. Funny box
Rooted Is Nice For
User: Look To OWASP 10
Root: look in cronjob and P****** The User k*** not in group m******* The j*** is In Group
Rooted. Priv esc was a lot easier than foothold imo, although I got trolled for a while by my shell after getting user j**n
root@writer:~# id
uid=0(root) gid=0(root) groups=0(root)
Rooted, forgot the basics.
Thanks sharkmoos