Official Feline Discussion

Now this is an interesting foothold vuln. Don’t see much of this on htb

I get the file uploaded and execute it, but the shell doesn’t connect back to my machine. If anyone can help could they DM me?

Edit: Finally got it after 2 hrs of spamming the exact same command

Yeah, the foothold requires pretty esoteric syntax of the command. I encountered it by chance on some random github bug report. Would never know otherwise.

Spoiler Removed

Sorry I guess that gave too much away ^^

Can somebody help with the port forwarding though? I swear I’m doing everything right but it isn’t working.

@LMAY75 said:

Can somebody help with the port forwarding though? I swear I’m doing everything right but it isn’t working.

What about chisel and googling?

@gunroot said:

What about chisel and googling?

That's what I’ve tried. I swear I set up the chisel correctly, but the exploit doesn’t work. Says the service on the box is offline.

Well here’s some good news, the tunnel is correct

There must be an issue with my shell script, a curl request to my server went through perfectly fine.

@LMAY75 said:

That's what I’ve tried. I swear I set up the chisel correctly, but the exploit doesn’t work. Says the service on the box is offline.

If it says the service is offline then your port forwarding is probably wrong. There is an enhanced version of an ordinary tool that works pretty well in this case.

Spoiler Removed

@LMAY75 said:

Turns out the tunnel is good. Instead of using the shell command I used a curl just to test and it went through and grabbed a test file from my server.

Make sure you are launching your exploit at the right target.

Spoiler Removed

@LMAY75 said:

The script executes, gets the root key and says yay we added the process successfully. Unfortunately, no shell ever connects back to my nc listener.

My first suggestion would be to try other things. There are no guarantees that any one technique will work, so sometimes it is a case of trial and error.

I know that the command is executing, because I set up a server and then used a curl request as a payload. My server picked up the request as coming from the box and sent over a ‘test.txt’ file.

So chances are the bash shell is the problem…

Since we have a functioning tunnel, and the script is able to run commands, my question is why won't the shell execute?

I don’t know, there could be a lot of reasons - the box creator may have disabled it, or configured it so it won’t work. You can't work this out remotely, so I’d be tempted to try something else and when you get a shell you can investigate it further if it matters.

This box was excellent, the hints here are also very good already.

Feel free to PM for nudges, hints or sanity checks :)

As I go to enter the root flag, the flag changes.

Edit: Flag is broken what do you know. Just contacted support.

Edit 2: Nvm, it adds an exclamation point to the front of the flag. Make sure to take it off; not sure why it gets added.

id
uid=0(root) gid=0(root) groups=0(root)

That was a rollercoaster. Learned some new skills, but the syntax is incredibly picky. Special thanks to @TazWake for spending at least 6 hrs with me trying to tweak the foothold to work. That man has some incredible patience.

If you need help, feel free to DM me.

Rooted today. It took way longer than it should have. Looking back at the machine and the hints available in this forum, it should not be a piece of cake, but not as painful as it was. I will not give extra hints because a lot is already here and the rest can be easily found using google-fu. Just pay attention and stay focused. Small, stupid mistakes may cost you a lot of time otherwise.
Many thanks to @LMAY75 for help in correcting (idiotic) mistakes.
Overall a very nice machine, and the initial foothold was really enjoyable.

I've been stuck for hours. Still haven't found the way to execute my uploaded payload. I guess I haven't found the right path with the J*****D. I may need some nudges.

thanks,

Update: Finally got the user flag after many hours of experimenting… LOL, thanks @TazWake

@meldancehall said:

I've been stuck for hours. Still haven't found the way to execute my uploaded payload. I guess I haven't found the right path with the J*****D. I may need some nudges.

thanks,

Experimentation helps here.

Great box, learned some new tools. User was quick, but it took a long time and a lot of reading for me to find the path to root.