Getting started | Knowledge Check

Hello. I stuck on final stage of module “Getting started” on academy. I’d solved first exercize with openning user.txt by metasploitable + getsimple RCE exploit. But next task is getting root.txt file is need to run LinPEAS.sh to find any ways to escalate pivilege.

So i can’t figure out how to do it. The next step recomended in tutorial is " Python3 pty trick to upgrade to a pseudo TTY" but i can’t run it through meterpeter or sh on local target machine.

Another vector is that “sudo -l” on target says that all users may run /usr/bin/php. I’ve wrote shell with “<?PHP system(\$_GET['cmd']);?>” uploaded on target and curl it but nothing happend.

So i now be able to spawn a bash reverse shell and run linpeas. But it says nothing intresting besides php NOPASSWD running that i know before by ‘sudo -l’
Keep searching

hey guys iam so stuck, the website is so slow and the upload button ist not working, i have try to upload it with metasploit but it didnt work too. And now i dont know how i can get this. Can anyone help :slight_smile: please

Same problem of Enzo anyone have same problems?? i litteraly can’t upload with the button or meta (i think is a server problem, it take up to 3 minutes to get a simple page).
someone of the staff can please help ??

any news guys? still unable to complete this module

If anyone needs a bit of a nudge, feel free to hit me up on the Discord.

The site use flash player plus is so so so slow, i mean i know what to do, but the site itself is tressing, who was able to bypass that?

same problem as reported above, i cannot access the upload button… its not reacting to my clicks. i have tried 3 browsers.

This problem still exists, I’m on this part today and feel confident in what I’m going to do - loading the webpages just takes forever though so it’s really painful to do anything. The main page isn’t too bad but when you try to browse to any other directory its really slow.

Seeing lots of calls to ajax.googleapis.com taking a while, and then it tries to contact 172.16.27.5 and also takes a long time.

Not sure if that helps anyone troubleshoot the target image, hopefully it’s resolved soon though.

Can message me for hint if your still stuck

Go back and REALLY pay attention to types of shells…I mean until you’re eyes bleed…I nearly cried when I realized

Is there any other Way to get into without using metasploit(Because using metasploit was pretty simple in this one i was able to capture the Userflag without any hustle) because i was able to login as admin and i was searching possible vulns on the web but i am not able to find any successful method(I tried editing the themes for php Reverse shell but there was no response) I am still trying to look for a potential way to exploit it without using Metasploit… If anyone has found something …we can Discuss :smile:

Hey guys. I’m still working on this task (almost 1 week) and I have no idea how escalate privileges. I use metasploit for it and already improve the shell but whats next? Could someone give a little nudge?

I’m stuck on the priv esc portion as well, I’m sure that the /usr/bin/php binary plays a role in escalating privileges, I’m just not quite sure how to proceed

Type your comment> @galertaw said:

So i now be able to spawn a bash reverse shell and run linpeas. But it says nothing intresting besides php NOPASSWD running that i know before by ‘sudo -l’
Keep searching

How were you able to transfer the Linpeas and how does your sudo -l worked? i was not able to access any other commands like sudo and echo … but i was able to spawn a web shell using the ThemeEditor it was working but still was not able to use other commands only ls and cat and may be some more of the defaults.

Ok so here is one Interesting thing i got … I was able to spawn a web shell using the Following steps –
.
.
1.i was able to login as admin through the page
2.then i started the metasploit scanned and navigated the whole System for like 3-4 Days
3.then i started googling again and found out something about GetSimple cms 3.1.15 Vulnerablity that is in theme-editor
4. I visited the theme editor and tried to edit the php files there and was able to spawn a webshell using the One liner - <,?,p,h,p, e,c,h,o, s,h,e,l,l,_e,x,e,c,($_GET[‘e’].’ 2>&1’); ?>
(remove the ,(commas) I had to use them or the forum was glitching)
5.then i tried the sudo -l command and it worked …(remember to url-encode spaces to run commands)
this is my progress until now…

Type your comment> @SPARTANone17 said:

Ok so here is one Interesting thing i got … I was able to spawn a web shell using the Following steps –
.
.
1.i was able to login as admin through the page
2.then i started the metasploit scanned and navigated the whole System for like 3-4 Days
3.then i started googling again and found out something about GetSimple cms 3.1.15 Vulnerablity that is in theme-editor
4. I visited the theme editor and tried to edit the php files there and was able to spawn a webshell using the One liner - <,?,p,h,p, e,c,h,o, s,h,e,l,l,_e,x,e,c,($_GET[‘e’].’ 2>&1’); ?>
(remove the ,(commas) I had to use them or the forum was glitching)
5.then i tried the sudo -l command and it worked …(remember to url-encode spaces to run commands)
this is my progress until now…

Thanks, following your steps led me to the initial shell. From here though, i had to get a true reverse shell to exploit a certain binary that sudo can run on. Gtfobins led the way for me afterwards!

Finally!!! Jessus…you have to be fast, otherwise the machines just dies

Type your comment> @dewest91 said:

Type your comment> @SPARTANone17 said:

Ok so here is one Interesting thing i got … I was able to spawn a web shell using the Following steps –
.
.
1.i was able to login as admin through the page
2.then i started the metasploit scanned and navigated the whole System for like 3-4 Days
3.then i started googling again and found out something about GetSimple cms 3.1.15 Vulnerablity that is in theme-editor
4. I visited the theme editor and tried to edit the php files there and was able to spawn a webshell using the One liner - <,?,p,h,p, e,c,h,o, s,h,e,l,l,_e,x,e,c,($_GET[‘e’].’ 2>&1’); ?>
(remove the ,(commas) I had to use them or the forum was glitching)
5.then i tried the sudo -l command and it worked …(remember to url-encode spaces to run commands)
this is my progress until now…

Thanks, following your steps led me to the initial shell. From here though, i had to get a true reverse shell to exploit a certain binary that sudo can run on. Gtfobins led the way for me afterwards!

How were you able to get a true REVERSE SHELL!!! i tried like 50 times till now and still i am not able to spawn a true shell i know afterwards that i have to exploit the php vulnerablity using the gtfobins but how ? please help…

Type your comment> @SPARTANone17 said:

Type your comment> @dewest91 said:

Type your comment> @SPARTANone17 said:

Ok so here is one Interesting thing i got … I was able to spawn a web shell using the Following steps –
.
.
1.i was able to login as admin through the page
2.then i started the metasploit scanned and navigated the whole System for like 3-4 Days
3.then i started googling again and found out something about GetSimple cms 3.1.15 Vulnerablity that is in theme-editor
4. I visited the theme editor and tried to edit the php files there and was able to spawn a webshell using the One liner - <,?,p,h,p, e,c,h,o, s,h,e,l,l,_e,x,e,c,($_GET[‘e’].’ 2>&1’); ?>
(remove the ,(commas) I had to use them or the forum was glitching)
5.then i tried the sudo -l command and it worked …(remember to url-encode spaces to run commands)
this is my progress until now…

Thanks, following your steps led me to the initial shell. From here though, i had to get a true reverse shell to exploit a certain binary that sudo can run on. Gtfobins led the way for me afterwards!

How were you able to get a true REVERSE SHELL!!! i tried like 50 times till now and still i am not able to spawn a true shell i know afterwards that i have to exploit the php vulnerablity using the gtfobins but how ? please help…

I uploaded a php web shell on the theme editor page, then setup a listener on my local machine, and used a php reverse shell one liner.