Official AdmirerToo Discussion

Official discussion thread for AdmirerToo. Please do not post any spoilers or big hints.

User is tricky. Any hint for root? I've got access to some web app that wasn't accessible before, but the CVE is not working.

I've got user, but I'm still working on root. I've also found a CVE, but it is not working. Still checking options.

Maybe it could be the same CVE.
The one I've found exploits the fail2ban vulnerability using a ~tilde and whois. Is it the one you also found?
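
As an added example (not from this thread), here is a small check for the mechanism behind the fail2ban/whois tilde issue mentioned in the post above, as I understand it: whois output for the banned IP gets fed into a mail client, and if that client still honours body escapes, a line beginning with `~!` runs a shell command and a line beginning with `~|` pipes the message through one. The whois response below is constructed, and `neutralise` is my own helper for illustration, not the project's fix.

```python
"""Flag lines in a message body that a tilde-escape-honouring mail client would
treat as commands (mailx-style '~!' and '~|'), and show how to defuse them.
Added example, not fail2ban's own code; the whois text is constructed."""
from typing import List, Tuple

# Tilde escapes that execute something. Any other line starting with '~' is
# still suspicious, because it will not be mailed verbatim either.
COMMAND_ESCAPES = {"!": "run shell command", "|": "pipe message through command"}

# Constructed whois-style response; registry data is fake (192.0.2.0/24 is TEST-NET-1).
SAMPLE_WHOIS = """\
% This is a constructed whois-style response (not real registry data)
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
descr:          Example network
~! id
remarks:        plain text line
~| cat
"""


def tilde_escape_lines(body: str) -> List[Tuple[int, str, str]]:
    """Return (line number, escape char, argument) for every line starting with '~'."""
    findings = []
    for lineno, line in enumerate(body.splitlines(), start=1):
        if not line.startswith("~"):
            continue
        esc = line[1:2]          # '' for a bare '~'
        arg = line[2:].strip()
        findings.append((lineno, esc, arg))
    return findings


def executes_commands(body: str) -> bool:
    """True if any line would run or pipe to a command under mailx escapes."""
    return any(esc in COMMAND_ESCAPES for _, esc, _ in tilde_escape_lines(body))


def neutralise(body: str) -> str:
    """Prefix a space to every line starting with '~' so the escape is never at
    column 0 and the line is mailed as plain text. (Disabling escapes in the
    mail client itself is the other option; this helper is my own illustration.)"""
    return "\n".join((" " + line) if line.startswith("~") else line
                     for line in body.splitlines()) + "\n"


if __name__ == "__main__":
    for lineno, esc, arg in tilde_escape_lines(SAMPLE_WHOIS):
        kind = COMMAND_ESCAPES.get(esc, "other escape")
        print(f"line {lineno}: ~{esc} -> {kind}: {arg!r}")
    print("dangerous:", executes_commands(SAMPLE_WHOIS))
    print("dangerous after neutralise:", executes_commands(neutralise(SAMPLE_WHOIS)))
```

The check only looks at column 0 because that is where a mail client recognises an escape; the same logic can be run over any attacker-influenced text that ends up on a `mail` command's stdin.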

No? I tunneled 8080, and have been looking at it for like 6 hours and cannot figure it out. It is supposed to be vulnerable by version, but I cannot exploit it…

But that might be helpful. HAHA

Why do you think that is vulnerable, since no services are enabled in the fail2ban jail config?

The CVE on 8080 is a rabbit hole. It is exploitable, but of no use due to permissions.
(Look up the user in the configuration, and find a writable location.)
To get RCE via 8080, focus on directory permissions. Patched now.

If boxes are being patched that is so lame. If you release a box, it should be as is, imo. Somebody might spend hours on an exploit, just to later find out it has been patched. -rep for this one for HTB.

Agree.
Now I have to go back to the CVE.

Yeah, write access has been removed from /opt. What is the point of the 8080 application then?

Use the CVE on 8080 for arbitrary file write.
You need to find out the root path first (check the fail2ban vulnerability as posted above). On that path, use the CVE on 8080 to write the needed file. (No RCE for the account now.)

I also tunneled 8080 and tried to exploit the app, but no luck. The exploits that I found didn't work. :man_shrugging:

I was scanning with sqlmap and I noticed something was blocking access to MySQL for 30 minutes.
Then fail2ban occurred to me, and I found that it might be vulnerable. Someone else also told me this. I could be wrong, as you are saying fail2ban is not configured.

One works… But it is limited.

#user :slight_smile:
Nice box so far; I’ll look into root tonight I think ^^

Edit:
#rooted :wink:

Thanks @mach1ne for your help at the end.
I found the privesc way and methodology very fast… and tried for HOURS to make it work… because of some quotes problem. So, if I can spare you hours of debugging: if your final payload does not work with double quotes, just use single quotes instead!

Glad I’m done with that one :wink:

Rooted, fun but complex.

I'm trying to write up my notes, and going back I can't see how I would have found the "hidden" service (o******b) for the foothold without a hint. The bouncy method seems super cumbersome for performing a port scan. I think the status of the port changed since release, unless my hinter got their own hint… Was there some other hint pointing to it that I just missed? (Yes, I saw those 2 similar filtered ports on the initial scan and can guess a whole bunch of other possible services running, but again that seems cumbersome.)

Hello,
I found it after my nmap -p- -A gave me some filtered ports.
Since these ports are not accessible from the outside, they might be accessible from the inside ^^ And indeed they were :wink:
Nope?

Recently? Or when the box was first released? It's most definitely not filtered anymore. Once inside you can see the firewall rules are set to deny.

Edit: I missed the -A option and had totally forgotten about its abusive behaviour to get what we need. Thank you @clure!

Oh, it was last week!
Let me check that when I get back home!
If it's filtered, maybe like in another box I recently did where you could wfuzz something like

/proc/FUZZ/cmdline

Edit: there is no LFI here, but we could bruteforce 127.0.0.1 for each port to see what's running?
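
As an added example (not posted by anyone in this thread), here is how I would answer "what's listening on the inside" once you have a shell, going a step beyond brute-forcing 127.0.0.1: read the kernel's own socket table from /proc/net/tcp, and fall back to a plain TCP connect scan of 127.0.0.1 only if /proc is not readable. The /proc/net/tcp text embedded below is constructed sample data (a listener on 127.0.0.1:8080, one on 0.0.0.0:3306 and an established connection to skip), not output from this box.

```python
"""List listening TCP sockets from /proc/net/tcp, with a connect-scan fallback.
Added example, not from the thread. SAMPLE_PROC_NET_TCP is constructed data."""
import socket
import struct
from typing import Iterable, List, Optional, Tuple

LISTEN = "0A"  # tcp state code for LISTEN in /proc/net/tcp

# Constructed sample shaped like /proc/net/tcp: LISTEN on 127.0.0.1:8080,
# LISTEN on 0.0.0.0:3306, and one ESTABLISHED (01) connection that must be skipped.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   109        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A3F2 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hex_addr: str) -> Tuple[str, int]:
    """'0100007F:1F90' -> ('127.0.0.1', 8080). The IPv4 part is little-endian hex."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> List[Tuple[str, int]]:
    """Return (ip, port) for every socket in LISTEN state, in file order."""
    listening = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        listening.append(decode_addr(fields[1]))
    return listening


def listening_from_proc(path: str = "/proc/net/tcp") -> Optional[List[Tuple[str, int]]]:
    """Read the real socket table; None if /proc is missing or unreadable."""
    try:
        with open(path) as f:
            return parse_proc_net_tcp(f.read())
    except OSError:
        return None


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.3) -> List[int]:
    """Fallback: full TCP connect to each port; refused/timeout means not open."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def open_local_listener() -> Tuple[socket.socket, int]:
    """Throwaway listener on an ephemeral 127.0.0.1 port (for the demo below)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def scan_demo() -> Tuple[bool, bool]:
    """Exercise connect_scan against a real listener:
    (port seen while it is open, port absent once it is closed)."""
    srv, port = open_local_listener()
    seen_open = connect_scan("127.0.0.1", [port]) == [port]
    srv.close()
    seen_closed = connect_scan("127.0.0.1", [port]) == []
    return seen_open, seen_closed


if __name__ == "__main__":
    found = listening_from_proc()
    if found is None:
        print("/proc/net/tcp not readable; connect-scanning 127.0.0.1 instead")
        found = [("127.0.0.1", p) for p in connect_scan("127.0.0.1", range(1, 65536), 0.05)]
    for ip, port in found:
        print(f"{ip}:{port}")
```

On a box where the firewall drops inbound packets to a port, the /proc route is the quick one: it shows the socket regardless of the filter, and the inode column (ignored here) can be matched against /proc/*/fd to find the owning process. The connect scan is what you fall back to when you are limited to a socket-capable shell, and a refused connection returns immediately on localhost, so the full 65535-port sweep is only slow if something is silently dropping.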