Official Chemistry Discussion

Same thing happened with me, tried accessing the contents and it bricked the shell, there's a nifty trick with nc you can use to move the db file off the machine to access it locally instead if needed - hopefully that helps if you’ve not got past that already :slight_smile:

1 Like

I’m at the stage of getting root access. My web application vulnerability scanner found a vulnerability related to accessing server files through the ai*-**** library. It clearly showed me the request that was sent and that the server responded with the contents of /etc/passwd. I tried to reproduce this using Postman, curl, and other tools, but I keep getting a 404 error. Can anyone explain why the scanner was able to get data from the server while I couldn’t? Am I not on the right path?

Got there in the end…

If you’re struggling with getting the ‘user’ password by accessing a certain file and your shell crashes, try moving that file to your own machine to view it locally.

As for root - linpeas will show you what you need… pay attention to your ports and services and think of ways to access what you need. If you’re as far as using the exploit and struggling to get it to work, do your enumeration and you’ll notice something you can add into the exploit which should get it to work… :eyes: if you need any help or guidance feel free to drop a DM

Very nice machine with LFI techniques. This machine will be very easy for those who have taken the learning path of CPTS :slight_smile: … I’m available to help :slight_smile: if required.

Having trouble with privesc :slight_smile:
Is anyone else experiencing issues with port forwarding to port 8080? I used ligolo-ng for local port forwarding and even tried to curl localhost on that port within the victim machine and it says connection refused. Anyone else having issues?

I used local TCP forwarding via SSH, and I was able to access port 8080 on my machine. Hopefully, this helps you resolve your issue

Am I on the right track?
Did the port forwarding via ssh:
ssh -R 8080:localhost:8080 r***a@remote_server
and now doing the curl and getting response
curl localhost:8080/assets/
403: Forbidden

and

curl localhost:8080/assets/…/…/…/etc/passwd
404: Not Found

and not able to access this url via browser

Any hint? What am I missing?
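As an added example that is not part of this thread (and not the box's own code), here is how a defender would pick the traversal request shown in the post above out of web-server access logs. The log lines are constructed samples in common log format under an assumed `/assets` prefix; the script percent-decodes each path (repeatedly, so double encoding is unwrapped), normalises it, and flags any request whose resolved path leaves the watched directory, whatever status code the server returned.

```python
"""Flag path-traversal (LFI-style) requests in access logs.

Added example, not from the thread. Assumptions: common log format,
a watched prefix of /assets, and constructed sample lines below.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2024:12:00:01 +0000] "GET /assets/ HTTP/1.1" 403 199
10.0.0.5 - - [10/Oct/2024:12:00:02 +0000] "GET /assets/../../../etc/passwd HTTP/1.1" 404 153
10.0.0.5 - - [10/Oct/2024:12:00:03 +0000] "GET /assets/..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1832
10.0.0.7 - - [10/Oct/2024:12:00:04 +0000] "GET /assets/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 1832
10.0.0.9 - - [10/Oct/2024:12:00:05 +0000] "GET /assets/app.css HTTP/1.1" 200 4021
10.0.0.9 - - [10/Oct/2024:12:00:06 +0000] "GET /assets/img/../logo.png HTTP/1.1" 200 5120
"""

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def decode_fully(path, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so
    double-encoded sequences such as %252e%252e become '..'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def resolve(raw_path):
    """Decode, drop the query string, treat backslash as a separator
    (some stacks do), and collapse '.' / '..' segments."""
    decoded = decode_fully(raw_path).split("?", 1)[0].replace("\\", "/")
    return posixpath.normpath(decoded)


def inside_root(resolved, root):
    """True if the normalised path is the root itself or below it."""
    root = root.rstrip("/")
    return resolved == root or resolved.startswith(root + "/")


def scan_log(text, root="/assets"):
    """Return (ip, status, raw_path, resolved_path) for every request under
    `root` whose resolved path escapes it. Status is deliberately ignored
    when deciding: a 404 on a traversal attempt is still worth an alert,
    as the same payload may later succeed under a different user or ACL."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line; skip rather than crash
        raw = m.group("path")
        if not raw.startswith(root):
            continue  # only watch the chosen prefix
        resolved = resolve(raw)
        if not inside_root(resolved, root):
            hits.append((m.group("ip"), int(m.group("status")), raw, resolved))
    return hits


def offenders(hits):
    """Count escaping requests per source IP, for a quick triage summary."""
    counts = {}
    for ip, _status, _raw, _resolved in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, status, raw, resolved in found:
        print(f"{ip} status={status} {raw} -> {resolved}")
    print("per-IP:", offenders(found))
```

The benign `img/../logo.png` request stays inside the prefix after normalisation and is not reported, while the plain, single-encoded and double-encoded traversal attempts all resolve to the same file and are reported regardless of the 404 or 200 the server answered with.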

Thanks, I got the root flag and figured it out.

Did anyone have success using the polkit CVE from linp***? And can you forward the port before getting user creds?

Spent hours tweaking the polkit exploit to no avail then failed to forward the port (possibly due to my inexperience with non-ssh port forwarding), both right after the foothold.

I eventually realized I had strayed too far, found db, used ssh forwarding, and was on my way.

I’m also just getting 404: Not found

Are you able to give a hint now you’ve got it please?

You’re having 403 because of an ACL. You have to run the payload with r*** user. To do so, go in the app/ins*** folder and switch to r*** user, after that you can run the LFI payload successfully :slight_smile:

Thanks already rooted

1 Like

Heyyyyy you madlad I love you.
I took a break for a day and came back to it. Still took like 3 hours to figure out the command you mentioned, then took forever to figure out the hashing situation.
But I got it!
As I’m typing this I realize I have one more thing to get… so… on to the next thing…
Still thank you so much for your reply!
(again, I'm new to this)

I'm a newbie here and I am having trouble trying to get past the busybox nc script.

Had to reach out but managed to figure out how much I had over thought this box. Thanks for the nudges in the right direction!

1 Like

I have the root flag, but I am trying to get root creds. Anyone been able to successfully escalate?

Can anyone help?
I don't know how to exploit the CIF file.
I have enumerated the dir but still can't find anything helpful.

Hey, what exploit are you using? To successfully gain initial access to the system, you’ll first need to open a port on your attacking machine to listen for connections. Then, you’ll need to upload the CIF file with the code injection to establish a connection back to your attacking machine (CVE-2024-23346). Show me how you’re using the PoC in DM, and I can help guide you further!

Hi,

I got creds for r### user, what to do next?
I see some comments related to port forwarding. But how to figure out if this is the next step or something else?

TIA

Both foothold and getting root can be obtained by figuring out the technology used in the backend (related to Python module, library, framework, etc.) and searching for any available vulnerability and exploit for it.

  • For foothold, we have to connect some dots by googling with the CIF thingy (google properly)
  • For root, it’s right in front of your eyes

How to figure out the technology?

Answer: Response Headers

Edit

For those who might complain about my not being verbose in the root part: I already told the most important thing, without spoiling I hope, but since the root part needs something to be done beforehand, enumeration is the key (linPEAS), port forwarding (most people already talked a lot about it), directory busting and all.

Note: port forwarding is not necessary if you figure out the directory part. I did it because the machine was too slow to respond.

1 Like