@Caracal For low-level people “enum enum enum” doesn’t help. If it’s something we missed, okay. But I’ve been sitting in the l*g folder for a while, and I simply don’t have the knowledge to distinguish what I can use or not. I’ve tried getting the authors to hydra, hijacking the cookies, but nothing.
It’s not about low-level people. If you found the file, I say “enum, enum, enum” because it should be clear what you have to do and how to do it.
It’s not even about level, but more about clearness: you have a CVE, you need a password, and if you have that file, it’s just about enum, and it’s clearly impossible to give a clue without spoiling that part.
You don’t need to hijack anything, you don’t need to brute-force creds.
For foothold:
If you don’t have it, a common list will help you get to it.
I just found admin creds after bashing my head against the wall for a while.
Tip: When people say look for logs, don’t get tunnel vision like I did. Instead, once you find something remotely interesting, follow it all the way, even if it means navigating to other directories. You won’t find the creds in the backup folder, only a way to find them.
Hello, creator here, just gonna repost the hint that I have made public in the discord chat, if you are stuck at a certain part.
“Trace the attacker’s steps, see what persistence they laid out. One way is by making a user who normally cannot log in able to log in, and tampering with its service to get persistent access into the box. Maybe they didn’t clean up very well?”
I’m no longer really active on the forums (trying to reduce the number of accounts to check), but DM me on discord for further hints.
When a certain file is uploaded, just for the test’s sake, it seems the web server is crashing. Not sure if that is intended behavior, but a machine reset is needed.
If someone could confirm the same…
Rooted. I like the box in the first part.
My hints:
- simple enum can get you in the place
- you are there, take a look at what you can do; the CVE gives issues, simulate with Burp
- you are there, limited but there, don’t forget it’s compromised
- the attacker can come back, so think how, with everything limited
- you found the way to get in, don’t be shy
- ok, stay at home, it’s not safe out
- think how the attacker can gain root; he must have left a backdoor
Hope it’s not a big spoiler.
Thanks to @TheCyberGeek for the hints, this guy is really a geek.
Also thanks to @D4nch3n for this box.
I uploaded a webshell using the exploit from e*****tdb and the admin credentials, but the shell doesn’t seem to respond. I don’t know if I’m getting the upload path wrong or if somehow it’s getting deleted. If anyone got the same issue and could help with nudges, I would appreciate it very much! (I tried some other things and I think I took the box down :neutral:)
PS: I managed to make uploads manually using Burp, but still can’t get much response… At least I now know that the upload is successful, since when I try to trigger a reverse shell which daemonises itself I get a common error: "WARNING: Failed to daemonise. This is quite common and not fatal. () " but still no connection. I was also able to upload a file with only the content “test” and it gets successfully displayed, but I can’t make it parse any commands to the system…