Official Compromised Discussion

Finally I managed to get root.
Thanks for great machine @D4nch3n. I learned something new especially about php backdoors. Also searching for compromise leftovers was something new for me - guess I wouldn’t be a good sysadmin :wink:
Many thanks @TazWake and @LMAY75 for your great hints along the way.

Umm, hey guys, just started the box today, found the backup and an exploit for “l*** c***” but it requires the user credentials. Can someone help, or if I am going down a rabbit hole please alert me!!

Edit: I got the user name for " l*** c*** "

@shubhanshu7 said:

Umm, hey guys, just started the box today, found the backup and an exploit for “l*** c***” but it requires the user credentials. Can someone help, or if I am going down a rabbit hole please alert me!!

You are on the right track, enumerate through the backup… as other comments have mentioned, it is very worthwhile learning grep, find, locate to help with your searching. Another helpful comment was pay attention to dates :slight_smile:

Rooted. If you need some help, DM me.

User: Find the correct web vuln to upload a webshell and search for some creds with the webshell.
Root: think like “heartbleed”. It’s not about heartbleed; only the exploitation type is similar.

Finally rooted after a few very long days! Thank you @gunroot and @LMAY75 for the nudges. Some of the tips on here are exactly what you need! Enumeration is a big part of the box. Information for user1 can be found in multiple places… one of which you have probably used already :wink:

Happy to help nudge if you need help, provide what you have done and where you are up to in a PM.

Really interesting box.
I learnt something trying to get a webshell, but it’s entirely not necessary (and it’s probably easier not to get a webshell).

I found it useful to rewrite what was changed and print it, as I had all the letters right but not the order.

I can read files and list directories but I am coming up empty. I see a couple of users that have bash in passwd but I am not finding info to compromise those users. Any hints would be appreciated.

Real fun box, I got stuck at root, thanks to @LMAY75 for the nudge.
In hindsight, it was obvious.

I loved scripting to own this box, this is my take on the “Not A Reverse Shell”, nothing new but since nobody posted something similar (having history, history search and emacs style special keys).

#!/usr/bin/env python3
import cmd
import requests

# Placeholders: point these at the web shell you already have on the box.
TARGET = "http://YOURRCE"          # URL of the uploaded web shell
CMD_PARAM = "YOURCMDARG"           # GET parameter that carries the command


def execute(line):
    """Send one command line to the web shell and return its output."""
    r = requests.get(TARGET, params={CMD_PARAM: line})
    if r.status_code == 200:
        return r.text
    return f"{r.text}\r\nnars> ERROR: http response code was {r.status_code}"


class NotAReverseShell(cmd.Cmd):
    # cmd.Cmd pulls in readline when available, which gives history,
    # reverse history search and emacs-style line editing for free.
    prompt = "nars> "

    def do_help(self, line):
        print("Not A Reverse Shell, a pseudo shell when you cannot have one.")

    def default(self, line):
        # Anything that is not a built-in command is sent to the web shell.
        print(execute(line))

    def do_EOF(self, line):
        # Ctrl-D: print a newline so the terminal prompt starts on a clean line.
        print()
        return True

    def do_exit(self, line):
        return True

    def do_quit(self, line):
        return True


if __name__ == "__main__":
    NotAReverseShell().cmdloop()

Beautiful box!

@shubhanshu7 said:

Umm, hey guys, just started the box today, found the backup and an exploit for “l*** c***” but it requires the user credentials. Can someone help, or if I am going down a rabbit hole please alert me!!

You are on the right track, enumerate through the backup… as other comments have mentioned, it is very worthwhile learning grep, find, locate to help with your searching. Another helpful comment was pay attention to dates :slight_smile:

Thanks man!! Was off from HTB for quite a time but gonna try it.

damnnn… I just don’t know at this point. It’s been a while that I’m stuck on the my*** user and can’t move forward. I saw hints pointing to the home dir of the user, but I couldn’t find anything too useful. Any hints?

@iWillBeFamous said:

damnnn… I just don’t know at this point. It’s been a while that I’m stuck on the my*** user and can’t move forward. I saw hints pointing to the home dir of the user, but I couldn’t find anything too useful. Any hints?

This won’t cheer you up, but look closer at the things you think aren’t too useful.

Noice :slight_smile:

Got root! Thanks @TazWake for hint at user stage.

Hi Guys

@Vigneshar said:

Hi Guys

Hi

Can I get a nudge please? I can read files and list dirs. I tried to extract info from proc but none of it was of use. I used m**** to read files of the user home of m**** but couldn’t get anything back. I know I need to use s** with m**** but I seem to miss where to get the data that will allow me to do that.

@abogaida said:

Can I get a nudge please? I can read files and list dirs. I tried to extract info from proc but none of it was of use. I used m**** to read files of the user home of m**** but couldn’t get anything back.

As well as reading files, what else can you do to them?

I know I need to use s** with m**** but I seem to miss where to get the data that will allow me to do that.

@TazWake said:

@abogaida said:

Can I get a nudge please? I can read files and list dirs. I tried to extract info from proc but none of it was of use. I used m**** to read files of the user home of m**** but couldn’t get anything back.

As well as reading files, what else can you do to them?

I know I need to use s** with m**** but I seem to miss where to get the data that will allow me to do that.

I tried writing them but it didn’t work. I see I am restricted to one dir with the m**** user, and it is the place where I would like to drop something to avoid having to s**.

@abogaida said:

I tried writing them but it didn’t work.

Possibly investigate how you are using them. There is a lot of stuff in this thread about how to issue the commands in a way which should give you the access you want.

I see I am restricted to one dir with the m**** user, and it is the place where I would like to drop something to avoid having to s**.

I never noticed any restrictions like that. It might be worth double-checking what is happening.

So, I’m pretty sure I know what to do to get from foothold to the next user, but without write-privileges to that certain folder, I have no idea how to achieve this. A certain config setting of the m**** service disallows reading from/writing to that folder (and the “current other” user doesn’t have any privileges on that folder, too).
If anyone could give a nudge in the right direction (or point out my mistake), it would be much appreciated :slight_smile: