Official Compromised Discussion

@HomeSen said:

So, I’m pretty sure I know what to do to get from foothold to the next user, but without write privileges to that certain folder, I have no idea how to achieve this. A certain config setting of the m**** service disallows reading from/writing to that folder (and the “current other” user doesn’t have any privileges on that folder either).
If anyone could give a nudge in the right direction (or point out my mistake), it would be much appreciated :slight_smile:

Have a look to see if the attackers, or someone on the system, left something useful behind. Possibly in the built in tables.

DM me for more specific language because I appreciate the vagueness here might be confusing.

Thanks, @TazWake. Will look into the other stuff tomorrow. Now it’s time for some overdue sleep :smiley:

Man, I’m about to say bad words!!! Why in the ■■■■ do I keep receiving this "WARNING: Failed to daemonise. This is quite common and not fatal. () "? I looked at the PHP functions that are disabled and uploaded another rev-php, but nothing! ■■■■

@Jk3r said:

Man, I’m about to say bad words!!! Why in the ■■■■ do I keep receiving this "WARNING: Failed to daemonise. This is quite common and not fatal. () "? I looked at the PHP functions that are disabled and uploaded another rev-php, but nothing! ■■■■

It quite often means something went wrong with Pentestmonkey’s reverse PHP shell.

It doesn’t always mean the shell failed so you might want to check if anything is hitting the listener or if something else is the problem.

If other shells are failing you might need to do some deeper troubleshooting.
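Two checks for the troubleshooting suggested above, as an added example that is not part of the thread or of pentestmonkey’s script: (1) bind a listener and report whether anything connects and what it sends (pentestmonkey’s shell runs `uname -a` straight after connecting, so a banner means the shell itself is fine), and (2) parse `disable_functions` and separate the harmless case from the fatal one. In pentestmonkey’s script the “Failed to daemonise” warning is printed when `pcntl_fork()` is not available, before the socket is even opened, so on its own it says nothing about whether the connect-back worked. The function lists, the constructed php.ini fragment and the loopback “target” thread are assumptions for the demo.

```python
# Added troubleshooting helper for a PHP reverse shell that prints
# "WARNING: Failed to daemonise". Example code, not from the thread or
# from pentestmonkey's script.
import socket
import threading

# Assumption (from reading pentestmonkey's php-reverse-shell): the warning
# only concerns the fork/setsid helpers; the functions in ESSENTIAL decide
# whether the shell can connect and spawn a process at all.
DAEMON_ONLY = {"pcntl_fork", "posix_setsid"}
ESSENTIAL = {"fsockopen", "proc_open", "stream_select", "fwrite", "fread"}


def parse_disable_functions(text: str) -> set:
    """Pull the disable_functions list out of php.ini ("key = value") or
    `php -i` ("key => value => value") style text; comment lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("#"):
            continue
        sep = "=>" if "=>" in line else "="
        if sep not in line:
            continue
        key, _, value = line.partition(sep)
        if key.strip() != "disable_functions":
            continue
        value = value.split("=>")[0].split(";")[0]  # first value, drop trailing comment
        return {f.strip() for f in value.split(",") if f.strip()}
    return set()


def diagnose(disabled: set) -> dict:
    """Harmless case: only the daemonise helpers are disabled (warning expected).
    Fatal case: a connect/exec function the shell relies on is disabled."""
    fatal = sorted(disabled & ESSENTIAL)
    return {
        "daemonise_warning_expected": bool(disabled & DAEMON_ONLY),
        "fatal_missing": fatal,
        "shell_can_work": not fatal,
    }


def open_listener(host: str = "0.0.0.0", port: int = 0) -> socket.socket:
    """Bind and listen; port 0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def wait_for_callback(srv: socket.socket, timeout: float = 5.0) -> dict:
    """Accept one connection within `timeout` seconds and return the peer and
    the first bytes it sent. No connection at all means the problem is upstream
    of the daemonise warning: disabled functions, egress filtering, or a wrong
    IP/port in the script."""
    srv.settimeout(timeout)
    try:
        conn, peer = srv.accept()
    except socket.timeout:
        return {"connected": False, "peer": None, "banner": b""}
    finally:
        srv.close()
    conn.settimeout(timeout)
    try:
        banner = conn.recv(256)
    except socket.timeout:
        banner = b""
    conn.close()
    return {"connected": True, "peer": peer[0], "banner": banner}


def simulate_callback(port: int, banner: bytes) -> threading.Thread:
    """Constructed stand-in for the target: connect to the listener and send a
    banner. In real use the uploaded shell does this, not a thread."""
    def run():
        with socket.create_connection(("127.0.0.1", port), timeout=5.0) as c:
            c.sendall(banner)
    t = threading.Thread(target=run, daemon=True)
    t.start()
    return t


def demo() -> dict:
    """Loopback demonstration of check (1); the banner is constructed."""
    srv = open_listener("127.0.0.1", 0)
    port = srv.getsockname()[1]
    simulate_callback(port, b"Linux demo-box 4.15.0 x86_64 GNU/Linux\n")
    return wait_for_callback(srv, timeout=5.0)


# Constructed php.ini fragment: only the daemonise helpers are disabled,
# so the warning is expected and the shell should still connect.
SAMPLE_INI = """
; php.ini excerpt (constructed)
disable_functions = pcntl_fork,posix_setsid,pcntl_exec ; daemonising only
"""

if __name__ == "__main__":
    print(diagnose(parse_disable_functions(SAMPLE_INI)))
    print(demo())
```

Run `open_listener("0.0.0.0", 4444)` plus `wait_for_callback` on the attacking host in place of a plain `nc -lvnp`; a peer with an empty banner points at the spawned process (`proc_open` or `/bin/sh`), no peer at all points at connectivity or `disable_functions`.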

That’s the f**king problem, I’m not good at PHP! :lol:

@TazWake said:

Have a look to see if the attackers, or someone on the system, left something useful behind. Possibly in the built in tables.

DM me for more specific language because I appreciate the vagueness here might be confusing.

The vagueness was just right. Managed to grab user. Thanks :slight_smile:

And for the last step, I assume that something else was left behind, somewhere. Guess, I need to enum even more :confused:

@HomeSen said:

The vagueness was just right. Managed to grab user. Thanks :slight_smile:

Phew - glad to have helped a bit.

And for the last step, I assume that something else was left behind, somewhere. Guess, I need to enum even more :confused:

Yeah, they might have changed something to get in through the back door.

This box FAQ my head off :lol: Anyway, rooted!! Thanks @TazWake for the help. PM if anyone needs help …

Rooted. What an awesome ride. Thank you @TazWake for the nudges along the way. I really need to dig deeper into Linux forensics.
Thank you @D4nch3n for a great box. Really loved it from start to finish :slight_smile:

Done & Dusted!

Boy that trip caused several “Double Palm” / “DOH!!!” moments as well as “walk away… just walk away…” moments. @TazWake again thank you for your hints and advice in these forums / discussions they were just the nudges I needed without having to “call a friend” :wink:

Cheers @D4nch3n for the fun / maddening at times machine.

Rooted!
Really interesting BOX!

Thanks @D4nch3n !

Got a POC working and can start navigating around the system. With that I was able to do research and found a way to circumvent functionality that is disabled. Found a user that shouldn’t have a certain setting enabled, but he does. Pulled on that thread, but it seems that the directory I want to write to and the directory that comes back as part of a query with privs are two different ones. Don’t know if I can pivot any further or if someone dorked the box on purpose. Any guidance?

@weeeeeeeeee said:

Got a POC working and can start navigating around the system. With that I was able to do research and found a way to circumvent functionality that is disabled. Found a user that shouldn’t have a certain setting enabled, but he does. Pulled on that thread, but it seems that the directory I want to write to and the directory that comes back as part of a query with privs are two different ones. Don’t know if I can pivot any further or if someone dorked the box on purpose. Any guidance?

This is on purpose. I suggest taking a look at @TazWake’s response, here: Official Compromised Discussion - #161 by TazWake - Machines - Hack The Box :: Forums

@HomeSen said:

@weeeeeeeeee said:

Got a POC working and can start navigating around the system. With that I was able to do research and found a way to circumvent functionality that is disabled. Found a user that shouldn’t have a certain setting enabled, but he does. Pulled on that thread, but it seems that the directory I want to write to and the directory that comes back as part of a query with privs are two different ones. Don’t know if I can pivot any further or if someone dorked the box on purpose. Any guidance?

This is on purpose. I suggest taking a look at @TazWake’s response, here: Official Compromised Discussion - #161 by TazWake - Machines - Hack The Box :: Forums

Understood, and thank you for the refresher. I did find that juicy nugget. Was working that avenue, but so far it has been unfruitful. Maybe it’s time to use a bigger hammer against it.

----Edit: found the right hammer, this box is dope so far. Definitely mirrors some real world applications.

Hi, anyone I can DM about user?

@freez3r said:

Hi, anyone I can DM about user?

If you shoot me a DM I might be able to help out.

id
uid=0(root) gid=0(root) groups=0(root)
whoami
root

Definitely an interesting privesc technique, gonna keep that one in my back pocket. :wink:

I’m stuck with foothold :frowning: I can browse files and found m***l running but somehow fail to leverage anything to gain user rights. And I think I know what prevents connections from the outside world. I read the hints in this thread and did my best at enumerating. It is very possible that I already found something and just do not know how to leverage it.

I would be very grateful for hints.

@netburger said:

I’m stuck with foothold :frowning: I can browse files and found m***l running but somehow fail to leverage anything to gain user rights. And I think I know what prevents connections from the outside world. I read the hints in this thread and did my best at enumerating. It is very possible that I already found something and just do not know how to leverage it.

I would be very grateful for hints.

Read the b***up, find the log, read it, and you might find the creds!

@Jk3r said:

Read the b***up, find the log, read it, and you might find the creds!

I found them. Because of them I am able to browse files.
My access is not interactive (is this my mistake?) and I failed to use those creds at any other place.

Hard to explain it without spoilers. Maybe DM, anyone? :slight_smile: