I was stumped on root here. EDITED TO ADD: Rooted now, but that was hard.
I think I know what I need to do but I can't get it to work. It doesn't help that I can't seem to get it to give me any troubleshooting data. So there could be a lot wrong with what I am trying, but I can't work out what.
It doesn't help that the entry I am relying on seems to get wiped every few minutes!
I did the entry command as some value to the table after I selected the table; it succeeded, but I failed getting a shell, don't know why. I already planted my rev within the lf** fdm mes* dir, this is insane… I can't seem to make it work.
EDIT: ROOTED! Finally I found a method to get around it; definitely an insane machine!
I'm down to help if any of you guys need it, just PM me.
I've found an XSS in *********.crossfit.htb but I'm not sure what the next step should be. I can see from some of the comments above to look at /vendor/ also, but I don't see anything of interest in the files found there. Can anyone point me in the right direction?
So, in order to pay back my debts, I am offering my help to anyone who is stuck.
I am more than happy to help you, but be prepared to show some effort! I won't just give away solutions.
edit: 'by who' or 'by whom'? I'm going for the latter.
@UserAlpha said:
Can anyone point me in the right direction?
You might know that an XSS on its own won't be worth a thing: most often you want to forge this vulnerability into something different.
Think about what kind of services (other than web) are running on the machine and then think about how you might be able to attack them via HTTP (it won't work though)… and then think about what would have to happen (or exist) so that such an attack (i.e. via HTTP!) could succeed.
If you still need a hint (or if the above was too cryptic), just send me a DM.
I am really glad I was able to complete this machine… with a little help though. This machine has a lot to do with real-life bugs… especially the user part. For those who are stuck, here are my hints.
User 1 - If you are struggling to find a vhost, SSL certificates are the best source for finding them, just like we do in bug bounties. Maybe you find some vulnerability; then try to escalate it with other services running on the machine. Many times there are services or domains which are accessible locally but not publicly.
User 2 - You may find a public CVE, however you may not be able to exploit it. Take a look again. If you have a vulnerability in the nth line of code, the execution should reach the nth line before the vulnerability is triggered. To reach there, you may need to do some extra stuff; maybe you find ftpadm credentials somewhere. Who knows??
Root - If you find nothing, maybe try to see if any binary or something is executed every second. You may try pspy64 with the -f flag. Maybe you need to reverse engineer something. Once you understand the logic, you may try the zip symlinking bug.
Let me know if I could help you in any way. You may give me the respect in return.
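The root hint above points at the zip symlink bug, where an archive unpacked by a privileged scheduled job carries a symlink entry or a traversal path that lands outside the extraction directory. The following is an added defender-side example, not code from the thread or from the box, showing how an extraction routine can refuse exactly those members before writing anything. The archive contents, the `backup/` layout and the function names are constructed for the demonstration.

```python
import io
import os
import stat
import tempfile
import zipfile
from pathlib import Path


class UnsafeArchiveMember(Exception):
    """Raised when a zip member is a symlink or would escape the destination."""


def is_symlink(info: zipfile.ZipInfo) -> bool:
    # Unix file mode is stored in the high 16 bits of external_attr.
    return stat.S_ISLNK(info.external_attr >> 16)


def check_member(info: zipfile.ZipInfo, dest: Path) -> Path:
    """Return the resolved target path for a member, or raise if it is unsafe."""
    if is_symlink(info):
        raise UnsafeArchiveMember(f"symlink entry refused: {info.filename}")
    rel = Path(info.filename)
    if rel.is_absolute() or ".." in rel.parts:
        raise UnsafeArchiveMember(f"traversal entry refused: {info.filename}")
    # resolve() follows any symlink already present under dest, so a planted
    # link inside the destination cannot redirect the write elsewhere.
    target = (dest / rel).resolve()
    if target != dest and dest not in target.parents:
        raise UnsafeArchiveMember(f"escapes destination: {info.filename}")
    return target


def safe_extract(data: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract only vetted members; return (extracted, refused) member names."""
    dest_path = Path(dest).resolve()
    dest_path.mkdir(parents=True, exist_ok=True)
    extracted, refused = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                target = check_member(info, dest_path)
            except UnsafeArchiveMember:
                refused.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                # O_NOFOLLOW | O_EXCL: never write through an existing link or file.
                flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
                fd = os.open(target, flags, 0o644)
                with zf.open(info) as src, os.fdopen(fd, "wb") as dst:
                    dst.write(src.read())
            extracted.append(info.filename)
    return extracted, refused


def build_sample_zip() -> bytes:
    """Constructed archive: one normal file, one traversal entry, one symlink entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("backup/notes.txt", "harmless content\n")
        zf.writestr("../escape.txt", "would land outside the destination\n")
        link = zipfile.ZipInfo("backup/link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark entry as a symlink
        zf.writestr(link, "/etc/hostname")  # a symlink's data is its target path
    return buf.getvalue()


def demo() -> tuple[list[str], list[str]]:
    """Run the checked extraction into a temp dir and report what was accepted."""
    with tempfile.TemporaryDirectory() as tmp:
        result = safe_extract(build_sample_zip(), tmp)
        assert (Path(tmp) / "backup" / "notes.txt").read_text() == "harmless content\n"
        return result


if __name__ == "__main__":
    extracted, refused = demo()
    print("extracted:", extracted)
    print("refused:", refused)
```

The check runs before any write, so a refused member never touches the filesystem; opening with `O_EXCL | O_NOFOLLOW` closes the remaining gap where a link could appear between the check and the write.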
This is my first INSANE box… it felt super difficult. I had to get some help to get the root flag; the pspy64 was the hint, and the content under user2's home gives me another hint on what to do next.
When @polarbearer & @GibParadox were designing Crossfit root, I wonder what made them decide to "turn it up to 11" for that user lateral privesc.
The sequence of moves to get there was insane.
Worst of all, when I first got it to return that revshell days ago, I 'thought' I understood how it worked… but I didn't, and just got insanely lucky while spamming possibilities inside of the small window between each Langolier visit.
…but then the next day I couldn't actually reproduce it in order to get back to that shell in order to keep going… or the day after that… for about four days…
Eventually, by trial and error and process of elimination, I narrowed down the exact sequence of steps I happened to perform the first time around to get that lateral privesc… yet I have absolutely no clue why it seems to only work in this particular way.
Also, the Langoliers were very, very hungry this time around… probably from doing all that crossfit.
Rooted! That final 6hr stretch last night got us across the finish line.
After rooting, it was so nice to be able to analyze some of the processes responsible for the sleight-of-hand-like CRUD moves.
Also, while running this analysis from root's POV, I stumbled onto something that made me question whether the path I took to exploit our **friendly crossfit langoliers** actually needed all the steps.
Mhh, I'm stuck on the outside. Found the informational DNS thingy, can't get in anywhere. Possible to get a hint for tomorrow? Gotta get some work done today first.
edit: nvm, there's no DNS on the network; manually added it, works now.
I'm stuck on the lateral move to i*c. I have found the way and done the DB part but can't trigger it, as I can't work out what directory the FilesystemIterator is working on (i.e. the value of $m_**r, which is defined in a file I don't have permission to read). Can anyone give me a nudge? I don't want the answer, just a pointer to how to work it out. I've searched the filesystem for any obvious directories to put things in, but not found anything. Maybe I missed something obvious? Perhaps a permissions issue. I really hope this doesn't just come down to guesswork!
Never mind - finally got there. Really enjoyed that - but ironically found the pivot to i***c the toughest bit. I really must have missed something! Respect to @polarbearer and @GibParadox.
I got the user, but I've been stuck for a day to get root. Can someone give me some hints about this? I see the vuln php file, I got access to the DB that is executed continuously. I even cloned that command from github to reproduce the bug, but can't get anywhere; maybe I missed something.
After trial and error for days I got privesc to i…c, really the toughest part. And now the journey to root is more challenging; after searching everywhere I got something about /…/l…l/, /…/backup and the messages table. Need more reading to get the correlation…