rooted. initial foothold is the difficult part but root is simple. Thanks to @ArtemisFY for the nudge
Did anyone try to crack the root hash from shadow file?
Can anyone give me a nudge for USER? I got a low priv shell from the s*** exploit, have run an enum script and found the encrypted PW for the DSM app, which is not proving useful at the moment… I identified a random hash in a file that looks like it is a PW once decrypted, then I attempted to log in to diff services on the box with the found PW and a list of valid users but have not been successful. Additionally, I found a key to the DB, but my current low priv shell doesn’t have access to the DB directory. Sanity check?
@mf10ck4 said:
Can anyone give me a nudge for USER? I got a low priv shell from the s*** exploit, have run an enum script and found the encrypted PW for the DSM app, which is not proving useful at the moment… I identified a random hash in a file that looks like it is a PW once decrypted, then I attempted to log in to diff services on the box with the found PW and a list of valid users but have not been successful. Additionally, I found a key to the DB, but my current low priv shell doesn’t have access to the DB directory. Sanity check?
Your enum scripts may have presented you with what you need, but possibly in a format that is difficult to understand.
Think about the application and mistakes people can make. If they make a mistake the data is captured in a file. If you look through that file you might see someone putting the loot you want in the wrong place.
Thanks @TazWake! My initial s*** exploit landed me in a super restrictive shell (w** - **); once I adjusted my payloads I was able to get a shell as w and was able to access the file you mentioned. Thanks for your help!
Rooted!
Pretty frustrating box, the initial foothold is the trickiest part. The user could take some time because it’s a needle in a haystack.
Definitely not an easy box but a solid medium one instead.
PM if needed :).
@beorn said:
Pretty frustrating box, the initial foothold is the trickiest part. The user could take some time because it’s a needle in a haystack.
Definitely not an easy box but a solid medium one instead.
This is true. I wonder what qualifies for easy vs medium vs hard vs insane. It’s been quite a roller coaster lately.
Hi everybody, I got to root, but for some reason when I own root in Hack The Box it tells me that it is an incorrect hash. Any ideas what it could be?
This is true. I wonder what qualifies for easy vs medium vs hard vs insane. It’s been quite a roller coaster lately.
Yeah, seeing Doctor as Easy and Time as Medium - something is seriously wrong…
I’m stuck on foothold. One of the fields on the s****e m*****e platform executed a command to my local HTTP server, for instance, so I’m pretty sure that could be the way in, but I’m at a loss at which exploit… Any help, anyone, please?
Stuck on root. Any hint will be appreciated. Ran my priv esc enum script, tried different things, but no luck.
Found my way in via the M*g service and can get limited stuff to run via the a, but getting a shell is not working “something went wrong”. Did you guys have to do any special mods on your payloads? Thanks
@hairyfrog said:
Found my way in via the M*g service and can get limited stuff to run via the a, but getting a shell is not working “something went wrong”. Did you guys have to do any special mods on your payloads? Thanks
It shouldn’t need anything special, but it 100% depends on what you are trying. If you are going for a revshell, it should “just work”. If you are trying to send over a meterpreter payload or something, I don’t know.
Please help, looking at all the clues here regarding SI. I’m trying to follow the detection for this vulnerability. I’ve tried all combinations given by pages like book.hacktricks.xyz and other sites regarding this topic and they all follow some sort of items to input to try. I’ve tried all of them and it doesn’t give me any errors like the sites advise. None of the detection techniques mentioned lead me to understand whether the M***I*G is vulnerable or not.
@kiteboarder said:
Please help, looking at all the clues here regarding SI. I’m trying to follow the detection for this vulnerability. I’ve tried all combinations given by pages like book.hacktricks.xyz and other sites regarding this topic and they all follow some sort of items to input to try. I’ve tried all of them and it doesn’t give me any errors like the sites advise. None of the detection techniques mentioned lead me to understand whether the M***I*G is vulnerable or not.
You might not be looking in the right place to see the output.
Found a way to do a simple RCE in M*******g service and see the output. Still struggling to find the correct payload (should be a matter of encoding spaces). Not too easy so far.
@TazWake said:
@kiteboarder said:
Please help, looking at all the clues here regarding SI. I’m trying to follow the detection for this vulnerability. I’ve tried all combinations given by pages like book.hacktricks.xyz and other sites regarding this topic and they all follow some sort of items to input to try. I’ve tried all of them and it doesn’t give me any errors like the sites advise. None of the detection techniques mentioned lead me to understand whether the M***I*G is vulnerable or not.
You might not be looking in the right place to see the output.
Tried intercepting with BurpSuite to see if I can find it there. Any nudges where to look?
@kiteboarder said:
Tried intercepting with BurpSuite to see if I can find it there. Any nudges where to look?
It boils down to what page you are looking at. You need to submit it and look at the page it interacts with.
Have you enumerated files and folders on the host yet?
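The reply above makes a general point that is worth seeing in code: with a stored injection, the form you type into only stores the value, and the template is evaluated on whatever page later renders it, so the detection probe's result shows up there, not in the submit response. The following is an added illustration, not code from the thread or from the box; it assumes Jinja2 is installed and invents a tiny two-page message board (a submit handler and a listing page) to contrast the vulnerable pattern (user data concatenated into the template source) with the hardened one (constant template, user data passed as a context variable), plus a simple input check a defender could log on.

```python
"""Toy model of a stored server-side template injection (SSTI) and its fix.

Added example, not from the thread. Assumes Jinja2 is installed; the
message-board shape (submit on one page, render on another) is invented
here to show why a probe's result appears on a different page than the
form it was typed into.
"""
import re
from jinja2 import Environment

# Autoescaping is on so the safe path also neutralises HTML, not just template syntax.
env = Environment(autoescape=True)

# Constructed in-memory "database": the submit page writes here, the listing reads here.
POSTS: list[dict] = []

# Loose pattern for the template-syntax probes the thread's references describe;
# useful for logging/alerting on input, not as a security control by itself.
TEMPLATE_PROBE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\$\{.*?\}|#\{.*?\}")


def looks_like_template_probe(value: str) -> bool:
    """True if the submitted value contains template-engine syntax."""
    return TEMPLATE_PROBE.search(value) is not None


def submit_post(title: str, body: str) -> str:
    """Simulates the form handler: it only stores the post and returns a
    generic acknowledgement, so nothing interesting is visible on this page."""
    POSTS.append({"title": title, "body": body})
    return env.from_string("<p>Post accepted.</p>").render()


def render_listing_vulnerable() -> str:
    """Vulnerable pattern: stored user data is spliced INTO the template
    source, so Jinja2 evaluates any expressions it contains."""
    source = "<ul>" + "".join(f"<li>{p['title']}</li>" for p in POSTS) + "</ul>"
    return env.from_string(source).render()


def render_listing_safe() -> str:
    """Hardened pattern: the template source is a constant; user data is
    passed as a context variable and is only ever printed (and escaped)."""
    template = env.from_string(
        "<ul>{% for p in posts %}<li>{{ p.title }}</li>{% endfor %}</ul>"
    )
    return template.render(posts=POSTS)


def reset() -> None:
    """Clear the constructed store between runs."""
    POSTS.clear()


if __name__ == "__main__":
    reset()
    probe = "{{ 7 * 7 }}"  # the classic detection probe
    print("probe flagged on input:", looks_like_template_probe(probe))
    print(submit_post(probe, "hello"))      # <p>Post accepted.</p>  (no sign of evaluation here)
    print(render_listing_vulnerable())      # <ul><li>49</li></ul>    (evaluated on the listing page)
    print(render_listing_safe())            # <ul><li>{{ 7 * 7 }}</li></ul>  (printed as text)
```

The submit response looks identical in both cases, which is exactly why checking only the page you posted to tells you nothing; the difference is visible only on the page that renders the stored data. The fix is the constant-template rule: never build template source from user input, pass it as data instead.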
I have two problems with doctor:
- The user hash is not accepted (I’m on the EU free server). I tried after the box reset, still not accepted.
- Root exploit runs successfully but no command exec (I’m running the local exploit using a bash payload).
Where am I going wrong?
If anyone needs a nudge until this point, feel free to DM.
@tang0 said:
I have two problems with doctor:
- The user hash is not accepted (I’m on the EU free server). I tried after the box reset, still not accepted.
This is frequently brought up as an issue in pretty much every thread. It appears to be a result of the dynamic hashes. Resetting is unlikely to help.
If the hash you have isn’t working and it’s been a few minutes since the box was last reset, the best solution is to raise a JIRA ticket.
- Root exploit runs successfully but no command exec (I’m running the local exploit using a bash payload).
Where am I going wrong?
It’s really hard to answer this. It could be typos, an incorrect exploit, not running the bit which says “If all went well run…”, etc.
At a guess, and without further information to go on, I’d suggest the username/password hasn’t been changed.