Official Laboratory Discussion

@ThymineDNA said:

I’m stuck at foothold… Created an account and found it is vulnerable to a certain vuln (NOT RCE), but can’t get it working.

Reading hints over here I assume I need to get RCE with a chain of vulns (?) and replicate the environment (??) and I just feel so lost at this point. Definitely overwhelmed.

Would anyone point me in the right direction? I feel I need a little push; the information here at the forum just doesn’t make sense with respect to what I found enumerating, and I should definitely find where I’m failing.

Assuming that you found the correct “non-RCE” vuln: Read all that is written about that specific vulnerability. A little further down the report, a potential path to RCE is explained :wink:

Fun machine, but not easy at all…

Here is my advice

Foothold

I didn’t have to install g*****b on a local c*r. With a bit of Google-Fu you will find the desired exploit to use in msfe.

User

Read the comment about getting user of @0xczar at page 10

Root

Look for a thing that you can run and see what it does, even if it seems to do nothing

Hi all, is this the only record that

Spoiler Removed

Any other subdomain? Currently I can see one single page only.

Rooted! Foothold and user without a local g***** instance :stuck_out_tongue:

@HomeSen said:

@ThymineDNA said:

I’m stuck at foothold… Created an account and found it is vulnerable to a certain vuln (NOT RCE), but can’t get it working.

Reading hints over here I assume I need to get RCE with a chain of vulns (?) and replicate the environment (??) and I just feel so lost at this point. Definitely overwhelmed.

Would anyone point me in the right direction? I feel I need a little push; the information here at the forum just doesn’t make sense with respect to what I found enumerating, and I should definitely find where I’m failing.

Assuming that you found the correct “non-RCE” vuln: Read all that is written about that specific vulnerability. A little further down the report, a potential path to RCE is explained :wink:

Thank you, I think I see your point and I’ll try that :slight_smile:

I have an exploit that is giving me a 500 while delivering the payload. I used the same exploit for a similar active machine. I also tried a few exploits which can leverage the secrets I got with a file read bug, which in turn ended up with no results.

Can someone help me with this?

@joeldejo said:

I have an exploit that is giving me a 500 while delivering the payload. I used the same exploit for a similar active machine. I also tried a few exploits which can leverage the secrets I got with a file read bug, which in turn ended up with no results.

Can someone help me with this?

I found a nice r*** script and got a shell :slight_smile:
What I noticed is that the script uses a CVE to read s*****.**l and combines it with another technique to get a reverse shell.
Now I am stuck getting user.txt :frowning:

Hi, any hints to get root.txt?

Rooted.

Thank you very much to @clure

PM if anyone needs help.

rooted. As always, I was just missing the courage to go down that rabbit hole during user. Thanks to you folks on the forums for keeping me motivated.

So here are some hints to keep others motivated…

@joeldejo
Foothold: Try another exploit, you really want to do more than just blind file reading. I was surprised how fast I got interactive with off-the-shelf tools.

User: By far the most time-consuming. Just break in and loot everything you can. I underestimated the privilege I got during the foothold, and was a bit lazy with my research.

@number8
Root: With some proper enumeration and the smallest bit of analysis, YOUR PATH to root should be fairly obvious.

PM me for help

The path to root is known, with the file *****r-*******y located at
/**r/*l/
But I couldn’t move forward with that file. I ran strings on the file and executed it using commands like

./file root 
./file su - root

It didn’t go well!! Can anyone provide some leads on that?

@cool4coder said:

Foothold was really painful. SomeONE helped and guided me with a lot of patience, thank you very much, once again.

But watch it yourself, we documented this process very thoroughly:

https://www.youtube.com/watch?v=RrJnzBFzEEY

That was just foothold. After that things got better.

Lol, that was pretty funny

@joeldejo said:

The path to root is known, with the file *****r-*******y located at
/**r/*l/
But I couldn’t move forward with that file. I ran strings on the file and executed it using commands like

./file root 
./file su - root

It didn’t go well!! Can anyone provide some leads on that?

Look at what it does. Use that to get root.

Hi, I have a shell but I didn’t set up my own environment; I used one other thing. I’m on the system as g**. Is it required to set up the thing to proceed, or is being on the system as the g** user enough to keep going?

@TTWabbit said:

Hi, I have a shell but I didn’t set up my own environment; I used one other thing. I’m on the system as g**. Is it required to set up the thing to proceed, or is being on the system as the g** user enough to keep going?

Yes.

And I’d love to know how you got that shell though as getting it was probably the hardest part of the box.

@TazWake said:

@TTWabbit said:

Hi, I have a shell but I didn’t set up my own environment; I used one other thing. I’m on the system as g**. Is it required to set up the thing to proceed, or is being on the system as the g** user enough to keep going?

Yes.

And I’d love to know how you got that shell though as getting it was probably the hardest part of the box.

Yeah, I got user. I’m going to pm you about the shell.

I used an msf exploit to get in but didn’t find anything that could help me go further either. Any hints?

@wunderer1337 said:

I used an msf exploit to get in but didn’t find anything that could help me go further either. Any hints?

Use the technology you have exploited to turn the clock back to a time when sensitive data was available on the file system.

I’m stuck on the user part. I’ve found 3 ssh keys with LinPEAS, but with which users can I use these keys?

@Link64 said:

I’m stuck on the user part. I’ve found 3 ssh keys with LinPEAS, but with which users can I use these keys?

Manual enumeration is often better. You could try using them for the account the keys are in.

For example if you found the keys in a folder called Steven and you checked Steven had an account, it would definitely be worth trying to ssh in as Steven with the key.