Official Laboratory Discussion

Hi! Has anybody tried to generate a cookie using the g***** console, for a cookie ser********** attack? How do you write the payload for the reverse shell? It’s trying to run the curl command for some reason. I have no Ru** skills so I’m stuck in this part.

@pidnull said:

Hi! Has anybody tried to generate a cookie using the g***** console, for a cookie ser********** attack? How do you write the payload for the reverse shell? It’s trying to run the curl command for some reason. I have no Ru** skills so I’m stuck in this part.

It is possible you have set up your listeners before you’ve generated the cookie.

@d8ll0 said:

I’ve been trying to access the website since the release time and it’s not working.
Tried different servers and they are all having the same issue.
And yes, I know I should edit the hosts file.

This box is kind of wild, wow.

Finally got a foothold by googling exploits for the thing that I registered an account for, turns out my machine already had the framework I needed to run the one I found.

Currently trying to get user but I’m still just rummaging around.

If you don’t even know where to start on the foothold, then you might want to try using some different flags on nmap; you might come up with some more info.

Ok. I’m stuck.

I am new to pentesting. Just did 5 machines from the retired section (with the help of the walkthrough).

This is hard.

I was able to create my account in Gb.
Was able to use an exploit against it.
Was able to gain shell access. Found it was in a c
er.
Was able to r
t main user password in G***b
Found out the ssh key.
Was able to connect to main server and get user flag.

Found a file with weird s**d. I suppose I can use it but don’t know how.
Analysis of its behaviour gives me errors when changing some permissions on the file.

Anyway. Someone can give me a little help here?

PS: This is my first post, so I am unsure what is a spoiler and what is not. Tell me if I say too much. Thanks.

@Anarethos said:

Ok. I’m stuck.

I am new to pentesting. Just did 5 machines from the retired section (with the help of the walkthrough).

This is hard.

I was able to create my account in Gb.
Was able to use an exploit against it.
Was able to gain shell access. Found it was in a c
er.
Was able to r
t main user password in G***b
Found out the ssh key.
Was able to connect to main server and get user flag.

Found a file with weird s**d. I suppose I can use it but don’t know how.
Analysis of its behaviour gives me errors when changing some permissions on the file.

Anyway. Someone can give me a little help here?

PS: This is my first post, so I am unsure what is a spoiler and what is not. Tell me if I say too much. Thanks.

Well… finally got IT!

Let’s just say that a file that calls another file without using the full path… can be dangerous when used with s**d.

superb box! thanks @0xc45

foothold
web app enum is key to success, and they aren’t lying when they say the website is unhackable (unless I’m missing something). Go to the foxy app where code is usually stored and make yourself a home. Feel free to borrow one of their domain names while you are at it. Once you are in, enumerate some more! Especially around version numbers and known weaknesses with them.

user
this was the trickiest part for me, and I have two ways of going about it. The CTF-competition way, which I basically used the framework to bust the thing open and get in, and then there is the long way to do it, which involves a much more complex way to “build” your own exploit. I think this part alone blows the “easy” label out of the water, and it is REALLY difficult to describe how to get this without spoiling it. Either way, once you are in, you are the admin of the tool. What would an admin do to reveal or overtake the secrets of another admin? Research how to use the cli tool to admin this foxy repository of code.

root
was not really expecting this and it took me a minute to figure it out. Basic enumeration should get you what you need to focus on - and follow some of the guides on Linux local enumeration for inspiration. You’ll find a weird, odd-looking element that is supposed to do something and it doesn’t. Pry it open, see what it does and then try to “fool” it into giving you the power. This reminded me a bit of those unquoted path vulnerabilities in Windows :slight_smile: oh and I am definitely no expert or even good at prying open bins.

I was trying to attempt Laboratory; it’s hard.

Can someone DM me please, I need some help. When I generate a cookie using glr**** I get this error:
Traceback (most recent call last):
1: from (irb):36
TypeError (singleton class can’t be dumped)

Update: I actually solved my problem. For G** R** C** I was using version 13. I uninstalled that and downloaded the one corresponding to this box and the C**k generated. =]

Just rooted it. Thanks @TazWake for helping me along the way!

Foothold: msf is gonna make it a lot easier, make sure to get the options correct.
User: Gotta learn how the system handles the old repositories, try something to recover them.
Root: Both linpeas/linenum do their job… just pay attention.

Feel free to DM me.

Someone give me a nudge. I want to retain U**** P** of D**, how would I go about that? As I do not want to reset the p**? PM me please.

@AnonHack3r said:

Someone give me a nudge. I want to retain U**** P** of D**, how would I go about that? As I do not want to reset the p**? PM me please.

I hope someone replies to you on this because I don’t think I know what you are talking about. I’ve checked my notes and can’t for the life of me work out what this could be related to, sorry.

Is this initial foothold, getting user or getting root?

@TazWake said:

@AnonHack3r said:

Someone give me a nudge. I want to retain U**** P** of D**, how would I go about that? As I do not want to reset the p**? PM me please.

I hope someone replies to you on this because I don’t think I know what you are talking about. I’ve checked my notes and can’t for the life of me work out what this could be related to, sorry.

Is this initial foothold, getting user or getting root?

No worries, I greatly appreciate the help. I accomplished the initial foothold, took a little setting up and stuff, now I am on the stage of getting the user? pass? =]

Rooted. Crazy learning experience. Didn’t create a local instance to gain access, there’s an interesting chained POC. Foothold with a low shell, managed to upgrade it with perl, nothing else worked.

Finding user was crazy and interesting, spent a loooot of time at this stage. Repositories might help in the right direction and from there Google was my best friend for a few days.
Root was a bit easier than user, if you follow the hints, find that exec and the correct PATH. Google showed me how. Definitely not an easy machine, more like a custom exploitation one.
Thanks guys for all the hints, could not have owned the machine without help from you!!

edit: ayeye, still managed to take days with all the hints here and a framework module.
The funniest ■■■■ is that I test if my rev shell is working with the command ls, not id, not pwd, not even ls -la, but ls, and uh the landing dir is empty >_>

I see many ppl comment on the rooting process as “follow the hint”, which makes me think there’s an alternative way of getting root, as my trying-to-let-a-quiet-binary-spit-out-some-info doesn’t really involve a hint: the binary stands out after a very, very routine enum. Can we smh talk about dat, dat sounds interesting :<

Got foothold as user g**. What should I be looking for from here on?! Checking repositories… but found nothing of interest I guess…
A little assist would be appreciated! Thank you

This was a fun box, thanks a lot! I did a couple of easy boxes before but this is the first one for me without hints!

foothold: super easy with msf
user: simple after a bit of enumerating (there are like three ways to find it at least)
root:

  1. “wrong” way first with B**** S****** :smiley:
  2. “right” way with a bit of enumeration and path handling

Thanks once more!

Finally rooted. Not an easy box at all, tbh.

Foothold: Search for a public et that lets you obtain r s**** without setting up ll g*b e********t. Personally I had to do some tricks to have a stable working condition.

User: Know where you are and what is used below you. Google how to r*** u*** p*******. Go back where you started and retrieve useful stuff that lets you have a stable foot in.

Root: This took me a while after using the typical enum tool. Finally, with a deeper look at the enumeration output and a deeper look into the thing the enumeration tool pointed you to, I followed the right PATH and managed to trick that thing in order to do something evil and gain root privileges.

Important note: I struggled a lot on this box with HTB free servers, I had to switch several times for the foothold part; finally switching to the AUS server ended my pains.

Thanks a lot for the box!

Long time lurker here.

I’ve been working boxes here for almost a year and I have to say, the initial foothold and getting to user on this one does not warrant an easy rating on this box. It’s intermediate at the very least.

That being said, I will say, if your attack VM is robust, the D****r route for GL will make your life easier.

Although it was a bunch of hoops, this was a fun box and I recommend this one for everyone.