Official ScriptKiddie Discussion

@TazWake said:

@quentinotd said:

Hello everyone, for the lateral movement from k** to p**, is it the correct approach to modify what is fetched by sl***.s* in order to execute what I want?

Yes

Thanks! I copied it locally to try some stuff and my payloads are working, but it is never executed, and from using pspy64 I don’t see any cron. Am I still supposed to wait for it to be executed?

@quentinotd said:

Thanks! I copied it locally to try some stuff and my payloads are working, but it is never executed, and from using pspy64 I don’t see any cron. Am I still supposed to wait for it to be executed?

Yeah - if you are running pspy64 you should see it executing on a fairly regular basis. I think there are ways to trigger it as a service as well but I never tried that.

@TazWake said:

@quentinotd said:

Thanks! I copied it locally to try some stuff and my payloads are working, but it is never executed, and from using pspy64 I don’t see any cron. Am I still supposed to wait for it to be executed?

Yeah - if you are running pspy64 you should see it executing on a fairly regular basis. I think there are ways to trigger it as a service as well but I never tried that.

It is super weird, I ran pspy with the standard args for commands and filesystem but I don’t see any sl****.s* being run, and the script is supposed to erase the content of the other one but it’s still filled with the line generated.

@quentinotd said:

It is super weird, I ran pspy with the standard args for commands and filesystem but I don’t see any sl****.s* being run, and the script is supposed to erase the content of the other one but it’s still filled with the line generated.

You might see the commands within that being run - at least that’s the first thing I saw.

And yes, if the script isn’t wiping your file, something is broken.

@TazWake said:

@quentinotd said:

It is super weird, I ran pspy with the standard args for commands and filesystem but I don’t see any sl****.s* being run, and the script is supposed to erase the content of the other one but it’s still filled with the line generated.

You might see the commands within that being run - at least that’s the first thing I saw.

And yes, if the script isn’t wiping your file, something is broken.

I’ll take another look, thanks a lot. From what I understood, when the VM is reset the file group belongs to p** and I cannot write in it if it’s not k**'s group, but when I change its group I think it doesn’t get executed/wiped anymore.

@quentinotd said:

I’ll take another look, thanks a lot. From what I understood, when the VM is reset the file group belongs to p** and I cannot write in it if it’s not k**'s group, but when I change its group I think it doesn’t get executed/wiped anymore.

I can’t remember what the permissions are to the file, but its path implies the k** account should be able to write to it.

However, I think the script can only be modified by p**.

@Dann0071 said:

Guys, I always make a kid user’s reverse shell using the script that has elevated privileges. Does someone know why that could be? I execute a reverse shell in bash but it is always just the kid user.

Did you manage to resolve it? I encounter the same problem and I have no idea how to resolve it.

@TazWake said:

@quentinotd said:

I’ll take another look, thanks a lot. From what I understood, when the VM is reset the file group belongs to p** and I cannot write in it if it’s not k**'s group, but when I change its group I think it doesn’t get executed/wiped anymore.

I can’t remember what the permissions are to the file, but its path implies the k** account should be able to write to it.

However, I think the script can only be modified by p**.

Okay, I can finally see the script with pspy64, and from what I understood, entering a special char in the app executes said script, but I still can’t write inside l***/h****** even though the permissions are -rw-rw-r-- 1 k** p**.

Maybe my permissions knowledge is rusty, but it isn’t normal,

and when I create the file again but with k** as full owner the script doesn’t get executed (pspy64).

Is there anywhere I could send you a screenshot?

@IHaveTheFile said:

@Dann0071 said:

Guys, I always make a kid user’s reverse shell using the script that has elevated privileges. Does someone know why that could be? I execute a reverse shell in bash but it is always just the kid user.

Did you manage to resolve it? I encounter the same problem and I have no idea how to resolve it.

Not at all. At this point I’m not sure what to do; based on the permissions we should be able to change the file’s content, but we can’t. Is it a bug?

@quentinotd said:

@IHaveTheFile said:

@Dann0071 said:

Guys, I always make a kid user’s reverse shell using the script that has elevated privileges. Does someone know why that could be? I execute a reverse shell in bash but it is always just the kid user.

Did you manage to resolve it? I encounter the same problem and I have no idea how to resolve it.

Not at all. At this point I’m not sure what to do; based on the permissions we should be able to change the file’s content, but we can’t. Is it a bug?

Is there a way to report a bug? I’ve checked with someone who did the box and it’s probably a bug, since he was able to write to the file.

@quentinotd said:

Okay, I can finally see the script with pspy64, and from what I understood, entering a special char in the app executes said script, but I still can’t write inside l***/h****** even though the permissions are -rw-rw-r-- 1 k** p**.

What happens when you try?

@quentinotd said:

Is there a way to report a bug? I’ve checked with someone who did the box and it’s probably a bug, since he was able to write to the file.

You can raise a support ticket - there is a post at the top of the forum about this and there should be a link on the www.hackthebox.eu page.

@TazWake said:

@quentinotd said:

Okay, I can finally see the script with pspy64, and from what I understood, entering a special char in the app executes said script, but I still can’t write inside l***/h****** even though the permissions are -rw-rw-r-- 1 k** p**.

What happens when you try?

Nothing, no errors, and when I tail -f it I can see the changes being written, but right after that the file gets truncated.

@quentinotd said:

@TazWake said:

@quentinotd said:

Okay, I can finally see the script with pspy64, and from what I understood, entering a special char in the app executes said script, but I still can’t write inside l***/h****** even though the permissions are -rw-rw-r-- 1 k** p**.

What happens when you try?

Nothing, no errors, and when I tail -f it I can see the changes being written, but right after that the file gets truncated.

Are you sure that isn’t the script running?

@TazWake said:

@quentinotd said:

@TazWake said:

@quentinotd said:

Okay, I can finally see the script with pspy64, and from what I understood, entering a special char in the app executes said script, but I still can’t write inside l***/h****** even though the permissions are -rw-rw-r-- 1 k** p**.

What happens when you try?

Nothing, no errors, and when I tail -f it I can see the changes being written, but right after that the file gets truncated.

Are you sure that isn’t the script running?

Well, at first I thought it was that, but when the file gets truncated I don’t see the script being executed in pspy64.
But I’ll give it another try today.

@quentinotd said:

@TazWake said:

@quentinotd said:

@TazWake said:

@quentinotd said:

Okay, I can finally see the script with pspy64, and from what I understood, entering a special char in the app executes said script, but I still can’t write inside l***/h****** even though the permissions are -rw-rw-r-- 1 k** p**.

What happens when you try?

Nothing, no errors, and when I tail -f it I can see the changes being written, but right after that the file gets truncated.

Are you sure that isn’t the script running?

Well, at first I thought it was that, but when the file gets truncated I don’t see the script being executed in pspy64.
But I’ll give it another try today.

After a final reset, I was able to write to it. No idea what went wrong, same payload and all.

@quentinotd said:

After a final reset, I was able to write to it. No idea what went wrong, same payload and all.

Good to hear - hopefully it will work now.

@mementovivere said:

Okay, rooted the box. Moving laterally to the user with more privileges was by far the hardest part, simply because of some bash shenanigans. For anyone wondering why they aren’t able to get a shell for the p** user, make sure the beginning of your command of your payload has multiple spaces in it. I had to insert 4 spaces for it to actually work for me… Took me 3 hours bashing my head in, thinking I had a typo in my payload… nope just needed some spaces lol

Anyway yeah, nice fun box, thanks @0xdf

Thanks a lot bro, it worked, but I still can’t understand why we need many spaces?

Hi, I don’t know what I am doing wrong, but my reverse shell does not get the other user. Anyone who wants to point me in the right direction?

@ala76nl said:

Hi, I don’t know what I am doing wrong, but my reverse shell does not get the other user. Anyone who wants to point me in the right direction?

It has been discussed a few times in this thread. In general the answers are:

  • make sure your code is correct and it works. Some people have found a mistake here results in failing to get the new account.
  • make sure you aren’t the person executing the script. It needs to be the system.