Hello everyone, for the lateral movement from k** to p**, is it the correct approach to modify what is fetched by sl***.s* in order to execute what I want?
Yes
Thanks! I copied it locally to try some stuff and my payloads are working, but it is never executed, and from using pspy64 I don’t see any cron. Am I still supposed to wait for it to be executed?
Yeah - if you are running pspy64 you should see it executing on a fairly regular basis. I think there are ways to trigger it as a service as well but I never tried that.
It is super weird, I ran pspy with the standard args for commands and filesystem but I don’t see any sl****.s* being run, and the script is supposed to erase the content of the other one but it’s still filled with the line generated.
You might see the commands within that being run - at least that’s the first thing I saw.
And yes, if the script isn’t wiping your file, something is broken.
I’ll take another look, thanks a lot. From what I understood, when the VM is reset the file group belongs to p** and I cannot write in it if it’s not k**'s group, but when I change its group I think it doesn’t get executed/wiped anymore.
I can’t remember what the permissions are to the file, but its path implies the k** account should be able to write to it.
However, I think the script can only be modified by p**.
Guys, I always get a reverse shell as the kid user using the script which has elevated privileges. Does anyone know why that could be? I execute a reverse shell in bash but it is always just the kid user.
Did you manage to resolve it? I encounter the same problem and I have no idea how to resolve it.
Okay, I can finally see the script with pspy64, and from what I understood, entering special chars in the app executes said script, but I still can’t write inside l***/h****** even though the permissions are -rw-rw-r-- 1 k** p**.
Maybe my permissions knowledge is rusty, but it isn’t normal,
and when I create the file again but with k** as full owner the script doesn’t get executed (pspy64).
Is there anywhere I could send you a screenshot?
Not at all. At this point I’m not sure what to do. Based on the permissions we should be able to change the file’s content, but we can’t. Is it a bug?
Is there a way to report a bug? I’ve checked with someone who did the box and it’s probably a bug since he was able to write to the file.
What happens when you try?
Nothing, no errors, and when I tail -f it I can see the changes being written, but right after, the file gets truncated.
Are you sure that isn’t the script running?
Well, at first I thought it was that, but when the file gets truncated I don’t see the script being executed in pspy64.
But I’ll give it another try today.
After a final reset, I was able to write to it. No idea what went wrong, same payload and all.
Okay, rooted the box. Moving laterally to the user with more privileges was by far the hardest part, simply because of some bash shenanigans. For anyone wondering why they aren’t able to get a shell for the p** user, make sure the beginning of your command of your payload has multiple spaces in it. I had to insert 4 spaces for it to actually work for me… Took me 3 hours bashing my head in, thinking I had a typo in my payload… nope just needed some spaces lol