This was a weird one for me. HOURS to find the right user thing (my fault I guess), and less than 60 seconds to get root
Finally got root. Very easy except for the reset connections was a little aggressive.
@benjamin2000 said:
Can anyone explain why running "./linpeas.sh" gives me a permission error, but running "bash linpeas.sh" works fine? All permissions are set correctly, I've never seen this before.
It's kind of funny. The filesystem is set as non-exec. So, the script itself is not executable. However, bash is executable and in a filesystem without the non-exec flag. So, even though if you call the script directly it'd usually use bash as interpreter, you cannot do it. You need to call bash and have it opening the script.
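The noexec behaviour described in the reply above, as an added example that is not part of any poster's message: a shell helper that finds the mount holding a path and reports whether it carries the `noexec` flag. The sample mount table, paths and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (illustrative, not from the box).
SAMPLE_MOUNTS='/dev/root / ext2 ro,relatime 0 0
/dev/sda1 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda3 /usr/local ext4 rw,nodev,relatime 0 0'

# mount_opts PATH [MOUNTS_TEXT]: print the options of the mount holding PATH.
# The longest matching mount point wins; on a tie the later entry wins,
# because a later mount shadows an earlier one at the same mount point.
# Limitation: mount points with spaces (\040 in /proc/mounts) are not decoded.
mount_opts() {
    printf '%s\n' "${2:-$(cat /proc/mounts)}" | awk -v p="$1" '
        {
            mp = $2
            # Match "/", the mount point itself, or a directory prefix of p.
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }'
}

# is_noexec PATH [MOUNTS_TEXT]: succeed if PATH lives on a noexec mount.
is_noexec() {
    case ",$(mount_opts "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# exec_diagnosis PATH [MOUNTS_TEXT]: explain a "Permission denied" on ./PATH.
exec_diagnosis() {
    if is_noexec "$1" "$2"; then
        # The kernel refuses execve() on files from this mount whatever the
        # mode bits are; an interpreter on an exec mount only reads the file.
        echo "noexec mount: direct execution is denied, mode bits are irrelevant"
    else
        echo "exec allowed: check the mode bits and the shebang line"
    fi
}

exec_diagnosis /home/user/linpeas.sh "$SAMPLE_MOUNTS"
```

Called without the second argument, the functions read the live `/proc/mounts`. The same check shows why `noexec` alone does not stop scripts from running when an interpreter is available on another mount.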
@Kaiziron said:
Rooted in less than 30 minutes. This is way too easy, after getting foothold instantly privesc to root. May I know if it is intended?
The box is easy, but after getting foothold you should at least have found some loot via common enumeration (easy again, but took me much more than 60 seconds to find out) and edited something else to get RCE after getting the user (this is actually very straightforward). If you have instant privesc as soon as you get the foothold you may have been piggybacking on someone else or found an unintended way. If not, kudos for your enum-fu!
PM me if you want to confront your solution.
@damnc said:
@benjamin2000 said:
Can anyone explain why running "./linpeas.sh" gives me a permission error, but running "bash linpeas.sh" works fine? All permissions are set correctly, I've never seen this before.
It's kind of funny. The filesystem is set as non-exec. So, the script itself is not executable. However, bash is executable and in a filesystem without the non-exec flag. So, even though if you call the script directly it'd usually use bash as interpreter, you cannot do it. You need to call bash and have it opening the script.
Ah ok, makes sense. Thanks!
I spent hours trying to get a revshell and still can't get a connection back!
Tried php, msfconsole, bash and even made my own pl**n but can't get a shell !!!
@AbuQasem said:
I spent hours trying to get a revshell and still can't get a connection back!
Tried php, msfconsole, bash and even made my own pl**n but can't get a shell !!!
Try with msfconsole again !
I was able to go from www straight to root because of some permission things. Is that the right way? I'm thinking that maybe I just got lucky because it seems so wild and easy.
am I blind or what? my enumeration skills are not enough, can't get user after foothold
would love some help from someone
edit: I'm blind lol
Rooted!
foothold : just basic known cms rev-shell
user : make sure you didn't miss any file from the automation tools output [we definitely getting close to the summer]
root : from step to step you will understand which file you need to edit
That was fun. Annoying but fun...
Thanks
whoami && hostname && id
root
spectra
uid=0(root) gid=0(root) groups=0(root)
@htbserge said:
I was able to go from www straight to root because of some permission things. Is that the right way? I'm thinking that maybe I just got lucky because it seems so wild and easy.
If you don't know whether you got it the intended way, then you probably have not: it is quite obvious once you find it. Also you are supposed to move laterally before privesc, not going straight from RCE to root.
One of the easiest easy boxes so far. Great lead in for HTB for people coming from THM.
Find stuff you can't see
Go beyond your tools
Find which file to edit...
Rooted.
Foothold:
- the answer is right in front of you, basic enum, lots of tutorials online once you're "in"
User:
- run your typical scripts, but read EVERYTHING - no matter how dumb it may seem
Root:
- you will probably have to do some basic reading on a new command - find what is executing and how you can use that to your advantage
Got user + root!!!
However, I don't understand why the people delete the useful files from the machine. I've spent many hours to get user, but some info has been deleted by someone!!
Just rooted the box, not too bad. Learned something when it came to the root privesc, which is nice. I would say the difficulty is a little on the medium side, but that might be due to the fact you really, really need to enumerate and running scripts in this environment can be a bit challenging. The actual process of the initial foothold and user isn't difficult, but I can see where people might hit roadblocks with the final privesc. This box really forces you to roll up your sleeves and enumerate and not rely on your tools so much. There might be times where you cannot execute scripts such as Linpeas...
Initial Foothold:
Like others have said, it's right in front of you but you may not be able to see it right away. Brush up on your enumeration skills and poke around - you will find something that sticks out. A lot of companies have a separate development and production environment...do they share any similarities? Once you get that access, it's a known way to pop a shell from the CMS.
User:
This was the fun part since I didn't use any scripts such as linpeas. If you are doing your enumeration steps correctly, you should find a file that will tell you some things. Something to do with reading something a juicy file? Once found, it will tell you where to look for your answer. Is it hot in here or is it just me?
Root:
Finally, you made it...eh kinda. This user can do something powerful, but if you're like me, you probably need to do some research (you should always be learning in infosec). Get familiar with it, understand the files it uses, yada yada yada. It might help to see what groups you're in as it will help you finding what files you're looking for. Once you make your move, you are home free.
If you made it this far, crack open a cold one - you deserved it you enumeration champ!
(solved)
Rooted! It was a little bit tricky easy box but enjoyed it a lot! Here my hints:
Initial Foothold: is actually very straight forward as there is little enumeration to find what you need.
User: this one was a little harder to what we are used to. Are there any interesting files? what is their content?
Root: just do your basic enumeration. You'll know what you need to do to get root privileges.
got root, nice box. Has someone done it without ***?
Please pm me if you have...
Finally got root after some time, a frustrating box if you don't PROPERLY do your enumeration.
Foothold: Look at every file, see what sticks out, also don't forget to read the source.
User: I spent hours on this since I was overthinking things, just enumerate from the base directory and don't overthink. Again, look at what sticks out.
Root: Research about what you can do and be quick.
Overall a nice box that if you overthink things like me you'll spend hours only to realize the answer was in front of you.