Postman

bumika · November 10, 2019, 11:20pm

Type your comment> @d4rk5p07 said:

I’ve got access through r***s. I’ve discovered 4 potential attacks,

webshell → not working (no write access)

copy ss*-related file in home dir → not working (no access)

inject cronjob → not working (no access)

Master/Slave exec payload → not working (missing command MOD***)
what i’m missing? is it one of the 4 options i discovered?
Option 4 seemed the most promising to me. Ive worked through this thread, but as it seems i dont understand the breadcrumbs at all.

One of them works. Think about directory aspect again…

mrvanee · November 10, 2019, 11:38pm

First machine and finally got root! Lessons learned and i thought it was a fun box !

nob0dy73 · November 11, 2019, 12:44am

I just rooted the box and have some questions about the initial foothold. The way that r**s is set up on the box, is that a normal setup? I was surprised how my attack actually worked.

tekkenpc · November 11, 2019, 1:56am

Was able to decrypt the i*****.**k , although always getting “Connection closed by 10.10.10.160” , looking into the sshd config i can see that the user is actually denied to login via ssh, is this expected?

passkwall · November 11, 2019, 2:53am

@tekkenpc said:
Was able to decrypt the i*****.**k , although always getting “Connection closed by 10.10.10.160” , looking into the sshd config i can see that the user is actually denied to login via ssh, is this expected?

I’ve been having a ton of overall issues connecting to the box lately so i don’t think you’re alone. not sure if anything has changed, but some others have been saying “keep trying til it works”

bumika · November 11, 2019, 7:41am

Type your comment> @nob0dy73 said:

I just rooted the box and have some questions about the initial foothold. The way that r**s is set up on the box, is that a normal setup? I was surprised how my attack actually worked.

There are more than one configuration items which bears the imprint of a CTF-like implementation. One of them is applying the DenyUser option in sshd_config, and an other one is using the command rename option in the r***s configuration file.

Purpose of these settings are exclusion of alternative solutions.

Exci · November 11, 2019, 10:23am

Type your comment> @passkwall said:

@tekkenpc said:
Was able to decrypt the i*****.**k , although always getting “Connection closed by 10.10.10.160” , looking into the sshd config i can see that the user is actually denied to login via ssh, is this expected?

I’ve been having a ton of overall issues connecting to the box lately so i don’t think you’re alone. not sure if anything has changed, but some others have been saying “keep trying til it works”

Let’s just say, if you’re already in one of the house’s rooms, don’t just walk out and ring the doorbell again.

Locutus · November 11, 2019, 12:41pm

Nice box, learned something new and yes, there are already more than enough hints in the previous comments. Special thanks to @TheCyberGeek

nob0dy73 · November 11, 2019, 1:22pm

Type your comment> @bumika said:

Type your comment> @nob0dy73 said:

I just rooted the box and have some questions about the initial foothold. The way that r**s is set up on the box, is that a normal setup? I was surprised how my attack actually worked.

There are more than one configuration items which bears the imprint of a CTF-like implementation. One of them is applying the DenyUser option in sshd_config, and an other one is using the command rename option in the r***s configuration file.

Purpose of these settings are exclusion of alternative solutions.

So this would be atypical of how a default r**s would be setup? From my understanding of how the accounts for services should be setup, even in a testing environment, is that none of my attacks should have worked. I’m just curious if this is something you actually see in the wild.

dcarmichael · November 11, 2019, 1:48pm

Man I’m at a wall and I know it is going to be something stupid got user M*** and I know people are saying to go to the beginning but I must have missed something enumerating… Please PM! Great so far haha

bumika · November 11, 2019, 1:57pm

Type your comment> @nob0dy73 said:

Type your comment> @bumika said:

Type your comment> @nob0dy73 said:

I just rooted the box and have some questions about the initial foothold. The way that r**s is set up on the box, is that a normal setup? I was surprised how my attack actually worked.

There are more than one configuration items which bears the imprint of a CTF-like implementation. One of them is applying the DenyUser option in sshd_config, and an other one is using the command rename option in the r***s configuration file.

Purpose of these settings are exclusion of alternative solutions.

So this would be atypical of how a default r**s would be setup? From my understanding of how the accounts for services should be setup, even in a testing environment, is that none of my attacks should have worked. I’m just curious if this is something you actually see in the wild.

I think several r***s services run as root and accessible without authentication in the wild. In that case all mentioned attacks can be successful.

Meise · November 11, 2019, 3:13pm

Someone can PM me a hint to get root? i have the user M*** and im in with his shell

Edit: rooted

ki3den · November 11, 2019, 6:24pm

Very nice, I think this was my first root.

All the hints are pretty straightforward. I would suggest a clean restart of the box before you get started; there are some pretty tempting configurations that can be changed, which will throw you off quite a bit.

As a side note, for those that have completed it, I wrote a script for the r* part, but it doesn’t work – but when I run a few other commands (that are in the script) it lets me in. Anyone else seeing that?

dnperfors · November 11, 2019, 7:09pm

Got user a few days ago, but it is very frustrating that people reset the box every time they think an exploit for the initial shell is not working, while it can easily be solved by a few simple commands to that could be sent to r***s that will solve the error message people get…

STOP RESETTING WHEN THE SERVICE IS IN READONLY MODE, BUT JUST SEND THE CORRECT COMMANDS THAT FIX IT!!!

Anyways:

root@Postman:~# hostname; id; date
Postman
uid=0(root) gid=0(root) groups=0(root)
Mon Nov 11 19:19:46 GMT 2019
root@Postman:~#

Root was way to easy… the hardest part was fighting the resets…

FoX01 · November 11, 2019, 9:14pm

Rooted. Thanks @Chantal2019 for the nudge. PM for hints.

tekkenpc · November 11, 2019, 10:45pm

Just finalised path to root, very cool box and my first one in HTB !

Thanks @cycl0ps for the tip you gave me

gsxrjason · November 11, 2019, 11:40pm

Rooted.
Thanks @FoX01

Oupi · November 12, 2019, 1:25am

Hi guys, Can anyone give me a nudge, I’ve looked through the previous hints regarding r*s but all the scripts I’ve found seem not to be working , because of access denied, or because "unknown command 'mdle’". cheers

ShredX · November 12, 2019, 2:36am

Hi Guys, Any one willing to nudge me on how to deal with the i*****.b** file? Happy to give reps, etc.

I have low priv access but having problems with the above (barely mentioned) file.

dnperfors · November 12, 2019, 5:53am

Type your comment> @MrCadimas said:

Hi guys, Can anyone give me a nudge, I’ve looked through the previous hints regarding r*s but all the scripts I’ve found seem not to be working , because of access denied, or because "unknown command 'mdle’". cheers
Perhaps you shouldn’t use existing scripts, but rather do things manually?