SolidState

Are we absolutely sure we even need the command to run via the script? I’m pretty sure that, unlike the other lab that had a similar machine that actually required it to run the script for it to work, this particular machine does not require it… We can escape another way.

Got user already, and I’m going after root now. The exploit we’re dealing with says something like “payload will be executed once somebody logs in.”

I’m doing it all by hand, not using the automated scripts available. I go in there and write the email to the “premium user” and bla bla bla. My question is: will it execute once somebody logs into the P**3 service or logs in via SSH? I tried both and didn’t get the intended result.

Hey JChris, you are correct that it will trigger via one of those services. You probably won’t get the intended result unless you have found the correct way of doing it. (I know that was a bunch of words to say nothing, but that is the nature of this forum after all.) I would ask yourself what it is you are expecting the script to do for you and if it can be done manually without the script at all… The script might be running as intended even when you see the errors, so be sure to check that it worked instead of assuming it errored out and didn’t work. That being said, I was able to get user and root without having to bother with the script. I confirmed this by resetting the machine and doing it again, and it works just fine.

Also, this machine is one of the ones where the outcome of your actions is VERY MUCH affected by what previous users have done/tried in their attempts. I recommend resetting this machine before working with it each time you come back to it.

Got Root. Nice experience.

It’s almost always the same dirs to check on all machines; else use linenum.sh.

Should I log in to the user with the password to read the emails, or is there another thing to do?

Hi all, I have hit a wall in privilege escalation. I have found an interesting file and have modified it to initiate a reverse shell as the file’s owner, but I can’t seem to execute it! Does the solution have something to do with the very first line in this file (#!) ? I could really use a nudge.

@theNightMan said:
Hi all, I have hit a wall in privilege escalation. I have found an interesting file and have modified it to initiate a reverse shell as the file’s owner, but I can’t seem to execute it! Does the solution have something to do with the very first line in this file (#!) ? I could really use a nudge.

You can modify a file that can easily get you to your goal… Check and PM me if you need more help. :slight_smile:

@theNightMan said:
Hi all, I have hit a wall in privilege escalation. I have found an interesting file and have modified it to initiate a reverse shell as the file’s owner, but I can’t seem to execute it! Does the solution have something to do with the very first line in this file (#!) ? I could really use a nudge.

It sounds like you’re on the right track. How are you executing that file? If you run it as mindy, even if the commands execute, I’m pretty sure they’ll still execute as mindy. Is there a way to run this file as the owner instead?

If all that stuff is right and it’s still not working, the problem could be with your code. Or, it might just take a second to run and you might not get much of an indication that it executed, if that makes any sense.

Feel free to PM me with what you’re trying and I’ll see if I can help.

Are there any hints to get a reverse shell? I have tried manually sending cmds to …/…/…/etc.conf user but when I log in with mindy I do not get a shell. Please give a hint in the right direction.

@theNightMan said:
Hi all, I have hit a wall in privilege escalation. I have found an interesting file and have modified it to initiate a reverse shell as the file’s owner, but I can’t seem to execute it! Does the solution have something to do with the very first line in this file (#!) ? I could really use a nudge.

Have a good look at what the original file does. How can you monitor it?

@lordsoahc said:
Are there any hints to get a reverse shell? I have tried manually sending cmds to …/…/…/etc.conf user but when I log in with mindy I do not get a shell. Please give a hint in the right direction.

Try various shells; not all variants will work. Make sure you have researched the application running on the server and how to use it to do what you want.

Nailed it! This box was fun and a great learning experience. On to the next one…

Why is this machine always freezing?

It is hard to point you in the right direction without spoiling, especially since it is a bit unclear how you are “logging in”. You should generally get an initial shell though when doing it correctly. One of the challenges will be to transform this shell into something more useful. Perhaps abusing a small file misconfiguration will be helpful for this.

In case you should not see even an initial shell at all when logging in (although I do not know how that could happen), the system might be broken. It is one of the machines where other users can significantly interfere with your own activities, so resetting might help in case you are really stuck.

Solved… now I’m on the last file, trying to figure out how I can continue… :smiley:

After solving the box, I looked at the walkthroughs. None seem to mention Metasploit… Just wanted to mention it has something up its sleeve as well.