Swagshop

There is an advantage in an unstable box: more time to learn.
While you wait until the box is online again, you have time to learn how the exploit works in detail, and at the same time to read the forum and to talk with your friends.

Nice box!

My tips:

User: Having problems with the tunnel…? Forget it. There are at least 2 other methods to gain RCE. You will need an admin account first… and you can create this account using a very well-known vulnerability on this CMS (sh******). xD

Root: It was very straightforward. Just follow your basic enumeration scripts.

I’ve a TTY shell, I enumerated all I could and I tried multiple priv esc kernel exploits that didn’t work. I’m in the w**-***a user. I will appreciate some hints.

Rooted, great box. If somebody needs help, PM me…

Fantastic box, thanks to @ch4p for putting it together … got user and root flags with a very nice surprise at the end (totally worth it).

Couple of observations: not as easy as some of the comments might make you believe (depending on your expertise :wink:)

PM if you need any hints.

> @HackSh00t said:
> I’ve a TTY shell, I enumerated all I could and I tried multiple priv esc kernel exploits that didn’t work. I’m in the w**-***a user. I will appreciate some hints.

No need for kernel exploits. The priv esc sticks out in your basic enumeration, so you have to look a bit closer. Took me 5 minutes and I am not the best hacker, just ran my basic stuff, something really sticks out because it should not be there.

Also to everyone doing the box: Don’t mess with the index.php, that is the laziest way to get your RCE, and in the field would put you into a lot of trouble. Also it is not fun for the people who are here to learn a thing or two, so maybe if you are messing around the next time, think a few steps ahead.

> @HackSh00t said:
> I’ve a TTY shell, I enumerated all I could and I tried multiple priv esc kernel exploits that didn’t work. I’m in the w**-***a user. I will appreciate some hints.

It is more simple than you believe, try to figure out what you could do if you were root :wink:

> @lemarkus said:
> > @HackSh00t said:
> > I’ve a TTY shell, I enumerated all I could and I tried multiple priv esc kernel exploits that didn’t work. I’m in the w**-***a user. I will appreciate some hints.
>
> No need for kernel exploits. The priv esc sticks out in your basic enumeration, so you have to look a bit closer. Took me 5 minutes and I am not the best hacker, just ran my basic stuff, something really sticks out because it should not be there.
>
> Also to everyone doing the box: Don’t mess with the index.php, that is the laziest way to get your RCE, and in the field would put you into a lot of trouble. Also it is not fun for the people who are here to learn a thing or two, so maybe if you are messing around the next time, think a few steps ahead.

Ty for the hint. I know where I can use the s*** command, the problem is that it’s asking me for the w**-***a password. I’ve tried multiple args and stuff but nothing worked.

> @HackSh00t said:
> > @lemarkus said:
> > > @HackSh00t said:
> > > I’ve a TTY shell, I enumerated all I could and I tried multiple priv esc kernel exploits that didn’t work. I’m in the w**-***a user. I will appreciate some hints.
> >
> > No need for kernel exploits. The priv esc sticks out in your basic enumeration, so you have to look a bit closer. Took me 5 minutes and I am not the best hacker, just ran my basic stuff, something really sticks out because it should not be there.
> >
> > Also to everyone doing the box: Don’t mess with the index.php, that is the laziest way to get your RCE, and in the field would put you into a lot of trouble. Also it is not fun for the people who are here to learn a thing or two, so maybe if you are messing around the next time, think a few steps ahead.
>
> Ty for the hint. I know where I can use the s*** command, the problem is that it’s asking me for the w**-***a password. I’ve tried multiple args and stuff but nothing worked.

s*** command is the way with a right path :slight_smile:

> @HackSh00t said:
> > @lemarkus said:
> > > @HackSh00t said:
> > > I’ve a TTY shell, I enumerated all I could and I tried multiple priv esc kernel exploits that didn’t work. I’m in the w**-***a user. I will appreciate some hints.
> >
> > No need for kernel exploits. The priv esc sticks out in your basic enumeration, so you have to look a bit closer. Took me 5 minutes and I am not the best hacker, just ran my basic stuff, something really sticks out because it should not be there.
> >
> > Also to everyone doing the box: Don’t mess with the index.php, that is the laziest way to get your RCE, and in the field would put you into a lot of trouble. Also it is not fun for the people who are here to learn a thing or two, so maybe if you are messing around the next time, think a few steps ahead.
>
> Ty for the hint. I know where I can use the s*** command, the problem is that it’s asking me for the w**-***a password. I’ve tried multiple args and stuff but nothing worked.

You can PM me if you need some hint.

In case it helps, I think I know why the box throws so many 503s.
Before you install an extension, make sure the FIRST CHECKBOX (Put store on the maintenance mode while installing/upgrading/backup creation) is unchecked… But then again, I might be wrong.

As for the FileSystem menu option, it does not come by default. So every time you have seen it, someone else had installed it, so a reset will remove it… just saying.

Man, getting the reverse shell was much harder than getting root, I got root in less than a minute, and user in 3 hours lol.

hey,

I have been able to find the snake and made it lead me inside the panel.
However, because of this sick 503 I had to subscribe to VIP.
Unfortunately, I have been trying to access the panel with the same snake but it is not allowing me at all!!! Is there a difference, or what is the issue here??

Please PM

Never mind!!!

Never mind!!! I found the issue

I was able to load what is necessary for the a**** portal and ct showed successful on upload but I am still not seeing it as an option in panel, in ct everything looks great. Any nudges?

What would you guys say is the harder part? start → a**** p**** or a**** p**** → RCE

Would you please stop uploading your shells to index.php??!! There are other ways - this server was destroyed at least 5 times today mid session.

Could someone shoot me a hint on getting a TTY shell? I believe I know what to do after but I’ve been stuck on this for a while.

Edit - Rooted, PM if you need a hint

Spoiler Removed

> @Thomasian said:
> > @badman89 said:
> > ok cheers @Thomasian, seems to be ok now I’ve moved server! any hint on where to get the file I need to upload have one but says connect error unsupported resource type
>
> Uploading through M****** Con**** might put it into maintenance mode. I did not upload my shell there. I am not saying you can’t do it there but there is an easier way to upload your shell without creating your own extension package file for your shell.

Could you provide some hint to do this? I’m struggling with the M**** Con**** and I can’t figure out how I can upload my shell.
Tks

EDIT: I rooted this machine after 1 day. Elevating privileges is quite simple. PM for help!