Swagshop

Fantastic box, thanks to @ch4p for putting it together … got user and root flags with a very nice surprise at the end (totally worth it).

Couple of observations: not as easy as some of the comments might make you believe (depending on your expertise :wink:)

PM if you need any hints.

@HackSh00t said:

I’ve a TTY shell, I enumerated all I could and I tried multiple priv esc kernel exploits that didn’t work. I’m in the w**-***a user. I will appreciate some hints.

No need for kernel exploits. The priv esc sticks out in your basic enumeration, so you have to look a bit closer. Took me 5 minutes and I am not the best hacker, just ran my basic stuff, something really sticks out because it should not be there.

Also to everyone doing the box: Don’t mess with the index.php, that is the laziest way to get your RCE, and in the field would put you into a lot of trouble. Also it is not fun for the people who are here to learn a thing or two, so maybe if you are messing around the next time, think a few steps ahead.

@HackSh00t said:

I’ve a TTY shell, I enumerated all I could and I tried multiple priv esc kernel exploits that didn’t work. I’m in the w**-***a user. I will appreciate some hints.

It is more simple than you believe, try to figure out what you could do if you were root :wink:

@lemarkus said:

@HackSh00t said:

I’ve a TTY shell, I enumerated all I could and I tried multiple priv esc kernel exploits that didn’t work. I’m in the w**-***a user. I will appreciate some hints.

No need for kernel exploits. The priv esc sticks out in your basic enumeration, so you have to look a bit closer. Took me 5 minutes and I am not the best hacker, just ran my basic stuff, something really sticks out because it should not be there.

Also to everyone doing the box: Don’t mess with the index.php, that is the laziest way to get your RCE, and in the field would put you into a lot of trouble. Also it is not fun for the people who are here to learn a thing or two, so maybe if you are messing around the next time, think a few steps ahead.

Ty for the hint. I know where I can use the s*** command, the problem is that it’s asking me for the w**-***a password. I’ve tried multiple args and stuff but nothing worked

@HackSh00t said:

@lemarkus said:

@HackSh00t said:

I’ve a TTY shell, I enumerated all I could and I tried multiple priv esc kernel exploits that didn’t work. I’m in the w**-***a user. I will appreciate some hints.

No need for kernel exploits. The priv esc sticks out in your basic enumeration, so you have to look a bit closer. Took me 5 minutes and I am not the best hacker, just ran my basic stuff, something really sticks out because it should not be there.

Also to everyone doing the box: Don’t mess with the index.php, that is the laziest way to get your RCE, and in the field would put you into a lot of trouble. Also it is not fun for the people who are here to learn a thing or two, so maybe if you are messing around the next time, think a few steps ahead.

Ty for the hint. I know where I can use the s*** command, the problem is that it’s asking me for the w**-***a password. I’ve tried multiple args and stuff but nothing worked

s*** command is the way with a right path :slight_smile:

@HackSh00t said:

@lemarkus said:

@HackSh00t said:

I’ve a TTY shell, I enumerated all I could and I tried multiple priv esc kernel exploits that didn’t work. I’m in the w**-***a user. I will appreciate some hints.

No need for kernel exploits. The priv esc sticks out in your basic enumeration, so you have to look a bit closer. Took me 5 minutes and I am not the best hacker, just ran my basic stuff, something really sticks out because it should not be there.

Also to everyone doing the box: Don’t mess with the index.php, that is the laziest way to get your RCE, and in the field would put you into a lot of trouble. Also it is not fun for the people who are here to learn a thing or two, so maybe if you are messing around the next time, think a few steps ahead.

Ty for the hint. I know where I can use the s*** command, the problem is that it’s asking me for the w**-***a password. I’ve tried multiple args and stuff but nothing worked

You can PM me if you need some hint.

In case it helps, I think I know why the box throws so many 503s.
Before you install an extension, make sure the FIRST CHECKBOX (Put store on the maintenance mode while installing/upgrading/backup creation) is unchecked… But then again, I might be wrong.

As for the FileSystem menu option, it does not come by default. So every time you have seen it, someone else had installed it, so a reset will remove it… just saying.

Man, getting the reverse shell was much harder than getting root, I got root in less than a minute, and user in 3 hours lol.

Hey,

I have been able to find the snake and made it lead me inside the panel.
However, because of this sick 503 I had to subscribe in the VIP.
Unfortunately, I have been trying to access the panel with the same snake but it is not allowing me at all !!! Is there a difference or what is the issue here??

Please PM

Nevermind !!!

Nevermind !!! I found the issue

I was able to load what is necessary for the a**** portal and ct showed successful on upload but I am still not seeing it as an option in panel, in ct everything looks great. Any nudges?

what would you guys say is the harder part? start → a**** p**** or a**** p**** → RCE

would you please stop uploading your shells to index.php??!! there are other ways - this server was destroyed at least 5 times today mid session.

Could someone shoot me a hint on getting a TTY shell? I believe I know what to do after but I’ve been stuck on this for a while.

Edit - Rooted, PM if you need a hint

Spoiler Removed

@Thomasian said:

@badman89 said:
Ok cheers @Thomasian, seems to be ok now I’ve moved server! Any hint on where to get the file I need to upload? Have one but says connect error unsupported resource type

Uploading through M****** Con**** might put it into maintenance mode. I did not upload my shell there. I am not saying you can’t do it there but there is an easier way to upload your shell without creating your own extension package file for your shell.

Could you provide some hint to do this? I’m struggling with the M**** Con**** and I can’t figure out how I can upload my shell.
Tks

EDIT: I rooted this machine after 1 day. Elevating privileges is quite simple. PM for help!

Rooted!

For user: After you get logged in, google/youtube a bit. When you find the right method, you may need to find an alternate version of it.

For root: Think 101 level. Very basic.

PM for help!

So I have my own creds from the first RCE, and I’m in the admin panel. I’m trying the 2nd, directly on the DashC**.php page, but getting a 500: Internal Server Error. Using it on any other page or URL fails as the regex function in the code can’t find the string it’s looking for.

What am I doing wrong here?

Why do I feel that they sweep up the whole box at once?
I just got the shell and then it became laggy and finally my shell is gone, oh wait, the whole directory is gone !!

Could someone please point me to the correct extension?

I downloaded an extension, modified it a little by inserting something in and then uploaded it back. No errors, but also no shell… tried 3 different shells, so it is probably not the way I should be going :slight_smile:

Any advice?

Update: I had to reset the box - it worked afterwards. And root was really easy! When something like “that” is in place just go for the root shell directly.