I’m connected to the admin interface bu I can’t find the file explorer any more.
hunch how to get there would be nice
The explorer really shouldn’t be there. If you see it there it’s because another user put it there. That should be a pretty big hint on how you need to proceed.
Worried I might be over thinking this one, I got user.txt, a shell, magento admin and a meterpreter session all easily but I’ve spent a day trying to escalate privileges on my shell to get root. If anyone could offer a nudge without a spoiler that would be great!
Worried I might be over thinking this one, I got user.txt, a shell, magento admin and a meterpreter session all easily but I’ve spent a day trying to escalate privileges on my shell to get root. If anyone could offer a nudge without a spoiler that would be great!
I was in the exact same position all weekend until about an hour ago. try running the cmd your trying with s**o
That really was something.
Personally, I’ve chained two exploits from exploitDB - I’ve had to modify both to get RCE.
There is no need to:
explore the a**** panel
use m****** c******
get a rev shell
upload anything
After that, getting root was easy; and next time I’ll read more carefully what the /e**/s****** file says to save me some head-aganst-the-wall-banging.
I have a rev-shell as www-data. I think i know the way to root it using something found in /e**/su****** but I cant find a way to get a proper shell working with special keystrokes. If is willing to help please PM. Thanks
I’m totally new at offensive security (I do have a lot of experience in defensive security), anyway this is my first attempt against a HTB machine and rookie as I am, I need guidence to solve it.
After a lot of reading (this entire thread included) and 2 weeks in this box (I know…) I think I have the “plan” to execute to solve it, the “how to…” use the tools is a work in progress in my case, but that’s the fun part, right?
Anyway, this is what I have done so far:
nmap
gobuster
nikto (almost exact same results as gobuster, did it just in case)
search for exploits (including: OS, services and App), in which I think the App exploit is the best one to try, but I’m stucked in a previous step.
The “plan” I trace was:
enumerate all directories for the web server (app) and possible users.
try to find like an “upload page” or some part of the server where I can upload the exploit.
Get a Reverse-shell back to me and find the “user” flag and then escalate to “root”.
Results:
With gobuster and nikto find the directories. Did not find an “upload” page but did find the login page for application administration. I’m guessing, I have to login with an admin account to upload the exploit. For that, I need an users and password list.
For the users, I’ve tried to browse all the directories in the server (when I said “all”, I mean I have looked at ALL .xml, .txt and files in the server) but either I’m not picking up the right users or I’m missing them completely. Same for passwords.
OK, so in this point is where I need help. What should I be looking for (just a hint) in terms of possible users?
After that I guess I’l go further with step #2 and so on…
Bonus question: Yes or No, the plan of attack is correct?