Got root txt , and a root shell. For the shell is not a matter of “technical” knowledge but rather thinking outside the box. If anyone want a hand just PM me. You can also find me on the discord HTB server with the same handle.
ok, so user part was tricky, enumeration was the most tricky part. Search something from everything type. But getting the root part was easy. If possible try holiday machine of ippsec.
Thanks for the nudge @Baikuya .
Happy to help.
crunch & hydra are your friends
I’m stuck again, this box is driving me crazy… xD
I already got user.txt and now i’m on my way to root, still no luck.
Everything points and i’m pretty convinced that i’m on the right path… To get root i think we have to abuse an user script, seems clear that this should be a wild exploitation, but everything i try is a dead end for me.
Seems that the vulnerable code has two possible ‘entry points’, not sure which one is the right way… In the first one, the t** line. I’m not able to execute an evil shellscript throught this. I have recreated the scenario on my computer and i think the problem is that target is inside a directory and referenced relatively ([dir]/). In my tests, i’m able to get it working only if the target is in the same directory (/).
And the other possible target, the ch*** command, i’m not able to found a way to abuse it to read a privileged file.
Any hint? I’m at least on the right path?
Thanks!
C’mon, initial access, the password part is lame, I would have never searched there , why don’t you hide something in the apache manual? FFS
stuck with low priv
… now got user … for everyone struggling , don’t search for the “interesting” service, it’s obvious what the service is as it’s the only thing integrated with the moodle cms , all you need is to read the config files and go from there
Type your comment> @seke said:
… now got user … for everyone struggling , don’t search for the “interesting” service, it’s obvious what the service is as it’s the only thing integrated with the moodle cms , all you need is to read the config files and go from there
This was helpful.
Well I avoided asking for help too early however I just cannot find the file holding the credentials or any inderesting service that could hold the credentials. I need some help if possible. Thank you
Edit: Talking about the user priv escalation
Pretty sure I’ve got initial user and password + the final character of the pwd but cannot login to m****le. Anyone PM me to tell me what I’ve missed?
If you are sure you have the right character you should be able to login, that is if no one is messing with the moodle login, try a reset or a morning hour
I disliked this challenge at first. It gets better as the challenge progresses. Obtaining root is particularly interesting as you do not obtain a shell per say but doing so should be possible.
Could anyone please hint me on how to obtain the creds for the user Gio****, I’ve viewed every file and page but no luck, I’ve also read all the comments here but I cannot find anything on the website, Could anyone please hint me PM.
Type your comment> @rulzgz said:
I’m stuck again, this box is driving me crazy… xD
I already got user.txt and now i’m on my way to root, still no luck.
Everything points and i’m pretty convinced that i’m on the right path… To get root i think we have to abuse an user script, seems clear that this should be a wild exploitation, but everything i try is a dead end for me.
Seems that the vulnerable code has two possible ‘entry points’, not sure which one is the right way… In the first one, the t** line. I’m not able to execute an evil shellscript throught this. I have recreated the scenario on my computer and i think the problem is that target is inside a directory and referenced relatively ([dir]/). In my tests, i’m able to get it working only if the target is in the same directory (/).
And the other possible target, the ch*** command, i’m not able to found a way to abuse it to read a privileged file.
Any hint? I’m at least on the right path?
Thanks!
Same boat, don’t know how to deal with the ([dir]/*) format with t**. Any hint?
Thanks!
Type your comment> @faisal94n said:
Could anyone please hint me on how to obtain the creds for the user Gio****, I’ve viewed every file and page but no luck, I’ve also read all the comments here but I cannot find anything on the website, Could anyone please hint me PM.
same like me
Type your comment> @azareth said:
Type your comment> @faisal94n said:
Could anyone please hint me on how to obtain the creds for the user Gio****, I’ve viewed every file and page but no luck, I’ve also read all the comments here but I cannot find anything on the website, Could anyone please hint me PM.
same like me
Ping me I’ll happy to help you?
I am starting with this box… I already found an interesting file with a P*d in it. Found the complete name of the user but already tried all combinations possible and cannot log into his user panel. Any hints would be appreciated.
Type your comment> @SiV4rPent3st said:
I am starting with this box… I already found an interesting file with a P*d in it. Found the complete name of the user but already tried all combinations possible and cannot log into his user panel. Any hints would be appreciated.
Enumration is the key…
HI guys , this box its very annoying can some of them please give me a help on the last letter of that password, i dont know i try low lettr g and capital G in user i try r,R in the end of that password but not working , any help would be appreciate , thank you!