Ok, went for Traverxec. Got user, possibly (still www-data) but I have no idea where the flag is.

Follow

@m4iler @TheGibson @tinker @ryen depends on what you want to do and what UID you are. If not root/system, tune to elevate! (If you can)

@jerry @TheGibson @tinker @ryen Yeah, I'm www-data, but all modules only got me from perl to meterpreter

@jerry @TheGibson @tinker @ryen Also, I got a username and md5crypt hash of the password. Unfortunately, I ran JtR through rockyou.txt and no dice.

@m4iler @TheGibson @tinker @ryen there are often privilege escalation vulnerabilities laying around - editable scripts that run as root, etc. take stock of the system, what is on it, etc, look for vulnerabilities. Get ya pwn on

@jerry @TheGibson @tinker @ryen Yah, got the password.

Now I have no idea how to use it, it seems to be bound to only this nostromo instance and nothing else. And I have nowhere to put it. I tried ssh, su change, some other places...

@jerry @m4iler @tinker @ryen

With Windows, I always look for scheduled tasks that are admin scripts.

They are often saved locally on the server in a insecure folder like c:/temp

They run as the admin.

Edit the script to add whatever you want.

They’ll never check it unless their process is disrupted.

@jerry @TheGibson @tinker @ryen Ok, giving up for now. I need a brake, I've been at this for 4 hours now. I feel like I could use a SUID privesc, but I'm not sure how exactly to do that.

I'll read up on it and try again.

Maybe splurge 10$ on the Htb premium.

@m4iler @TheGibson @tinker @ryen it’s all good. This is the fun part. Getting the shell is just opening the door. The tools just help with automation - the magic comes in developing an intuition on where to look for common mistakes/misconfigurations/unpatched vulns (hint: no one patches local priv esc vulns, because YOLO)

@jerry @m4iler @tinker @ryen

Lol! This is exactly why I don’t usually talk much about the more complex exploits, because I rarely have to go there.

Building your work list of things to look for, and working down that list usually gets you to escalation pretty quick.

Sign in to participate in the conversation
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.